Etisicura Malta (“the Branch”) is committed to all aspects of data protection and takes seriously its duties, and the duties of its officers, agents and employees. Accordingly, the Branch has issued this Internal Privacy and Security Policy (“the Policy”) to explain how the Branch handles, processes and uses Personal Information about its data subjects, including where applicable the data of its officers, agents and employees who are currently engaged by means of a contractual agreement with the Branch.

It is clarified that the Data Subjects of the Branch shall cover all natural persons who have their personal data entrusted, directly or indirectly, to the Branch, and shall include, amongst others, the Branch’s own employees, agents and officers, the Branch’s clients, and the clients of any client or entity that entrusts data to the Branch.


The Branch recognises its obligations towards all data subjects and also recognises that all agents and employees of the Branch shall adhere to this Policy in order to safeguard the Branch’s data protection obligations towards its Data Subjects.


This Policy is being implemented in accordance with the terms of the Data Protection Act (Cap. 586 of the Laws of Malta) and the General Data Protection Regulation (Regulation (EU) 2016/679).



This Policy applies to all data subjects of the Branch.




The purpose of this Policy is to:

  • Establish the parameters of use by the Branch of personal data of all data subjects;

  • Provide data subjects with a framework that outlines appropriate use of any personal data;

  • Protect the Branch against liability for actions breaching data protection laws and regulations;

  • Protect agents and employees’ personal information which is processed as part of their working relationship with the Branch.  


This Policy may be updated from time to time to reflect the current legal obligations and practices laid down by the Branch. Each agent, employee and officer of the Branch subject to this Policy will be notified of any changes to this Policy and, where explicit consent is necessary, the Branch will obtain the consent from the agents, employees and officers.


What is Personal Data?

Personal data refers to any information relating to an identified or identifiable natural person, that is, a person who can be identified, directly or indirectly, in particular by reference to an identifier. For the purposes of this Policy, Personal Data refers to the personal data of the data subjects of the Branch. Furthermore, this personal information may be processed; such processing refers to any operation which is performed on personal data, such as collection, recording, organisation, structuring and storage.


Data Protection Principles


There are a number of principles governing the processing of personal information, and these principles must be fully complied with where personal data is processed. The principles provide that personal data must be:

  • Obtained and used fairly and lawfully

  • Used for limited, specifically stated purposes

  • Adequate, relevant and not excessive for the purpose

  • Accurate and kept up to date

  • Kept for no longer than is absolutely necessary

  • Handled according to people’s data protection rights

  • Kept safe and secure from unauthorised use 


Data Protection Risks


This Policy helps protect the Branch from several data security risks, which may include:

  • Breaches of Data protection laws;

  • Breaches of Confidentiality: may include instances where information is given out inappropriately;

  • Failing to offer choice: all data subjects should be free to choose how the Branch uses data relating to them;

  • Reputational damage: the Branch can suffer if, for example, it gets hacked and personal data is stolen.


The Controller of Personal Data

The Controller of the Personal Data is Etisicura Malta, authorised by the Italian Institute for the Supervision of Insurance (IVASS), having registration number B000391497 and with registered address at Conti Buildings, Triq il-Kalkara tal-Gir, Imriehel, BKR 3000. Etisicura Malta is a branch of the Italian company Etisicura S.R.L., registered at Torino (TO) Corso Unione Sovietica 560 Cap 10135 Italy with registration number TO-1090552.

The personal data is accessible by Etisicura S.R.L. and Etisicura Malta and may be processed by either of them. Etisicura S.R.L. and Etisicura Malta follow and adhere to appropriate safeguards in line with EU law for the processing of personal data.


Which Personal Data is collected by the Branch?


To conduct its business and comply with government regulations (employment, tax etc.), the Branch may collect various personal and other data of its data subjects. Such data may be directly collected from data subjects themselves or indirectly entrusted to the Branch in the course of its activities from other controllers or processors or third parties with whom the Branch is interacting.  

During such time that the Branch is processing personal data of its data subjects for its ordinary business, the data subjects should be aware that there may be instances in which the personal information provided to the Branch will classify as “Special Category Data” which may include among others, personal information for the determination of the individual’s racial or ethnic origin, political opinions, religious beliefs, physical or mental health or judicial data.

The Branch recognises that the processing of such Special Category Data is considered to pose a higher risk to the fundamental rights and freedoms of the data subjects and therefore, the Branch should always ensure that sensitive personal data is processed more rigorously and carefully and in very strict adherence to the Policy.


Which Personal Data is collected?

The Branch may collect or have access to the following information:

    a. If a data subject contacts the Branch through its website, the Branch may collect the following information:


  • Name & Surname

  • Identity Card & Passport Identification Numbers

  • Mobile Number

  • Email address

  • Marital status;

  • Residential Address

  • Details related to financial status, wealth, banking details, and other financial data

  • Date of Birth, Marriage and other acts of Civil life

  • Mailing & Email addresses

  • Resumes and/or applications

  • Letters of offers and letters of acceptance

  • Sanction Letters

  • Details relating to personal health & employment history;

  • Other information voluntarily provided by the data subject


    b. Other information which the Branch may collect or generate through the Branch’s technologies and security systems:

  • CCTV Footage (through the operation of a CCTV System for security and safety purposes inside our premises)

  • Information in relation to the data subject’s use of the Branch IT communication sent electronically

  • Emails and instant messaging

  • Call logs for communication purposes


Procedure for the collection of Data Subjects Personal Data


Data subjects’ personal data may be collected or accessed in a number of ways including but not limited to the following:

  • Directly from the data subject (whether directly or verbally) in the course of the business with the Branch

  • When the data subject contacts or requests information from the Branch

  • When the data subject creates a relationship with the Branch (by sending a CV or a query, or by engaging with the staff for business purposes)

  • When the data subject signs up to receive information from the Branch

  • Received from third parties in relation to the services offered to the data subjects. Third parties may include government agencies and publicly accessible sources. In such instances, the Branch will make sure that such third parties are entitled to disclose such information to the Branch.


Such processing is done either to carry out the business and pursue the Branch’s legitimate purposes or to fulfil a contract.


Use of Personal Data


The Branch uses the personal data of its data subjects for any of the following reasons:

  • To provide the data subjects with the services offered by the Branch

  • To contact its data subjects if required in relation to the Branch’s services provided to its data subjects and/or to reply to any communications that any of its data subjects might send to the Branch from time to time.

  • To verify the identity of its data subjects

  • To provide its data subjects with suggestions and advice in relation to its services

  • To provide its data subjects with the highest level of customer care the Branch possibly can

  • To comply with the Branch’s legal and regulatory obligations

  • For the establishment, exercise or defence of legal claims or proceedings

  • For operational purposes such as health and safety and to ensure a safe working environment

  • To keep up to date client records

  • For employment and recruitment purposes


Job Applicants


As part of the Branch’s recruitment process, or in case an individual sends a CV in connection to a job application through the Branch’s website, the Branch may collect and process personal data relating to job applicants. If the application is unsuccessful, the Branch may keep this information on file for up to two years in case of any future employment opportunities for which the applicant may be suited. The Branch will ask for the applicant’s consent before it keeps his or her data for this purpose and the applicant is free to withdraw his or her consent at any time.

Employee Data


In employment relationships, the collection of the personal data of the employees of the Branch is done for the day-to-day business of the Branch which may include the following uses:

  • To manage all aspects of an employee’s employment relationship, including, but not limited to the establishment, maintenance, and termination of employment relationships.

  • Assessment of qualifications for a particular job or task/s

  • Administering payroll

  • Determination of eligibility for employment

  • Determination of employment performance

  • Establishment of training

  • Gathering of information for disciplinary action

  • Carry out other purposes as part of the Branch’s business activities when reasonably required by it

  • To investigate and respond to claims against the Branch

  • To comply with applicable laws (e.g. health and safety, employment laws, regulations, tax laws), including judicial or administrative orders regarding individual employees (e.g., garnishments, child support payments)


Branch Client Personal Data


Personal data of the clients of the Branch may be processed in order to establish, execute and terminate the contract for services to be provided by the Branch.

Processing of Data Subjects’ Personal Data


The Branch will process personal data fairly and lawfully, and only to the extent necessary as may be allowed in terms of law or any terms and conditions stipulated by the Branch.  When processing data subjects’ personal data, the Branch will make sure that the processing is lawful only if and to the extent that at least one of the following conditions applies:

  1. The data subjects have given their clear affirmative consent, signifying agreement to the processing of their personal data for one or more specific purposes;

  2. Processing is necessary for compliance with a legal obligation to which the Branch is subject;

  3. To send marketing communications and informational newsletters that the data subject would have opted-in to;

  4. Processing is necessary for the Branch to operate, maintain, enhance and provide its services;


Restriction of Processing


The Branch recognises the right of its data subjects to restrict the processing of their personal data where one of the following applies:

  1. The data subject contests the accuracy of the personal data for a period, enabling the data subject to verify the accuracy of the personal data; or

  2. The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of personal data instead; or

  3. The Branch no longer needs the personal data for the purposes of processing; or

  4. The data subject has objected to processing pending the verification whether the Branch’s legitimate grounds override the data subjects’


Data Subjects’ Consent


When a data subject’s consent is required for the collection, processing and disclosure of personal data, the Branch will ensure that such consent is freely given and is unambiguous, with a clear affirmative action from the data subject’s end. Furthermore, subject to legal or contractual restrictions, the data subjects may withdraw their consent. Any communications with respect to such withdrawal or variation of consent shall be sent and addressed to the Branch Data Protection Contact Person.


Accuracy, Access, Rectification and Portability of Data Subjects’ Personal Data


The law requires the Branch to take reasonable steps to ensure data is kept accurate and up to date.

It is the responsibility of all employees, and where applicable the agents, who work with data to take reasonable steps to ensure it is kept up to date.

Employees should take every opportunity to ensure data is updated, for instance, by confirming the data subject’s details when they engage the Branch.

Data subjects of the Branch shall have the right to have their personal data kept accurate, complete and up to date for its intended use and shall further have the right to request the Branch to provide the data subject with a copy of all personal data held by the Branch concerning the said data subject.

In so far as employees’ and agents’ data is concerned, the employees and the agents shall immediately inform the Branch if and when their personal data changes. Moreover, the employees and the agents shall have the right to receive confirmation that their data is being processed and may request access to such personal data. The employees and the agents may further request a copy of the personal information obtained by the Branch; such a request may be made verbally or by electronic means. The Branch will then provide a copy of such information in a commonly used electronic form.

The above shall be applicable also to the other data subjects of the Branch who are not employees, agents or officers of the Branch.  

As data subjects of the Branch, they may review the personal data concerning them held by the Branch in order for the data subjects to be able to verify the lawfulness of the processing carried out by the Branch.

When the data subjects become aware of any inaccuracy or incompleteness in their personal data, the data subjects shall inform the Branch for rectification. Where it results that there is inaccurate information, the Branch will amend such data with the alternative text that the data subjects believe to be accurate.

Furthermore, the Branch shall take all the necessary steps to inform any relevant third parties which hold the inaccurate information to rectify accordingly.

The Right of Erasure of Data Subjects’ Personal Data


There are certain instances where data subjects may ask to have the data concerning them erased and, on such demand, the Branch will take all the necessary measures to erase all personal information concerning the data subjects without undue delay. However, the right of erasure of personal data is not absolute, as it is limited by, and subject to, all compliance, regulatory and legal obligations, including anti-money laundering regulations whereby the Branch is obliged to hold personal data for such period stipulated by law after the termination of the relationship between the data subject and the Branch, or for any longer time which may be necessary in view of the particular services provided to the data subject.

Right of the Data Subjects not to be evaluated on the basis of automated processing


Data Subjects of the Branch have the right not to be evaluated in any material sense, for example in connection with offers of employment or by any other means, solely on the basis of automated processing of their personal data.

Right of Data Subjects to file a Complaint


Any clarifications and/or issues relating to Data Protection may be discussed with the Branch’s Data Protection Contact Person, as mentioned further down below. However, data subjects of the Branch have the right to lodge a complaint with the Information and Data Protection Commissioner, Level 2, Airways House, High Street, Sliema SLM 1549, Malta through their website

Sharing of Personal Data


The Branch will not sell or rent personal information of data subjects to any third parties for marketing purposes without the data subject’s consent.

When personal data is processed by a third party, such as an IT service provider hired to carry out services which may include the processing of personal data of the data subjects of the Branch, an agreement on data processing will be concluded between that third party and the Branch. The Branch will ensure that the third party will be responsible for the proper performance of the data processing and that the third party will only process personal data as per the instructions given to it by the Branch. When such instructions are given, the requirements must be complied with.

Moreover, the Branch may provide non-identifiable data to third parties regarding the number of unique users who visit the Branch’s website, the demographic breakdown of users of the Branch’s website, or the activities of users on the Branch’s website.

Data subjects’ personal data may be shared with the employees of the Branch, and other third parties which may require such information in order to be able to assist the Branch in handling the relationship which the Branch has with the said data subjects. The Branch may further obtain such technological information to assist it in the Branch’s day-to-day business operations.

Furthermore, the personal data of data subjects may also be shared with insurance principals and agents with whom the Branch has a contractual relationship.

When the Branch shares data subjects’ personal information with such third parties, the Branch makes sure that such parties make use of this data in a manner which is consistent with this Policy.

Retention of Data Subjects’ Personal Data


The Branch will retain data subjects’ personal data for a minimum period of 10 years or such other time that the Branch believes that such data is necessary to fulfil the purposes for which the personal data was collected, and will not be kept for longer than is necessary, except as otherwise allowed or required by applicable laws and regulatory requirements. When the Branch considers that such personal data is no longer required, it will remove any details that will identify the data subjects or destroy any records in relation to the said data subjects.   

The data kept for statistical purposes shall be rendered anonymous and henceforth no identifiable data will be retained.


International Transfers of Personal Data

Where the Branch is required to transfer personal data of data subjects across international borders outside the country, including to countries outside the European Economic Area (EEA) that do not have laws providing specific protection for personal data or that have different legal rules on data protection, the Branch ensures that there is a legal basis for such a transfer and that adequate protection for the personal data is provided as required by applicable law, for example, by using standard contractual clauses approved by the European Commission or relevant authorities (where necessary) and by requiring the use of other appropriate technical and organizational information security measures. 

Responsibilities of Agents, Employees and Senior Officers of the Branch


Senior Officers


Senior Officers should ensure that employees:

  • Have the necessary training on data protection; and

  • Are familiar with local procedures and practices regarding the processing of all personal data to which they have access in the course of their duties.


Agents and Employees

  • Each agent and employee who works for the Branch has some responsibility for ensuring that data is collected, stored and handled properly.

  • Agents and Employees should use data belonging to the Branch and its data subjects responsibly and in accordance with all applicable data protection laws and this Policy. The Agents and Employees should be cautious about disclosing personal data both within and outside the Branch, and about using it in email and via the internet.

  • Each Agent and Employee shall only have access to that data which is required for his or her work;

  • Data should not be shared informally. When access to confidential information is required, employees can request it from their senior officer;

  • Every agent and employee must maintain privacy when displaying confidential data and information where it can be easily observed and must further observe strict confidentiality when discussing secure data and information and do so only when required to perform his or her job.

  • The Branch will provide training to all its agents and employees to help them understand their responsibilities when handling data;

  • Agents and Employees are responsible for keeping all data secure, by taking all necessary precautions and following these guidelines;

  • When required, strong passwords should be used and they should not be shared. Passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location.

  • Personal data should not be disclosed to unauthorised persons, either within the Branch or externally;

  • Employees should request assistance from their senior officer if they are unsure about any aspect of data protection.

  • Agents and Employees should report any loss or compromise of their own or others’ personal information to the Branch Data Protection Main Contact Person as soon as possible;

  • When working with personal data, agents and employees should ensure the screens of their computers are always locked when left unattended.

  • Personal data should not be shared informally, such as by being sent by email, as this is an insecure method.

  • Employees are prohibited at all times from removing Branch’s laptops containing data from the Branch’s premises, save in circumstances where prior consent is obtained from their senior officer.

  • Agents and Employees are prohibited from saving copies of personal data of the Branch to their own personal computers.

  • If an employee or an agent acquires any personal data in error by whatever means, they shall inform the Branch Data Protection Main Contact Person and, if it is not necessary for them to retain it, destroy the personal data.

Computer, Email and Internet usage


The Branch’s employees and agents are expected to use the internet responsibly and productively. Internet access is limited to job-related activities only, and personal use is not permitted. For such purposes, job-related activities shall include all those tasks which may be found via the internet that would help the employees and agents in their role with the Branch.

  • All internet data that is composed, transmitted and/or received by the Branch’s computer systems is considered to belong to the Branch and is recognised as part of its data. It is therefore subject to disclosure for legal reasons or to other appropriate third parties.

  • Emails sent via the Branch email system should not contain content that is deemed to be offensive. This includes, though is not restricted to, the use of vulgar language or inappropriate images.

  • All sites and downloads may be monitored and/or blocked by the Branch if they are deemed to be harmful or otherwise not productive to the activities of the Branch.

  • The installation of software such as instant messaging technology is strictly prohibited.

  • It is unacceptable for the employees and agents to use the internet to send or post discriminatory or offensive images or messages via the Branch’s email service or otherwise send or post information that is defamatory to the Branch, its services, employees or its clients.

  • The employees and agents are further prohibited from using the Branch’s computers to perpetrate any form of fraud and/or software, music or film piracy. In addition, downloading, copying or pirating software and electronic files that are copyrighted or without authorisation is prohibited.

  • It is of utmost importance that the employees do not share confidential material or proprietary information outside of the Branch’s premises.

  • The employees and agents are prohibited from introducing malicious software onto the Branch network and/or jeopardising the security of the Branch’s electronic communications systems.

  • Every employee and agent of the Branch is responsible for the content of all text, audio or image data that he or she places or sends over the Branch’s internet and e-mail systems. No e-mail or other electronic communications may be sent that hides the identity of the sender.

  • If the employee or the agent is unsure about what constitutes acceptable internet usage, the employee is advised to refer to the Branch Data Protection Main Contact Person.


Data Storage and Security


Safeguarding the privacy of the data subjects’ personal data is of utmost importance to the Branch and therefore, the Branch shall take necessary measures in terms of this Policy to ensure that the personal data of data subjects is stored safely and all precautions will be carried out to ensure that no unauthorised or unlawful processing of personal data takes place.

These rules describe how data shall be handled and stored:


When data is stored on paper:

  • Agents and Employees are required to ensure that all sensitive/confidential information in hardcopy or electronic form is secure in their work area at the end of the day and when they are expected to be gone for an extended period.

  • Computer workstations must be locked when workspace is unoccupied.

  • Computer workstations must be shut down completely at the end of the work day.

  • Any Restricted or Sensitive information must be removed from the desk and locked in a drawer when the desk is unoccupied and/or at the end of the work day. The key is to be kept at all times by the employee and not be handed to any co-workers or other persons outside the organisation. At the end of a working day the keys of the drawers should be locked in the safety deposit box. One of the senior officers must be informed of where the keys or copy of the keys are kept at all times, so that the documents can be accessed in case of emergency or when the employee is unavailable or on leave.

  • Employees and agents shall make sure that paper and printouts are not left unattended, for example left on a printer;

  • Where no longer required, printouts should be shredded and disposed of securely.


When data is stored electronically:

  • Data should be protected from unauthorised access and accidental deletion;

  • Data including all databases holding personal data should be protected by strong passwords that are changed regularly and never shared among employees;

  • Data should only be stored on the Branch’s designated drives and servers and should only be uploaded to approved cloud computing services.

  • Employees and agents are prohibited from storing any of the Branch’s data on personal drives which are not authorised by the Branch. Employees should be aware that where such instances are to occur, the Branch reserves the right to take disciplinary action against the employee;


Archive Rooms


The Branch has one archive room which has limited access and is secured by a security camera at all times. There are certain instances where the Branch may keep hard copies of documents containing personal data of its data subjects.

For this reason, the Branch shall ensure that a log book is maintained recording the name and surname of the person giving or receiving a document, as well as the time and date of entry and date of return of each document. 


Servers & Backups


Currently, the Branch does not have any servers located in Malta. The Branch’s server is located in Italy and provided by the company Internet Technologies SRL, Via Pace, 5, 37010 AFFI Verona. The Branch has contracted with this IT Service Provider to ensure that it has the proper safeguards in place to secure all personal data belonging to the Branch and that the servers containing personal data of the Branch are protected.

The Branch recognises that personal data contains vital information relating to the data subjects and therefore, the Branch shall make sure that its data is backed up frequently and that these backups are tested regularly. These backups shall be verified to ascertain their proper function in case of any loss, corruption or damage of data.

Anti-Virus Software


The Branch shall further make use of antivirus software to protect its computers and minimise the possibility of any viruses in its systems which may possibly damage its data, and shall further keep this software updated at all times.


Data Protection Breaches


For the purposes of this Policy a data breach is to be considered as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed”.

In case of any data breach, the Branch is legally obliged to notify the Office of the Information and Data Protection Commissioner without undue delay and, where feasible, not later than 72 hours after having become aware of the personal data breach. Where the Branch fails to do so and notifies the personal data breach later than the 72-hour period, the Branch must provide justification for such an action.

Accordingly, it is essential that upon becoming aware of a personal data breach or a suspected personal data breach, the employee must immediately report to the senior officer or the Branch Data Protection Contact Person. Employees and agents should not attempt to investigate or resolve the breach on their own.

In the case of a personal data breach, the data protection representative on behalf of the Branch will prepare a report to be presented to the Office of the Information and Data Protection Commissioner, including the following information:

  • The categories and approximate number of data subjects and the data records concerned

  • The contact details of the data protection representative as the main contact point

  • The likely consequences and measures taken to address and mitigate the breach


The Branch’s Right to Monitoring 


The Branch will do its best to respect each employee’s and agent’s privacy and autonomy at work; however, employees and agents should not expect that all their communications will be private, as the Branch has a legitimate interest in ensuring that data loss is prevented and that its IT systems are adequately protected.

All Branch-supplied technology, including computer systems, equipment and Branch-related working records and documentation, belongs to the Branch and not to the employee and/or the agent. Therefore, the Branch may monitor, examine and regulate an employee’s internal and external communications, via telephone, email, internet or otherwise, when carried out through or by means of the Branch’s internal technological equipment, for the Branch to determine proper use. Such monitoring is not person specific unless the employee has been told that such monitoring will take place and the reasons for the monitoring. The Branch will review network communications activity and will analyse use patterns.

No agent or employee may knowingly disable any network software or system identified as a monitoring tool.

In the interest of safety and security, the Branch may monitor areas under the ownership or control of the Branch through the use of video surveillance equipment in order to promote and maintain safety and security. This may include video surveillance devices or other video recording equipment upon the property owned or controlled by the Branch.

Any information collected through the use of video surveillance equipment will be considered as the property of the Branch and the senior officers will determine who has the right to have access to such information.

Video monitoring will not be used in the evaluation of employee performance, or to monitor employment-related duties; however, if video surveillance reveals a criminal act or criminal offence committed by the employee during his or her working hours, the Branch reserves the right to use that information for disciplinary actions and law enforcement.


Training and Compliance

The Branch shall provide training to all employees and agents on data protection matters at induction and on a regular basis thereafter. By such means, the Branch will ensure that all its employees and agents are made aware of the importance of data protection and the manner in which they are expected to handle data of the Branch and its data subjects. The training is mandatory.

The Branch will review and ensure compliance with this Policy at regular intervals.

The Branch Data Protection Contact Person

The Branch Data Protection Contact Person is Daniel Grech. The responsibilities of the Branch Data Protection Contact Person are the following:

  • To monitor compliance with this Policy, training and awareness-raising in relation to data protection

  • To act as a contact point and to cooperate with the Office of the Information and Data Protection Commissioner on issues relating to processing and in case of a data breach


Adherence to the Policy

It shall be the obligation of each employee of the Branch to adhere to this Policy. Employees should be aware that failure to observe this Policy may result in an employee being subject to personal disciplinary action up to and including dismissal.

This Internal Privacy and Security Policy is an addendum to the policies and procedures being implemented by the Italian company Etisicura S.R.L. registered at Torino (TO) Corso Unione Sovietica 560 Cap 10135 Italy with registration number TO-1090552 with regards to personal data.