The WecSec privacy statement is based on the terms used by European Directives or Regulations upon adoption of the General Data Protection Regulation (GDPR). Our privacy statement should be simple to read and understandable for both our clients and business partners as well as for the general public. In order to ensure this, we would first like to explain the terminology used. We use, amongst others, the following terms in this privacy statement:
a) Personal data
Personal data refers to all information that relates to an identified or identifiable natural person (hereinafter referred to as “data subject”). A natural person is referred to as identifiable if they can be directly or indirectly identified, particularly through assignment to an identifier such as a name, an identification number, location data, online identification data, or to one or more factors specific to the physical, physiological, genetic, mental, financial, cultural, or social identity of this natural person.
b) Data subject
A data subject is any identified or identifiable natural person whose personal data is processed by those who are responsible for processing such data.
c) Processing
Processing is any operation or set of operations performed on personal data, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, usage, disclosure via transmission, distribution or otherwise making available, alignment or linking, restriction, deletion, or destruction.
d) Restriction of processing
Restriction of processing involves the marking of stored personal data with the aim of limiting its future processing.
e) Profiling
Profiling covers any type of automated processing of personal data that enables personal data to be used to evaluate specific personal aspects relating to a natural person, in particular to analyze or forecast aspects regarding the job performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements of that natural person.
f) Pseudonymization
Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be linked to a specific data subject without the use of extra information, as long as this additional information is stored separately and also technical and organizational measures are in place to ensure that personal data cannot be assigned to an identified or identifiable natural person.
g) Controller or person responsible for processing data
The controller or person responsible for processing data is a natural or legal person, authority, institution, or other body that either decides alone or with others on the purpose and means used to process personal data.
If the purposes and means of such processing are prescribed by EU law or the laws of Member States, then the controller or the specific criteria for the controller’s appointment can be provided for by EU law or the laws of Member States.
h) Processor
The processor is a natural or legal person, authority, institution, or other body that handles personal data on behalf of the controller.
i) Recipient
The recipient is a natural or legal person, authority, institution, or other body to which personal data is disclosed, whether a third party or not. Authorities that may receive personal data as part of a specific inquiry in accordance with EU law or the laws of Member States are not regarded as recipients.
j) Third party
A third party is a natural or legal person, authority, institution, or body other than the data subject, the controller, the processor, and persons authorized to process personal data under the direct authority of the processor or controller.
k) Consent
Consent is the informed and unambiguous permission freely provided by the data subject, in the form of a statement or clear affirmative action, by which the data subject signifies their agreement to the processing of any personal data relating to them.
2. Controller within the context of Article 4 (7) GDPR
The controller in the context of the General Data Protection Regulation, and other applicable data protection laws and regulations relating to privacy legislation applicable within the Member States of the European Union, is:
Il-Pjazzetta, Block A, Office 72
Sliema SLM 1607
Telephone: +356 7902 0448
E-mail: office.mt [at] wecsec.com
The data subject may prevent the setting of cookies by our website at any time using the corresponding setting on the internet browser, and therefore permanently refuse the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time via an internet browser or other software program. This is possible in all common internet browsers. If the data subject deactivates the setting of cookies in the internet browser used, some of the functions of our website may not be available.
4. Collecting general data and information
The WecSec website collects a series of general data and information when the website is accessed by a data subject or an automated system. This general data and information are stored in the server’s logfile. The following can be collected, namely (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system has reached our site (so-called referrer), (4) the subpages, via which an accessing system is forwarded to our website, (5) the date and time of access to the website, (6) an Internet Protocol address (IP address), (7) the internet service provider of the accessing system, and (8) other similar data and information that are used for cyber security purposes if attacks take place on our information technology systems. When using this general data and information, WecSec does not draw any conclusions regarding the data subject, rather this information is required to (1) deliver the contents of our website correctly, (2) optimize the contents of our website as well as the advertising for these, (3) ensure the long-term efficiency of our information technology systems and the technology behind our website, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in the case of a cyber attack. WecSec analyzes this anonymously collected data and information statistically with the aim of further improving data protection and cyber security within our company, to ultimately ensure an ideal level of protection for the personal data we process. The anonymous data saved in the server log files is stored separately from all personal data provided by a data subject.
5. Contact via the website
In accordance with regulations, the WecSec website contains information that enables fast electronic contact with our company as well as direct communication with us, which also includes a general address for electronic mail (e-mail address). If a data subject establishes contact with the controller by e-mail or using the contact form, the personal data transmitted by the data subject will be stored automatically. Personal data that is voluntarily transmitted to the controller by a data subject will be stored for processing purposes or to contact the data subject. None of this personal data is forwarded to third parties.
Legal justification for processing of personal data
Point f of Article 6 (1) GDPR (justified interest). If you use the contact form, we assume that you are interested in establishing contact with us and wish to exchange information.
Purpose of data processing
We will use the data collected via our contact form for handling that specific request for information.
Duration of storage
Unless required for further contractual performance or provision of services, or data retention obligations, the collected data is deleted once the request for information has been handled.
Options for revocation and deletion
The options for revocation and deletion are based on the general regulations regarding the right to revocation and deletion in data protection terms, which are described in this privacy statement.
6. Cyber security and data protection, e-mail communications
Your personal data is protected by technical and organizational measures during collection, storage and processing, such that it is not accessible to third parties. However, we cannot guarantee complete cyber security during unencrypted communication with our IT systems by e-mail. We therefore recommend sending highly confidential information either via encrypted means or by mail.
7. Legitimate interests in processing pursued by the controller or a third party
The processing of personal data is based on point f of Article 6 (1) GDPR, i.e. on the legitimate interest of business activities when the balance of interests is in favor of the welfare of our staff and our owners, for the purpose of service provision, provided there are no overriding legitimate interests or fundamental rights and freedoms of the data subject that are opposed to this.
8. Use of service providers
When providing its services, WecSec also uses external partners in the following categories: data storage cloud, e-mail provider.
We do not store your personal data for any longer than the duration of your time with us as a customer, and only store it for as long as it is required for the relevant processing purpose. Data is then blocked appropriately until the statutory retention period has elapsed, at which point it is permanently deleted.
10. Rights of the data subject
Right of confirmation: Every data subject has the right, granted by European Directives or Regulations, to request confirmation from the controller as to whether or not relevant personal data has been processed. If a data subject wishes to enforce this right of confirmation, they can contact any member of the controller’s staff at any time.
Right of access: Every person affected by the processing of personal data has the right, granted by European Directives or Regulations, to receive information from the controller, free of charge, about any personal data that is stored about them as well as to receive a copy of such information. Furthermore, European Directives and Regulations allow for the data subject to be made aware of the following:
- Processing purposes
- Categories of personal data that are processed
- Recipients or categories of recipients who receive or will receive such personal data, particularly in the case of recipients in third countries or international organizations
- If possible, the planned duration for which personal data is to be stored, or if not possible, the criteria used for determining this duration
- Existence of a right of rectification or erasure of personal data relating to them or a right of restriction of processing by the controller, or a right to withdraw consent to such processing
- Existence of a right to lodge a complaint with a supervisory authority
- If such personal data is not collected from the data subject: all available information regarding the origin of the data
- Existence of an automatic decision-making process including profiling in accordance with Article 22 (1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved as well as the scope and the envisaged consequences of such processing for the data subject
In addition, the data subject also has the right to obtain information regarding whether personal data was sent to a third country or an international organization. If this is the case, the data subject also has the right to obtain information regarding suitable guarantees that are linked with such transmissions. If a data subject wishes to exercise this right to access information, they can contact any member of the controller’s staff at any time.
Right to rectification: Every data subject affected by the processing of personal data has the right, granted by European Directives or Regulations, to request instant rectification of relevant personal data which happens to be incorrect. In addition, the data subject also has the right to request, taking processing purposes into account, the completion of incomplete personal data – even by means of a supplementary statement. If a data subject wishes to exercise this right to rectification, they can contact any member of the controller’s staff at any time.
Right to deletion (right to be forgotten): Every data subject affected by the processing of personal data has the right, granted by European Directives or Regulations, to request that personal data relating to them is deleted immediately by the controller, provided that one of the following reasons applies and that processing is not absolutely necessary:
- Personal data was collected or otherwise processed for purposes for which it is no longer necessary.
- The data subject withdraws their consent, which is the basis for processing in accordance with point a of Article 6 (1) GDPR or point a of Article 9 (2) GDPR, and there is no other legal ground for processing.
- The data subject can object to processing in accordance with Article 21 (1) GDPR and there are no overriding legitimate reasons for processing, or the data subject objects to processing in accordance with Article 21 (2) GDPR.
- Personal data has been illegally processed.
- Deletion of personal data is necessary to satisfy a legal requirement in accordance with EU law or the laws of Member States, to which the controller is subject.
- Personal data has been collected in relation to the offer of information society services as per Article 8 (1) GDPR.
If one of the above reasons applies and a data subject wishes to request the erasure of personal data held by WecSec, they can contact a member of the controller’s staff at any time. The cyber security staff at WecSec will ensure that erasure is carried out as promptly as possible. If personal data is made public by WecSec, and if our company, as the controller, is obliged to erase personal data in accordance with Article 17 (1) GDPR, WecSec will take the appropriate steps, including technical measures, taking the available technology and the costs of implementation into account, to inform other controllers processing the personal data that the data subject has requested erasure by such controllers of any links to, copies of or duplicates of this personal data, provided processing is not required. WecSec cyber security staff will instigate the necessary measures on a case-by-case basis.
Right to withdraw consent in data protection matters: Every data subject affected by the processing of personal data has the right, granted by European Directives or Regulations, to revoke their consent to the processing of personal data at any time. If the data subject wishes to assert their right to withdraw their consent, they can contact a member of the controller’s staff at any time.
Right to lodge a complaint: If data protection laws are infringed, the data subject has the right to lodge a complaint with the relevant supervisory authorities. You also have the right to engage a lawyer and enforce your rights.
Right to data portability: You have the right to receive the data that we have stored on you in a structured, accessible, machine-readable format, or to have your personal data transferred directly by us to another controller provided that this is technically feasible and that the rights and freedoms of other people are not infringed as a result.