Security & Operations Privacy Notice

Version 2 | Last updated: 02 September 2019

The Data Controller

Malta International Airport p.l.c. (“the Company”, “we”, “us”, “our”), a company registered under the laws of Malta with registration number C12663 and having its registered address at Malta International Airport, Luqa, LQA 4000, Malta, and its subsidiaries Airport Parking Limited (C43537), Sky Parks Development Limited (C48061) and Sky Parks Business Center Limited (C56107) shall be considered as the data controller and responsible for your personal data.

We have appointed a Data Protection Officer (the “DPO”) whose details can be retrieved via this link. If you have any questions about this Policy, including concerns about your personal data or our data collection practices, please contact our DPO via the contact details provided on the website or via telephone on (+356) 2369 6268 during office hours.

Personal Data

The terms “personal data” or “personal information” mean any information about an individual for which that person can be identified. It does not include data where the identity has been removed (anonymous data).

The Company only collects and processes personal data that you provide it with.

Scope

The purpose of this notice is to describe how the Company shall collect, manage and use the personal data in relation to processing activities in the fields of security and operations.

This policy may be amended, as necessary, and/or supplemented from time to time so as to ensure compliance with the ongoing requirements of the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) and other applicable data protection regulation.

Processing of Personal Data

The Company processes a variety of personal information for aspects relating to the operation and security of the airport in general and the safety of staff, clients, passengers, airlines and visitors in particular.

Outlined below are the details on all security and operations-related data processing activities on a system-by-system basis that the Company may carry out.

4.1 CCTV Systems

The Company operates CCTV Systems that primarily include closed circuit television (“CCTV”) and automatic number plate recognition (“ANPR”). For more information on the purposes of processing of your personal data by means of these systems, we have drafted a specific privacy policy which is publicly available and can be accessed via this link.

4.2 Airport Security Passes

Persons entering security-restricted areas of the airport need to be in possession of a valid Airport Security Pass. The following Airport Security Passes are issued by Aviation Security Malta (“AVSEC”), the regulating body for aviation security in Malta:

Permanent Security Passes (paper-based system)
Security Visitor Passes (computer-based system)

With respect to these systems, we act as a data processor and collect personal data on behalf of and on the instructions of AVSEC. For more information on how AVSEC processes your personal data in their capacity as data controllers, you may request their Privacy Notice via the contact channels on this link.

4.2.1 Permanent Airport Security Passes

We act as a data processor in collecting personal information required for the issuance of Permanent Airport Security Passes (“Permanent Pass”) on behalf of and on the instructions of AVSEC (data controller). For more information on how AVSEC processes your personal data you may request their Privacy Notice via the contact channels on this link.

Personal information may be collected by means of a paper-based system (i.e. forms issued by AVSEC) or an electronic system (i.e. online application), which is operated by us on behalf of the data controller AVSEC.

On behalf of AVSEC, we collect some or all of the following categories of information:

Personal identification information, including name, date of birth, nationality, gender, ID card or passport number and photos
Contact information, such as home address, contact numbers and e-mail address
Employment-related information, such as employing company and job description
Information needed for compliance, such as police conduct certificate from foreign countries in cases where the applicant resided in a country other than Malta in prior years
Application information, such as the number and type of application, access requirements and declaration

Personal information is collected and used for the compliance with legal obligations and based on our legitimate interests for the following purposes:

Processing and endorsement of applications for Permanent Airport Security Passes in terms of operational need in line with the requirements under the National Civil Aviation Security Programme (NCASP)
Issuance, renewal and administration of Permanent Airport Security Passes
Background check on criminal record for security purposes
Issuance and administration of physical access rights

Physical forms and all attached documents are directly passed to AVSEC and not retained by us. However, we may be required to extract and process the following personal information in electronic form as data controller

Personal identification information, including name and ID card or passport number
Employment-related information such as employing company and job description

This information is used to comply with legal requirements of the National Civil Aviation Security Programme (the “NCASP”) that coordinates Malta’s aviation security system in harmony with the European Union legislation, the European Civil Aviation Conference (ECAC) Doc 30 and the International Civil Aviation Organisation (ICAO) Annex 17 and based on our legitimate interests for the following purposes:

Verification of permanent pass holders as escorting person for Security Visitor Pass Holders (see 4.2.2)

For security reasons Airport Security Visitor Pass holders are required to be escorted by a Permanent Pass holder when accessing security-restricted areas. The applicant is required to state the escorting person, who is then verified against the database.

Information submitted in electronic format is processed in line with the instructions provided by AVSEC and the retention periods outlined below.

Personal information will not be retained longer than required for the respective purpose of processing and will generally be stored until the holder’s Permanent Pass expires (or is returned) and a maximum of 2 years thereafter. Personal data will only be retained longer if we are required to keep that information due to a statutory obligation imposed on us and/or due to accepted standards, including where processing may be necessary for the establishment, exercise or defence of legal claims.

4.2.2 Airport Security Visitor Passes

Persons requiring access to restricted areas of the airport may apply for an Airport Security Visitor Pass (“Visitor Pass”, “SVP”) by using an online application system provided by the Company on behalf of AVSEC.

Same as for Permanent Passes, we act as a data processor, as we process this data on behalf of and on the instructions of AVSEC. For more information on how AVSEC processes your personal data you may request their Privacy Notice via the contact channels on this link.

On behalf of AVSEC, we collect some or all of the following categories of information:

Personal identification information, including name and ID card or passport number;
Employment-related information such as employing company and job description; and
Information on the date and reason of the visit as well as the areas that access is requested to;
Information on any prohibited items or vehicles to be taken to restricted areas; and
Information on the accountable Permanent Pass holder, including name and Permanent Pass number.

Third parties may create applications on behalf of individuals requiring a Visitor Pass and the applicant may therefore not necessarily be the prospective Visitor Pass holder. In this case the Company additionally collects personal data, such as the name, the employing company and job description of the person submitting the application.

We process this personal data to comply with legal requirements of the NCASP and based on our legitimate interests in order to sustain highest possible safety and security standards at all times for the purpose of administrating the application and issuance of Security Visitor Passes. We ensure that the legitimate interests pursued by us are not overridden by your interests, rights and freedoms.

The following third parties may need to access your personal data at times:

The Armed Forces of Malta (Security reasons)
SITA (Company providing IT support & helpdesk)

The personal information will be retained until the holder’s Visitor Pass expires or is returned and a maximum of 2 years thereafter. Personal data will only be retained longer if we are required to keep that information due to a statutory obligation imposed on us and/or due to accepted standards, including where processing may be necessary for the establishment, exercise or defence of legal claims.

4.3 Application for the General Security Awareness Training (GSAT)

All holders of an Airport Security Pass issued by AVSEC are required by law to undergo General Security Awareness Training (“GSAT”). To register for the GSAT, prospective participants need file an application form (the “Form”). For this, we may collect personal data pertaining to the following categories:

Personal identification information, including name, home address, contact numbers, date of birth
Employment-related information such as employing company and job description
Information on Airport Security Pass application type

We process your personal data to comply with a legal obligation. We use the personal information submitted in the Form only for the purpose of conducting the administration, certification and billing of the GSAT.

We may need to share certain GSAT-related data with third parties, such as AVSEC (for the processing and issuance of the security pass application) and your respective employer (to certify that the training was conducted and for billing purposes).

The personal information you provide will not be kept for longer than statutory obligations imposed on us, including where processing may be necessary for the establishment, exercise or defence of legal claims, and/or accepted standards allow us to.

4.4 Access Control System

The Company operates an access control system, that facilitates the management of access control throughout the airport, mainly the management of which pass holders can open which doors/gates/entrances. We are responsible for allocating landside access rights (i.e. MIA premises) and AVSEC are responsible for allocating airside access (i.e. Gates). For this, we may collect personal data pertaining to the following categories:

Personal identification information, including name and ID card or passport number;
Employment-related information such as employing company and job description
Information on the requested and/or required areas to be accessible;

We process this personal data to comply with the legal requirements of the NCASP and also rely on our legitimate interest in order to sustain highest possible safety and security standards within our premises at all times. We ensure that the legitimate interests pursued by us are not overridden by your interests, rights and freedoms. We use the personal information only for access control purposes (i.e. issuance of access rights, retention of access logs). To do so, the following third parties may need to access to your personal data at times:

The Armed Forces of Malta (Security reasons)
SITA (Company providing IT support & helpdesk)

The personal information will be retained until the holder’s Visitor Pass expires or is returned and a maximum of 6 months thereafter. Personal data will only be retained longer if we are required to keep that information due to a statutory obligation imposed on us and/or due to accepted standards, including where processing may be necessary for the establishment, exercise or defence of legal claims.

4.5 Pre-Security Boarding Pass Scanners

Pre-Security Boarding Pass Scanners are a layer of security to allow people with a valid boarding pass or airport security pass, who have an “operational need” (i.e. work or travel) to enter the first stage of the Critical Part of the Security Restricted Area (CPSRA). For this, we may collect personal data pertaining to the following categories:

Name, Surname
Flight Number and Details
Time of Pass-Through

We process this personal data to comply with legal requirements of the NCASP. We also rely on our legitimate interest in order to sustain highest possible safety and security standards within our premises at all times. When we process your Personal Data on the basis of our legitimate interests, we ensure that the legitimate interests pursued by us are not overridden by your interest, rights and freedoms. We use the personal information only for access control purposes (i.e. validation of pass) and in case of investigations by public authorities. For these purposes, the following third parties may need to access to your personal data at times:

Courts of Justice, Malta Police Force or Security Services Malta
SITA (Company providing IT support & helpdesk)

The personal information collected will not be kept for longer than statutory obligations imposed on us, including where processing may be necessary for the establishment, exercise or defence of legal claims, and/or accepted standards allow us to. In any case, personal data shall be retained no longer than 6 months.

4.6 Key Management System

For the administration of physical keys, the Company operates a Key Management System. The automated system records when and by whom a key is used and keeps a history of all key transactions. Users have access to keys via their personal PIN number and can only retrieve keys which they are authorized to.

Personal identification information, including name and ID card or passport number;
Employment-related information such as department and/or employing company
Information related to keys, such as authorizations and logs of key issuance and return

We process this personal data to comply with legal requirements of the NCASP and rely on our legitimate interest in order to sustain highest possible safety and security standards within our premises at all times. We ensure that the legitimate interests pursued by us are not overridden by your interests, rights and freedoms. We use the personal information only for key management and access control purposes.

4.7 Airfield Driving Permits (ADP)

Subject to certain requirements, persons with an operational need to operate a vehicle on the airfield can apply for an Airfield Driving Permit by submitting an application form with the Company. We may collect personal data pertaining to the following categories:

Personal identification information, including name, home address, contact numbers, date of birth, ID card number and copy of ID card
Copy of Airport Security Pass
Copy of State Driving Licence
Information on appraisal of aptitude (i.e. doctor’s (fit/unfit) certification)

We process this personal data to comply with legal requirements of the NCASP and rely on our legitimate interest in order to sustain highest possible safety and security standards in critical airfield areas at all times. We ensure that the legitimate interests pursued by us are not overridden by your interests, rights and freedoms. We use the personal information submitted in the application form only for the purpose of administrating and issuing Airfield Driving Permits.

4.8 Airfield Vehicle Permits (AVP)

Vehicles allowed to operate on the airfield need to hold a valid AVP. Since the permit is issued on the vehicle and not on an individual, personal data held is limited to the details of the applicant and the registered owner of the vehicle. Registered owners are mostly persons acting in their professional capacity, not private individuals.

We may collect personal data pertaining to the following categories:

Personal identification information of the applicant, including name, contact numbers, date of birth, ID card number and copy of ID card
Employment-related information such as employing company and job description
Personal identification information of the registered owner of the vehicle, including name, contact numbers, date of birth, and ID card number

We process this personal data to comply with legal requirements and rely on our legitimate interest in order to sustain highest possible safety and security standards in critical airfield areas at all times. We ensure that the legitimate interests pursued by us are not overridden by your interests, rights and freedoms. We use the personal information submitted in the application form only for the purpose of administrating and issuing Airfield Vehicle Permits.

4.9 Light Aircraft Applications

This system provides a means for its registered users to book slots for using light aircraft both for local use such as flight training and sightseeing and also for international flights. We may collect personal data pertaining to the following categories:

Passenger-related information, such as names, and ID card numbers
Flight-related information, such as aircraft registration number
We process this personal data to comply with legal requirements and rely on our legitimate interest in order to sustain highest possible safety and security standards in critical airfield areas at all times. We use the personal information submitted in the application form only for the purpose of administrating and issuing Airfield Vehicle Permits.

We process this personal data to comply with legal requirements and also rely on our legitimate interest. We use the information only for registering local flight movements and for statistical purposes.

When we process your Personal Data on the basis of our legitimate interests, we ensure that the legitimate interests pursued by us are not overridden by your interest, rights and freedoms.

The following third parties may have access to your personal data at times:

SITA (Company providing IT support & helpdesk)

4.10 Marshalling Permits

Employees of Ground Handling Service Providers (GHSP) who work as marshals are required to hold a Marshalling Permit. Companies may submit applications. Potential permit holders need to undergo training from their organization and MIA receives a Certificate of Competence confirming the training. Thereafter, a permit can be issued.

We may collect personal data pertaining to the following categories:

Personal identification information of the applicant, including name, contact numbers, home address, date of birth, ID card number and copy of ID card
Copy of AVSEC Security Pass
Certificate of Competence submitted by employing company

We process this personal data to comply with legal requirements of the NCASP. We use the personal information submitted in the application form only for the purpose of administrating and issuing Marshalling Permits.

4.11 Two-Way Radios

On the airfield, the Company operates a two-way radio system that facilitates communication between the airport, air traffic control (ATC) as well as aircrafts and possible other stakeholders operating on the airfield.

In this respect, we may collect personal data pertaining to the following categories:

Voice recordings

We process this personal data to comply with legal requirements. We use the collected recordings only for documentation purposes in case of investigations of incidents.

Therefore, the following third parties may have access to your personal data at times:

SITA (Company providing IT support & helpdesk)
Courts of Justice, Malta Police Force or Security Services Malta (in case of investigations)

Disclosures of Personal Data

Where we act as data controllers in the above circumstances and we disclose your personal data to third parties (other than government entities and courts of justice), we shall take reasonable contractual measures to ensure that the respective third party processes your personal information diligently and in conformity with data protection legislation. Additionally, we may be required to disclose your personal data to third parties as a result of legal obligations imposed on us (e.g. Courts of Justice, Malta Police Force).

As controllers, we require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

At the time of issuing these policies, the Company does not intend to transfer your personal data to a recipient located in a non-EEA country. Where we or our processors intend to transfer your personal data to non-EEA countries, we shall ensure the lawful processing of your personal data by putting in place the appropriate safeguards in accordance with the applicable privacy laws, and/or any other applicable legislation. These appropriate safeguards include the EU Model Clauses entered into by us and our processors/controllers; or ensuring that our data processors located in the USA subscribe to the Privacy Shield. We shall provide you with a copy of these EU model clauses upon your reasonable request.

Information Security

The Company takes precautions to protect personal information from loss, misuse and unauthorised access, disclosure, alteration and destruction. We have taken appropriate technical and organisational measures to protect the information systems and physical storage where your personal data is stored, and we require our suppliers and service providers to protect your personal information by contractual means.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

More information on technical and organizational security measures adopted us may be requested on dataprotection@maltairport.com.

Your Rights at Law

Your rights with regards to personal data are the following:

Right of Access: You have the right to access the personal data that the Company processes about you. You can do so filing a Data Subject Access Request Form online or sending a printed form to our Data Protection Officer. Both the online and printable form together with instructions and contact details can be accessed in the data protection section on our website.
Right to Rectification: You also have the right to request that inaccurate data be corrected or erased and to seek redress for any damage caused. Procedures are in place to ensure all such access requests are dealt with effectively and within the law.
Right to Lodge a Complaint: You have the right to lodge a complaint regarding the processing of your personal data with the supervisory authority for data protection matters. In Malta this is the Information and Data Protection Commissioner (the “IDPC”), with whom a complaint can be lodged via a form available on their website.
Right to Erasure: In certain circumstances you may request the Company to delete the personal data that is held about you.
Right to Object: You have a right to object and request that the Company ceases the processing of your personal data where the Company relies on its own, or a third party’s legitimate interest for processing this data, as long as the legitimate interests pursued by us are not overridden by your interests, rights and freedoms.
Right to Portability: You may request the Company to provide you with your personal data in a structured, commonly used and machine-readable format. Where technically feasible, you may also request that the Company transmits your personal data to a third-party controller as instructed by you.
Right to Restriction: You have the right to request the Company to stop using your personal data in certain circumstances, including if you believe that the Company is unlawfully processing your data.

Your rights are not absolute, and the Company may not be able to entertain the above requests if it is prevented from doing so in terms of the applicable law.

You may exercise all the rights indicated in this section by contacting the Company’s Data Protection Officer via email on dataprotection@maltairport.com or via telephone on (+356) 2369 6268 during office hours.

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent and to object to further processing of your personal data that are not 1) lawfully required, 2) necessary for the fulfilment of a contractual obligation, or 3) required to meet a legitimate need of the Company. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

Your personal data will not be used for any decision solely taken on the basis of automated decision-making processes, including profiling, without human intervention.

Where Personal Data Related to Data Subjects is Provided to the Company

Where a third-party other than the data subject supplies to the Company personal data, the third-party shall be solely responsible to ensure that:

it immediately brings this Privacy Notice to the attention of the data subjects about whom data is disclosed and/or directs them to it;
the collection, transfer, provision and any processing of such personal data by the third party fully complies any applicable laws;
the third party remains fully liable towards such data subjects and shall adhere to the applicable data protection laws;
the third party shall remain solely responsible to collect any information notices, approval, consents or other requirements that may be required from such data subject before providing the Company with their personal data;
the third party shall remain solely responsible for making sure the information it gives to the Company is accurate and up to date, and it must inform the Company as soon as there are any changes to the personal data.

The third-party supplying such data shall fully indemnify the Company and shall render the Company completely harmless against all costs, damages or liability of whatsoever nature resulting from any claims or litigation (instituted or threatened) against the Company as a result of the provision of said personal data to the Company.

Questions, Feedback and Complaints

Should you have any questions, concerns or feedback about this notice or how the Company handles your personal data, please contact our Data Protection Officer via email on dataprotection@maltairport.com or via telephone on (+356) 2369 6268 during office hours.

If you feel that your request has been insufficiently addressed by the Company, you have a right to file a complaint with the supervisory authority, which in Malta is the Office of the Information and Data Protection Commissioner (www.idpc.gov.mt).

Updates

We will keep this privacy notice under regular review. If there are any changes to this Policy, we will replace this page with an updated version. At the top of this page, we will tell you when it was last updated.

We suggest that you check on the Policy any time you access our website so as to be aware of any changes which may occur from time to time. We may also notify you of changes to this Policy by email or other means, where such data is available.