Privacy Policy

Last updated January 2024

Thank you for choosing BMIT as your business partner and for taking the time to get to know better how we work and process your Company’s personal data and information. In order for you to avoid having to scroll through this document, we have tried to make things easier for you with the headings below that should immediately take you to the section of this notice that interests you.

Introduction and key points
Information we collect about you and when
How and on what basis do we process your information
Data Subject Rights
Other important information
Changes to our Privacy Policy
Contact Us


Introduction and key points

Whether you are our business customer, the client of our business customer, our vendor or contractor, a website visitor, a prospect or have no direct relationship with BMIT whatsoever, we understand the importance to you of your personal data and of your right to privacy. The purpose of this document is to reassure you that we are committed to continuing to do our utmost to keep your personal data as safe as possible. In order to do this, we invite you to read on and learn about the type of personal data we collect, when we collect it, why we do so, what we do with it – including who we may have to share it with and why – and how long we keep it for and why.

By doing this, we hope to give you a clearer picture of how we do things and how you can better manage and control your personal data. However, if you have any questions or need any clarifications whatsoever, our Data Protection Officer will be more than glad to help you. Please send any such requests to gdpr@BMIT.com.mt or call on (+356) 2258 8200. You may also write in at The Data Protection Officer, BMIT plc, SCM02 Floor 2, Smart City Malta, Kalkara Malta.

Whether you are a new or existing client and whichever of our services you make use of (which, throughout this document, we take to also include, our website and any other means that assist or improve your ease of access to or your experience of our core products), you should read this policy in full and get to know how we work better but, if you choose not to, these are the key points we would like for you to take away:

1. Your information is controlled and processed by BMIT. Depending on the types of services you subscribe to, we may have varying degrees of access to your personal data or the need to process it as well as a varying role as controller or processor of that personal data. This privacy policy describes all the processing which takes place by BMIT as a controller to the fullest extent possible which might therefore not necessarily be applicable to you and to your personal data. If we are engaged as your processor, kindly refer to the Data Processing Agreement in place with your company with regards to the processing carried out in a processing capacity.

2. If you have any questions or concerns about how your personal information is handled, please fill out this Complaints Form and direct your inquiry to the Data Protection Officer by email on gdpr@bmit.com.mt, by ordinary mail at The Data Protection Officer, BMIT plc, SCM02 Floor 2, Smart City Malta, Kalkara Malta, or by calling (+356) 2258 8200.

3. BMIT processes all personal data lawfully and in a proportionate, fair and justified manner and in a manner which recognises, respects and protects your rights. These rights include your right to access, rectify and port out your personal data. Where circumstances allow this, you can also erase the data we hold on you or suspend, withdraw your consent or object to how we collect, use and save your personal information.

4. We process personal data solely for the purpose of providing our customers with the requested services and to ensure that our customers may continue to enjoy this service. In order to do this, we also require the services of other companies and may therefore need to share your information with them. However, we will always do this in a safe way which is consistent with your rights and in accordance with our legal obligations.

5. The main reasons we process your information are for us to deliver and maintain the services we offer, to ensure that our customers are complying with the terms of our services, to ensure that we comply with our respective obligations to third parties, to manage payments for our services, to improve and develop our products and services and for marketing purposes in terms of applicable laws.

Information we collect about you and when

We expect to collect your personal data when: (i) we have a direct business relationship with you or with the company with whom you are employed or otherwise involved (when this is necessary for the services that your company has engaged us to perform or when we are monitoring that your company is complying with its obligations towards us); (ii) our customer, with whom we have a contractual business relationship, processes any of your personal data which, in the course of the delivery of any of our services, we may gain access to (please refer to: Personal Information of our Customers’ Clients); (iii) you have applied for a vacancy with us; (iv) you attend any of our events; (v) you communicate with us in any way; (vi) you provide us with your services; (vii) you subscribe to any of our marketing activities including newsletters.

We collect your information (i) when you provide information to us, (ii) when you use or purchase any of our services and (iii) when we obtain it from others, as described below.

(i) Information we collect when you provide information to us

Communication with BMIT:
You share your information with us when you contact us via email, ordinary mail, our website, social media platforms such as Facebook or over the phone or when you visit us at one of our premises to make enquiries or fill out application forms, to fix appointments for services, or to sign new service contracts.

We will use the personal data you have given us so as to process your requests.

There are instances when calls may be recorded and stored. If you call our Company on Tel: 2258 8200, your call may automatically be recorded for quality assurance and training purposes and you will be reminded of this via an automated message before your call is connected. Similarly, all calls which originate from our technical support team, telesales agents, call centre agents, client experience team, fraud prevention unit and credit control units may be recorded. We will not remind you of this recording when we call you if we are legally prevented from doing so. Live calls and call recordings may also be used for internal and external audits and investigations, including by law enforcement agencies. If we save a recording of your call for training purposes, we will delete anything that can identify the call with you and we shall never share any of your personal data with the employees we train. Otherwise, all recordings containing any personal data, such as your phone number, shall be deleted after one year if they are no longer required for crime prevention, investigation and/or detection purposes and reporting, for the resolution of any complaints, for the protection of our business and/or legal interests and the protection of our employees.

We use pixel tags and cookies in our marketing emails so that we can track interaction with those messages, such as when you open the email or click on a URL link embedded in the email. When users click on such URLs, they go through a different server before arriving on BMIT’s website. We use tools like pixel tags and cookies to determine interest in particular topics and so as to measure and improve on the effectiveness of our communication.

BMIT Website:
Each time you visit our website, we use cookies and other tracking technologies to provide functionality and to recognise you across different services and devices. Please see our Cookies Policy to find out more about what these cookies and tracking technologies are, how and why we use them and how you can opt-out or limit these cookies and tracking technologies.

On-Premises CCTV (see the full CCTV Privacy Notice):
All our premises and Data Centre areas are monitored with 24/7 CCTV surveillance cameras and this is clearly indicated with appropriate signage once you enter any of our premises. This is mainly as part of our PCI-DSS certification and is intended to help you and our staff feel safer. The footage recorded is only shared with authorised enforcement agencies for the purpose of crime prevention, investigation and reporting. All footage is maintained for a maximum period of 90 days.

Insurance and Legal Claims:
When you file an insurance-related or any other legal claim with/against us, we will keep your personal data and collect any further data which we may be legally authorised or obliged to collect from third parties until such claim is finally and permanently settled and, where applicable, until any payment due is fully paid or received by us. The same shall apply if we have filed such a claim with/against you ourselves. However, if you do not give us access to personal information which is relevant to help us (or others acting in our interest) to assess our responsibility, if any, with respect to such claim then we may either use whatever legal means we have available to obtain such information or we may not accept responsibility. So long as we are assured that your information shall remain just as safe, we may share your personal information with others in order to verify your identity or the identity of others involved in your claim, with the lawyers or other consultants we engage and with our insurance company. We shall only use and share any such personal information we have access to for the purposes of the insurance or legal claim.

To learn how the above-mentioned data is used by us, please refer to the section on "How we use your information".
To learn about how we store your information and how long for, please refer to the section on "How we store your information and keep it safe".

(ii) Information we collect when you use any of our services

You provide personal data and information to us when you sign a contract for any of our services.

When you make use of any of our client support channels such as, for example, when you submit information to us regarding a problem you may be having with any of our services, we also ask for your personal details to verify your identity for security purposes.

If we need to issue you with a refund we may ask you to provide us with your banking details in order to effect payment.

When you register for any of our events, you provide us with personal data to reserve your place at such event. You may also be required to provide us with payment details to secure your attendance.

When you are a registered client and browse our website or use our customer portal, we use cookies and other tracking technologies which will indicate what on our website appeals to you or your company’s needs.

To learn how the above-mentioned data is used by us, please refer to the section on "How we use your information".
To learn about how we store your information and how long for, please refer to the section on "How we store your information and keep it safe".

(iii) Information we obtain from others

We use other entities which are completely independent from us, known as credit rating agencies, and other publicly accessible sources, to provide us with information about you only when we need to carry out credit ratings or when we are trying to collect or enforce payment for outstanding bills you or the company you represent may have with us.

We may also receive your CV from recruitment agencies of your choice when you may be interested in a job vacancy with us. We accept such CVs on the understanding that you have consented to it being shared with us.

We may receive certain information about you that is stored or processed by social media platforms such as Facebook, Twitter and LinkedIn should you choose to interact with us via these online channels. You should also refer to the privacy policy statement of these entities.

If our customer purchases software licenses from us, and through your involvement with our customer you are one of the users of such licenses, we may receive your personal data from our customer. In such cases, the only personal data that we receive and process is your username. We require that our customers send us this data as it is necessary to calculate and monitor the number of user-based licenses that they are subscribed to.

To learn how the above-mentioned data is used by us, please refer to the section on "How we use your information".
To learn about how we store your information and how long for, please refer to the section on "How we store your information and keep it safe".

How and on what basis do we process your information
We only collect, use and store the information about you which you or others provide us with in a lawful manner. In this section, we aim to explain as clearly as possible when and where your information is used by us and the grounds upon which we collect and use that information.

While BMIT does not monitor or view the specific data stored by those business customers making use of its hosting services, it is necessary for it to track various parameters of transferred data (file size, etc.) to support features such as bandwidth monitoring and storage usage. While considered commercially sensitive and subject to our contractual confidentiality obligations, we do not consider such information to be personal information.

As described in the previous sections, the types of information we collect about you can be broadly classified as being: (i) contact information; (ii) transactional information including incident history and information received from the provision of technical support services; (iii) bank details and billing information; (iv) automated information collected from our website or emails; (v) username data; and (vi) identification data.

To the extent any data collected is considered personal data under applicable data protection law and depending on the type of services subscribed to, BMIT may be either a Controller, a Processor or even a sub-Processor of the customer personal data collected.

Current data protection law provides for specific reasons and circumstances when we can collect, use and store your information. In our case, it is one of the following four reasons that will justify why we process your information:
1. The information is needed for you or us to fulfil our contractual obligations;
2. The information is needed for you or us to fulfil a legal requirement;
3. You have provided us with your consent to collect, use and store such information;
4. We have a legitimate interest to collect, use and store such information.

In the circumstances where either as a result of a contractual obligation, a legal requirement, consent or a legitimate interest, BMIT are obliged to take a decision on the processing of the personal data, Controller obligations will apply in line with the General Terms and Conditions of the Services and with applicable Data Protection Legislation.

Where BMIT acts as a processor of such data, you and your company acknowledge that we have an obligation to process your personal data in accordance with your instructions and that you have the necessary consent and authorisation in place for us to do so.

When you have given us your consent to process your information, you are free to withdraw this at any time. When we state that we have a legitimate interest to process your information, you may object at any time. For more information on how to withdraw your consent or object to our legitimate interest, please refer to the section on How you can access and control your information.

The contact information you provide us with in your contract/order form, via our customer support and sales channels is used for us to communicate with you and in order to:
1. provide you with and deliver the services that you signed a contract for;
2. respond to you and any comments, questions and requests and provide technical support;
3. inform you about service-related matters such as sending you technical notices, updates, security and usage alerts, informing you about benefits on your existing services and sending you messages of an administrative nature;
4. verify your identity when you report a fault, ask for information and make use of our core products;
5. bill, process and receive payments including sending reminders for you to renew or alter your direct debit mandate to us;
6. get your feedback on our services.

We process this information on the basis of your and our legal and contractual obligations and also because we consider that we have a legitimate interest to do so.

Where you have specifically consented to doing so, your contact information is also used by us to communicate with you to market and promote our services. In this case, we will contact you by either of the following means: SMS, mobile phone, telephone, ordinary mail, email and other electronic and digital means. We may also contact you when we send your bill. We will inform you about any offers related to any of our products or services, and for any products or services we may promote jointly with any other companies.

Any data you generate by using our services is used by us for billing purposes (including itemisation and refunds) and collecting payment and outstanding dues from you, for internal accounting and auditing purposes, to address any technical issues you or we may be experiencing and to monitor your use of our services to make sure you use them in a fair manner which doesn’t go against the law. We do this in line with your and our legal or contractual obligations.

For our legitimate interest we use your signed sales orders and your company’s usage data, your website usage as well as any feedback you consented to provide us with, to understand your preferences, consider the suitability of products that may interest you, to improve and develop our products and services and to personalise services and our communications to your company. In order for us to use your data for the purposes listed in this paragraph, we need to use automated processing. You will only be affected by the conclusions of this automated processing to the extent that we may contact you to make suggestions to change the services you are currently subscribed to. However, you will be under no obligation whatsoever to take up such a suggestion.

For our legitimate interest, in instances where our customer purchases software licenses from us, we will process the usernames of the natural persons who, as a result of their involvement with our customers, make use of such procured licensed software. Our customers are obliged to send us information of their infrastructure and license usage, and to generate reports of license utilisation. Such reporting and processing is necessary because we are contractually obliged by the software suppliers to monitor our customer's usage of the software. Against such necessity, the processing is proportional in that only the least amount of personal data necessary for per-user licenses (merely usernames) is being collected and processed.

We retain your Company’s incident history and service requests in order to solve problems you may be experiencing with our service, identify issues we may be experiencing with our infrastructure or service, monitor the performance of our infrastructure and to improve our services to you and others. We do this in line with our contractual obligations to you and also because we feel we have a legitimate interest to do so in order to continue to provide you and our other clients with the best possible service.

How we share your information
In order to provide, improve, customise, support and market our services, as well as to audit our customer's usage of our services and compliance with our terms, we engage the services or use the products of other companies. These companies are usually unrelated to us and we have a contractual relationship with them. As much as possible, we limit their access to any of your data. However, if aspects of your personal data need to be shared by us with them or can be accessed by them for them to be able to assist us with our operations, they will only use or access that information under our instruction, including by abiding by policies and procedures designed to protect your information.

We use such companies or their products for the following purposes:
1. to sell and register products and subscriptions where we are acting as re-sellers;
2. to install, maintain and repair core products (including cloud solutions) and hardware;
3. to offer customer support services, whether technical, logistical or otherwise;
4. to store, cross-check, verify and update your personal details;
5. to store, measure, verify and update information on your use of or your interest in our services;
6. to get feedback on how we are doing and whether you are satisfied with our services;
7. to follow up on debt collection or protect our legal rights;
8. to get professional advice or consultancy services;
9. to build, maintain, provide support services and troubleshoot matters relating to our service and infrastructure;
10. to provide offers to our clients;
11. to communicate with you on our behalf or as tools which we utilize to assist us in communicating with you;
12. to carry out audits on our behalf.

If any of the companies is performing the functions listed above on our behalf outside of the EU or EEA or in a country which the EU Commission has not declared safe, then we will take all appropriate measures, in line with our own legal obligations, to ensure that the companies we trust adhere to the same high standards that are required of all companies operating and processing data within the EU.

Please note that to assist us in our marketing communications, we use Hubspot. Although Hubspot performs most processing within the EU/EEA, there might be instances where processing in the USA is performed by Hubspot on our behalf in rendering us the respective services. Kindly note that such processing is performed through Hubspot Inc., an entity which is participating in the EU-US Data Privacy Framework. Accordingly, please note that such transfers are based on an adequacy decision by the EU Commission, namely the EU-US Data Privacy Framework.

We will never share your personal information with other companies which are not processing your information upon our instructions and we shall never share your personal information for marketing purposes unless you have specifically consented to it.

We may also be obliged to share any of your personal information which we have access to with competent authorities upon a lawful request. This may include enforcement agencies such as the Police and courts of law and public authorities such as the Malta Gaming Authority, the Malta Communications Authority and the Malta Competition and Consumer Affairs Authority. We may challenge any request to share such information if we do not consider it justified but we do not consider ourselves under an obligation to do so. Unless we are prevented from doing so, we will always try to inform you that we have received such a request and which data we have shared with the requesting public entity.

Any personal information relating to the fraudulent or illegal use of our services, recordings of your calls and CCTV footage may also be passed on to local enforcement agencies for the reporting, prevention, investigation and detection of crime.

We may share the results of credit worthiness searches as well as our own experience of your credit worthiness with credit reference agencies.

Data Subject Rights
Since we may process personal data, data protection law gives data subjects specific rights which may be used under certain circumstances. In accordance with law, data subjects have a right to:

Request access to their personal data:
This means that data subjects have a right to ask, at no cost, for a copy of the personal information we hold about them. Data subjects may forward such a request by sending us an email on gdpr@bmit.com.mt. This right can only be exercised by data subjects to the extent that it will not adversely affect the rights and freedoms of other persons;

Request the correction of personal data:
This means that if any personal information we hold about data subjects is incomplete or incorrect, they may have the right to have this corrected. In order to allow such a request, we may request evidence and identification documentation (such as an ID card, passport or proof of address);

Request the erasure of personal data (aka the right to be forgotten):
This means that data subjects may request the erasure of their personal data where BMIT no longer have a legitimate reason to continue using or retaining it. This right is not absolute, and (amongst other reasons) we will not be able to fulfil such a request while the data subjects are still our clients and for a further period of five years thereafter as well as if we are under a legal obligation to retain this information, or where the retention of this information is necessary for us to defend ourselves in a legal dispute or to execute a legal title, or where we have an overriding legitimate interest to continue processing;

Object to the processing of personal data:
If we rely on our legitimate interests (or those of a third party) to process personal data and the data subject feels that such processing impacts their fundamental rights and freedoms they may object to data processing. However, in some cases, we may be able to demonstrate that we have a compelling legitimate ground to process such personal data which may override a data subject’s rights and freedoms. Objections to processing of personal data on the grounds of the above-mentioned legitimate company interests may be submitted by contacting our Data Protection Officer;

Request the restriction of the processing of personal data:
Data subjects may ask us to temporarily suspend the processing of their personal data in one of the following scenarios: (a) where they want us to establish the accuracy of the data, (b) where our use of the data is unlawful but they do not wish for us to delete it, (c) where they need us to retain the data even when we no longer need it in order for them to establish, exercise, or defend legal claims, or (d) where they have objected to the use of their data but we still need to verify whether we have overriding legitimate grounds to use it;

Request the transfer of personal data (aka data portability):
This means that data subjects may ask us to transfer certain data we process about them to themselves or others. This right only applies to data which was provided to us by the data subject with adequate consent, if applicable, and which was necessary for us to honour our mutual contractual obligations.

Withdrawal of consent to the processing of personal data:
‘Opting out’ or withdrawing consent will not affect the lawfulness of the processing carried out by us up until the time consent was withdrawn. Withdrawing consent means that, going forward, you no longer wish for us to process your data in such a manner. This means that you no longer consent for us to provide you with certain services (such as marketing). You will need to allow us 48 hours to action such a request.

However, if consent is withdrawn, we may still have other lawful grounds or legal obligations to continue to use such information. If there are, we shall inform the data subject accordingly.

File a complaint with a supervisory authority:

We hope to be able to resolve any difficulties or complaints that a data subject may have by bringing them to the attention of any of our client support services or by forwarding whatever query, request or issue they may have to our Data Protection Officer. This can be done by sending an email on gdpr@bmit.com.mt or by ordinary mail at BMIT Ltd, Floor 2, SCM02, Smart City Malta, Kalkara Malta.

However, should the data subject consider at any time that we are handling their personal information in a manner that leaves them dissatisfied or at a disadvantage, they may at any time file a complaint with the Office of the Information and Data Protection Commissioner by email on idpc.info@idpc.org.mt, by ordinary mail at Information and Data Protection Commissioner, Level 2, Airways House, High Street, Sliema, SLM 1549, Malta or by calling (+356) 2328 7100.

Except for their right to file a complaint with a supervisory authority, for us to be able to action any requests made by data subjects in accordance with the rights described above, we may need to request specific information about them to help us verify their identity. This is a security measure to ensure that we are certain that the person to whom we disclose personal data is really the data subject.

We will do our utmost to respond to all legitimate requests within one month from when we receive a request. If such a request is particularly complex, or if multiple requests in a certain time period have been made, it may take us a little longer. In such a case, we will notify the data subject of this extension.

Other important information

Personal Information of our Customers’ Clients
If you think or are aware that we may be hosting your personal information as a result of your relationship with any one of our business customers whom we provide hosting services to, then this section applies to you.

The hosting services we provide mean that our business customers process, store and have access to their information which we host for them on our servers. This information may include your personal data. We do not decide what information our business customers collect, how they collect it or how they use it. They are therefore typically the Controllers of any such personal information, as defined under applicable data protection legislation. On our part, we generally do not have access to that information ourselves unless as part of the services we offer our customers and any such access is not due to any need of ours. BMIT will not review, share, distribute or reference any such data which it may have access to, including any of your personal data, except as provided in the contractual relationship between us and our business customer or as may be required by law. Furthermore, any such processing by us will only take place within the limits set out by the law.

Our business customers shall remain responsible at all times for the personal information they process and for complying with their own data protection obligations. To this effect, they are responsible for maintaining the security and confidentiality of their own accounts and of access to their hosted systems and for encrypting any personal data which is in transit to or from our hosted system.

Should you wish to learn more about how our business customers may process your personal information, or how to access your rights in relation to such personal information, you should refer directly to their privacy policy. Should you get in touch with us to access any of your rights as a data subject, we will inform and refer such request to our business customer.

Requests for Information from our Customers
We shall not accede to a request for reports or any other form of documentation on the usage of services of any identifiable employee or end-user which we consider go beyond our contractual or legal obligations without the declared knowledge of that employee or end-user that you are seeking such information from us. We may refuse to provide any such requested information to you if we are not satisfied that your employee or end-user has not been warned or informed that this information may or is being requested by you. We may also contact your employee or end-user directly in order to verify that he/she is aware of this request.

If we consider that your request may put you and/or us in breach of applicable data protection legislation, we will not provide such information to you.

Legitimate Interest
Please note that where we process your information on the basis of our legitimate interest, you may contact us to obtain further information on our legitimate interests and respective balancing test.

Changes to our Privacy Policy
We may change this privacy policy from time to time. We will post any privacy policy changes on this page and, if the changes are significant, we will provide a more prominent notice on our website and/or by sending you a notification within the service or via your contact information. We will also keep prior versions of this policy in an archive which you can access. We encourage you to review our privacy policy whenever you use our services to stay informed about our information practices and the ways you can help protect your privacy.

Contact Us
Your information is processed by BMIT. If you have any questions or concerns about how your information is handled, please direct your inquiry by email on gdpr@bmit.com.mt.