Malta Historical Society Privacy Policy

Last updated on 1st November 2021
Version 1.2

Definitions

1.1 In this policy, Malta Historical Society, also known by the acronym MHS, refers to the Voluntary Organisation (reg. no. 0722) and Legal Person (LPA-46), legally established in 1950.

1.2 The term Society will be used interchangeably with the Malta Historical Society and the acronym MHS and will refer to the same entity.

1.3 The MHS Committee shall refer to the individuals elected as per the Society’s Statute to sit on the said Committee.

1.4 The term Member refers to any individual person who:

  • Applies to become an MHS member;
  • Applies to renew their membership with MHS;
  • Is a paid-up Member of the MHS;
  • Is a Dormant Member; or
  • Is a Life Member as defined by the MHS Statute.

1.5 The term Dormant Members refers to any individuals who were paid-up Members and who have failed to renew their membership for a period of up to twenty-four (24) calendar months from the expiry of their active membership.

1.6 The term Individual refers to any person who is not a Member of the Society who participates or participated in activities organized by MHS, or is using services provided by the Society, such as the newsletter or purchasing products from our online bookshop, and whose Personal Data is collected for administrative purposes during that activity or for the period of subscription to that service.

1.7 The term Contributor shall denote a person who has been invited by the Society to give a public lecture (this also includes online lectures) or submit an article to be included in an MHS publication. A Contributor shall also include persons who submit articles for the biannual MHS Scholarly Article and the MHS Emerging Scholarly Article awards and any other awards the MHS may decide to bestow following a competitive process from time to time.

1.8 The Society may receive support by means of donations be they monetary or otherwise (including services) from entities such as companies, trusts or foundations as well as physical persons. The term Sponsor shall denote said physical persons who support the Society in their own right or as representatives of the entities described above.

1.9 Members, Individuals, Contributors and Sponsors are all Data Subjects for the purposes of this policy.

1.10 The acronym GDPR refers to the General Protection Regulation EU 2016/79.

1.11 Personal Data means any information relating to an identifiable natural person: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Publication and review

This privacy policy shall be published on the MHS website and shall be forwarded to Data Subjects upon request. This policy will be reviewed and amended from time to time and published on the MHS website accordingly.

Data Controller and Processor

3.1 The MHS determines the purpose and means of the Personal Data collection and processing which shall be in line with the MHS Statute and is deemed to be the ‘Controller’ for the purposes of this policy.

3.2 Personal Data collected shall be processed by the MHS Committee Officers in charge of the Secretariat, Treasury, and Membership and/or any other MHS officers as appointed by the Committee from time to time.

3.3 The MHS uses third-parties to provide IT services to the Society such as email accounts. The third-party providers are deemed to be ‘Processors’ for the purposes of this policy.

3.4 The Controller can be contacted by email on info@mhs.mt, or by postal mail at Malta Historical Society, 41 Lion Street, Floriana FRN 1513.

Confidentiality of this data

4.1 The MHS commits itself to ensure that the processing of Personal Data is done in a confidential manner and further undertakes to take precautions to safeguard this data from any privacy breach or from divulging such data beyond the parameters of this policy.

4.2 The Personal Data of Members, Individuals and Sponsors will not be published on the MHS website, newsletters/ebulletin, emails, social media or reports, in any form, be it electronic or otherwise, unless by the explicit written consent of these Members.

Provided that if said publication or inclusion in a report is required by law, said processing will not be subject to Members/Individuals/Sponsors giving their explicit written consent.

4.3 Personal Data of Data Subjects will not be delivered to any third party under any circumstances, except as set out in this Policy and if required by the Voluntary Organisations Commissioner or other competent legal Authority under Maltese and/or EU law in accordance with the GDPR, the Maltese Data Protection Act (Chapter 586 of the laws of Malta), Convention 108 of the Council of Europe, and other relevant EU and Maltese legislation (collectively ‘the Data Protection Laws’).

Types of Personal Data and Purposes of processing thereof (including collection)

5.1 The MHS may request prospective Members’ Personal Data including contact and financial details for the purposes of processing membership applications. If a prospective Member is unwilling to provide these details, the Society will not be in a position to grant membership to the applicant. The processing of such data shall be based on necessity for the performance of a contract.

5.2 The MHS may process Members’ Personal Data including, username, password, contact and financial details and email and delivery address for the purposes of provision of membership services (both offline and online on the MHS website), renewals, reminders and any other administrative purpose necessary for the running of the Society, including the maintenance of the Society’s website or for the purposes of effecting sales of a book from the MHS online bookshop and having it delivered. The processing of such data for these purposes shall be based on necessity for the performance of a contract.

5.3 The MHS may process Members’ Personal Data (such as registration data/contact details) for the purposes of distributing regular newsletters/e-bulletins which may include information about membership (including benefits and opportunities), upcoming events and publications on the history of Malta. Recipients may at any time unsubscribe from the said service. The processing of such data for these purposes shall be based on necessity for the performance of a contract.

5.4 The MHS may process Members’ personal data (as referred to in Paragraph 10.1) after said persons cease being Members of the Society, for the purposes of maintaining a historical archival record of the Society’s membership for the furtherance of historical/statistical research. The processing of such data for these purposes shall be based on our legitimate interest as a historical society and in the public interest to maintain proper historical archival records.

5.5 MHS may require Personal Data of Individuals subscribing to a service operated by the Society or attending an activity organized by the Society or purchasing a ticket or book from the MHS online bookshop, and this data may include contact and financial details as well as email and delivery address so that the book can be delivered to the Individual. If an applicant for a service or an activity is unwilling to provide such data, the Society may refuse, and in some cases will be unable, to complete the subscription, sale or registration for that activity or service. The processing of such data for these purposes shall be based on necessity for the performance of a contract.

5.6 For the purposes of furthering the Society’s aims as laid out in the Statute, the MHS may collect and process Contributors’ Personal Data for the purpose of organising public/online lectures and editing publications. Contributors’ Personal Data in the form of a biographical background note and academic credentials may also be used for the purposes of promoting said lectures and publications and may also be published in local newspapers, e-bulletins, newsletters and on the MHS website. The uploading of the Contributor’s photos onto social media for promotional purposes will only occur once said Contributor has provided explicit written consent for the Society to do so. Once uploaded, said data will be subject to the privacy policy of that website/service. The Contributor’s consent may be withdrawn at any time. However, in the event that the Contributor withdraws their consent when their personal data are already being processed by MHS (for example, once the material in question has already been published), MHS shall rely on the legal basis of necessity for the purposes of our legitimate interest(s) to carry on processing the Contributor’s personal data to the fullest extent permitted by law. In some cases, for example, when the material has been published online, it may be impossible for use/retention by third parties to be stopped by MHS.

5.7 The MHS may process a Sponsor’s Personal Data which may include contact and financial details for the purposes of processing donations/sponsorships made to the Society. For the internal processing of any Sponsor Personal Data, MHS will rely on the legal bases of necessity for the performance of a contract and/or our legal obligations. The uploading of Sponsors’ Personal Data on social media will only occur if said Sponsors have provided explicit consent, which consent may be withdrawn at any time.

5.8 Data Subjects’ Personal Data may also be processed for the purposes of satisfying legal obligations such as the Society’s record-keeping obligations.

Recipients or Categories of Recipients

6.1 Relevant data will also be disclosed or shared as appropriate (and in all cases in line with the Data Protection Laws) to/with Members of MHS, and/or to/with affiliated entities and/or sub-contractors established within the European Union if pertinent to any of the purposes listed in this Privacy Policy (including to/with MHS’ payment services providers who facilitate the functionality of payment services Members or Individuals may require or make use of when purchasing tickets or books from the MHS online bookshop). Personal information will only be shared by MHS to provide the services Members request from us or for any other lawful reason (including authorised disclosures not requiring the Members’ consent). Any such authorised disclosures will be done in accordance with the Data Protection Laws.

6.2 Personal Data will never be shared with third parties for their marketing purposes (unless Members have given their consent thereto).

 

Rights of the Data subjects

7.1 Before addressing any request that Data Subjects make with MHS, MHS may first need to verify the identity of such Data Subjects. In all cases MHS will try to act on these requests as soon as reasonably possible.

7.2 As explained in the Retention Period section further below, MHS may need to keep certain Personal Data for compliance with certain legal retention obligations but also to complete transactions that Data Subjects have requested prior to the change or deletion requested.

In terms of the GDPR, Data Subjects enjoy the following rights:

7.3 Data Subjects providing Personal Data to the Society will be informed of the identity of the officer/s responsible for collecting and processing the data and will be provided with all the relevant information about the conditions, the term and duration of data retention.

7.4 Data Subjects may request the MHS in writing that they be provided with the Personal Data it holds in their regard. The Data Subject shall be entitled to receive the said information in a commonly used machine-readable format and may further request that such data be transmitted directly to another controller not being the MHS where technically feasible.

7.5 Data subjects shall have the right to access that Personal Data and to the following information:

  • What Personal Data MHS have,
  • Why MHS processes them,
  • Who MHS discloses them to,
  • How long MHS intends on keeping them for (where possible),
  • Whether MHS transfers them abroad and the safeguards MHS takes to protect them,
  • What rights are afforded to the Data Subjects,
  • How Data Subjects can make a complaint,
  • Where MHS got the Personal Data from, and
  • Whether MHS have carried out any automated decision-making (including profiling) as well as related information.

Upon request, MHS shall (without adversely affecting the rights and freedoms of others including its own) provide the Data Subject with a copy of the Personal Data undergoing processing within one month of receipt of the request, which period may be extended by two months where necessary, taking into account the complexity and number of the requests. The Society shall inform the Data Subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

7.6 Data Subjects may request in writing that their Personal Data be rectified where inaccuracies are identified.

7.7 Data Subjects may request in writing that the processing of their Personal Data be restricted (that is, stored but not further processed) in certain situations as prescribed by law (Article 18 of the GDPR) such as pending correction of inaccurate data held or when processing is alleged to be unlawful. Following the Data Subject’s request for restriction, except for storing the Data Subject’s Personal Data, the Society may only process the Personal Data:

  • Where the Society has the Data Subject’s consent (if any exists); or
  • For the establishment, exercise or defence of legal claims; or
  • For the protection of the rights of another natural or legal person; or
  • For reasons of important public interest.

7.8 Data Subjects shall have the right to withdraw consent at any time where processing is based on consent.

7.9 Data Subjects may object in writing to Personal Data being processed when this is being processed in furtherance of the legitimate interests of the Society (such as Personal Data which is processed in furtherance of the aims of the Society or data which is processed where necessary for the running of the Society). Where an objection is entered, the processing of data shall cease, unless MHS as data controller provides compelling and legitimate grounds requiring the continuation of the data processing which outweigh the objections raised by the Data Subjects.

7.10 Data Subjects may by written request demand that part or all their Personal Data be removed from the Society’s records except for data that the Society is legally required to keep for a specified time period for compliance with a legal obligation to which the Society is subject; or for the establishment, exercise or defence of legal claims; or where such Personal Data is retained for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as your exercise of this right to erasure is likely to render impossible or seriously impair the achievement of the objectives of such processing. In the eventuality that the erasure of said data compromises the ability to provide the service subscribed for or compromises the ability to carry out essential actions tied to membership then said subscription or membership shall be cancelled. There are other legal grounds entitling the Society to refuse erasure requests although the two instances above are the most likely grounds that may be invoked by the Society to deny such requests.

7.11 Data Subjects may lodge a complaint with the competent data protection supervisory authority. In Malta, the national supervisory authority is the Information and Data Protection Commissioner (IDPC). MHS kindly ask their Data Subjects to attempt to resolve any issues which might arise with them first, even though the right of the Data Subjects to contact the supervisory authority may be exercised at any time.

Transfers to Third Countries

8.1 As a general rule, the data MHS processes about its Data Subjects (collected via the website or otherwise) will be stored and processed in the EU in accordance with MHS’ technical and organisational measures, which are in line with GDPR, to ensure the best possible security for the Data Subjects’ personal data. However, in some cases, it may be necessary for MHS to transfer Data Subjects’ Personal Data to a non-EEA country. In such cases, apart from all appropriate safeguards that MHS implements in any case to protect the Data Subjects’ Personal Data, MHS has put in place additional adequate measures to protect such Personal Data.

Security Measures

9.1 The personal information which MHS may hold (and/or transfer to any affiliates/partners/subcontractors as the case may be) will be held securely in accordance with MHS’ internal security policy and the law. MHS uses reasonable efforts to safeguard the confidentiality of any and/or all Personal Data that it may process relating to its Data Subjects and regularly reviews and enhances its technical, physical and managerial procedures so as to ensure that such Personal Data is protected from:

  • unauthorised access
  • improper use or disclosure
  • unauthorised modification
  • unlawful destruction or accidental loss.

To this end, MHS has implemented security policies, rules and technical and organisational measures to protect the Personal Data that MHS may have under its control. All MHS staff and data processors (including specific subcontractors, established within the European Union), who may have access to and are associated with the processing of Personal Data, are further obliged (under contract) to respect the confidentiality of MHS’ Data Subjects’ Personal Data as well as other obligations as imposed by the Data Protection Laws.

Despite all the above, MHS cannot guarantee that a data transmission or a storage system can ever be 100% secure. For more information about our security measures please contact MHS in the manner described in Section 3 under the heading ‘Data Controller and Processor.’

9.2 Authorised third parties, such as payment service providers, with permitted access to the Data Subjects’ information are specifically required to apply appropriate technical and organisational security measures that may be necessary to safeguard the Personal Data being processed from unauthorised or accidental disclosure, loss or destruction and from any unlawful forms of processing. The said service providers (MHS’ data processors) are also bound by a number of other obligations in line with the Data Protection Laws (particularly, Article 28 of the GDPR).

Retention Periods

10.1 MHS will retain the Personal Data of Data Subjects only for as long as is necessary (taking into consideration the purpose for which they were originally obtained). The criteria MHS uses to determine what is ‘necessary’ depends on the particular Personal Data in question and the specific relationship MHS has with the Data Subject in question (including its duration).

10.2 The normal practice for MHS is to determine whether there is/are any specific EU and/or Maltese law(s) (for example tax or corporate laws) permitting or even obliging MHS to keep certain Personal Data for a certain period of time (in which case MHS will keep the Personal Data for the maximum period indicated by any such law). For example, any data that can be deemed to be ‘accounting records’ must be kept for ten (10) years.

MHS would also have to determine whether there are any laws and/or contractual provisions that may be invoked against MHS by Data Subjects and/or third parties and if so, what the prescriptive periods for such actions are (this is usually five (5) years in those cases where the Society’s contractual relationship with the Data Subject terminates or two (2) years in those cases where no such contractual relationship exists). In this case, MHS will keep any relevant Personal Data that it may need to defend itself against any claim(s), challenge(s) or other such action(s) by Data Subjects and/or third parties for such time as is necessary.

10.3 MHS will hold the Personal Data of any Member in its entirety for the duration of membership (including Dormant Membership) with the Society. Once a person ceases to be a Member, the Society will indefinitely retain for statistical and historical research purposes the following data:

  • Name and Surname;
  • ID Card Number;
  • Year of birth;
  • Date of last renewal.

Any other Personal Data will be deleted except where such data needs to be retained for auditing/reporting purposes in satisfaction of legal requirements.

10.4 Since the archiving in question is done/will be done in the public interest, the said processing of personal data by the Society is subject to a legal derogation found in Article 6(2) of the Maltese Data Protection Act (Chapter 586 of the Laws of Malta) which states that in connection with such processing of personal data, the Data Subject shall not be entitled to exercise:

  • Their Right of Access (Article 15, GDPR),
  • Their Right to Rectification (Article 16, GDPR),
  • Their Right to Restriction of Processing (Article 18, GDPR),
  • Their Right to Data Portability (Article 20, GDPR) as well as
  • Their Right to Object to such processing (Article 21, GDPR).

Moreover, the Society shall have no notification obligations arising under Article 19, GDPR in so far as rectification and erasure of personal data or restriction of processing are concerned. In addition, the Data Subject’s right to Erasure (Right to be forgotten) shall also not apply, and this on the basis of Article 17(3), GDPR.

The derogations above are necessary for the fulfilment of the archiving purposes (in the national/public interest) stated above because the exercise of any of the rights above would likely render impossible or seriously impair the achievement of the said archiving purposes (in the public interest).

10.5 The data of Dormant Members will be retained by the Society for a period of twenty-four calendar months from the last renewal date. During this period, these Members will be sent two reminders to regulate their status. If the Society does not receive any clear instructions in writing from the Members in question, the Society, upon expiration of the twenty-four month period, shall consider said membership as terminated and will proceed to treat their Personal Data in accordance with Paragraph 8.1.

10.6 The MHS will only hold the Personal Data of Individuals for the duration of the activity and/or subscription to a service provided by the Society. Some Personal Data may however be kept by the Society for a period of time after said activity or subscription has terminated in satisfaction of legal requirements.

10.7 The MHS will retain Contributors’ contact details as said Contributors may be invited to provide multiple lectures or contributions to publications throughout their career. This is in line with the MHS’s aim of furthering historical research and knowledge of the History of Malta. The Contributor may at any time request that his or her contact details be erased from the MHS records.

10.8 The MHS will retain the Sponsors’ Personal Data for as long as legally necessary. Once said legal obligation or contractual obligation expires, the MHS will retain the name and surname, and details of sponsorship for statistical and historical research purposes.

Links to Third Party Websites

The MHS website may provide links to third party websites. The MHS is not in any way responsible for the content of such websites, including any applicable privacy policies or data processing operations.

Updates

MHS reserves the right, at its complete discretion, to change, modify, add and/or remove portions of this Privacy Policy at any time. If you are a Data Subject with whom MHS has a contractual relationship you shall be informed by the Society of any changes made to this Privacy Policy (as well as other terms and conditions relevant to the Society’s operations). The Society shall also archive and store previous versions of the Privacy Policy for your review.

As a user of the website with which the Society has no contractual relationship or even a lawful way of tracing, it is in your interest to regularly check for any updates to this Privacy Policy (which are usually deemed to be effective on the date they are published on the website), in the event that the Society’s attempts to notify you of such updates do not reach you.

MHS Committee, 2021
