This Privacy Notice (the “Notice”) relates to the services provided by Papilio Services Limited (“we”, “us”, “our”), a private limited liability company registered in Malta bearing company registration number C55990 and having its registered office at 168, St Christopher Street, Valletta VLT 1467, Malta.
Papilio Services Limited respects your privacy and wants to ensure that your personal data is protected.
This Notice sets out the basis on which we will process your personal data when:
– you approach and engage us to provide you with our legal, advisory, company, compliance and book keeping services (the “Services”);
– receive the various Services that you may request from us during the course of this engagement; and/or,
– you visit and use our website <https://www.papilioservices.com> (the “Website” or the “Site”).
This includes any data that you may provide for and in relation to our newsletters, legislative updates, events and other marketing and promotional communications.
By engaging us to provide you with our Services, you enter into a contractual relationship with Papilio Services Limited, as subject to and governed by our Letter of Engagement which stipulates that we will process your personal data in accordance with the practices set out in this Notice.
2. Applicable Laws
Papilio Services Limited is established in the Republic of Malta. Consequently, the main privacy laws that are applicable to us in so far as you are concerned, are as follows:
i. The Data Protection Act (the “DPA”), Chapter 440 of the Laws of Malta, as may be amended from time to time;
ii. The General Data Protection Regulation (the “GDPR”), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC, as may be amended from time to time.
Please note that in addition to the DPA and the GDPR, Papilio Services Limited is regulated by strict rules on professional secrecy.
3. Who we are
Papilio Services Limited is the controller responsible for the Website. It is also the data controller of any personal data which we collect or receive and which we process in connection with (i) the Services that we offer and/or (ii) the Website.
Please do not hesitate to contact us for any clarification which you may need in relation to this privacy notice. Our contact details are as follows:
Papilio Services Limited
168, St. Christopher Street,
Valletta, VLT 1467,
Email address: firstname.lastname@example.org
You also have the right to lodge complaints with the appropriate Data Protection Supervisory Authority. The competent authority in Malta is the Office of the Information and Data Protection Commissioner. We kindly ask that you please attempt to resolve any issues that you may have with us first.
4. Personal Data that we may collect
The table below lists the various categories of personal data that we may collect about you, including:
|Identity and Contact Data
– Mailing address;
– Telephone or mobile number;
– Email address.
– Email address;
– Mailing address;
– Proof of opt-in consent (where needed);
– Objections to marketing;
– Website data;
– Online identifiers (including IP addresses and information generated via your browser).
– Proof of Address;
– Proof of age;
– Financial status information (bank statements, source of income/wealth etc.);
– Other KYC documentation or information.
|– Internet protocol (IP) address;
– Login data;
– Browser type and version;
– Time zone setting and location;
– Browser plug-in types and versions;
– Operating system and platform.
||– Bank account details;
– Details about any payment methods used to settle our invoices.
5. How we collect Personal Data
a. Direct Interactions
You may give us your personal data by completing our letter of engagement, filling in our forms (such as our ‘Information Request Form’ accessible at: https://www.papilioservices.com/contact-us/), or by corresponding with us by post, phone, email or otherwise or during face-to-face meetings.
b. Automated technologies or interactions
When you interact with our Website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We may collect this personal data by using cookies, server logs and other similar technologies.
c. Third parties or publicly available sources
We may receive personal data about you from various third parties and public sources. This data includes Identity, Contact and Compliance Data from publicly available sources such as public court documents, the Malta Registry of Companies, the Malta Ship Registry, companies and shipping registers of other jurisdictions, and from electronic data searches, online search tools (which may be subscription or license based), anti-fraud databases and other third party databases, sanctions lists and general searches carried out via online search engines (e.g. Google).
6. How we use your personal data
We value your privacy and we will only use your personal data when the law allows us to. Normally, we will use personal data in the following circumstances:
• When you wish to engage us;
• When we provide you with any of our Services;
• When we need to comply with our legal and professional obligations to third parties, in particular our legal obligations with respect to anti-money laundering and combating the funding of terrorism (this includes our obligations to regulators);
• When it is necessary for our legitimate interest, provided such interest is not overridden by your interests, fundamental rights and freedoms;
• When it is necessary to manage our relationship with you or your company, including for billing and debt collection purposes;
• Keeping you updated with legal updates, news, and events organised by Papilio Services Limited where it is in our legitimate interests to do so;
• When you visit our offices, for the purposes of securing access to our offices.
Your personal data might also be processed by us on the basis of your explicit consent. In such a case, we will process your personal data for the purposes for which your explicit consent was requested. This applies to applicants for a job at Papilio Services Limited who wish that we retain their personal data for the purposes of being contacted with future potential job openings of interest and with respect to communications related to marketing, legal updates, newsletters and events.
7. Purposes for which we will use your personal data and the legal basis for the processing
The purposes for which we will use your personal data and the legal basis for the processing are the following:
a. Entering into and performing a contract
In order to provide you or your company with our Services, managing our relationship with or receiving a service from you or your company.
The provision of your personal data to us is necessary to perform the services envisaged in our Letter of Engagement. The consequence for not doing such processing would be that we would be unable to provide you with our Services and enter into a contract of engagement.
b. Our legitimate interest
Our legitimate interest may arise directly or indirectly in relation to our clients’ instructions, CCTV footage at our offices, and in keeping you updated with legal updates and events.
When we process your personal data on the basis of our legitimate interest, we ensure that such interest is not overridden by your interests, fundamental rights and freedoms.
c. Your explicit consent
In order to be able to provide you with communication related to marketing, newsletters, legal updates and events that you may have requested from us or that we may be authorized at law to provide to you.
In case that you provide us with your explicit consent to process your personal data, our processing shall be limited to the purposes specifically indicated when your consent was requested.
d. Compliance with our legal and professional obligations
This includes our legal obligations imposed on us as a result of anti-money laundering and combating the funding of terrorism legislation. It also includes our obligations to prevent, detect, respond or report other potential illegal activities to regulators.
Please note that normally, we do not process any special categories of personal data. Such special categories include data revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric or health data, sexual orientation and data related to your conviction and offences.
When special categories of personal data become envisaged on another basis, we will ensure that we have additional grounds for processing your personal data and will communicate to you any relevant information which may be required under applicable laws.
8. Disclosures of your personal data
We may disclose your personal data with third party recipients who are:
• Selected individuals within Papilio Services Limited, on a need-to-know basis;
• Our associated corporate entities; including, Papilio Corporate Limited, Papilio Holdings Limited and 168 Holdings Limited;
• any service providers that may have access to your personal data in rendering us with their support services, including IT, accounting and auditing service providers; and
• third parties to whom disclosure may be required as a result of the relationship with you as a client;
• any business partners to whom you may have requested that we transfer your personal data; and
• third parties to whom disclosure may be required as a result of legal obligations imposed on us.
9. International transfers
It is important to note that we do not share your personal data with any entity located outside of the EU or EEA, unless specifically instructed and consented by you.
10. Data retention
We retain your personal data for as long as necessary to fulfil the purposes for which we collected it and, thereafter, for the purpose of satisfying any legal, accounting, auditing, tax, anti-money laundering and regulatory reporting requirements or obligations to which we may be subject and/or to exercise or defend any legal claims by or against you.
Generally, our retention of your personal data shall not exceed the period of six (6) years from the closure of your file and you cease to be our client. This retention period enables us to make use of your personal data for potential AML reporting obligations to the Financial Intelligence Analysis Unit (FIAU) and/or to exercise or defend any legal claims by or against you.
Invoices, credit notes and similar transactional documents or information will be kept by us for up to ten (10) years from completion of the relevant transaction on the basis of legal obligations imposed on us by accounting and tax laws to retain such information.
We may have a legitimate interest to retain your data for longer periods of time. This includes circumstances where we are legally obliged to do so or when your data is required for exercising or defending legal claims.
11. Data security
Your personal data shall be kept secure and we shall commit to take appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, including against accidental loss, destruction, storage or access.
We may store your personal data in paper files or electronically on our technology systems or on technology systems of our IT service providers.
12. Your legal rights
Under data protection laws, you have rights in relation to your personal data. These rights include the following:
a. Right of access
You have the right to ascertain which personal data we hold about you and to receive a copy of such personal data;
b. Right to rectification
You have the right to ask us to rectify inaccurate personal data and to complete incomplete personal data concerning You. We may seek to verify the accuracy of the data before rectifying it. It is in your interest to keep us informed of any changes or updates to your personal data which may occur during the course of your relationship with us, since this may otherwise impair our ability to provide you with our Services or the quality thereof.
c. Right to erasure
You may request that we delete the personal data that we hold about you in one of the following circumstances:
i. there is no good reason for us continuing to process it;
ii. you have successfully exercised your right to object to processing (see below);
iii. we may have processed your information unlawfully; or
iv. we are required to erase your personal data to comply with local law.
In any case, we shall not be legally bound to comply with your request to erasure if the processing of your personal data is necessary:
i. for compliance with a legal obligation to which we are subject (including but not limited to our data retention obligations); or
ii. for the establishment, exercise or defence of legal claims.
There are other legal grounds entitling us to refuse erasure requests although the two instances above are the most likely grounds that may be invoked by us to deny such requests.
d. Restriction of processing
This enables you to ask us to suspend the processing of your personal data in the following scenarios:
i. if you want us to establish the data’s accuracy;
ii. where our use of the data is unlawful but you do not want us to erase it;
iii. where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
iv. you have objected to our use of your personal data, but we need to verify whether we have overriding legitimate grounds to use it.
e. Object to processing
This enables you to object to the processing of your personal data if you feel that it impacts on your fundamental rights and freedoms in those cases where we are relying on a legitimate interest or those of a third party. You also have the right to object where we are processing your personal data for direct marketing purposes.
Where an objection is entered, the processing of data shall cease, unless we provide compelling and legitimate grounds requiring the continuation of the data processing which outweigh the objections you may have raised.
f. Right of data portability
You have the right to ask us to provide your personal data to you, or a third party you have chosen, in a structured, commonly used, machine-readable format. Please note that this right shall only apply where:
i. The processing is based on your consent or on the performance of a contract with you; and,
ii. The processing is carried out by automated means.
g. Right to withdraw your consent
Where our processing is based on your consent, you have the right to withdraw your consent. Withdrawal of your consent shall not affect the lawfulness of the processing based on your consent prior to the withdrawal of your consent.
As a security measure, before we provide you with assistance to exercise your rights as described above, we may ask you to verify your identity to ensure that we do not disclose any of your personal data with any unauthorised third parties.
13. Time limit to respond
We make our best to reply to all legitimate requests within one month from receiving them. In some cases, particularly, if the matter is particularly complex or if you send us multiple requests, it may take us longer than one month. In such cases, we will notify you accordingly and keep you updated.
14. Changes to this Notice
We reserve the right to make changes to this Notice in the future. If you are an existing client with whom we have a contractual relationship, we shall inform you of any changes made to this Notice. If you have any queries or comments regarding this Notice please contact us on the contact details indicated above.