Data Protection Policy
- Last updated:
Menu
The General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act (Cap 586) regulate the processing of personal data whether held electronically or in manual form. The NCPE is set to fully comply with the Data Protection Principles as set out in such data protection legislation.
Purposes for collecting data
The NCPE collects and processes information to carry out its obligations in accordance with present legislation. All data is collected and processed in accordance with Data Protection Legislation and the Equality for Men and Women Act, CAP. 456.
Recipients of data
Personal Information is accessed by the employees who are assigned to carry out the functions of the NCPE. Personal Data will be disclosed to:- Employees within NCPE carrying out similar functions of NCPE1
- Organisations processing data on behalf of the data controller including, but not limited to, NCPE’s service providers for legal advisor services, accountancy, auditing and other service providers and suppliers Disclosure can also be made to third parties but only as authorized by law.
Your rights
You are entitled to know, free of charge, what type of information the NCPE holds and processes about you and why, who has access to it, how it is held and kept up to date, for how long it is kept, and what the Unit is doing to comply with data protection legislation. The GDPR establishes a formal procedure for dealing with data subject access requests. All data subjects have the right to access any personal information kept about them by the NCPE, either on computer or in manual files. Requests for access to personal information by data subjects are to be made in writing and sent to the A/Executive Director of the NCPE. Your identification details such as ID number, name and surname have to be submitted with the request for access. In case we encounter identification difficulties, you may be required to present an identification document. The NCPE aims to comply as quickly as possible with requests for access to personal information and will ensure that it is provided within a reasonable timeframe and in any case not later than one month from receipt of request, unless there is good reason for delay. When a request for access cannot be met within a reasonable time, the reason will be explained in writing to the data subject making the request. Should there be any data breaches, the data subject will be informed accordingly. All data subjects have the right to request that their information is not used or is amended if it results to be incorrect. Data subjects may also request that their data is erased. These rights may be restricted, if applicable, as per Data Protection Legislation. In case you are not satisfied with the outcome of your access request, you may refer a complaint to the Information and Data Protection Commissioner, whose contact details are provided below.Retention Policy
Your personal data is collected through the Equality for Men and Women Act, CAP. 456. The following schedule outlines the retention requirements for the various categories of documentation within the NCPE.| CATEGORY OF DOCUMENT | RETENTION PERIOD | JUSTIFICATION |
|---|---|---|
| Human Resources – Core staff | ||
| Applications – Calls for filling of NCPE positions | 1) For selected candidates – Ten (10) years from date of termination of employment 2) All others – one (1) year after notifying candidates of the outcome of the recruitment process, unless in the interim, a complaint connected with a particular call for application has been filed. |
Retention period in line with the ‘Data Protection Public Administration Human Resources Corporate Procedures’2 |
| Employee files for core staff | Ten (10) years from date of termination of employment | Retention period in line with the ‘Data Protection Public Administration Human Resources Corporate Procedures’ |
| Personal details of staff – Excel sheet | Employee details are to be deleted from this sheet ten (10) years from date of termination of employment, except for data to be retained for historic record | Retention period in line with the ‘Data Protection Public Administration Human Resources Corporate Procedures’ |
| Payroll files and payroll software | Ten (10) years from date of termination of employment | Retention period in line with the ‘Data Protection Public Administration Human Resources Corporate Procedures’ |
| Finger reader software, attendance Sheets and Vacation Leave requests | Two (2) years | Retention period in line with the ‘Data Protection Public Administration Human Resources Corporate Procedures’ |
| Vacation Leave balance sheets | Three (3) years | Retention period in line with the ‘Data Protection Public Administration Human Resources Corporate Procedures’ |
| Sick Leave Certificates | One (1) year from issue of certificate | Retention period in line with the ‘Data Protection Public Administration Human Resources Corporate Procedures’ |
| Training records | Ten (10) years from date of termination of employment | Retention period in line with the ‘Data Protection Public Administration Human Resources Corporate Procedures’ |
| Admonishments – verbal warnings | Six (6) months | Retention period in line with the ‘Data Protection Public Administration Human Resources Corporate Procedures’ |
| Admonishments – Written warnings | One (1) year | Retention period in line with the ‘Data Protection Public Administration Human Resources Corporate Procedures’ |
| Disciplinary Charges | 1) Ten (10) years from termination if found guilty or inconclusive 2) Two (2) months if not found guilty |
Retention period in line with the ‘Data Protection Public Administration Human Resources Corporate Procedures’ |
| Human Resources – Staff recruited for EU co-financed Projects | ||
| All documents listed in the ‘Human Resources – Core staff’ category | For the period stipulated in the regulations governing the relative EU programme/s | Retention period as per rules and regulations of the EU programme/s |
| Procurement and Finances | ||
| Procurement files which includes the personal data of potential bidders, bidders, contractors, service providers and suppliers | – For EU co-financed projects – For the period stipulated in the regulations governing the relative EU programme/s – Others – …3 | – For EU co-financed projects – retention period as per rules and regulations of the EU programme/s – Others – …4 |
| Finance files with data/records of creditors and debtors | Five (5) years after payment settlement | For auditing purposes |
| Administration | ||
| Students’ academic records, contact details and time sheets | – Internship/placement – Five (5) years from termination of placement – Students asking for interviews/information – Two (2) years |
For auditing purposes |
| Travel | ||
| Travel organisers and participant records | Five (5) years from date of termination of employment | For auditing purposes |
| Investigations | ||
| Details of any person in connection with processing and investigating complaints alleging discrimination and sexual harassment as per CAP. 456 Equality for Men and Women Act | Five (5) years from closure of case | – As advised by the NCPE’s Legal Advisor – For research purposes |
| Request for Information | ||
| Details of persons putting forward requests for information via various means of communication | Five (5) years | For research purposes |
| Training | ||
| Training attendance sheets and evaluation sheets | – Attendance sheets – Three (3) years from training – Evaluation sheets – Three (3) years from training |
Required data regarding NCPE’s training sessions is included in Annual Reports |
| Equality Mark | ||
| Equality representative/s/Committee, Head of organisation, staff lists for re-certification training | Five (5) years from termination of certification | For research purposes |
| Projects | ||
| Project partners and records of participants of various project activities namely conferences, training / consultation / mentoring sessions, outreach activities and events | For the period stipulated in the regulations governing the relative EU programme/s | Retention period as per rules and regulations of the EU programme/s |
| Online Directory of Professional Women | ||
| Application forms for Directory registration | Unsuccessful applicants – Five (5) years | Retention of all forms of unsuccessful applicants who may become eligible in due course. |
| Personal data, experience and qualifications of profilers | Profilers have the option to opt out at any time | Unless professionals opt out, this data will be kept online. NCPE has measures in place to ensure the accuracy of the data. |
| Communications & PR | ||
| Conferences and other events attendance sheets and evaluation sheets, speakers and panellists | – Attendance sheets – Three (3) years from event – Evaluation sheets – One (1) year from event | – Attendance sheets are kept for three years for audits as well as for reference purposes in the organisation of similar events – A report is drawn summarising feedback provided in evaluation sheets which are consequently kept for 1 year |
| Mailing Lists | Recipients will have the possibility to opt-out | When contacting persons from the general public on NCPE’s mailing lists, recipients will be given the option to opt out/unsubscribe. Otherwise, NCPE is empowered ‘to keep direct and continuous contact with local and foreign bodies working in the field of equality issues, and with other groups, agencies or individuals as the need arises’ as per the Equality for Men and Women Act, CAP.456, Art. 12(1)(e) |
| Library | ||
| Library borrowers’ details | Six (6) months after the return of all resources borrowed from the library | To ensure resources are returned in good condition |
| GDPR | ||
| Data protection breaches documents | 2 years following conclusion of data breach investigation | This will allow for the necessary follow up icw data breaches. Records of breaches will be kept but no personal data will be kept following the established retention period. |
Data that needs to be destroyed after the noted timeframes will be disposed of in an efficient manner ensuring that such information is no longer available within the NCPE.
The Data Protection Officer may be contacted on dpo.ncpe@gov.mt or by telephone +356 22768200.
A/Executive Director
The NCPE’s Data Controller may be contacted at:
NCPE, Gattard House, National Road,
Blata l-Bajda, HMR 9010 Telephone: +356 22768200 Email: equality@gov.mt
The Information and Data Protection Commissioner
The Information and Data Protection Commissioner may be contacted at: Level 2, Airways House,
High Street, Sliema SLM 1549
Telephone: 23287100
Email: idpc.info@idpc.org.mt
1 In case of investigation of complaints, CAP. 456, Art. 18(5) stipulates that:
“(5) The Commissioner and every other member of the Commission or any member of the staff of the Commission shall treat any matter coming to their knowledge in the course of an investigation as confidential and shall not disclose the same unless such disclosure is necessary in the course of a prosecution or an action for redress under this Act.”
2 Data Protection Public Administration Human Resources Corporate Procedures –
Corporate-Procedures-2020-as-at-30.4.20-ver-1.8.pdf
3 DoC and DPU confirmed that retention period for procurement files is not in place yet
4 Same as above
