We, the team at Vassallo Group, strongly value your privacy and are committed to protecting your personal data as though it were our own. This Privacy Policy describes our practices relating to the personal data of visitors to www.lifeatvassallogroup.com — our careers and recruitment website — and those who make use of our online facilities.
The data controller — the company responsible for your privacy — is Vassallo Group, The Three Arches, Valletta Road, Mosta, MST 9016, Malta. If you have any questions, please contact our Data Protection Officer at dpo@vassallogroupmalta.com.
This Privacy Policy applies to the website at www.lifeatvassallogroup.com (the “Website”), operated by Vassallo Group. For the purposes of the GDPR (EU) 2016/679 and the Data Protection Act (Chapter 586 of the Laws of Malta), we are the Data Controller of personal data collected through this Website.
| Organisation | Vassallo Group |
| Address | The Three Arches, Valletta Road, Mosta, MST 9016, Malta |
| DPO Email | dpo@vassallogroupmalta.com |
| Tel | 22107000 |
You also have the right to complain to the Information and Data Protection Commissioner (IDPC) — the Maltese supervisory authority for data protection matters. We would, however, appreciate the opportunity to address your concerns in the first instance.
| IDPC | Office of the Information and Data Protection Commissioner |
| Address | Second Floor, Airways House, High Street, Sliema SLM 1549, Malta |
| Tel | +356 2328 7100 |
| Email | idpc.info@gov.mt |
| Website | www.idpc.org.mt |
Most of the personal data we collect through this Website is provided to us only if you choose to give it to us — for example, when you apply for a vacancy, register an interest, or contact us.
In addition to the above, when you apply for a vacancy you may also provide:
When you visit our Website, certain technical data is collected automatically through our web servers, cookies and analytics tools, including:
Please refer to Part B (Cookie Policy) for full details.
We only process personal data where we have a valid legal basis under Article 6 of the GDPR. The table below sets out what data we collect, the purposes for which we use it, and the lawful basis we rely upon.
| Personal Data | Purpose | Legal Basis (Art. 6 GDPR) |
|---|---|---|
| Name, email address, telephone number, home address | To respond to general enquiries; to contact you about a vacancy you have applied for or expressed interest in. | Pre-contractual steps (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)). |
| CV, qualifications, employment history, application responses | To assess your suitability for a role; to shortlist, interview and make recruitment decisions. | Pre-contractual steps (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)). |
| Date of birth | To verify identity and eligibility to work; fraud prevention. | Legal obligation (Art. 6(1)(c)); Legitimate interests (Art. 6(1)(f)). |
| Identity documents, police conduct, criminal record declaration | Pre-employment screening; compliance with legal requirements applicable to the role. | Legal obligation (Art. 6(1)(c)); Legitimate interests (Art. 6(1)(f)). |
| Health information (fitness to work) | To assess fitness for the role; to make reasonable adjustments where required. | Legal obligation (Art. 9(2)(b)); Explicit consent (Art. 9(2)(a)) where required. |
| Bank details and emergency contact details | To process salary payments; to contact a nominated person in a workplace emergency. | Performance of employment contract (Art. 6(1)(b)). |
| Email address (job alert / newsletter opt-in only) | To notify you of future vacancies or news where you have opted in. | Consent (Art. 6(1)(a)). Withdrawable at any time. |
| Technical browsing data (IP address, browser, pages visited) | To ensure the Website functions correctly and securely; to improve performance; to detect misuse. | Legitimate interests (Art. 6(1)(f)). |
| Cookie and analytics data | For Website analytics and performance monitoring. See Part B (Cookie Policy). | Consent (Art. 6(1)(a)) for non-essential cookies. Strictly necessary cookies require no consent. |
NOTE: Where we rely on legitimate interests as our lawful basis, we have assessed that our interests do not override your fundamental rights and freedoms. You may object to processing on this basis at any time — see Section 9 (Your Rights).
We process personal data only where one of the following lawful grounds under Article 6 GDPR applies:
For special category data (such as health information), we additionally rely on Article 9(2)(b) GDPR (employment law obligations) and, where required, your explicit consent under Article 9(2)(a).
We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by law. The following retention periods apply:
| Category of Personal Data | Retention Period |
|---|---|
| Unsuccessful application — no talent pool consent given | 6 months from the date of the application decision |
| Unsuccessful application — talent pool consent given | 12 months from the date of the application decision |
| Successful candidate — personnel file | Duration of employment plus 10 years |
| Pre-employment check records (DBS / police conduct) | 6 months after the recruitment decision unless a longer period is required by law |
| General website enquiry (no application or employment) | 2 years from the date of the enquiry |
| Job alert / newsletter consent records | Until consent is withdrawn, plus 3 years for record-keeping |
| Website analytics data (aggregated) | 26 months (standard Google Analytics retention) |
| Web server logs and technical access data | 90 days, unless required for a security investigation |
| Cookie consent records | 12 months from the date of consent |
On expiry of the applicable retention period, personal data will be securely deleted or irreversibly anonymised. You may request further information about our retention periods by contacting us at dpo@vassallogroupmalta.com.
Our Website includes a section through which candidates may browse current vacancies and submit applications. Vassallo Group is the data controller for all information you provide during the recruitment process. All information you provide will be used solely to progress your application or to fulfil legal or regulatory requirements.
NOTE: We will not share your recruitment data with any third parties for marketing purposes, and we will not store your data outside the European Economic Area.
1. Application & Initial Shortlisting: You submit your personal details, CV, qualifications, employment history and answers to role-specific questions. Our recruitment team reviews applications.
2. Assessments and Interviews: We may ask you to complete occupational personality questionnaires, skills assessments or attend an interview. Information generated at this stage is retained as part of the recruitment exercise and, if you are selected, forms part of your personnel file.
3. Conditional Offer and Pre-Employment Checks: If we make a conditional offer, we may request proof of identity, proof of qualifications and a police conduct certificate. We may also request a health questionnaire to establish fitness to work, processed by our occupational health provider. We will contact your referees directly using the details you provide.
4. Final Offer and Onboarding: If a final offer is made, we will also collect your bank details (for salary processing) and emergency contact details. Where a work permit application is required, further processing of your personal data will be necessary to comply with applicable immigration regulations.
NOTE: If you are unsuccessful, we may ask whether you would like your details retained in our talent pool for up to 12 months. If you agree, we may contact you proactively about further suitable vacancies within that period. You may withdraw this consent at any time. Regardless of your decision, we normally retain your application for at least 6 months in case you raise any questions about the process.
Our Website and recruitment services are not directed at children under the age of 16. If you are under 16, please obtain your parent or guardian’s permission before providing any personal information to us. Where we need to process personal data relating to a parent or guardian on behalf of a minor, we may request verification documentation to confirm that consent has been given by the holder of parental responsibility.
We do not, and will not, sell any of your personal data to any third party — including your name, address, email address or any other identifying information.
We may share your data with the following categories of organisations where necessary and proportionate:
Under the GDPR and the Data Protection Act (Chapter 586 of the Laws of Malta), you have the following rights in relation to your personal data. These rights are subject to certain legal limitations and exemptions.
| Your Right | What This Means |
|---|---|
| Right to be Informed (Art. 13–14) | You have the right to be told clearly how and why we process your personal data. This Privacy Policy fulfils that obligation. |
| Right of Access (Art. 15) | You can request a copy of the personal data we hold about you by contacting us at dpo@vassallogroupmalta.com or on 22107000. We will respond within one month. We may ask you to verify your identity before releasing personal data. |
| Right to Rectification (Art. 16) | If you believe the information we hold about you is inaccurate or incomplete, please ask us to correct it by contacting us at dpo@vassallogroupmalta.com. |
| Right to Erasure (Art. 17) | You may ask us to delete your personal data. This right is not absolute — we may retain data where required by law, to comply with a legal obligation, or in relation to the exercise or defence of legal claims. |
| Right to Restriction (Art. 18) | You may request that we restrict processing of your personal data in certain circumstances, for example while the accuracy of data you have contested is being verified. |
| Right to Data Portability (Art. 20) | Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, machine-readable format (e.g. CSV), which we can provide to you or transfer to another organisation at your request. |
| Right to Object (Art. 21) | You may object to processing based on legitimate interests, including profiling. You may also object to direct marketing or job alert communications at any time. |
| Rights re: Automated Decisions (Art. 22) | You have the right not to be subject to decisions based solely on automated processing that produce significant legal effects. We do not make automated recruitment decisions — all decisions involve human review. |
| Right to Withdraw Consent (Art. 7(3)) | Where we rely on your consent (such as job alert emails or talent pool retention), you may withdraw that consent at any time without affecting the lawfulness of prior processing. |
| Right to Complain | You have the right to lodge a complaint with the IDPC at any time: idpc.info@gov.mt; www.idpc.org.mt; Tel: +356 2328 7100. |
To exercise any of your rights, please contact us at dpo@vassallogroupmalta.com. We may ask you to verify your identity before processing your request. Unreasonable or excessively repetitive requests may be subject to a reasonable fee or refusal in accordance with Article 12(5) GDPR.
We will only send you marketing or job alert communications by email or other electronic means if you have given us your explicit and freely given consent to do so.
You can stop receiving communications from us at any time by:
Stopping marketing messages will not affect any service communications that are necessary in connection with your application or employment.
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include:
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the IDPC within 72 hours of becoming aware of the breach (Article 33 GDPR) and, where the risk is high, notify you directly without undue delay (Article 34 GDPR).
Our Website may contain links to third-party websites that are not operated by us. This Privacy Policy does not apply to those websites. We are not responsible for the privacy practices or content of any third-party site and encourage you to read the privacy statements of every external website you visit.
Our Website is continually under review and this Privacy Policy may be updated from time to time to reflect changes in our data processing practices, our legal obligations, or the features of our Website. When we make material changes, we will post the updated Policy on this page with a revised effective date. We encourage you to review this Policy periodically.
If you have any questions about this Privacy Policy, or wish to make a complaint about how we have handled your personal information, please contact us:
| Organisation | Vassallo Group |
| Address | The Three Arches, Valletta Road, Mosta, MST 9016, Malta |
| DPO Email | dpo@vassallogroupmalta.com |
| Tel | 22107000 |
PART B: COOKIE POLICY (www.lifeatvassallogroup.com)