This Privacy Notice (“Notice”) applies where VCMS Company Limited (C 96371) (hereinafter referred to as the “Company” “We”, “Us” or “Our”) are acting as a Data Controller with respect to Our Processing of Your Personal Data.
The Company has been delegated certain services by Vacation Club Services Limited (BVI Company Number 2039169) (hereinafter referred to as the “Club Manager”) and such services will involve the processing of your Personal Data. As explained further below, We may also be required to disclose your Personal Data with third parties, where We and such third parties have a lawful basis to allow for such disclosure to occur.
Any Personal Data We Process is kept within Our own records in accordance with the relevant data protection and privacy laws to which We are subject including but not limited to the Data Protection Regulation (EU) 2016/679 (the “GDPR”) and the Data Protection Act (Chapter 586 of the Laws of Malta) and the subsidiary legislation issued thereto, as may be amended from time to time (hereinafter collectively referred to as the “Applicable Laws”).
References to “Data Controller”, “Data Subject”, “Personal Data”, and “Process”, “Processed”, “Processing” in this Privacy Notice have the meanings set out in, and will be interpreted in accordance with the Applicable Laws. “You” and “Your” refers to the Data Subject.
- Data Controller Details
The Data Controller of your Personal Data is VCMS Company Limited. We are committed to respecting your privacy. If you wish to contact Us about Our privacy practices please feel free to do so by contacting our DPO, Mr. Mark Anthony Galea by post at VMCS Company Limited, Radisson BLU, Resort & Spa, Golden Sands, l/o Mellieha, MLH 5510, Malta or by email at DPO@vcmsmalta.com. You may also wish to contact us by telephone on +356 2033 0108.
- Personal Data
The term “Personal Data” refers to all personally identifiable information about you and includes all the information you provide to Us or information that is provided to Us by third parties, which can be identified with you personally.
The following are the Personal Data that We collect:
- Forename
- Middle name
- Surname
- Address
- Email Address
- Date of Birth
- Maiden Surname
- Nationality
- Home & mobile telephone number
- Employment details
- Financial details including bank account number(s) and
- Driving Licences/ID Cards/Passport
We may also collect Personal Data through CCTV surveillance that is present on Our premises. Furthermore, We collect audio and video footage of any sales meetings that Our employees or representatives hold with you.
We do not collect and/or otherwise Process special categories of Personal Data. Such special categories of Personal Data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
- Purposes of Processing
The purposes of the processing for which your Personal Data are intended are:
- Taking steps to enter into your contractual relationship with Us;
- Your contractual relationship with Us and/or the Club Manager which has arisen following your completion of the relevant membership application agreement;
- Financing of your membership/application and any renewals or reminders in this respect;
- To provide you with statements and/or reports;
- For the development and improvement of Our systems, products and services;
- Any Personal Data which you may voluntarily provide to Us;
- For safety and security purpose insofar as necessary or required, including (amongst others) safety of our premises, property and employees/officers, and the establishment, exercise or defence of legal claims;
- For purposes of a legitimate interest pursued by Us or by a third party, provided such interest is not overridden by your interests, fundamental rights and freedoms; and
- Your consent in relation to your choice of financing.
From time to time we would also like to contact you about Our products and services, promotional offers, information relating to operations as well as information in relation to products and services provided by third parties offers and promotions (“Marketing”).
- Legal Basis
Our legal bases of Processing your Personal Data are:
- a) Contract – Your contractual agreement between the Club Manager and yourself in order for you to become a member. Providing such Personal Data is necessary for your membership. The provision of Personal Data in this context is a contractual necessity. The consequence for not providing your Personal Data to Us in order to undertake such Processing would be that you would be unable to complete your membership application and contract, thus meaning that you would not be considered to be a member;
- b) Legitimate Interests – in particular legitimate interests which may arise directly or indirectly in relation to your membership and in keeping you updated with information in relation to your membership, including marketing. We also have a legitimate interest to process your Personal Data for safety and security, such as the recording of telephone conversations, video footage or electronic communications which result or may result in transactions where recordings will take When we process your Personal Data on the basis of Our (or a third party’s) legitimate interests, we ensure that the legitimate interests pursued by Us (or a third party) are not overridden by your interests, rights and freedoms; and
- c) Your explicit consent – in which case, Our Processing shall be limited to the purposes
specifically indicated when your consent was requested.
We might also have to Process your Personal Data to comply with legal obligations imposed on Us.
On the basis of Our (or a third party’s) legitimate interests or compliance with legal obligations, as applicable, We may also Process your Personal Data for the purposes of establishing, exercising or defending legal proceedings.
Irrespective of the manner that We have collected your Personal Data, We will only process such data for any purpose in connection with your membership and/or purposes that are inherently related thereto, including the fulfillment of any legal or regulatory obligation imposed on Us.
- Recipients
The recipients of your Personal Data are:
- a) selected individuals within Our company;
- b) Our intra-group companies and affiliates;
- c) Our agents and third parties that provide services to Us, and d) Third parties to whom disclosure may be required.
Individuals with access to your Personal Data shall be subject to the same limitations under this Privacy Notice. Some of the recipient of your Personal Data are located outside of the EU (including within the United Kingdom) and therefore, We have implemented the necessary transfer safeguards which allow transfers to such recipients to take place. Should you require more information on what measures We have implemented with such recipients, please contact our DPO on DPO@vcmsmalta.com or at the details listed in section 2 above.
- Processing Requirement
The processing of your Personal Data is not a statutory requirement – it is a requirement in order for you to become a member and avail yourself of Our and Our affiliates services.
- Automated Decision-Making and Profiling
Your Personal Data will not be used for any automated decision-making or profiling.
- Data Retention Period
We will generally store your Personal Data for a period of 10 years starting from the date of termination of your membership agreement. Thereafter, it shall be immediately and irrevocably erased unless We need to keep your Personal Data to comply with a legal obligation or to exercise or defend any legal claim or complaint either by Us or by a third party having a lawful basis to process your Personal Data in the context of these claims or complaints.
Any Personal Data that has been collected on the basis of your consent shall be stored until such time that your consent has been withdrawn.
If We are required to determine a retention period for the storage of any of your Personal Data, We shall firstly determine whether there is any statutory retention period set out within applicable laws. in the absence of such laws, We will assess how long We determine the retention period would be with respect to that particular category of Personal Data. The criteria which We take into account when determining such retention period include, but are not limited to what the data/information is used for and/or how easy or difficult would it be to make sure the data remains accurate and up to date.
- Your Rights
For as long as We retain your Personal Data, you have certain rights in relation to your Personal Data including:
- Right of access – you have the right to ascertain the Personal Data We hold about you and to receive a copy of such Personal Data;
- Right to complain – you have the right to lodge a complaint regarding the processing of your Personal Data with the supervisory authority for data protection matters. In Malta this is the Information and Data Protection Commissioner (contact details provided below);
- Right to Erasure – in certain circumstances you may request that We delete the Personal
Data that we hold about you;
- Right to Object – you have a right to object and request that We cease the processing of your Personal Data where We rely on Our, or a third party’s legitimate interest for processing your Personal Data;
- Right to Portability – you may request that We provide you with certain Personal Data which you have provided to Us in a structured, commonly used, and machine-readable format (except where such Personal Data is provided to us in hand-written format, in which case such Personal Data will be provided to you, upon your request, in such hand-written form). Where technically feasible, you may also request that we transmit such Personal Data to a third party controller indicated by you;
- Right to Rectification – you have the right to update or correct any inaccurate Personal Data which We hold about you;
- Right to Restriction – you have the right to request that We stop using your Personal Data in certain circumstances, including if you believe that We are unlawfully processing your Personal Data or the Personal Data that We hold about you is inaccurate;
- Right to withdraw your consent – where Our processing is based on your consent.
Withdrawal of your consent shall not affect the lawfulness of the processing based on your consent prior to the withdrawal of your consent; and,
- Right to be informed of the source – where the Personal Data We hold about you was not provided to Us directly by you, you may also have the right to be informed of the source from which your Personal Data originates.
Please note that your rights in relation to your Personal Data are not absolute and We may not be able to entertain such a request if We are prevented from doing so in term of an applicable law.
You may exercise the rights indicated in this section by contacting Us at the details indicated above.
- Complaints
If you have any complaints regarding Our processing of your Personal Data, we kindly ask that you please attempt to resolve any issues you may have with Us first by contacting Us at the contact details included above. However, please note that you always have a right to lodge a complaint with the Office of the Information and Data Protection Commissioner in Malta (www.idpc.gov.mt).
- Marketing
Marketing may be carried out using the following methods:
- Mail;
- Online;
- Telephone/Mobile; and/or
- Email.
In the event that We would like to contact you for marketing purposes, We shall typically do so on the basis of obtaining your consent, unless any other conditions apply. Whenever We collect your consent, you have the option to withdraw your consent at any time. However, the withdrawal of your consent does not affect the lawfulness of the processing based on your consent prior to the withdrawal.
- Where Your Provide Us with Personal Data Related to Third-Party Data Subjects
If you are a non-natural person and you supply to Us Personal Data of third party Data Subjects such as your employees, affiliates, service providers, underlying clients/customers, directors or any other individuals connected to your business, you shall be solely responsible to ensure that:
- you immediately bring this Privacy Notice to the attention of such Data Subjects and direct them to it;
- the collection, transfer, provision, and any Processing of such Personal Data by You fully comply any applicable laws;
- as Data Controller You remain fully liable towards such Data Subjects and shall adhere to the
Applicable Law;
- you collect any information notices, approval, consents, or other requirements that may be required from such Data Subject before providing Us with their Personal Data;
- you remain responsible for making sure the information you give us is accurate and up to date, and you must tell us if anything changes as soon as possible.
You hereby fully indemnify Us and shall render Us completely harmless on first written demand against all costs, damages, or liability of whatsoever nature resulting from any claims or litigation (instituted or threatened) against Us as a result of your provision of said Personal Data to Us.
This clause shall supersede and extinguish all previous agreements, promises, assurances, warranties, representations, and understandings between Us and the non-natural person, as applicable, whether written or oral, relating to its subject matter.
- Processing of Personal Data relating to Minors
We may Process Personal Data relating to minors. In certain situations, this Personal Data may not be provided to Us by the minors themselves but by a third party. Where this type of Processing takes place, We require that such third-party individual provides and explains this privacy notice to the minor and ensures that the minor understands the activities that are being undertaken by Us with respect to the minor’s Personal Data.