Privacy Policy

A new EU regulation [General Data Protection Regulation – GDPR] relating to data privacy came into force on the 25th May 2018.

A copy of our Data Protection Policy is being featured for your perusal:

Environment & Resources Authority Data Protection Policy

 

The General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act (Cap 586) regulate the processing of personal data whether held electronically or in manual form. The Environment & Resources Authority is set to fully comply with the Data Protection Principles as set out in such data protection legislation and as such is committed to protect the privacy and security of one’s personal information.

Purposes for collecting data

The Environment & Resources Authority collects and processes information in order to carry out its obligations in accordance with present legislation. However, all data is collected and processed strictly in accordance with Data Protection Legislation, the Environment Protection Act [Chapter 549 of the Laws of Malta and its Subsidiary Legislations] by means of which the Environment & Resources Authority [ERA] was established, and also in accordance with other Laws of Malta and approved policies which are necessary for the Authority to carry out its proper functions and/or obligations.

In all cases the Environment & Resources Authority is committed to adhere to principles as laid down in the GDPR, which means that personal data is: (a) processed lawfully, fairly and transparently; (b) collected for specified, explicit and legitimate purposes; (c) adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed;
(d) accurate and where necessary kept up to date; (e) not be kept for longer than is necessary for that purpose; (f) processed in a manner that ensures appropriate security. This includes the processing of location data.

Recipients of data

Personal Information is accessed by the employees who are assigned to carry out the functions of the Environment & Resources Authority. Personal Data will be disclosed to authorised employees carrying out the functions of the Environment & Resources Authority. Any disclosure made to third parties will be in accordance and as authorised by law.

Retention policy

Personal Information is accessed by the employees who are assigned to carry out the functions of the Environment & Resources Authority. Personal Data will be disclosed to authorised employees carrying out the functions of the Environment & Resources Authority. Any disclosure made to third parties will be in accordance and as authorised by law.

Your rights

You are entitled to know, free of charge, what type of information the Environment & Resources Authority holds and processes about you and why, who has access to it, how it is held and kept up to date, for how long it is kept, and what the Unit is doing to comply with data protection legislation.

The GDPR establishes a formal procedure for dealing with data subject access requests. All data subjects have the right to access any personal information kept about them by the Environment & Resources Authority, either electronically or in manual files. Requests for access to personal information by data subjects are to be made in writing and sent to the CEO of the Environment & Resources Authority. Your identification details such as ID number, name and surname have to be submitted with the request for access. In case we encounter identification difficulties, you may be required to present an identification document.

The Environment & Resources Authority aims to comply as quickly as possible with requests for access to personal information and will ensure that it is provided within a reasonable timeframe and in any case not later than one month from receipt of request, unless there is good reason for delay. When a request for access cannot be met within a reasonable time, the reason will be explained in writing to the data subject making the request. Should there be any data breaches, the data subject will be informed accordingly.

All data subjects have the right to request that their information is amended, erased or not used in the event the data results to be incorrect.

In case you are not satisfied with the outcome of your access request, you may refer a complaint to the Information and Data Protection Commissioner, whose contact details are provided below.

CEO

The Environment & Resources Authority’s CEO may be contacted at:
Hexagon House
Spencer Hill
Marsa MRS 1441
Malta
Telephone: 22923500
Email: [email protected]

The Information and Data Protection Commissioner

The Information and Data Protection Commissioner may be contacted at:
Level 2, Airways House,
High Street,
Sliema SLM 1549
Telephone: 23287100
Email: [email protected]

Should you require more information on the GDPR, we recommend that you refer to: https://idpc.org.mt/en/Pages/Home.aspx

CCTV Surveillance Cameras Policy for Environment & Resources Authority

 

Scope

The purpose of this policy is to ensure that the use of CCTV Surveillance System operated by the Environment & Resources Authority does not infringe the rights of the data subjects by processing personal data adequately, not more than necessary and making sure that data is not kept for a period longer than necessary in conformity with Data Protection Legislation.

Background Information

The Data Controller for the Environment & Resources Authority is the CEO.

The Data Protection Officer representing the CEO may be contacted as follows:

Address:
Data Protection Officer
Corporate Services
Hexagon House
Spencer Hill
Marsa MRS1441
Telephone : (+356) (22923500)

Email: [email protected]

Data subjects will have a right of access to data being processed as per Chapter II (Article 15) of the General Data Protection Regulation. (Please refer to section relating to Access, below). Data subjects are also hereby informed of their right to lodge a complaint with the Information and Data Protection Commissioner.

The Information and Data Protection Commissioner may be contacted as follows:

Address:

Information and Data Protection Commissioner
Level 2, Airways House
High Street
Sliema SLM 1549
Malta
Telephone: (+356) 2328 7100

Email: [email protected]

Location & Purpose

CCTV surveillance is installed:

  1. In the Environment & Resources Authority’s premises at Hexagon House and other properties being used by the Authority. Cameras are located in the common areas of the office complex and the immediate perimeter areas of these buildings’ grounds. CCTV signages are placed in prominent and easily visible locations within the monitored area/s. In this instance the sole purpose of surveillance is to ensure security including safeguarding of assets, equipment and property contained in both the building complex/es and perimeter
    areas.
  1. In offsite locations falling under the Environment & Resources Authority’s remit associated with the legal obligations under the Flora, Fauna and Natural Habitats Protection Regulations, 2006 (SL 549.44), cameras are to be strategically located in order to cover such designated areas and their immediate perimeter areas. Cameras may also be placed in areas prone to breaches of environmental law for continued surveillance. CCTV signages will be placed in prominent and easily visible locations within the monitored area. The purpose of surveillance is to ensure the adequate protection and management of protected areas, habitats and species, as well as security including safeguarding of assets, equipment and the integrity of the property contained in the designated areas.

Relevant footage will not be used for any other purpose other than the one intended.

CCTV data processing for a distinct activity that is not compatible with the original reason for which cameras were installed will only be done if prior notice is given to the data subjects.

In view of Chapter II (Article 5) of the GDPR the Data Controller justifies the use of a CCTV Surveillance Camera system for the above-mentioned purpose. The recognisable images captured by the cameras will be processed adequately and in a relevant manner and shall be necessary in relation to the purposes of the processing as per Chapter II Article 6 of the GDPR.

Access to Footage & Data

Access to the CCTV footage is restricted to authorised personnel only by means of an authorisation access process. The Data Controller shall authorise further access to footage if so required when relevant to the purpose/s specified above.

In the case of an activity captured by a camera which might lead to disciplinary investigation and/or legal enforcement actions, the relevant extract of the camera’s footage shall only be disclosed to the CEO and/or officer/s nominated to investigate the case by the Authority.

In the case CCTV surveillance mode [1 above] of an activity captured by a camera which might lead to criminal charges, the relevant extract of the camera’s footage shall only be disclosed by the Authority to law enforcement authorities and this subsequent to the filing of a Police report by the CEO or DCS.

Any other requests for footage captured by these CCTVs in general must be made to the Authority’s Data Controller and /or Data Protection Officer through the submission of a Police request which is authorised by a Police Inspector or higher grade.

The Environment & Resources Authority undertakes to comply with a strict security policy vis-a-vis the access to recorded images. Any internal access to visual images by the Environment & Resources Authority or any disclosure of such images further to a request by a law enforcement authority or by the data subject shall be logged and kept as evidence.

Right of Access

Any individual whose personal data is held by the Environment & Resources Authority, in the form of CCTV recording, can request access to that recording. The Data Controller is obliged to provide access to the footage without disclosing the identity of third parties.

If an individual is not satisfied with the reply as provided or with the manner of access that has been granted, the matter may be referred to the Information and Data Protection Commissioner who will investigate the case and ascertain that the right of access is properly granted.

Right of access request shall be made in writing and addressed to the Controller. For operational efficiency purposes request is to indicate exact location of incident and approximate timeframes that would need to be reviewed, along with a proper explanation as to why request is being made.

Retention Period

CCTV footage data is retained for a maximum of seven [7] days (except for the yearly shutdown period). This period reflects the minimum period necessary to fulfil the purposes for which the data was obtained. After the lapse of this period, images are automatically overwritten by the system with new images. If data is extracted in relation to an investigation, it will only be held for the period as established by Law.

Conclusion

This policy provides the reasons and means of processing through the use of a CCTV Surveillance System within the Environment & Resources Authority whilst ensuring that the rights of the data subjects are not infringed, by processing personal data adequately, not more than necessary and making sure that data is not kept for a period longer than necessary in conformity with Data Protection Legislation.

Use of Body-Worn Cameras Policy for Environment & Resources Authority

 

Scope

As part of its enforcement and regulatory functions, the Environment & Resources Authority (ERA) makes use of body-worn cameras (BWCs) operated by authorised officers. The use of such devices forms part of ERA’s commitment to safeguarding public interests and compliance with environmental laws, enhancing officer safety, and ensuring transparent operations in accordance with data protection legislation.

Background Information

The Data Controller for the Environment & Resources Authority is the CEO.

The Data Protection Officer representing the CEO may be contacted as follows:

Address:
Data Protection Officer
Corporate Services
Hexagon House
Spencer Hill
Marsa MRS1441
Telephone : (+356) (22923500)

Email: [email protected]

Data subjects will have a right of access to data being processed as per Chapter II (Article 15) of the General Data Protection Regulation. (Please refer to section relating to Access, below). Data subjects are also hereby informed of their right to lodge a complaint with the Information and Data Protection Commissioner.

The Information and Data Protection Commissioner may be contacted as follows:

Address:

Information and Data Protection Commissioner
Level 2, Airways House
High Street
Sliema SLM 1549
Malta
Telephone: (+356) 2328 7100

Email: [email protected]

Purpose

  • Enhance the safety and security of both the public and ERA officers;
  • Deter abusive, aggressive, or unlawful behaviour during official duties;
  • Provide accurate and impartial evidence for regulatory enforcement, inspections, and legal
    proceedings;
  • Promote accountability and transparency in ERA’s operational conduct.

Legal Basis

Processing of personal data through the use of BWCs is carried out under the following legal provisions:

  • Environment Protection Act (Cap. 549 of the Laws of Malta) – which provides ERA officers with the authority to conduct inspections and enforcement duties.

Categories of Data Collected Data collected through BWCs may include:

  • Video recordings – capturing images of individuals, premises, and environmental conditions;
  • Audio recordings – including conversations between officers and the public during official interactions;
  • Metadata – such as time and date related to the recording.

BWCs are activated at the discretion of officers when a specific situation warrants the need for recording, based on operational and risk assessments. A visual indicator (such as a blinking light) and visible signage on the device serve to inform individuals of active recording.

Retention Period

Recorded data is retained only as long as necessary for the purposes for which it was collected. In the absence of a lawful reason to retain the footage (e.g., for investigation or legal proceedings), data will be automatically deleted after 30 days. If required for evidentiary or legal purposes, data may be retained for a longer period in line with applicable legislation and regulatory obligations.

Right of Access

Access and Data Sharing Access to BWC footage is strictly limited to authorised personnel. Where legally permissible or required, recordings may be disclosed to:

  • Law enforcement authorities;
  • Courts or judicial bodies;
  • Other competent regulatory or governmental entities.

No footage will be shared with unauthorised third parties. ERA ensures appropriate technical and organizational safeguards are in place when handling such data.

In line with data protection legislation, data subjects recorded by BWC devices have the right to:

  • Request access to footage involving them, subject to applicable legal limitations;
  • Request rectification or erasure of personal data, where appropriate;
  • Lodge a complaint with the Information and Data Protection Commissioner (IDPC) if they believe their data is being processed unlawfully.

Conclusion

This policy sets out the lawful basis, purposes, and procedures for the processing of personal data through the use of BWCs by authorised officers of ERA. ERA remains committed to upholding the rights of data subjects by ensuring that all personal data is processed fairly, lawfully, and transparently; limited to what is necessary for the intended purposes; and retained only for the period required to fulfil those purposes, in full compliance with applicable data protection legislation.

Click here to download a soft copy of our Privacy Policy