Data Protection Policy

Definitions

Personal Data

Any information relating to an identified or identifiable natural person ('data subject'). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.

Processing

Any operation or set of operations performed on personal data, whether by automated means or otherwise, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

About the TAC

The TAC is the Type Approval Authority for Malta by virtue of S.L. 427.109 of the Laws of Malta. The TAC is responsible for vehicle type approval under Regulation (EU) 2018/858 of the European Parliament and of the Council, and applicable UN Regulations as referenced by EU type approval legislation.

Purposes for Collecting Data

The TAC collects and processes personal data to carry out its obligations under the following legislation:

• Regulation (EU) 2018/858 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components, and separate technical units intended for such vehicles
• Applicable UN Regulations as referenced by Regulation (EU) 2018/858 and related EU directives
• Motor Vehicles (Type-Approval) Regulations and related subsidiary legislation under Maltese law
• The General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (Chapter 586 of the Laws of Malta)
• Other applicable EU regulations, EU directives, and UN Regulations that fall within the remit of the TAC

Lawful Basis for Processing

The TAC ensures that it only processes personal data when at least one of the following lawful bases under Article 6 of the GDPR is met:

• The data subject has given consent for one or more specific purposes.
• Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
• Processing is necessary for compliance with a legal obligation to which the TAC is subject.
• Processing is necessary to protect the vital interests of the data subject or another natural person.
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the TAC.
• Processing is necessary for the legitimate interests pursued by the TAC, except where such interests are overridden by the fundamental rights and freedoms of the data subject.

Special Categories of Personal Data

The special categories of personal data as defined in Article 9 of the GDPR include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, and data concerning a person's sex life or sexual orientation.

The TAC does not routinely collect special categories of personal data. In the exceptional circumstances where such data may be processed, it is done only when at least one of the following conditions under Article 9(2) of the GDPR is met:

• The data subject has given explicit consent.
• Processing is necessary for the purposes of carrying out obligations in the field of employment and social security law.
• Processing is necessary to protect vital interests where the data subject is incapable of giving consent.
• Processing relates to personal data manifestly made public by the data subject.
• Processing is necessary for the establishment, exercise, or defence of legal claims.
• Processing is necessary for reasons of substantial public interest.

Recipients of Data

Personal data is accessed by TAC personnel who are authorised and assigned to carry out relevant functions. Access is controlled through role-based access controls. Your personal data may be disclosed to:

• Designated technical services involved in the assessment of applications
• Other TAC officers assigned to relevant tasks
• Third-party payment processors for the handling of fee payments
• The European Commission or other EU Member State type approval authorities, as required under Regulation (EU) 2018/858 and applicable UN Regulations
• Other public authorities where disclosure is required or authorised by law

Your Rights

Under the GDPR, you are entitled to know what personal data the TAC holds and processes about you, who has access to it, how it is held and kept up to date, for how long it is retained, and what measures are taken to comply with data protection legislation.

You have the following rights:

• Right of access: request a copy of the personal data held about you.
• Right to rectification: request correction of inaccurate or incomplete data.
• Right to erasure: request deletion of your data where there is no compelling reason for continued processing, subject to regulatory retention requirements.
• Right to restrict processing: request limitation of how your data is used.
• Right to data portability: receive your data in a structured, commonly used, machine-readable format.
• Right to object: object to the processing of your data in certain circumstances.

Requests for access to personal data should be made in writing to the Data Protection Officer at the contact details below. You may be required to provide identification to verify your identity. The TAC will respond within one month of receipt, or provide reasons for any delay.

Right to Erasure Limitations

The right to erasure may be restricted where personal data is necessary for:

• Compliance with a legal obligation or the performance of a task carried out in the public interest or in the exercise of official authority
• The establishment, exercise, or defence of legal claims
• Archiving purposes in the public interest, scientific or historical research, or statistical purposes where erasure would seriously impair the achievement of those objectives

Retention Policy

The TAC retains personal data only for as long as necessary to fulfil its obligations:

• Type approval certificate records: retained for the validity period of the certificate and for a minimum of 10 years after expiry or withdrawal, as required by EU type approval legislation.
• Application records: retained for the duration of the application process and any subsequent review or appeal period, plus the period required by applicable regulations.
• Audit and non-conformity records: retained for a minimum of 10 years in accordance with regulatory requirements.
• Contact form and general correspondence: retained for up to 2 years unless the enquiry leads to formal proceedings.
• User account data: retained for the duration of the account and securely deleted upon account closure, subject to overriding regulatory retention requirements.

Once the purpose of retaining personal data ceases to exist and no regulatory retention obligation applies, the data will be securely deleted or anonymised.

Security Measures

The TAC implements appropriate technical and organisational measures to protect personal data, including:

• Encryption of data in transit using TLS (Transport Layer Security)
• Secure, encrypted storage of documents and files
• Role-based access control limiting data access to authorised personnel
• Secure authentication through a dedicated identity provider
• Regular security reviews and system updates

Contact Details

The Data Protection Officer of the TAC may be contacted at:

The Information and Data Protection Commissioner

If you are not satisfied with how the TAC handles your personal data, you have the right to lodge a complaint with the Office of the Information and Data Protection Commissioner (IDPC):

Related Policies

For further information, please also refer to our:

• Privacy Policy
• Cookie Policy