Credit Information at your Fingertips ...

GDPR Website Privacy Policy

Our Commitment to You.

  1. We will only use your data to improve your experience.
  2. We will protect your data like it’s our own.
  3. You decide what and how you hear from us.
  4. If we don’t need it, we’ll delete it.
  5. Your privacy is our priority.

Protecting Your Privacy

We, the team at MACM, strongly value our own privacy – and therefore are committed to protect your personal data (i.e. information that identifies you) as though it is our own. If you have any questions about how we protect your privacy, get in touch here: privacy@macm.org.mt  

One of your rights under EU law - the GDPR - is that you must be informed when your personal data - also known as personal information - is processed (collected, used, stored) by any organisation. You also have the right to know the details and purpose of that processing. 

This privacy policy describes our practices relating to the personal data of visitors of www.macm.org.mt and make use of our online facilities, as well as personal data relating to data subjects acting in their own personal capacity, whose personal data is used for the purposes of creating and maintaining MACM’s credit information system regarding defaulting debts, which system is made available to lenders and creditors who are MACM Members (‘Members’). For all our services, the data controller — the company that’s responsible for your privacy — is MACM, the Malta Association of Credit Management with its address at Mdina Bastions, Block D, Office 1, N/S off Triq Mikielang Sapiano, Haz-Zebbug.

We assure you that we will only use and disclose any personal data collected from you in accordance with the manner set out in this policy. 

Navigating this Privacy Policy (Contents)


1. Information we collect

Most of the personal information which we may collect about you through this website is given to us only if you choose to give it to us. Such personal information may be requested from you when you fill in a field (e.g. to fill in any other form with your questions and comments or any other form or application downloaded through or from MACM Website). If you send us emails, then the personal data we process will depend on what you send us in the email. 

The information we collect about you normally includes the following:

A)  Name and Surname

B)  Contact Details  :     

  • Email address
  • Telephone Number
C)  Default Information if applicable;


D)  Information from accounts you link to us;

E)   Your responses to our surveys and Saved Items;

F)   Information about your device (phone or laptop) with which you accessed our website;

In the case of information related to potential defaulters, most of the personal information we may collect about you and process within our credit referencing system is gathered from MACM’s Members, and a variety of other publicly available sources.  Some other information is given to us because you accessed this website (e.g. logs, recorded through cookies).

Check out the next sections to understand how and why we use this information.

2. Users of Online Services 


How & Why we use your information.

We use your information in a number of different ways — what we do with it then depends on the information and the purpose for which we collected such information. Here below out in detail, showing what we do, and why we do it :

A)  Your name and contact details

How? - To send you e-mails and reply to your queries

Why? - We’ve got to do this to respond to your queries and provide you with information as appropriate[Art.6(1)(f) GDPR]

How? - To send you information by email about our latest services, conferences or seminars.

Why? - To keep you up to date. We only send this with your permission and where you have requested us to do so. You can ask us to stop at any         time. [Art.6(1)(a) GDPR]

How? - Fraud prevention and detection.

Why? - To prevent and detect fraud against either you or us – unfortunate, but absolutely essential[Art.6(1)(c),(f) GDPR]

B) Your contact history with us

What you’ve said to us — for example, over email or contact forms.

How we use your contact history

  • Provide customer service and support
  • Train our staff

Why?

  • We’ve got to do this to perform our contract with you to your best satisfaction - [Art.6(1)(b),(f) GDPR]
  • For our team to remain up to scratch so that you get the best possible customer service - [Art.6(1)(b),(f) GDPR]

C) Information about your device (phone or laptop) with which you accessed our website


Information you give us when you browse our site or use our app, including your IP address and device type and, if you choose to share it with us, your location data, as well as how you use our website and app.

How we use information about your phone or laptop, and how you use our website and app

  • Improve our website and set default options for you (such as language)
  • Protect our website

Why?

  • To give you the best possible customer service experience - [Art.6(1)(f) GDPR]
  • To prevent and detect fraud against either you or us — and to meet our legal obligations about looking after your data - [Art.6(1)(f) GDPR]

You don’t have to give us any of this personal information but if you don’t, you may not be able to use our site or all of the services we offer on the site, and you are unlikely to receive an optimal customer experience.  

We also anonymise and aggregate personal information (so that it does not identify you) and use it for purposes including testing our IT systems, research, data analysis, improving our site and app, and developing new products and services. We also share this anonymised information with third parties – but don’t worry, they cannot identify you.

The Legal Basis for Processing

As indicated in the above table (via reference to the relevant provisions), we only process your personal data on the basis of a legal ground in accordance with applicable law (GDPR). The existing legal grounds for the processing of personal data are the following: 

  1. Consent; 
  2. Processing is necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract;
  3. Processing is necessary for us to comply with a legal obligation;
  4. Processing is necessary to protect your vital interests or those of another individual;
  5. Processing is in the public interest; or
  6. Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party. 

Retention Periods

  • We will hold on to your information for no longer than is necessary keeping in mind the purpose/s (or compatible purposes) for which we first collected the data.
  • We may also keep hold of some of your information if it becomes necessary or required to meet legal or regulatory requirements, resolve disputes, prevent fraud and abuse, or enforce our terms and conditions.

As a guide: 

  1. we will keep personal data until such time as you ask us to stop communications with you, unless we need to keep the data for longer; 
  2. we may keep certain categories of personal data for longer in order to meet any legal or regulatory requirements, or to resolve a legal dispute;
  3. and, we may keep different types of personal data for different lengths of time if required by law (for instance, we may need to keep certain personal data relating to purchases for about 10 years in order to comply with tax/VAT reporting requirements);

You may obtain more information as to the retention periods or the criteria used by us to determine the retention periods by contacting us here

Children Under 16

If you are aged 16 or under, please get your parent/guardian's permission before you provide any personal information to us. 
We will need to process personal data relating to parents or guardians in that case – and we may also need to request for verification documentation to ensure that consent is given or authorised by the holder of parental responsibility.

Sharing your information 

We do not, and will not, sell any of your personal data to any third party – including your name, address, email address or any other information. It is not our business to do so – and we want to earn your trust and confidence.
However, we share your data with the following categories of companies as an essential part of being able to provide our services to you, as set out in this statement:

  • Professional service providers, such as marketing agencies, advertising partners and website hosts who service us in turn to operate our business. 
  • Credit reference agencies, law enforcement and fraud prevention agencies, so we can help tackle fraud.

In most circumstances we will not disclose personal data without consent. However there may be occasions where we might have to – e.g. with a court order, to comply with legal requirements and satisfy a legal request, for the proper administration of justice, to protect your vital interests, to fulfil your requests, to safeguard the integrity of the relevant websites operated by us or by such related entities or subsidiaries, or in the event of a corporate sale, merger, reorganisation, dissolution or similar event involving us and/or our subsidiaries and related entities.
When we do share data, we do so on an understanding with the other entities that the data is to be used only for the purposes for which we originally intended – again, we don’t want you to have any surprises.
If we ever have to share data with entities that are outside of the EEA, we will be sure to do so in a manner that complies with the requirements established by the GDPR.

3. Data Subjects indicated within MACM’s Credit Information System 


How & Why we use your information

As a Credit Reporting Agency (CRA), MACM is also the controller of the processing of personal data recorded in a credit information system and manages said system by setting out the mechanisms, rules and procedures applying to its operation and use. As a result, we process your personal data in relation to defaulting debts for the purposes of compiling, maintaining and making available a credit information system to our Members, whose business activity requires knowledge on credit relationships. The personal data We process about you from a variety of sources, such as publicly available databases, court judgments, court registry, decrees and administration orders, as well as information received from lenders and creditors who are MACM Members. The personal data processed at this stage is varied, but usually concerns the following: 

  1. Name & Surname;
  2. Identification Number;
  3. VAT Numbers, where applicable;
  4. Registered Address;
  5. Shareholding involvement;
  6. Overdue history & dishonoured Cheques; 
  7. Court Judgements, judicial decrees and administration order
  8. Judicial letters
  9. Court warrants
  10. Extracts from the Government Gazette

We process your personal data in accordance with applicable law, with the legal basis for such processing of your personal data being that of legitimate interest. The Legitimate interests pursued in this processing operation are as follows: 

  • Promoting responsible lending and helping to prevent over-indebtedness;
  • Fraud prevention and detection;
  • Compliance with applicable law and regulatory requirements;
  • Debt Recovery 
  • Asset & Debt Tracing 

MACM ensures that its processing operations are compliant with applicable law [GDPR, for example], as well as in accordance with any guidelines issued by the Maltese Supervisory Authority, the Information and Data Protection Commissioner (IDPC), such as the “Data Protection Guidelines for the promotion of good practice – Processing of personal data by credit referencing institutions” available on https://idpc.org.mt/en/Documents/CRA_Guidelines.pdf  

Retention Periods

We will hold on to your information for no longer than is necessary keeping in mind the purpose/s (or compatible purposes) for which we first collected the data.
We may also keep hold of some of your information if it becomes necessary or required to meet legal or regulatory requirements, resolve disputes, prevent fraud and abuse, or enforce our terms and conditions.
In accordance with the above mentioned guidelines applicable to the processing of personal data by credit referencing institutions:

  • Personal data relating to defaulting debts which remain unsettled shall be retained by MACM for a maximum period of six (6) years from the data of registration in the system.
  • In the case of settlement or where the debt is otherwise no longer due, MACM shall include such data in its system clearly indicating that the debt has been settles or is no longer applicable, and shall be deleted from the system within eighteen (18) months from the date when such liability becomes no longer due. 

Sharing your information 

We do not, and will not, sell any of your personal data to any third party – including your name, address, email address or any other information. It is not our business to do so – and we want to earn your trust and confidence.
However, we share your data with the following categories of entities as an essential part of being able to provide our services, as set out in this statement:

  1. Members of MACM that share financial data with MACM are entitled to receive similar kinds of data contributed by other Members;
  2. Fraud Prevention Agencies and Law enforcement;
  3. Data processors of MACM who perform tasks on MACM’s behalf

In most circumstances we will not disclose personal data without consent. However there may be occasions where we might have to – e.g. with a court order, to comply with legal requirements and satisfy a legal request, for the proper administration of justice, to protect your vital interests, to fulfil your requests, to safeguard the integrity of the relevant websites operated by us or by such related entities or subsidiaries, or in the event of a corporate sale, merger, reorganisation, dissolution or similar event involving us and/or our subsidiaries and related entities.
When we do share data, we do so on an understanding with the other entities that the data is to be used only for the purposes for which we originally intended – again, we don’t want you to have any surprises.
We may also provide third parties with aggregated but anonymised information and analytics about our customers and, before we do so, we will make sure that it does not identify you. Anonymous information means it is anonymous.
If we ever have to share data with entities that are outside of the EEA, we will be sure to do so in a manner that complies with the requirements established by the GDPR.

4. Vacancies - Job Applicants

Vacancies for MACM Members

We do use our website to submit information for vacancies within the credit control industry that our Members may have from time to time. We do not process any personal data of any applicants in this regard as we solely place the vacancies on our Website on behalf of our Members. 

Once you click ‘Submit Application’, you are automatically linked to the Vacancy Section of the Members’ Website – any personal data you provide in this regard is processed entirely by such Member as a Data Controller, and such processing is therefore regulated by the Members’ own privacy policies. 

Vacancies for MACM

Candidates submit their information for vacancies to us via email 

We are the data controller for the information you provide during the process unless otherwise stated. If you have any queries about the process or how we handle your information please contact us at privacy@macm.org.mt 

What will we do with the information you provide to us?

All of the information you provide during the process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.
We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.
We will use the contact details you provide to us to contact you to progress your application.
We will use the other information you provide to assess your suitability for the role you have applied for. 

What information do we ask for, and why?

We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary. The information we ask for is used to assess your suitability for employment.
You don’t have to provide what we ask for but it might affect your application if you don’t. 

Application stage & Short Listing

We ask you for your personal details including name and contact details. We will also ask you about your previous experience, education, referees and for answers to questions relevant to the role you have applied for. Our recruitment team will have access to all of this information.

Shortlisting

Our hiring managers shortlist applications for interview.

Assessments

We might ask you to participate in further recruitment tests or occupational personality profile questionnaires; and/or to attend an interview – or a combination of these. Information will be generated by you and by us and if so, this information is held by us for the recruitment exercise and perhaps after if you are selected.  If we make a conditional offer of employment we may ask you for information so that we can carry out pre-employment checks  which may be required to seek assurance as to trustworthiness, integrity and reliability and the possibility to work in Malta. Further processing of your information would be required if we are to apply for a work permit.

Depending on the job requirements, you may be required to provide: Proof of your identity; Proof of your qualifications; Police Conduct; declaration to declare any unspent convictions.

  1. We will provide your email address to the Government Recruitment Service who will contact you to complete an application for a Basic Criminal Record check via the Disclosure and Barring Service, or Access NI, which will verify your declaration of unspent convictions.
  2. We will contact your referees, using the details you provide in your application, directly to obtain references.

If we make a final offer, we will also ask you for the following:

  • Bank details – to process salary payments
  • Emergency contact details – so we know who to contact in case you have an emergency at work

Final recruitment decisions are made by hiring managers and members of our recruitment team. All of the information gathered during the application process is taken into account.

Retention Periods

If you are unsuccessful following assessment for the position you have applied for, we may ask if you would like your details to be retained in our talent pool for a period of eight (8) months. If you say yes, we may proactively contact you should any further suitable vacancies arise within that period. You may ask us to cancel this at any time – however we normally keep information about your application for at least six (6) months in case you raise any questions about the process.

If you are employed, we will keep your personal data throughout the employment and for a period after that in accordance with our HR privacy policy.

5. Your Rights

You enjoy several rights relating to your personal information:

(i) The right to be informed about how your personal information is being used;

"We need to be clear with you about how we process your personal data. We do this through this Privacy Policy, which we will keep as up to date as possible."

(ii) The right to access the personal information we hold about you;

You can access the personal data we hold on you by contacting us on privacy@macm.org.mt

To process your request, we will ask you to send us proof of identity so that we can be sure we are releasing your personal data to the right person.We will carry out our best efforts to process your request within one month or, if the request is particularly complex, two months. We can provide you with a copy of your personal data in electronic format or hard copy.

If we consider the frequency of your requests as being unreasonable, we may refuse to comply with your request. In those circumstances, if you disagree, you can complain to the IDPC. 

(iii) The right to request the correction of inaccurate personal information we hold about you;


We appreciate feedback from you to ensure our records are accurate and up-to-date. 

(iv) The right to request that we delete your data, or stop processing it or collecting it;

You can ask us to delete your personal data; however, this is not an absolute right.

In spite of a request for erasure, we may be justified to keep personal data which we need to keep, e.g. (i) to comply with a legal obligation (for instance, we are required by personal data for VAT reporting purposes); and (ii) in relation to the exercise or defense of any legal claims. 

Other than as described above, we will always comply with your request and do so promptly. We would carry out our best efforts to notify any third parties with whom we have shared your personal data about your request so that they could also comply.

(v) The right to stop direct marketing messages; 

(vi) The right to object to certain processing based on legitimate interest;

You have a right to object to our use of your personal information including where we use it for our legitimate interests or where we use your personal information to carry out profiling using automated means.

Please note that We may refuse to adhere to your request where we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. 

(vii) The right to request human intervention if automated processing without human intervention is used to make decisions having legal or similar effects on you;

(viii)  The right to withdraw consent for other consent-based processing at any time;

(ix) The right to request that we transfer or port elements of your data either to you or another service provider;

You have the right to move, copy or transfer your personal data from one organisation to another. If you do wish to transfer your personal data we would be happy to help. 

If you ask for a data transfer, we will give you a copy of your personal data in a structured, commonly used and machine-readable form (e.g. a CSV file format). We can provide the personal data to you directly or, if you request, to another organisation. 

Please note that we are not required to adopt processing systems that are compatible with another organisation, so it may be that the recipient organisation cannot automatically use the personal data we provide. 

When making a transfer request, it would be helpful if you can identify exactly what personal data you wish us to transfer.

This right does not apply to data subjects whose data is used for the purposes of creating and maintaining a credit information system regarding defaulting debts and is made available to participants offering consumer credit or any other form of payment extension as the processing in this activity is based on legitimate interest. 

(x) The right to complain to your data protection regulator — in Malta – the Information and Data Protection Commissioner (IDPC)

If you want to exercise your rights, have a complaint, or just have questions, please contact us on 

 

Please appreciate that the rights must be exercised within some limitation – for example, if you ask us for information we can only give you what relates to you and not what relates to other persons. When we receive requests, we may also request that you identify yourself and provide documentation or information for verification (we would not want to disclose information to the wrong person). Unreasonable requests may be subjected to a reasonable fee or refusal to respond. 

6. Security Of Your Personal Data

Security of your personal data is very important to us.  Where it’s appropriate, our website uses HTTPS to help keep information about you secure. However, no data transmission over the internet can be guaranteed to be totally secure.

We do our best to keep the information you disclose to us secure. However, we can't guarantee or warrant the security of any information which you send to us.

Security measures which have implemented to secure information transmitted over our website or stored on our systems include the following:

1. Use of secure servers

2. Use of firewalls

3. Use of encryption

4. Physical access controls at data centres;

5. Information access controls;

6. Use of back-up systems; 

Please understand, however, that no system is perfect or can guarantee that unauthorised access or theft will not occur.

7. Changes to how we protect your privacy 

Our website is continually under review – new functions and features are periodically added and improved to interface, thus changes to our privacy policy may be required from time to time. 

We therefore encourage you to check our privacy policy on a frequent basis.

8. Links to Other Websites

This privacy notice does not cover the links within this site linking to other websites which are not controlled by us. We are not responsible for the collection or use of your personal information from these third-party websites. 

Therefore, we encourage you to read the privacy statements on the other websites you visit

9. Links to Other Websites

We are always happy to hear from you, whether to make a suggestion but especially if you feel we can do better. 

If you have any questions about this Privacy Policy, or if you wish to make a complaint about how we have handled your personal information, please contact us by sending your written complaints to the following address:

Mdina Bastions, Block D, Office 1,
N/S off Triq Mikielang Sapiano, 
Haz-Zebbug, ZBG1870
We have appointed a Data Protection Lead who may be contacted via email on