Privacy Policy

May 2020
This Privacy Policy (the “Policy”) sets out information about how AST Group P.L.C. (hereinafter referred to as “AST”, “We” or “Our”) processes and uses your personal information. At AST, we are firmly committed to respecting your privacy and the confidentiality of the personal information you supply to us and all personal data will be processed in accordance with the Data Protection Act (Chapter 586 of the Laws of Malta) and subsidiary legislations thereunder (the “Act”) and the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “General Data Protection Regulation” or “GDPR”).
AST requires the collection and use of certain personal data on various individuals. These include customers, suppliers, business contacts, bond holders, employees and other natural persons and/or entities with whom We have a relationship with or whom We may need to contact.
Contact Us
This Policy outlines Our internal practices to ensure that personal data collected in relation to employees, suppliers, customers, bond holders and any other natural person is protected. Furthermore, it also provides that Our operations are subject to continuous review to maintain alignment with GDPR. We must emphasize that We will only be using and/or disclosing any personal data collected from you in accordance with the manner set out in this Policy.
Should you require further information regarding Our privacy practices, kindly contact us via e-mail at
Key Definitions
“Controller” or “Data Controller” means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Data subject” refers to any living person (natural person) whose personal data is being collected, held or processed.
“Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
“Processor” or “Data Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
‘Processing’ means any operation/s which is/are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
NB: Information in relation to legal persons (e.g. company, other legal entities) does not constitute personal data in terms of both the Act and the GDPR. Nonetheless, the aforesaid information will still be handled in a confidential manner, in accordance with Our standard internal practices and professional secrecy obligations.
Data controller
When processing your personal data for the purposes indicated in this Policy, We are generally qualified as data controllers.
Collection of Personal Data
On a general note, We collect personal data pertaining to our employees, suppliers, customers and bond holders on a regular basis to be able to conduct business activities. We typically collect personal data:
• At the initial stages of the business relationship;
• Throughout the course of the business relationship, whenever a legitimate need arises;
• When so is required to satisfy any statutory obligations to which we are subject;
• For the performance of a contract to which the data subject is party;
• When one accesses and uses our website; and
• When a person voluntarily approaches us in other circumstances, for example when seeking employment or any information on our services and business.
The following is an indicative list of personal data that We collect and process:
• any information provided verbally or in writing for the establishment of a business relationship;
• details of identity including name, surname, employers’ details, title, designation and marital status;
• contact details such as e-mail address, residential address, skype name, telephone and mobile numbers;
• in case of corporate clients, We may collect identification details and contact details pertaining to the directors and/or legal and judicial representatives of legal entities;
• technical data encompassing internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices which a data subject uses to access and browse Our website;
• use of cookies on Our website; and
• any other personal information which may be provided to us by the data subject voluntarily.
Lawfulness of Processing
Personal data will be processed on the basis of the following legal grounds:
• performance of contracts to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
• to carry out one or more of Our legal obligations;
• when the data subject has given consent to the processing of his/her personal data for one or more specific purposes; and
• when We have a legitimate interest to process the data, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Kindly note that special categories of data, which include information about the data subject’s racial or ethnic original, political views, religious or political beliefs, trade union membership, genetic, biometric or health data, sexual orientation and data related to your conviction and offences are not typically processed. However, We may be required to collect special categories of data in specific scenarios such as from our employees to process payroll. Such data shall be collected and processed as required by applicable legislation.
Purposes for Processing Personal Data
We may process your personal data for the following purpose/s:
• to establish and maintain a business relationship, including the processing of payments, accounting, auditing, billing and other support services;
• to provide services, as engaged and/or instructed or authorised by you or your organisation;
• to ensure compliance with our legal obligations;
• to log, deal and track any complaints received;
• to ensure that business policies are adhered to. Such policies may include security and internet use and the prevention of unauthorised access and modifications to systems;
• to update and enhance client records;
• for marketing purposes;
• to identify representatives of Our clients, suppliers and/or service providers;
• for recruitment and employment purposes and to comply with any statutory requirements such as payroll, social security contributions and income tax deductions; and
• to safeguard access to our premises.
The collected personal data shall only be processed for the sole purpose which was explained to the Data Subject or any ancillary purposes. The processing of personal data shall also be conducted for the fulfilment of any legal or regulatory obligation imposed on AST.
We shall inform data subjects accordingly in cases where we are required to process personal data for any other purpose not linked to the ones established with the data subject.
Sharing the Personal Data
In the course of conducting business, it might be necessary for Us to share the data subject’s personal data with third parties as indicated below:
• other entities within the AST group;
• selected professionals and employees within AST, on a need to know basis;
• other entities or institutions that are involved in the process of facilitating our services and/or billing process (e.g. banks, IT and accounting service providers);
• third parties to whom disclosure may be essential in light of the relationship with the data subject;
• any business partners to whom the data subject may have requested that his/her personal data will be transferred; and
• third parties to whom disclosure may be required to comply with legal requirements.

The Company shall not, transfer personal data to any third party without the prior consent of the data subject, except where AST is required to do so by operation of law.
Personal data shall not be transferred to third parties located outside the EU or European Economic Area (EEA) unless specifically instructed to do so in writing by the data subject. However, there are instances whereby it would be necessary to transfer personal data to countries which are not subject to the same level of data protection legislation, such as:
• when the service providers are located outside the EU/EEA;
• if the data subject is situated outside the EU/EEA; and
• if there is a dispute in foreign jurisdictions outside the EU/EEA.
Data Retention
Personal data will only be retained exclusively for the period which is necessary to fulfil the purposes for which it was collected and thereafter, for the purpose of satisfying further legal and regulatory requirements or obligations to which We are subject. This period may also be extended further to be able to assert, exercise or defend possible future legal claims against or otherwise involving the data subject.
In the context of a contractual relationship between AST and the data subject, the latter’s personal data will be retained for a period of five (5) years from the termination date of the contractual relationship on the basis of legitimate interests to protect ourselves against any civil disputes in relation to the aforementioned contractual relationship.
With reference to invoices, credit notes and other similar documentation or information, including all personal information collected for compliance with our legal obligations in terms of applicable laws and regulations with respect to accounting, audit, tax and VAT, these will be retained for a period of ten (10) years from the date of the relevant submissions.
Moreover, the listed time periods may be further extended when We have a legitimate interest related to exercising or defending legal claims or in case of inspections by relevant authorities.
Personal data which has been collected and processed on the basis of the data subject’s consent shall be retained until the data subject withdraws his/her consent.
Data Subject’s Legal Rights
Data subjects have various rights vis-à-vis their personal data:
• the right to be informed: the data subject has the right to be given clear information regarding how his/her personal data is processed. We do this by means of this Policy which will be duly revised from time to time and by means of and any future communications directly with you on a case by case basis.
• the right to access personal data: the data subject may send us a request to access all personal data We hold in his/her respect. To avail yourself of this right, kindly contact us at We will do our best to attend to the data subject’s request within one (1) month. In case of more complex requests, the timeframe will be extended by a further one (1) month. Should the data subject disagree with our judgement, s/he can complain to the Information and Data Protection Commissioner (hereinafter referred to as the “IDPC”) on
• the right to rectification: the data subject can also request that any inaccurate or incomplete personal data which we hold in his/her regard be corrected. Kindly contact us at
• the right to erasure: there are certain instances where data subject may also elect to request deletion of his personal data. On a general note, we will comply with the data subject’s request in this regard. However, we may have the necessity not to comply if retention of the data is required for us to be compliant with a legal obligation and/or such data would be required by us to exercise or defense of any legal claims.
• the right to stop direct marketing messages.
• the right to object: the data subject may object regarding his/her personal data being processed including when such processing is based on legitimate interest.
• the right to data portability: the data subject has the right to put forward a request asking Us to provide him/her with certain personal data which s/he had provided Us with in a structured, commonly used and machine-readable format. When technically feasible, the data subject may also request that his/her personal data be transferred to a third-party controller of his/her choice.
• the right to withdraw consent: the data subject can also withdraw any consent given at any time.
• the right to lodge a complaint: Please be informed that you have the right to lodge a complaint against any personal data breach by communicating such breach to the IDPC by filling in the complaint form available at
Security of Personal Data
Keeping the data subject’s personal data secure is of utmost importance to Us. We undertake to put in our best efforts to keep any disclosed personal information secure by implementing the appropriate technical and organizational measures with the aim of protecting the data subject’s personal data against unauthorized or unlawful processing, encompassing also accidental losses, destruction, storage or access.
Notwithstanding Our efforts to protect personal data, no system can guarantee that the aforementioned scenarios will not occur.
Accuracy of information
It is important that personal information We hold about you is accurate and when necessary kept up to date. Kindly keep us informed if your personal information changes during our business or employment relationship.