A new EU regulation [General Data Protection Regulation – GDPR] relating to data privacy came into force on the 25th May 2018.
A copy of our Data Protection Policy is being featured for your perusal:
Environment & Resources Authority Data Protection Policy
The General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act (Cap 586) regulate the processing of personal data whether held electronically or in manual form. The Environment & Resources Authority is set to fully comply with the Data Protection Principles as set out in such data protection legislation and as such is committed to protect the privacy and security of one’s personal information.
Purposes for collecting data
The Environment & Resources Authority collects and processes information in order to carry out its obligations in accordance with present legislation. However, all data is collected and processed strictly in accordance with Data Protection Legislation, the Environment Protection Act [Chapter 549 of the Laws of Malta and its Subsidiary Legislations] by means of which the Environment & Resources Authority [ERA] was established, and also in accordance with other Laws of Malta and approved policies which are necessary for the Authority to carry out its proper functions and/or obligations.
In all cases the Environment & Resources Authority is committed to adhere to principles as laid down in the GDPR, which means that personal data is: (a) processed lawfully, fairly and transparently; (b) collected for specified, explicit and legitimate purposes; (c) adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed; (d) accurate and where necessary kept up to date; (e) not be kept for longer than is necessary for that purpose; (f) processed in a manner that ensures appropriate security. This includes the processing of location data.
Recipients of data
Personal Information is accessed by the employees who are assigned to carry out the functions of the Environment & Resources Authority. Personal Data will be disclosed to authorised employees carrying out the functions of the Environment & Resources Authority. Any disclosure made to third parties will be in accordance and as authorised by law.
We will keep Personal Information only so long as it is necessary to do so, or as required by law. When the Personal Information that is no longer required it will be disposed of in an efficient manner ensuring that such information is no longer available within the Environment & Resources Authority.
You are entitled to know, free of charge, what type of information the Environment & Resources Authority holds and processes about you and why, who has access to it, how it is held and kept up to date, for how long it is kept, and what the Unit is doing to comply with data protection legislation.
The GDPR establishes a formal procedure for dealing with data subject access requests. All data subjects have the right to access any personal information kept about them by the Environment & Resources Authority, either electronically or in manual files. Requests for access to personal information by data subjects are to be made in writing and sent to the CEO of the Environment & Resources Authority. Your identification details such as ID number, name and surname have to be submitted with the request for access. In case we encounter identification difficulties, you may be required to present an identification document.
The Environment & Resources Authority aims to comply as quickly as possible with requests for access to personal information and will ensure that it is provided within a reasonable timeframe and in any case not later than one month from receipt of request, unless there is good reason for delay. When a request for access cannot be met within a reasonable time, the reason will be explained in writing to the data subject making the request. Should there be any data breaches, the data subject will be informed accordingly.
All data subjects have the right to request that their information is amended, erased or not used in the event the data results to be incorrect.
In case you are not satisfied with the outcome of your access request, you may refer a complaint to the Information and Data Protection Commissioner, whose contact details are provided below.
The Environment & Resources Authority’s CEO may be contacted at:
Marsa MRS 1441
The Information and Data Protection Commissioner
The Information and Data Protection Commissioner may be contacted at:
Level 2, Airways House,
Sliema SLM 1549
Should you require more information on the GDPR, we recommend that you refer to: https://idpc.org.mt/en/Pages/Home.aspx
CCTV Surveillance Cameras Policy for Environment & Resources Authority
The purpose of this policy is to ensure that the use of CCTV Surveillance System within the Environment & Resources Authority does not infringe the rights of the data subjects by processing personal data adequately, not more than necessary and making sure that data is not kept for a period longer than necessary in conformity with Data Protection Legislation.
The Data Controller for the Environment & Resources Authority is the CEO.
The Data Protection Officer representing the CEO may be contacted as follows:
Data Protection Officer
Telephone : (+356) (22923500)
Data subjects will have a right of access to data being processed as per Chapter II (Article 15) of the General Data Protection Regulation. (Please refer to section relating to Access, below). Data subjects are also hereby informed of their right to lodge a complaint with the Information and Data Protection Commissioner.
The Information and Data Protection Commissioner may be contacted as follows:
Information and Data Protection Commissioner
Level 2, Airways House
Sliema SLM 1549
Telephone: (+356) 2328 7100
Location & Purpose
CCTV surveillance is installed:
- In the Environment & Resources Authority’s premises and cameras are located in the common areas of the office complex and the immediate perimeter areas of this building’s grounds. CCTV signages will be placed in prominent and easily visible locations within the monitored area. The sole purpose of surveillance is to ensure security including safeguarding of assets, equipment and property contained in both the building complex and perimeter
- In offsite locations falling under the Environment & Resources Authority’s remit associated with the legal obligations under the Flora, Fauna and Natural Habitats Protection Regulations, 2006 (SL 549.44), cameras are to be strategicaly located in order to cover such designated areas and their immediate perimeter areas. CCTV signages will be placed in prominent and
easily visible locations within the monitored area. The purpose of surveillance is to ensure the adequate protection and management of protected areas, habitats and species, as well as security including safeguarding of assets, equipment and the integrity of the property contained in the designated areas.
Relevant footage will not be used for any other purpose other than the one intended.
CCTV data processing for a distinct activity that is not compatible with the original reason for which cameras were installed will only be done if prior notice is given to the data subjects.
In view of Chapter II (Article 5) of the GDPR the Data Controller justifies the use of a CCTV Surveillance Camera system for the above-mentioned purpose. The recognisable images captured by the cameras will be processed adequately and in a relevant manner and shall be necessary in relation to the purposes of the processing as per Chapter II Article 6 of the GDPR.
Access to Footage & Data
Access to the CCTV footage is restricted to authorised personnel only by means of an authorisation access process. The Data Controller shall authorise further access to footage if so required when relevant to the purpose/s specified above.
In the case of an activity captured by a camera which might lead to disciplinary investigation and/or actions, the relevant extract of the camera’s footage shall only be disclosed to the CEO and/or officer/s nominated to investigate the case by the Authority.
In the case of an activity captured by a camera which might lead to criminal charges, the relevant extract of the camera’s footage shall only be disclosed by the Authority to law enforcement authorities and this subsequent to the filing of a Police report by the CEO or DCS.
The Environment & Resources Authority undertakes to comply with a strict security policy vis-a-vis the access to recorded images. Any internal access to visual images by the Environment & Resources Authority or any disclosure of such images further to a request by a law enforcement authority or by the data subject shall be logged and kept as evidence.
Right of Access
Any individual whose personal data is held by the Environment & Resources Authority, in the form of CCTV recording, can request access to that recording. The Data Controller is obliged to provide access to the footage without disclosing the identity of third parties.
If an individual is not satisfied with the reply as provided or with the manner of access that has been granted, the matter may be referred to the Information and Data Protection Commissioner who will investigate the case and ascertain that the right of access is properly granted.
Right of access request shall be made in writing and addressed to the Controller. For operational efficiency purposes request is to indicate exact location of incident and approximate timeframes that would need to be reviewed, along with a proper explanation as to why request is being made.
CCTV footage data is retained for seven  days (except for the yearly shutdown period). This period is the necessary period for which the data was obtained. After the lapse of this period, images are automatically overwritten by the system with new images. If data is extracted in relation to an investigation it will only be held for the period as established by Law.
This policy provides the reasons and means of processing through the use of a CCTV Surveillance System within the Environment & Resources Authority whilst ensuring that the rights of the data subjects are not infringed, by processing personal data adequately, not more than necessary and making sure that data is not kept for a period longer than necessary in conformity with Data Protection Legislation.