Privacy Statement for website
The NAO ensures that personal data is processed in terms of the Data Protection Act (Chapter 586 of the Laws of Malta – “the DPA”) and the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – “the GDPR”).
We have implemented the appropriate technical and organisational measures to ensure a level of security appropriate to the risk and to prevent unauthorised access to, accidental or unlawful destruction, loss or alteration of, or unauthorised disclosure of personal data transmitted, stored or otherwise processed, and we do not share or disclose your personal data to any third party unless you give us your consent to do so or as authorised by law.
Our privacy statement applies to information we collect in connection with:
- Our statutory audit work
- Job applicants
- Current and former employees
- Correspondence and communication including, but not limited to data subjects’ access requests or freedom of information enquiries, complaints, general queries
- Our events
- Visitors to our website
- Suppliers of goods and services
The purposes for which the NAO processes personal data are derived from Section 108 of the Constitution of Malta which sets out the Auditor General's general mandate, the Auditor General and the NAO Act of 1997 and Standing Order No. 120 of the House of Representatives of 1995 which extends the mandate, and the Local Councils Act of 1995 that imposed special obligations and responsibilities on the Auditor General and the NAO.
We process data as per the principles in Article 5 of the GDPR, where we have a clear legal basis for doing so and where it is proportionate and necessary in pursuance of our roles and responsibilities.
Processing for the purpose of performing audits
When we perform audits under our statutory powers, we may collect information from public bodies that contains some individuals’ personal data.
Personal data that we collect from public bodies or directly through individuals may be used in audit tests to help us form audit opinions and to provide audit reports. We will only use this information for the purpose for which it was collected. We will hold the data securely in accordance with our Information Technology and Data Management Policy (IT Policy). When the data is no longer needed, it will be disposed of in accordance with our retention schedule that is part of the above-mentioned policy.
The information you provide as part of the recruitment process will be treated in confidence and will be shared only with the Finance and Administration Section and Management. We will not disclose information to any third parties without informing you beforehand or unless the disclosure is required by law.
We hold personal information about unsuccessful candidates for a maximum period of 2 years after the recruitment process has been completed and it will then be destroyed or deleted.
Current and former employees
We process personal data for current and former employees that includes identity data, contact data, work data and financial data for payroll and accounting purposes.
All the above data is protected under the DPA and the GDPR and unless disclosure is required by law, no such data will be shared with third parties without the consent of the employees.
The NAO also keeps a personal file record for all current and former employees.
Every employee has the right of access to whatever information is held on him/her in the payroll and accounting systems and in his/her personal file. We will retain information of employees who terminate their employment with the NAO in accordance with the requirements of our retention schedule as specified in the IT Policy.
People who make a complaint or correspond with us
When we receive a complaint, correspondence or concerns about the National Audit Office or a public body we audit, data subjects’ access requests or freedom of information requests, we keep the related documentation in a file.
We will only process your personal information to investigate the complaint or to follow up on your correspondence or comply with your requests. We may have to disclose your personal details when investigating any matter that you raise. In the event you do not consent to disclose or share your personal information, you are hereby informed that it may not be possible to investigate your complaint or comply with your request on an anonymous basis.
We will keep information provided to us in complaints, correspondence, data subjects’ access requests, or freedom of information requests in line with our retention policy.
We organize and facilitate events in our own capacity as well as in collaboration with other public bodies.
Events can include conferences, engagement, or other meetings and events.
Any information that is specifically collected for the purposes of participation in an event whether as a delegate, facilitator or contributor will not be disclosed to third parties without your consent.
Our website may contain links to other websites which are outside our control and are not covered by this notice. If you access other sites using the links provided, the operators of these sites may collect information from you which will be used by them in accordance with their privacy notice which may differ from ours.
Social media features and widgets
We hold information about our suppliers in our accounting system for the purpose of managing our relationship with them, such as placing orders and arranging for payment to be made. This information may be used for internal reporting purposes.
Data subjects’ rights
Subject to regulation 4(f) of Subsidiary Legislation 586.09, an individual may exercise his/her rights to the personal data processed by this Office, including:
- The right of access
- The right to rectification
- The right to erasure
- The right to restriction of processing
- The right to object to processing
- The right to data portability
- The right to withdraw your consent
No fees are applicable when exercising your rights. You will be provided with a response in the shortest time possible.
Such requests may be made in writing to the NAO’s Data Protection Officer. In addition, an individual has a right to lodge a complaint with the Office of the Information and Data Protection Commissioner (www.idpc.gov.mt).
Data Protection Officer
As stipulated in Article 39 of the GDPR, the NAO has appointed a data protection officer for you to contact if you have any questions or concerns about our personal data policies or practices.
The data protection officer can be contacted through:
Telephone: (356) 22055000;
Postal mail at National Audit Office, Notre Dame Ravelin Floriana VLT1601.
Changes to this Privacy Notice
If there are any changes to this Privacy Notice, the NAO will replace this page with an updated version. Therefore, it is in one’s own interest to check the “Privacy Notice” page to be aware of any changes which may occur from time to time.