Privacy Policy

1. Data controller and contact details

Controller: Signature Private Office Limited (trading as Malta Residency Programmes)

Registered office: Dragonara Business Centre, 5th Floor, Dragonara Road, St. Julians, STJ 3141, Malta

Data protection contact (for data subject requests): info@maltaresidencyprograms.com

Supervisory authority (Malta): Office of the Information and Data Protection Commissioner, Malta. See https://idpc.org.mt/ for contact details and complaint procedures.

2. Scope and purpose of this notice

This notice explains what personal data we collect, why we collect it, the legal bases for processing, who we share it with, how long we keep it, and your rights under the UK and EU data protection frameworks (including the GDPR). It applies to personal data handled by Signature Private Office related to the Malta Residency Programmes website and services.

3. Categories of personal data we process

We process categories of personal data including: identity information (name, date of birth), contact details (email, telephone, postal address), transactional information (payments, invoices), and communication history (enquiries, emails). We may also process technical data (IP address, device and browser data) necessary for security and site operation.

4. Purposes and lawful bases

We process personal data for specific purposes and rely on lawful bases as follows:

  • To provide and manage services and perform contracts with clients — Legal basis: contract; where pre-contractual negotiations occur, our processing is necessary to take steps at your request.
  • To respond to enquiries and deliver support and communications — Legal basis: legitimate interest, or consent for marketing messages where required.
  • To process payments and prevent fraud — Legal basis: contract and legitimate interest.
  • To comply with legal obligations (e.g. tax, regulatory reporting) — Legal basis: legal obligation.
  • To provide advertising conversion measurement (Google Ads) when you consent — Legal basis: consent.

5. Recipients and international transfers

We share personal data with third-party service providers who process data on our behalf (e.g. Google for advertising measurement). When we transfer data outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or an EU adequacy decision. Key processors include Google Ireland Limited (for Ads/Consent services).

6. Retention

We retain personal data only for as long as necessary for the purposes set out above, subject to legal and regulatory requirements. Example retention periods (to be confirmed with the business):

  • Client onboarding and contract records: 7 years (for tax/regulatory obligations)
  • Marketing opt-ins and preferences: until withdrawn or for up to 3 years after last engagement
  • Cookie consent (localStorage key `cookie-consent`): 12 months
  • Site logs and security records: up to 1 year

Please confirm and approve the precise retention periods with the business owner; these are examples that should be tailored to the company's risk profile and legal requirements.

7. Cookies and tracking

We use essential cookies for site operation. Optional advertising/measurement cookies (Google Ads: _gcl_au and _gcl_ls) are only loaded when you give consent via our cookie banner. You can withdraw consent at any time using the cookie settings button on the website; withdrawing consent prevents future loading of optional tags and we will attempt to clear related cookies.

8. Your rights

Under the GDPR you have rights including: access, rectification, erasure (right to be forgotten), restriction of processing, data portability, objection to processing, and the right to withdraw consent. To exercise any right, contact us at info@maltaresidencyprograms.com. We will verify requests to protect privacy and typically respond within one month; complex requests may require an additional two months with notice.

9. How to lodge a complaint

If you are unhappy with our response, you have the right to lodge a complaint with the Maltese Data Protection Commissioner: https://idpc.org.mt/ or by contacting the Office directly at the details on their website.

10. Security and accountability

We implement technical and organisational measures to protect personal data (e.g. access controls, encryption in transit, regular access reviews). We maintain records of processing activities and will perform data protection impact assessments where required.

11. Automated decision-making

We do not currently carry out automated decision-making or profiling that produces legal effects or similarly significant effects. If this changes, we will update this notice and provide additional information required by law.

12. Changes to this policy

We may update this policy from time to time. When we make material changes we will provide a prominent notice on the site and update the "last updated" date below.

Last updated: 4 September 2025