Privacy Policy

The Authority for Transport in Malta

Privacy Notice

The Authority for Transport in Malta (hereafter also referred to as ’the Authority’, ’Transport Malta’, ’we’ or ’us’) is the data controller for the purposes of applicable data protection law. The Authority respects your privacy and is committed to protecting your personal data which we process. This Privacy Notice explains how the Authority will comply with applicable data protection law, this includes, the General Data Protection Regulation(EU) 2016/679 (’GDPR’), the Data Protection Act (Chapter 586 of the Laws of Malta), any subsidiary legislation thereto and any other applicable laws relating to privacy and electronic communications as may be amended from time to time.

It is important that you read this Privacy Notice, together with any other privacy notice that is provided on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using your information.

Data Controller

The Data Controller is the Authority for Transport in Malta, a body corporate established by Chapter 499 of the Laws of Malta, or its successor in terms of law. This means that we are responsible for deciding how we hold and use personal information about you. In certain circumstances, when the Authority delivers services in partnership with another public authority, the Authority will be a joint data controller with that public authority. Transport Malta’s contact details are as follows:

Address:

Malta Transport Centre,
Triq Pantar,
Ħal Lija, LJA2021

 

Transport Malta,
A3 Towers,
Triq l-Arkata,
Paola, PLA 1212

 

Tel: +356 21222203 or +356 80072393 from 0800hrs to 1630hrs

For general contact please send us an email on info.tm@transport.gov.mt

Data Protection Officer

The Authority has appointed a Data Protection Officer (’DPO’) who is responsible for matters relating to privacy and data protection. The Authority’s DPO can be reached by sending an email at dataprotection.tm@transport.gov.mt

What is Personal Data?

Personal Data is any information relating to an identified or identifiable natural living person, otherwise known as a ’Data Subject’. A Data Subject is an individual who can be identified, directly or indirectly, by information such as name, identification number, location data, online identifier, or other data relating to their physical, physiological, genetic, mental, economic, cultural, or social identity. These categories of identifying information are known as personal data. Personal data excludes any data which has been rendered anonymous in such a manner that the data subject is no longer identifiable (anonymous data).

Special category data is data on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person’s sex life or sexual orientation. The Authority will only process special categories of data (sensitive data) under strict conditions and with an appropriate legal basis.

We process personal data about the following categories of data subjects:

  • members of the public
  • suppliers and service providers
  • service users
  • advisers, consultants and other professional experts
  • complainants and enquirers
  • agents and representatives
  • job applicants and employees.

Data protection principles

The Authority is committed towards compliance. If we need to collect, store or otherwise use your personal data, we will abide by the following data protection principles:

  • Lawfulness, fairness and transparency: the processing of personal data shall take place in a lawful, fair and transparent manner;
  • Purpose Limitation: the collection of personal data shall only be performed for specified, explicit and legitimate purposes and shall not be further processed in a manner that is incompatible with those purposes;
  • Data Minimisation: the collection of personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed;
  • Accuracy: the personal data shall be accurate and where necessary, kept up to date. Every reasonable step shall be taken to ensure that personal data that are inaccurate having regard to the purposes for which they are processed, are erased or rectified without delay;
  • Storage Limitation: the personal data shall be kept in a form which permits identification of the data subject for no longer than it is necessary for the purpose for which the personal data are processed;
  • Integrity and Confidentiality: the personal data shall be kept confidential and stored in a manner that ensures appropriate security. Personal data shall not be shared with third parties except when necessary and with a justifiable legal basis.

The personal data we collect and how we use it

We collect and process personal data relating to you in connection with your use of this website and our relationship with you. This personal data may include:

Personal data Purpose for processing Legal basis
Your name and contact details, including your address, phone number and email address. To perform our functions as a public authority and to comply with our legal obligations.

To provide you with information about, and support in connection to the services, including changes to the services, technical updates and changes to terms and conditions as well as this Privacy Notice.
The legal basis we rely on to process your personal data is article 6(1) (e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks in our capacity as a regulator.

Article 6(1) (c) is also relied upon in order to comply with all applicable legal obligations.
Different categories of personal data depending on the services offered to you. To grant, renew, refuse, suspend or revoke any licence, certificate or other document.

To regulate the use of ports, aerodromes, any transport facility including different means of public transport, and services provided at such facilities.

For the provision of information with regards to any legislative amendments which may affect the services offered to you.

Upon data collection you will be provided with information on how we will process your personal data within a specific privacy notice.
 
The legal basis we rely on to process your personal data is article 6(1) (e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks in our capacity as a regulator.

Article 6(1) (c) is also relied upon for the Authority to perform its duties and obligations as defined within the constituent legal instrument (Chapter 499)
Information that you provide in any online application form, including Freedom of Information requests, enquiries and complaints.

Call recordings.

If you are acting on behalf of someone making a complaint, the Authority will require you to provide proof of authorisation to act on someone else’s behalf, to satisfy us of your identity
To process application forms, including for Freedom of Information requests.

To respond to queries and feedback submitted by you.

To investigate and take regulatory action in line with our statutory duties.

Inbound calls to customer care are recorded for quality assurance and training purposes.
The legal basis we rely on to process your personal data is article 6(1) (e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks in our capacity as a regulator.

Article 6(1) (a) based on consent will allow the Authority to process its applications and respond to any queries or enquiries.

If the information you provide us contains any special category data (sensitive data) the legal basis we rely on to process it is Article 9(2) (g) of the GDPR, which also relates to our public task and the safeguarding of your fundamental rights.
CCTV recordings To comply with international and national security obligations.

For the purposes of traffic management and control, as well as road safety.

For the purposes of ensuring a safe and efficient management of the ports in Malta.

We have affixed CCTV signage to indicate such processing.

For more information please refer to our CCTV Code of Practice.
The legal basis we rely on to process your personal data is article 6(1) (e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks in our capacity as a regulator.

Article 6(1) (c) is also relied upon for the Authority to perform its duties and obligations as defined within the constituent legal instrument (Chapter 499)
Information that you submit during a consultation process or survey. Generally, the publication of consultation responses will be anonymised. Should we want to publish your name and/or role alongside your response, we will inform you accordingly and seek your approval, where required. To engage in a consultation process.

To carry out research and customer satisfaction surveys.
The legal basis we rely on to process your personal data is article 6(1) (e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks in our capacity as a regulator.

In certain circumstances we may also rely on consent under article 6(1) (a) of the GDPR. In such cases, you will be provided with clear information as to what you are consenting to and how you can withdraw your consent.
Personal details of job applicants including full name and contact details; work experience; education; and referees. To assess your suitability for a role you have applied for. For more information please read our Job Applicants Privacy Notice. The legal basis we rely on for processing your personal data is article 6(1) (b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract.
Personal data of employees relating to their employment at the Authority for Transport in Malta. Personal data is collected for purposes pertaining to the individual’s employment with the Authority, including but not limited to performance reviews, the administration of employee payroll, and for the purpose of complying with applicable employment legislation.

For more information employees should refer to our Employees Privacy Notice which is provided to all employees at commencement of employment.
The legal basis we rely on for processing your personal data is article 6(1) (b) of the GDPR, which relates to processing necessary to perform a contract.
 
Details relating to your visit to our premises, including full name, company name, mobile number, time in, time out, visitor pass number and signature. For security and safety purposes. The legal basis we rely on to process your personal data is article 6(1) (c) of the GDPR, which allows us to process personal data when this is necessary to comply with a legal obligation to which we are subject.

More specifically, the obligations emanating from Chapter 424 of the Laws of Malta.
Filming and photography. We aim to avoid using images which could identify members of the public.In certain cases we will require your consent. For publication in our official publications and/or our social media channels. The legal basis we rely on to process your personal data is article 6(1) (e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks in our capacity as a regulator.

In certain circumstances we may also rely on consent under article 6(1) (a) of the GDPR. In such cases, you will be provided with clear information as to what you are consenting to and how you can withdraw your consent.
Personal data relating to individuals or organisations providing us with a service. To enter into negotiations and arrangements to develop, improve, coordinate and secure the provision of public transport services.

To take steps to enter into a contract of services with the organisation and to manage our business relationship.
The legal basis we rely on for processing your personal data is article 6(1) (b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract.
Any personal data relating to you that you provide to us or that we generate about you in connection with your use of our official website and mobile applications.

When you visit our website, the following information is retained about that visit:
  • IP (Internet Protocol) address;
  • the number of times per visit a request for data was received from each IP address;
  • the entry page to our website;
  • the length of time spent on our website;
  • the exit page from our website;
  • the IP address of a link if used to access our website;
  • the identity of any search engine used to access our website;
  • a list of all the pages visited while in our website; and
  • the name of the browser used, e.g. Firefox, Chrome, Internet Explorer.

No attempt is made to identify individual users or to associate the technical details listed above with any individual
To improve and develop this website and our mobile applications.

To generate and analyse statistics regarding usage of this website, including the frequency of use of individual pages (where possible, personal data will be anonymised before being used for this purpose).

For more information please refer to our Cookies Policy.
The legal basis we rely on to process your personal data is article 6(1) (e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks in our capacity as a regulator.

Failure to provide the information

In most cases, the provision of personal data arises either from statutory requirements or contractual provisions. Where applicable, failure of the provision thereof will prevent the Authority fromcomplying with its legal or regulatory obligations; concluding contracts; and delivering the services requested.

Your responsibility to inform us of changes

It is important that the personal information we hold about you is accurate and current. You need to keep us informed if your personal information changes, for example, a change of surname, signature, address, and/or identity card number.

Cookies Policy

The Authority for Transport in Malta (hereafter also referred to as “Transport Malta”, "us", "we", or "our") uses cookies on the www.transport.gov.mt website (the “website”).

Our Cookie Policy explains what cookies are, why we use and how we use cookies, how third parties we may partner with may use cookies on the Website, your choices regarding cookies and further information about cookies.

What are cookies

A cookie is a small text file (typically numbers and letters) that is downloaded onto ‘terminal equipment’ (e.g. your computer or smart phone) when the user accesses a website using that device. Cookies are then sent back to originating website on each subsequent visit – and they are useful because they allow a website to recognise a user’s device and store some information about your preferences or past actions.

Some cookies are needed for the sole purpose of carrying out the transmission of a communication over an electronic communications network – others may be necessary for the provision of a service over the internet, in which case they have to be used.

Other cookies may be desirable to improve your experience, in which case we will ask you for your consent to use them.

How we use cookies

We use cookies to improve the user experience, to distinguish between visitors and their location, to improve the use and functionality of the website, to enable certain functions of the website, such as navigation and access to secure areas of the website, aggregate statistics about the number of visitors to the Website; and to obtain data about how the website is being used. This data enables us to develop and optimise the use of the website.

Cookies may either be deleted automatically when the user closes their web browser ("session cookies") or stored on the user's device to facilitate future visits to the Website ("permanent cookies"). Permanent cookies will also be automatically deleted after a specified period of time as provided below.

What cookies do we use?

The following table lists the types of cookies that are placed on the website, their function, and the purposes for which the data is collected and for how long it is retained. Please note that the names of the cookies may change over time.

Provider Cookie Name Expiration (when will the cookie be deleted from your computer) Purpose of the Cookie Is the cookie essential for the website to work Who controls/has access to the cookie related information
transport.gov.mt ASPSESSIONID# End of Session Preserves users states across page requests. Yes Transport Malta
Gov.mt _ga
_gat
_gid
2 years
10 Minutes
1 day
a) Registers a unique ID that is used to generate statistical data on how the visitor uses the web site.
b) Used by Google analytics to throttle request rate
NO
Google Analytics Collect End of Session Used to send data to Google Analytics about the visitor's device and behaviour. Tracks the visitor across devices and marketing channels. NO Google

What are your choices regarding cookies?

When you visit the Website, you will be requested to accept cookies and/or manage your cookie settings. We can store cookies on the user’s device if they are strictly necessary for the operation of this site, however, for all other types of cookies, we need to obtain the consent of the user.

Please note, that you may change your mind at any time and may delete, block or refuse to accept cookies. If you do so, you might not be able to use the full functionality of the website, all of the features we offer, or you may not be able to store your preferences, and some of our pages might not display properly.

How to control cookies

You can control and/or delete cookies as you wish. For details on how to control and/or delete cookies, please see:

Delete Cookies in Microsoft Internet Explorer

Delete Cookies in Mozilla Firefox browser

Delete Cookies in Google Chrome browser

Delete flash cookies (all browsers)

You can delete all cookies that are already on your computer and you can set most browsers to prevent them from being placed. If you do this, however, you may have to manually adjust some preferences every time you visit a site and some services and functionalities may not work.

Changes to this Policy

We may update this Cookies Policy from time to time. If we make any significant changes to this policy, we will update a notice regarding the same on the website however, it is advisable to regularly check this Policy to ensure that you are aware of the most updated version.

Disclosing your personal data

Except as described in this Privacy Notice, we will not intentionally disclose the personal data that we collect or store to third parties without your prior explicit consent. We may disclose information to third parties in connection with the abovementioned purposes, in the following circumstances:

Recipients Legal Basis
Any third parties who we engage to provide services to us, such as outsourced IT service providers and professional advisors. The legal basis we rely on for disclosing your personal data is article 6(1) (b) of the GDPR, which relates to processing necessary to perform a contract.
Any advisers/auditors auditing any of our business processes or who need to access such information for the purpose of advising us. The legal basis we rely on for disclosing your personal data is article 6(1) (b) of the GDPR, which relates to processing necessary to perform a contract.

Moreover, article 6(1) (c) of the GDPR, permits the disclose of personal data when this is necessary to comply with a legal obligation to which we are subject.
Any law enforcement body which may have any reasonable requirement to access your personal data for the purposes of the prevention, investigation or detection of crime.
Any regulatory body or authorised entity where required or permitted by law, which may have any reasonable requirement to access your personal data.
Any successor (or receiving) entity in the event of reorganisation or similar event.
The legal basis we rely on to process your personal data is article 6(1) (e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks in our capacity as a regulator.

Moreover, article 6(1) (c) of the GDPR, permits the disclosure of personal data when this is necessary to comply with a legal obligation to which we are subject.

All our third-party service providers are required to take appropriate security measures to protect your personal data in line with our policies. Moreover, we only permit them to process your personal data for specified purposes and in accordance with our legally binding agreements.

International Transfers

The information you provide to us may be shared with third parties including regulators, public authorities and law enforcement agencies situated in other European Economic Area (EEA) Member States or in countries outside of the EEA. The Authority will only transfer personal data outside the EEA after taking the necessary steps to ensure that your privacy rights continue to be protected, as outlined in this Privacy Notice and in accordance with applicable data protection laws. For example, we will transfer your personal data outside of the EEA with your consent, to fulfil a legal obligation, to fulfil our contractual obligations or to protect public interest.

Data Retention

The personal data that we process for the above mentioned purposes shall not be kept for longer than is necessary. We retain your personal data for as long as we need it to comply with our obligations under applicable law, to enforce our agreements and, if relevant, for the establishment, exercise and defence of legal claims.

We will actively review the personal data we handle, process and store and will delete or anonymise it in a secure manner when there is no longer a legal, business or customer need for it to be retained.

For more information on the retention of your personal data please contact us on dataprotection.tm@transport.gov.mt.

In those cases where it is not possible for us to specify in advance the periods for which your personal data will be retained, we will base our determination on the following criteria:

  • The purpose/s for which your personal data was collected;
  • Whether there are any statutory obligations, obliging us to continue to process your information;
  • Whether we have a legal basis in place to continue to process your information, including but not limited to consent;
  • The value attached to your information;
  • Whether there are any industry practices stipulating how long information should be retained;
  • The risk, cost and liability attached to such retention; and
  • Any other relevant circumstances.

Data Subject Rights

As a data subject you have a number of rights, in certain circumstances and subject to certain restrictions, in relation to your personal data. We will endeavour to uphold your rights to the extent that they apply to the way in which we process your personal data as a public authority.

Right to be informed As a key part of the transparency requirements, you will be provided with various categories of information which are normally provided within a privacy notice. Any such privacy notice will inform you of:
  1. the identity and contact details of the data controller;
  2. the contact details of the Data Protection Officer;
  3. the purpose and legal basis for processing;
  4. the source that the personal data originated from;
  5. the categories of personal data which we will process;
  6. the categories of recipients with whom data has been or will be shared;
  7. any transfers of data to countries outside of the EU/EEA and the safeguards in place where that occurs;
  8. how long the data will be kept for or the criteria used to determine the retention period;
  9. the rights to which you are entitled;
  10. whether providing the personal data is a contractual or statutory requirement, and if so the possible consequences of not providing it;
  11. whether automated decision which might significantly affect you will take place, and if so information about the logic involved and how it might affect you.
Right of access You have the right to obtain for us confirmation as whether or not personal data concerning you is being processed, and where that is the case, access to the personal data and the additional information.
Right to rectification You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you.
Right to erasure You have the right to obtain from us the erasure of your personal data in terms of law. This right is limited by, and subject to all our compliance, regulatory and legal obligations.
Right to restriction of processing You have the right to obtain from us restriction of processing where, one of the following applies:
  1. the accuracy of personal data is contested by yourself for a period enabling us to verify the accuracy of your personal data;
  2. the processing is unlawful and you oppose to the erasure of your personal data and request the restriction of its use instead;
  3. we no longer need the personal data, but it is required by yourself for the establishment, exercise or defence of legal claims;
  4. an objection to processing pursuant to your right to object pending the verification whether our legitimate grounds override yours.
Right to data portability You shall have the right to receive your personal data which you have provided to us, in a structured, commonly used and machine-readable format.
Right to object In certain circumstances, you have the right to object to us processing your personal data.

We shall no longer process your personal data unless we have a compelling legitimate ground for the processing to continue, or the processing related to legal claims.
Right to know of the existence of automated decision making Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention.

In establishing and carrying out our service, we generally do not use any automated decision-making pursuant to Article 22 of the GDPR. You will not be subject to decisions that will have a legally binding or significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we notify you accordingly.
Right to withdraw consent Where our processing of your personal data is based on you having provided consent, you have the right to withdraw your consent to the processing at any time.
Right to lodge a complaint Should you require any clarification or need to discuss matters relating to the processing of your personal data, you may contact our Data Protection Officer by email at dataprotection.tm@transport.gov.mt.

In the case you are not satisfied with the outcome, as a data subject, you also have a right to lodge a complaint with the Information and Data Protection Commissioner, either online, via the submission of a report by conventional mail, or by email at idpc.info@gov.mt. Also, you may seek to enforce your rights through judicial remedy.

If you intend to exercise one or more of your rights, please send your request by email at dataprotection.tm@transport.gov.mt.

Any request you make to us to exercise these rights will receive appropriate consideration, within the timescales required by data protection law. Generally, the Authority will respond to these requests within one (1) month, with a possibility to extend this period to three (3) months for particularly complex requests, in accordance with applicable law. In any case, we will inform you accordingly.

Before we can act on your request, and where deemed reasonably necessary, you will be required to provide us with proof of your identity. This measure is intended to ensure that personal data is not disclosed to unauthorised third parties. Moreover, the Authority may require additional information in relation to your request to speed up our response process.

We reserve the right to withhold personal data if disclosing it would adversely affect the rights and freedoms of others. Generally, no fees are applicable when exercising your rights. However, we may charge a reasonable administrative fee if your request is clearly unfounded, repetitive or excessive.

Security

We take appropriate security measures to protect against loss, misuse and unauthorised access, alteration, disclosure, or destruction of your information. The Authority has taken steps to ensure the ongoing confidentiality, integrity, availability, and resilience of systems and services processing personal information, and will restore the availability and access to information in a timely manner in the event of a physical or technical incident.

No method of transmission over the Internet, or method of electronic storage, is 100% secure. We cannot ensure or warrant the security of any information you transmit to us, and you do so at your own risk. We also cannot guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or organisational safeguards.

All of our staff who process personal data are provided with regular training on information security and Data Protection practices and industry standards.

We have put in place procedures to deal with any suspected personal data security breach and will notify the regulator of a suspected breach where we are legally required to do so. In certain cases, we will also inform you, as the data subject, of the occurrence of the breach and the steps you need to take to safeguard your rights.

If you believe your personal data has been compromised, please contact the Authoritys Data Protection Officer by email at dataprotection.tm@transport.gov.mt.

Privacy by design and by default

Where we introduce new technologies, policies or processes, we will ensure that your privacy is considered from the outset i.e. at the design stage, and where applicable we will carry out a Data Protection Impact Assessment (DPIA) in line with Articles 35 and 36 of the GDPR.

We will always carry out a DPIA where we use new technologies or consider there is a high risk to your rights and freedoms. Where an assessment identifies risks that cannot be satisfactorily reduced or avoided, we will seek advice from the Supervisory Authority (Office of the Information and Data Protection Commissioner) before starting the processing.

Links to other websites

Where we provide links to websites of other organisations, this Privacy Notice does not cover how that organisation processes your personal information. We encourage you to read the privacy notices on the other websites you visit.

Changes to this Privacy Notice

This Privacy Notice may change from time to time. If we change this Privacy Notice in ways that may affect how we use your personal data, we will advise you of the choices you may have as a result of those changes. We will also post a notice that this Privacy Notice has changed.