Legal Information
General Privacy Policy
At ACT, we are committed to safeguarding and preserving the privacy of our visitors. This Policy explains what happens to any personal data that you provide to us, or that we collect from you whilst you visit our site.
We do update this Policy from time to time so please do review this Policy regularly.
1. Who are we? What do we do?
This policy has been prepared by ACT Advisory Services Ltd, a company registered under the Laws of Malta with company registration number C 65093, and ACT Assurance Services Limited, a company registered under the Laws of Malta with company registration number C 106479 (hereinafter each referred to as “ACT”, “we” or “us”).
ACT is a multidisciplinary firm providing assistance in corporate, tax and private clients matters. In particular, we:
- are authorised by the Malta Financial Services Authority (MFSA) to act as a Corporate Services Provider in terms of the Company Service Providers Act (Chapter 529 of the Laws of Malta) assisting individuals and companies with their corporate needs in Malta, including general secretarial services;
- provide book-keeping and accountancy services;
- help private clients with various issues, particularly those relating to migration, residencies, visas and citizenship;
- provide tax advice and tax compliance services;
- provide general advisory services, mostly in connection with corporate and tax matters;
- provide audit and assurance services.
(“Service(s)”)
2. What does this policy cover?
This policy is intended to provide an overview of the personal data that we process in connection with the delivery of our Services, solely when acting in the capacity as data controllers. This policy also outlines how we collect or otherwise procure this personal data, what we do with such personal data and generally how we comply with the provisions of laws relating to the protection of personal data as applicable to us, in particular Regulation (EU) 2016/679 (“GDPR”).
Throughout this document, we will be using certain specific terms. Since our intention is that this document is easily understood, we would like to clarify what these terms are intended to refer to. Naturally, if anything is unclear, please do not hesitate to get in touch with us.
In terms of the provisions of the GDPR, the term “personal data” is defined as ‘any information relating to an identified or identifiable natural person (‘data subject’)’. Furthermore, the term “processing” is also given a wide meaning and is defined as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.’ This includes collection, recording, storage, adaptation, and use of personal data.
For clarity and convenience, we will use the term ‘Connected Individual’ to refer to ‘beneficial owners, directors, and other officials, as well as any other individual who is a shareholder, director, officer, or who holds any direct or indirect interest or involvement in a corporate structure to which we provide Services, or have been requested to do so.’
3. What types of personal data will we be processing as data controller?
We have grouped the personal data that we receive, use or otherwise process in the following categories:
| Title | Description |
| --- | --- |
| Contact Information | This relates to the contact details of an individual, including number, email addresses and postal address. |
| Interaction Information | This comprises any information, data or material that was exchanged with us in relation to a request for Services, during our provision of Services, or any other matter related to the aforementioned. |
| KYC Information | This relates to the personal data that we collect or otherwise process in order to comply with our statutory duties and obligations, including the laws and regulations in force against financial crime and money laundering. |
| Service Information | This includes any personal data that is connected with the Service which we were instructed to provide, including any data that we generate as a result. For the avoidance of doubt, this also includes any correspondence exchanged on this matter, internal notes taken and third party information about your issue or matter. |
| Financial Information | This includes details concerning the fees owed to us, banking details and other data relative to the aforementioned. |
4. To which persons or entities does this personal data relate?
We process various types of personal data essential for our activities and the provision of our Services. It is important to highlight that we only collect data that is directly relevant and necessary for the specific purposes outlined in our interactions.
We process personal data related to the following essential categories to manage and enhance our Services effectively:
- Leads and Prospects: We collect contact information and relevant details to initiate communication and evaluate potential service engagement opportunities.
- Clients: This category includes comprehensive data required to deliver tailored services, such as personal identification details, financial information, and specific service needs.
- Connected Individuals: We gather data necessary for compliance with regulatory requirements, including identity verification, legal standing, AML/CFT compliance and role within the entity.
- Client Representatives: We collect and keep contact details and other relevant information for individuals appointed by our clients to interact directly with us, facilitating efficient and effective communication regarding service management.
- Third Parties Engaging with Clients: We also process personal data related to third parties who engage or transact with any of our clients, including vendors, service providers, and partners involved in our clients’ operations. We collect and manage information necessary to facilitate and oversee these interactions, such as contact details, transaction histories, and any other data required to ensure the smooth execution of our Services and compliance with legal obligations.
5. How do we collect personal data? What are the sources?
The methods of collecting personal data can vary depending on the context, but typically, we rely on three main sources: (a) personal data provided directly by the data subjects themselves, (b) personal data generated internally through our operations, and (c) personal data obtained from external sources.
[a] Personal data provided directly by the data subjects.
Personal data provided directly by data subjects typically depends on how clients or prospects choose to interact with us and varies based on the size of the entity. Individuals who opt to engage directly with us typically provide their data themselves. This includes both prospects who are initiating contact and clients who have already established a relationship with us. Regardless of the stage of engagement, individuals may provide their data through various channels, including email, phone calls, website forms, or in-person interactions. Additionally, data may also be collected through our marketing efforts, such as registration for webinars or downloading informational materials.
[b] Personal data generated internally through our operations.
At ACT, the processing and management of personal data are central to our operational integrity and compliance with regulatory standards. We generate a significant amount of this data internally. This data is crucial for various aspects of our services, ranging from client onboarding to ongoing monitoring activities designed to uphold stringent legal obligations and internal policies. The following table outlines the specific activities during which we generate personal data, detailing both the nature of this data and the sources and systems we utilize to ensure the highest standards of data accuracy and security:
| Data Processing Activity | Details of Data Generation | Sources and Systems Used |
| --- | --- | --- |
| (a) Providing Our Services | Data generated internally during the delivery of services, including client interactions, service outcomes, and transaction histories. | Internal CRM and service delivery systems. |
| (b) Onboarding Activities | Data collected and verified to meet legal and internal requirements, including personal identification, background checks, and financial information. | Public databases, internal systems, risk scoring tools. |
| (c) Ongoing Monitoring Activities | Continuous data generation for compliance with legal obligations such as sanction screening, Anti-Money Laundering (AML), and Combating Financing of Terrorism (CFT). | External compliance systems, internal monitoring tools, risk assessment software. |
[c] Personal data obtained from external sources.
Personal data obtained from external sources is another significant source of information for our organization. While individuals often directly provide their data, larger companies or organizations may choose to delegate this responsibility to a designated representative or another service provider, such as their lawyer or accountant, who submits the data on their behalf. The following table summarises the external sources that provide us with personal data in relation to our Services:
| Category | External Sources of Data |
| --- | --- |
| (a) Leads and Prospects | Marketing events, referrals from existing partners, partners or other third parties |
| (b) Clients | Public records, industry databases, corporate registries, financial statements, legal filings, open-data sources. |
| (c) Connected Individuals | The clients or prospective clients; Public records, industry databases, corporate registries, financial statements, legal filings, open-data sources. |
| (d) Client Representatives | The clients or prospective clients; |
| (e) Third Parties Engaging with Clients | The clients or prospective clients; Client representatives |
6. How do we use personal data? What is the legal basis for processing personal data?
Our primary objectives in processing personal data are to act and operate our business as a corporate service provider, to provide our Services effectively and to ensure compliance with our legal duties and obligations.
In accordance with relevant laws, any processing activities conducted for anti-money laundering and counter-terrorism financing are considered matters of public interest. Therefore, the legal basis for such activities is established under GDPR, Article 6(1)(e).
We will process personal data when we have a proper reason for doing so. In particular, the legal basis we rely upon to process personal data is further set out in the table hereunder:
| Purpose | Type | Lawful basis |
| --- | --- | --- |
| To complete our onboarding process, including conflicts check | Contact Information; KYC Information; Interaction Information | Legal obligation (GDPR Article 6(1)(c))<br>Necessary for our legitimate interests (GDPR, Article 6(1)(f)) – to administer the client opening process; to safeguard our reputation |
| To provide you with our Services, as further detailed in our letter of engagement | Contact Information; KYC Information; Service Information; Interaction Information | Contractual necessity (GDPR Article 6(1)(b)) |
| To ensure that our Services and any of our engagements comply fully with all applicable laws | KYC Information; Service Information; Financial Information; Interaction Information | Legal obligation (GDPR Article 6(1)(c))<br>Necessary for our legitimate interests (GDPR, Article 6(1)(f)) – to safeguard our reputation |
| To manage our relationship with our Clients, including the provision of customer service | Contact Information; KYC Information; Interaction Information | Legal obligation (GDPR Article 6(1)(c))<br>Contractual necessity (GDPR Article 6(1)(b))<br>Necessary for our legitimate interests (GDPR, Article 6(1)(f)) – to keep our records updated. |
| To manage payments and fees | Service Information; Financial Information; Interaction Information | Contractual necessity (GDPR Article 6(1)(b))<br>Necessary for our legitimate interests (GDPR, Article 6(1)(f)) – to collect the payment due to us. |
| To manage and maintain our list and database of contacts for the purposes of marketing and communications; to engage in marketing and promotional activities. | Contact Information; Service Information; Interaction Information | Consent (GDPR, Article 6(1)(a)).<br>Necessary for our legitimate interests (GDPR, Article 6(1)(f)) – to keep our records updated; to enhance our business and client-base. |
| Business Intelligence & Analytics – To collect and anonymise data for statistical and benchmarking purposes. | Contact Information; Service Information; Interaction Information | Necessary for our legitimate interests (GDPR, Article 6(1)(f)) – to improve user experience and our Services. |
| To safeguard our interests, including keeping our infrastructure secure, through security monitoring to detect, prevent and respond to suspicious activity, fraud, intellectual property infringement, violations of our terms or law and for other similar purposes; to establish, exercise or defend legal claims | Contact Information; Interaction Information; KYC Information; Service Information; Financial Information | Necessary for our legitimate interests (GDPR, Article 6(1)(f)) – to safeguard our interests and infrastructure.<br>Legal obligation (GDPR Article 6(1)(c)) |
| To make certain information available to third parties that may be interested in acquiring our business (either prior to or as part of the transaction). This includes, amongst others, any merger, sale, restructure, acquisition, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock. | Contact Information; Interaction Information; KYC Information; Service Information; Financial Information | Necessary for our legitimate interests (GDPR, Article 6(1)(f)) – to ensure that we are able to sell our business, should we decide to do so. |
Change of purpose
We will use and process personal information solely for the purposes for which it was initially collected, unless we reasonably believe there is a need to use it for a different yet compatible reason. In the event we intend to use personal information for an unrelated purpose, we will inform the relevant data subjects and provide an explanation of the legal basis that permits us to do so.
7. Is the provision of personal data mandatory?
While we respect decisions by data subjects not to share personal data, please be aware that there may be limitations in our ability to accommodate such choices. In particular, we are unable to onboard a client or provide any of our Services if you fail to provide us with any KYC Information.
8. What about data concerning third parties? Are there any additional obligations or duties?
Whilst providing our Services and during our due diligence exercises, we will inevitably process personal data relating to third parties, such as that related to Connected Individuals. The terms of our letter of engagement place certain obligations on the person providing us with such information (typically the person with whom we are interacting, hereinafter “our direct contact”). In particular, the said direct contact will undertake that, prior to sharing such personal data with us, (i) our direct contact is to inform such Connected Individuals of the personal data concerning them that our direct contact will be sharing with us; (ii) our direct contact is to ensure that such Connected Individuals are aware of their rights with respect to such information; and (iii) our direct contact provides such Connected Individuals with a copy of this Privacy Notice. The above applies, save as otherwise provided in Article 14(5)(c) GDPR.
9. Do we collect special categories of data?
Under the GDPR, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health and data concerning a natural person’s sex life or sexual orientation, are deemed to be “special categories of personal data” and require a higher level of protection. We need to have further justification for collecting, storing and using this type of personal information. We have in place appropriate safeguards which we are required by law to maintain when processing such data.
In relation to most Services, we do not need to process any special category of personal data. However, this may be required when we are providing you with services relating to migration, citizenship, visas and residencies. Our legal basis for doing so is (a) Contractual necessity (GDPR Article 6(1)(b)); Legal obligation (GDPR Article 6(1)(c)); and (b) Explicit consent, given in terms of GDPR, Article 9(2)(a), which we procure either through our letter of engagement or alternatively, on a case-by-case basis.
10. Do we collect data related to criminal convictions and offences?
Similarly to the above, the processing of personal data relating to criminal convictions and offences is very restricted. We only request such documents or information (such as a police conduct certificate) (i) as part of our due diligence exercises, which we are required to undertake in terms of applicable law, but only when such document is necessary as further set out in our internal policies, or (ii) such document is required to be collected or submitted by applicable law (such as when providing services in the areas of migration, visas and citizenship).
11. Do we share personal data with, or make it available to, third parties?
We will share personal data with third parties where required by law, where it is necessary to administer the relationship with our clients, and as otherwise provided hereunder.
Furthermore, we will also share your personal data as follows:
- Third-party service providers – from time to time, and always subject to us complying in full with Article 28 GDPR, we engage a number of third parties to provide us with certain services and in doing so, certain types of personal data may be required to be provided to such third-party service providers. These include third parties providing legal advice, audit, banking services, sales and marketing, customer support, AML and sanction screening & IT services;
- Our insurers and insurance brokers;
- Regulatory authorities, departments or law enforcement agencies, when we are required, or permitted to do so by law;
- Any other person or entity but solely when we are expressly authorised to do so, such as when you provide us with your consent;
- A prospective buyer or any of its advisors, where relevant, in the course of a due diligence exercise or as part of a corporate transaction. In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes.
We may share personal data internally within our group of companies for legitimate business purposes, such as human resources management, compliance with anti-money laundering regulations, financial and accounting operations, and other administrative functions. This sharing is conducted in compliance with applicable data protection laws, including the GDPR, and is limited to what is strictly necessary for the intended purposes. All entities within the group adhere to the same data protection standards, and appropriate safeguards are in place to ensure confidentiality and security.
We may also process your personal data to comply with our regulatory requirements or in the course of dialogue with our regulators as applicable, which may include disclosing your personal data to government, regulatory or law enforcement agencies in connection with enquiries, proceedings or investigations by such parties anywhere in the world or where compelled to do so. Where permitted, or unless to do so would prejudice the prevention or detection of a crime, we will direct any such request to you or notify you before responding.
Prior to sharing data with a third-party service provider, we require them to commit to implementing appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
12. Is the information transferred outside of the EEA?
Currently, all personal data is processed in Malta and the European Economic Area (EEA). It is however possible that personal data will be made available or otherwise processed outside of the EU, namely when we engage third-party contractors.
If we do so, we will take adequate measures to ensure that personal data is safeguarded to the same standards as it would have been if processed in the EU, by relying on one of the following:
- We will ensure that personal information is sent to a country that is considered to provide an adequate level of data protection, in terms of any adequacy decision adopted by the European Commission, in accordance with the provisions of article 45 of the GDPR;
- We will enter into agreements that impose a legal obligation on the recipient to protect personal data in accordance with the provisions of the GDPR.
13. Data Subject Rights
The GDPR grants data subjects a number of rights that can be exercised in certain circumstances, including:
- Right of access (subject access request) – This right allows data subjects to request and obtain confirmation on whether we are processing their personal data. Data subjects can also access details about the processing and receive a copy of the data being held.
- Right of rectification – Data subjects have the right to request that we correct any inaccuracies or incomplete personal data held about them.
- Right of erasure – In terms of this right, commonly known as the “Right to be Forgotten,” data subjects can request the deletion of their personal data under certain circumstances, particularly when the data is no longer necessary for the purpose for which it was collected.
- Right of restriction – Data subjects can request the limitation of the processing of their personal data in specific situations. This right is relevant, for instance, when the data subject is contesting the accuracy of the data, or the processing is deemed unlawful.
- Right to object – This right enables data subjects to object to the processing of their personal data, including profiling, for reasons related to their particular situation.
- Right of data portability – Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format.
We do not carry out any fully automated decision-making or profiling.
On those occasions where we have indicated that we are basing our processing on our legitimate interest, please note that in terms of Article 21 GDPR, data subjects have the right to object to that processing.
Where the legal basis of processing is based solely on the data subject’s consent, the data subjects may withdraw such consent at any time by notifying us accordingly. This shall be without prejudice to the lawfulness of processing based on consent before such withdrawal.
For more information about these rights and how to exercise them (when we are acting in our capacity as data controllers), kindly contact us on the contact details set out hereunder.
14. For how long do we retain personal data?
The length of time for which we hold personal data depends on a number of factors, such as regulatory rules and any legal requirements. We also consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for which we process personal data and whether we can achieve those purposes through other means.
For further information about our data retention policies, please get in touch with our data privacy manager on the contact details set out hereunder.
15. Do you need more information about our data handling policies?
We have appointed a data protection officer to oversee compliance with the GDPR and general data protection related queries. If you need more information about this privacy notice or how we handle personal information, please contact the data protection officer, on [email protected] or + 356 2137 8672.
Our registered address is situated at:
Villa Malitah, Mediterranean Street, The Village, St. Julian’s, MALTA.
16. What responsibilities do clients and data subjects have regarding the processing of personal data?
Privacy and data protection is a two-way street, and while we strive to uphold it diligently, the active participation of everyone is crucial. This means that along with enjoying privacy rights, data subjects also have certain responsibilities. As part of these obligations, we anticipate that data subjects take reasonable measures to assist us in effectively safeguarding and managing their privacy.
For instance, to ensure that we maintain accurate, complete, and up-to-date personal information, we kindly ask clients and data subjects alike to promptly notify us if personal details previously submitted to us become inaccurate, incomplete, or outdated.
17. Is it possible to file a complaint?
We go to great lengths to ensure that we handle personal data responsibly. If there are any concerns or issues with anything related to these matters, please do not hesitate to get in touch with us and we assure you that we will do our utmost to address your concerns.
In any case, if you are not satisfied with the way we manage personal data, you have the right to file a complaint with any relevant data protection authority (particularly the one situated where you habitually reside). Contact details of the competent authority in Malta are as follows:
Address – Information and Data Protection Commissioner, Floor 2, Airways House, High Street, Sliema, SLM 1549, Malta.
Telephone – (+356) 2328 7100
Email – [email protected]
Version 2.0
Date: 27th January 2025
Changes to the Privacy Policy – We may alter these terms at any time, but in any case we will inform you accordingly, by means we deem reasonable in the circumstances. In the event of any conflict between the current version of these terms and any previous version(s), the provisions current and in effect shall prevail unless it is expressly stated otherwise.
Contacting Us
Please do not hesitate to contact us regarding any matter relating to this Privacy Policy via email on [email protected]