Data Protection Policy

Home Data Protection Policy

Data Protection Policy

The General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act (Cap 586) regulate the processing of personal data whether held electronically or in manual form. The Malta Council for Science and Technology (MCST) is set to fully comply with the Data Protection Principles as set out in such data protection legislation.

    • Purposes for collecting data
      The MCST collects and processes information to carry out its obligations in accordance with present legislation.  All data is collected and processed in accordance with Data Protection Legislation and the Electronic Communications Networks and Services (General) Regulations, S.L. 399.28.
    • Recipients of data
      Personal Information is only accessed by those MCST employees who are assigned to carry out the functions of the Authority in line with its duties prescribed at law. Personal Data will be disclosed to third parties when necessary but only as authorised by law.The GDPR establishes a formal procedure for dealing with data subject access requests.  All data subjects have the right to access any personal information kept about them by the MCST, either on a computer or in manual files. Requests for access to personal information by data subjects are to be made in writing and sent to the Data Controller of the MCST, whose contact details are provided below.  Your identification details such as ID number, name and surname must be submitted with the request for access.  In case we encounter identification difficulties, you may be required to present an identification document.The MCST aims to comply as quickly as possible with requests for access to personal information and will ensure that it is provided within a reasonable timeframe and in any case not later than one month from receipt of the request, unless there is a good reason for a delay. When a request for access cannot be met within a reasonable time, the reason will be explained in writing to the data subject making the request.  Should there be any data breaches, the data subject will be informed accordingly. All data subjects have the right to request that their information is amended, erased or not used in the event the data results to be incorrect. In case you are not satisfied with the outcome of your access request, you may refer a complaint to the Information and Data Protection Commissioner, whose contact details are provided below.

    The Data Controller’s Contact Details:

    • The Chairman of the MCST as the Data Controller of the Authority may be contacted at the:
    • Malta Council for Science and Technology
    • Villa Bighi Triq il-Marina
    • Kalkara KKR 1320
    • Telephone:  (+356) 2360 2200        Email:

    The Information and Data Protection Commissioner’s Contact Details:

    • The Information and Data Protection Commissioner may be contacted at:
    • Level 2, Airways House,
    • High Street, Sliema SLM 1549
    • Telephone:  23287100                    Email:

Policy regulating the Retention of External Documentation

  1. Scope

The General Data Protection Regulation (GDPR) (EU) 2016/679 and the Data Protection Act (DPA), Cap. 586 of the Laws of Malta put forward the principle that personal data and sensitive personal data should not be retained for periods that are longer than necessary. In this context, the Malta Council for Science and Technology (‘MCST’) has drawn up a retention policy for all external documentation that it collects and processes, with the purpose of ensuring compliance and to ensure that no resources are utilised in the processing and archiving of data which is no longer of relevance. This policy is aimed at regulating the retention, maintenance and disposal of external documentation in accordance with the principles of data protection legislation, and other legal provisions in Maltese Law.

  1. Objectives

This policy aims to achieve the following objectives:

  • Regulate the retention of and disposal of the various types of documentation whether held in manual or automated filing systems within the MCST, while adhering to the data protection principle that personal data should not be retained for a longer period than necessary.
  • Dispose of unnecessary documentation that is no longer relevant and is taking up useful storage space.
  • Promote the digitisation of documentation as may be reasonably possible in order to minimize the use of storage space required to store documentation, as well as to promote a sustainable use of paper and printing consumables.
  1. Administration

Documentation is held and recorded by the MCST. This policy is therefore applicable to all such documentation. It will be the responsibility of the Chief of the relevant Unit and the Authority’s Data Controller to ensure that all provisions of this policy are adhered to.

  1. Documentation held within the MCST and their Retention Period

As part of its operating requirements the MCST, requests, keeps and maintains a wide range of documentation including personal information. The retention of different categories of documents is governed by different requirements and different legislation and regulations and may be categorised as follows:

EU funded projects:

  • Documentation in relation to EU funded projects: 10 years

Financial Documentation:

  • Tax and National Insurance Records: 10 years
  • Procurement Records: 10 years
  • Accounting Records: 10 years
  • Inventory Records: 10 years
  • Yearly Financial Statements: 10 years
  • General Authorisations and Licences to provide commercial service (Electronic Communications and Posts):

    • Active authorisations and licences (all): unlimited for as long as the authorisation or licence exists
    • Cancellation of authorisation and licence (all): 25 years


    • Documentation in relation to all forms of litigation including arbitration: 7 years from the final judgement (includes Court of Appeal were applicable)


    • Documentation in relation to the recruitment process i.e. published calls for posts, application forms/letters, CV of a chosen applicant, related correspondence, attendance at interviews, publication of results etc.: 1 year from publication of a call for a post.
    • Documentation related to CVs of persons who applied for a post but were not chosen. The MCST shall request such applicants if they would like to grant their consent to the Authority to keep their CVs in case of any future similar posts: 1 year from the end of the recruitment process.
    • Jobsplus report: 5 years from the end of the recruitment process.
    • Application Forms for the filling of positions co-financed from EU Funds: 8 years from the end of the recruitment process.


    • CCTV monitoring: 45 days
    • Visitors Log: 3 months
    • Affidavits: 10 years
    1. Security of Documentation
      • Documentation is maintained in an accessible but secure location with adequate access provided to MCST officials who have the clearance level to access the relevant documentation. In the case of documents with sensitive personal data with higher clearance levels, access control protocols are fully adhered to, to ensure that only those that have the required security clearance have access to such documentation.
      • In the case of personal information, the GDPR also stipulates that only those required to process personal information should have access to personal records.
      • Personnel who are found to be in breach of these security protocols, and thus in breach of the GDPR, will be subject to disciplinary action.
      1. Manual vs Electronic Records

      In terms of retention periods, it needs to be pointed out that the same retention period will apply for both electronic and manual information.

      1. Conclusion

      This data retention policy aims to achieve a good working balance between the retention of useful and meaningful information in line with the provisions of the relevant legislation and the disposal of information which is no longer required and is being archived unnecessarily. Data that needs to be destroyed after the noted timeframes will be disposed of in an efficient manner to ensure that such information will no longer be available within the MCST. Data Protection Controllers and Data Protection Officers are aware of the noted retention periods and will instruct all relevant personnel to follow the indicated procedures accordingly. It is to be noted that anonymised or statistical data do not fall within the parameters of this data retention policy since they do not constitute identifying personal data.

    Privacy Policy at MCST

    1. What do we do with your information?

    Here at The Malta Council For Science & Technology (MCST) we take your privacy seriously and will only use your personal information to administer your account and to provide the products and services you have requested from us.   When you visit our website, we may collect the personal information you give us such as your name, address and email address when you use forms present on our website.   When you browse our website, we also automatically receive your computer’s internet protocol (IP) address in order to provide us with information that helps us learn about your browser and operating system.   Email marketing: With your permission, we may send you emails about us, new products and other updates.   You can stop receiving marketing messages from us at any time. You can do this: By clicking on the ‘unsubscribe’ link in any email By contacting us on:

    1. CV Processing Disclosure

    In order for us to carry out the selection process we need to share your personal data, including your application and CV with the members of the selection panel. We shall only share the information that you will provide us with.Your application and CV will be stored and processed accordingly.

    Applying for any vacancy at MCST means you agree to this disclosure.

    1. Consent
    • How do you get my consent?

    When you provide us with personal information to for example when you fill in a contact form, we imply that you consent to our collecting such information and using it for that specific reason only.   If we ask for your personal information for a secondary reason, like marketing, we will either ask you directly for your expressed consent or provide you with an opportunity to say no.

        • How do I withdraw my consent?

    If after you opt-in, you change your mind, you may withdraw your consent for us to contact you, for the continued collection, use or disclosure of your information, at any time, by clicking here and filling the form. By doing so, all information we hold about your unto our website will be deleted.   If you would like to review the data we have collected you can request access by clicking here and filling the form.

        1. Disclosure

    We may disclose your personal information if we are required by law to do so or if you violate our Terms of Service.

        1. Third-Party Services

    The third-party providers used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us.   Once you leave our website or are redirected to a third-party website or application, you are no longer governed by this Privacy Policy or our website’s Terms of Service.     When you click on links on our website, they may direct you away from our site. We are not responsible for the privacy practices of other sites and encourage you to read their privacy statements.

    1. Security

    To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.

        1. Cookies

    Here is a list of cookies that we use. We’ve listed them here so you can choose if you want to opt-out of cookies or not.   Site analytics cookies – these cookies allow us to measure and analyse how our customers use the site, to improve both its functionality and your shopping experience.   Targeting or advertising cookies – these cookies are used to deliver ads relevant to you. They also limit the number of times that you see an ad and help us measure the effectiveness of our marketing campaigns.   By using our site, you agree to us placing these sorts of cookies on your device and accessing them when you visit the site in the future. If you want to delete any cookies that are already on your computer, the “help” section in your browser should provide instructions on how to locate the file or directory that stores cookies. Please note that by deleting or disabling future cookies, your user experience may be affected and you might not be able to take advantage of certain functions of our site.

        1. Age of Consent

    By using this site, you represent that you are at least the age of majority in your state, county, province, region or country of residence, or that you are the age of majority in your state, county, province, region or country of residence and you have given us your consent to allow any of your minor dependents to use this site.

        1. Changes to this Privacy Policy

    We reserve the right to modify this privacy policy at any time, so please review it frequently. Changes and clarifications will take effect immediately upon their posting on the website. If we make material changes to this policy, we will notify you here that it has been updated, so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we use and/or disclose it.   If our organisation is acquired or merged with another company, your information may be transferred to the new owners.

    Questions and Contact Information: If you would like to: access, correct, amend or delete any personal information we have about you, register a complaint, or simply want more information contact our Data Protection Officer, Dr Carina Nagiah at

    This article was last updated on: January 15, 2022