Privacy Policy


This Privacy Policy (the “Policy”) sets out information about how Damask (“we” / “our”) processes and uses your personal information. At Damask, we are firmly committed to respecting your privacy and the confidentiality of the personal information you supply to us. All personal data will be processed in accordance with the Data Protection Act (Chapter 586 of the Laws of Malta) and subsidiary legislation thereunder (the “Act”) and the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “General Data Protection Regulation” or “GDPR”).

Damask requires the collection and use of certain personal data on various individuals. These include customers, suppliers, business contacts, bond holders, employees and other natural persons and/or entities with whom Damask has a relationship or whom we may need to contact.

Contact Us

This Privacy Policy outlines our internal practices to ensure that personal data collected in respect of our employees, suppliers, customers, bond holders and any other natural person is protected. Furthermore, it also provides that our operations are subject to continuous review to maintain alignment with GDPR. We assure you that we will only use and disclose any personal data collected from you in accordance with the manner set out in this policy.
Should you require further information regarding our privacy practices, kindly do not hesitate to contact us via e-mail at

Key Definitions

“Controller” or “Data Controller” means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Data subject” refers to any living person (natural person) whose personal data is being collected, held or processed.

“Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processor” or “Data Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

“Processing” means any operation/s which is/are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

NB: Information in relation to legal persons (e.g. company, other legal entities) does not constitute personal data in terms of both the Act and the GDPR. Nonetheless, the aforesaid information will still be handled in a confidential manner, in accordance with our standard internal practices and professional secrecy obligations.

Collection of Personal Data

On a general note, we collect personal data pertaining to our employees, suppliers, customers and bond holders on a regular basis to be able to conduct business activities. We typically collect personal data:

– At the initial stages of the business relationship;
– Throughout the course of the business relationship, whenever a legitimate need arises;
– When required to satisfy any statutory obligations to which we are subject;
– For the performance of a contract to which the data subject is party;
– When one accesses and uses our website;
– When a person voluntarily approaches us in other circumstances, for example when seeking employment or any information on our services and business.

Data Controller
When processing your personal data for the purposes indicated in this Policy, we are generally qualified as data controllers.

Personal Data which is Collected

The following is an indicative (but non-exhaustive) list of the personal data that we collect and process:

– The personal data (including information provided verbally, due diligence documents if applicable etc.) collected for the establishment of the business relationship;
– Details of identity including name, surname, employer, title, position and marital status;
– Contact data such as e-mail address, residential address, Skype contact, telephone and mobile numbers;
– In the case of corporate clients, we may collect identity and contact data in relation to directors and/or legal and judicial representatives;
– Technical data encompassing internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices which you (irrespective of whether you are a client or otherwise) use to access and browse our website;
– Information regarding how one who accesses our website makes use of it;
– Any other personal information which may be provided to us by the data subject voluntarily.

Lawfulness of Processing

Personal data will be processed based on the following legal grounds:
– Performance of contracts to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
– To carry out one or more of our legal obligations;
– When the data subject has given consent to the processing of his/her personal data for one or more specific purposes;
– When we have a legitimate interest to process the data, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Kindly note that special categories of data, which include information about the data subject’s racial or ethnic origin, political views, religious or political beliefs, trade union membership, genetic, biometric or health data, sexual orientation and data related to your convictions and offences, are not typically processed. However, we may come across some of the above-mentioned information when collecting data of our employees when we are required by applicable laws and obligations to collect and store such information (e.g. for processing of payroll).

Purposes for Processing Personal Data

We may process your personal data for the following purpose/s:
– Establishing and maintaining the business relationship, including use for the purposes of processing payments, accounting, auditing, billing and collection and other support services;
– To provide services, as engaged and/or instructed or authorised by you or your organisation;
– To ensure compliance with our legal obligations;
– To log, deal and track any complaints received;
– To ensure business policies are adhered to, e.g. policies covering security and internet use and to prevent unauthorised access and modifications to systems;
– To update and enhance client records;
– For marketing our services;
– To identify representatives of our clients, suppliers and/or service providers;
– For recruitment and employment purposes and compliance with statutory requirements such as payroll, social security contributions and income tax deductions;
– Securing access to our office.

Irrespective of how we have collected the data subject’s personal data, we undertake that we will process such data only for the purpose for which we have collected it or for other purposes which are inherently related thereto, including also any fulfilment of any legal or regulatory obligation imposed on us. When processing personal data for purposes other than the purpose for which personal data was collected, and still strictly connected to the purpose for which such data was collected, we shall inform you accordingly.

Sharing the Personal Data

In the course of conducting business, it might be necessary for us to share the data subject’s personal data with the following third-party recipients:
– Other entities within the Damask group;
– Selected professionals and employees within the entity, on a need to know basis;
– Other entities or institutions that are involved in the process of facilitating our services / billing (e.g. banks, IT and accounting service providers);
– Third parties to whom disclosure may be essential in light of the relationship with the data subject;
– Any business partners to whom the data subject may have requested that his/her personal data will be transferred;
– Third parties to whom disclosure may be required to comply with legal requirements.

Personal data will not be transferred to third parties located outside the EU or European Economic Area (EEA) unless specifically instructed to do so by the data subject. However, there are instances whereby it would be necessary to transfer personal data to countries which are not subject to the same level of data protection legislation, such as:

– When the service providers are located outside the EU/EEA;
– If the data subject is situated outside the EU/EEA;
– If there is a dispute in foreign jurisdictions.

Data Retention

Personal data will be retained exclusively for the period which is necessary to fulfil the purposes for which we collected it (the provision of the services and the ongoing business relationship with you) and thereafter, for the purpose of satisfying further legal and regulatory requirements or obligations to which we are subject. This period may also be extended further to be able to assert, exercise or defend possible future legal claims against or otherwise involving the data subject.

In the context of a contractual relationship between us and the data subject, the latter’s personal data will be retained for a period of five (5) years from the termination date of the contractual relationship on the basis of legitimate interests to protect ourselves against any civil disputes in relation to the aforementioned contractual relationship.

With reference to invoices, credit notes and other similar documentation or information, including all personal information collected for compliance with our legal obligations in terms of applicable laws and regulations with respect to accounting, audit, tax and VAT, these will be normally retained for a period of ten (10) years from the date of the relevant submissions based upon legal obligations to which we are subject.

Moreover, the above-mentioned time periods may be extended for longer periods when we have a legitimate interest related to exercising or defending legal claims or in case of inspections by relevant authorities.

Personal data which was provided based upon the data subject’s consent shall be retained only until the data subject withdraws his/her consent.

Data Subject’s Legal Rights

Data subjects have various rights vis-à-vis their personal data:

1. The right to be informed: The data subject has the right to be given clear information regarding how his/her personal data is processed. We do this by means of this Privacy Policy, which will be duly revised from time to time, and by means of any future communications directly with you on a case by case basis.
2. The right to access personal data: The data subject may send us a request to access all the personal data we hold in his/her respect. To avail yourself of this right, kindly contact us at We will do our best to attend to the data subject’s request within one (1) month. In case of more complex requests, the timeframe will be extended by a further one (1) month. Should the data subject disagree with our judgement, s/he can complain to the Information and Data Protection Commissioner (IDPC) on

3. The right to rectification: The data subject can also request that any inaccurate or incomplete personal data which we hold in his/her regard be corrected. Kindly contact us at

4. The right to erasure: there are certain instances where the data subject may also elect to request deletion of his/her personal data. On a general note, we will comply with the data subject’s request in this regard. However, we may have the necessity not to comply if retention of the data is required for us to be compliant with a legal obligation and/or such data would be required by us for the exercise or defence of any legal claims.

5. The right to stop direct marketing messages

6. The right to object: the data subject may object regarding his/her personal data being processed including when such processing is based on legitimate interest.

7. The right to data portability: the data subject has the right to put forward a request asking us to provide him/her with certain personal data which s/he had provided us with in a structured, commonly used and machine-readable format. When technically feasible, the data subject may also request that his/her personal data be transferred to a third party controller of his/her choice.

8. The right to withdraw consent: the data subject can also retract his/her previously given consent to any other consent-based processing at any time.

9. The right to lodge a complaint: Please be informed that you have the right to lodge a complaint against any personal data breach by communicating such breach to the Information and Data Protection Commissioner (“IDPC”) by filling in the complaint form available at

Security of Personal Data

Keeping the data subject’s personal data secure is of utmost importance to us. We undertake to put in our best efforts to keep any disclosed personal information secure by implementing the appropriate technical and organisational measures with the aim of protecting the data subject’s personal data against unauthorised or unlawful processing, encompassing also accidental losses, destruction, storage or access. We would appreciate it if you could understand that no system is perfect or can fully guarantee that the above-mentioned events will not occur.

Accuracy of Information

It is important that the personal information we hold about you is accurate and, when necessary, kept up to date. Kindly keep us informed if your personal information changes during our business or employment relationship.