Privacy Policy

Effective date: 5 February 2026 | Last updated: 5 February 2026

The Malta Type Approval Committee (hereinafter "the TAC" or "we") takes your privacy seriously and is committed to protecting your personal information. This privacy policy describes how we collect, use, store, and protect personal data when you use our digital platform and the services offered through it.

The Data Controller for this platform is the TAC, with its principal place of business at Mizzi House, National Road, Blata l-Bajda HMR 9010, Malta.

This privacy policy sets out how any personal information you provide to the TAC is used and kept secure when you use the platform, so please read it carefully.

Definitions

  • Personal data: any information relating to an identified or identifiable natural person.
  • Processing: any operation performed on personal data, whether by automated means or otherwise, such as collection, recording, storage, retrieval, use, disclosure, or erasure.
  • Data controller: the entity that determines the purposes and means of processing personal data. For this platform, the TAC is the data controller.
  • Data subject: any identified or identifiable natural person whose personal data is processed.
  • Cookies: small text files stored on your device by your web browser when you visit a website.

What Information We Collect

We collect personal information that you voluntarily provide when using our platform. This includes information submitted through the following:

  • Manufacturer registration applications: company name, registration number, contact details, representative name and contact information, and supporting documentation.
  • Technical service designation applications: organisation details, accreditation information, scope of competence, personnel qualifications, and supporting documentation.
  • Individual vehicle approval applications: vehicle identification details, owner or applicant information, and supporting technical documentation.
  • User account registration: name, email address, and role within an organisation, managed through our secure identity provider.
  • Contact form submissions: name, email address, and the content of your message.
  • Payment transactions: payment reference information (full card details are processed by our third-party payment provider and are not stored on our systems).

How We Use Your Information

The TAC collects and processes your personal information for the following purposes:

  • To process and assess type approval applications, technical service designation applications, and individual vehicle approval applications
  • To issue, manage, and verify type approval certificates
  • To conduct audits and manage non-conformity procedures
  • To process payments for application and service fees
  • To communicate with you regarding your applications, certificates, and other regulatory matters
  • To maintain accurate records as required by Regulation (EU) 2018/858, applicable UN Regulations, and Maltese legislation
  • To improve the platform and our services

Lawful Basis for Processing

We process your personal data on the following lawful bases under Article 6 of the General Data Protection Regulation (GDPR):

  • Legal obligation: processing is necessary for compliance with our obligations under Regulation (EU) 2018/858, applicable UN Regulations, and related Maltese legislation governing vehicle type approval.
  • Public interest: processing is necessary for the performance of a task carried out in the public interest, namely ensuring vehicle safety and environmental compliance.
  • Consent: where you have given consent for specific processing activities, such as receiving non-essential communications.
  • Contractual necessity: processing is necessary for the performance of services you have requested through the platform.

Data Sharing

Your personal information may be shared with:

  • Designated technical services involved in the assessment of your application
  • The Malta Type Approval Committee for regulatory oversight purposes
  • Third-party payment processors for the purpose of handling transactions
  • Other public authorities where required by law or regulation
  • The European Commission or other EU Member State type approval authorities, as required under Regulation (EU) 2018/858 and applicable UN Regulations

We will not sell your personal data to any third party. Data sharing is limited to what is necessary for the purposes described above.

Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected:

  • Application records: retained for the duration of the approval and any subsequent review or appeal period, plus the period required by applicable regulations.
  • Certificate records: retained for the validity period of the certificate and for a minimum of 10 years after expiry or withdrawal, as required by EU type approval legislation.
  • Audit and non-conformity records: retained for a minimum of 10 years in accordance with regulatory requirements.
  • Contact form submissions: retained for up to 2 years unless the enquiry leads to formal proceedings.
  • Account data: retained for the duration of the account and deleted upon account closure, subject to regulatory retention requirements.

Security of Your Information

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of data in transit using TLS (Transport Layer Security)
  • Secure, encrypted storage of documents and files
  • Role-based access control ensuring that personal data is only accessible to authorised personnel
  • Secure authentication through a dedicated identity provider with multi-factor authentication support
  • Regular security reviews and updates

Your Rights

Under the GDPR, you have the following rights in relation to your personal data:

  • Right of access: you may request a copy of the personal data we hold about you.
  • Right to rectification: you may request correction of inaccurate or incomplete data.
  • Right to erasure: you may request deletion of your data where there is no compelling reason for its continued processing, subject to regulatory retention obligations.
  • Right to restrict processing: you may request that we limit how we use your data in certain circumstances.
  • Right to data portability: you may request to receive your data in a structured, commonly used, machine-readable format.
  • Right to object: you may object to the processing of your data in certain circumstances.

To exercise any of these rights, please contact our Data Protection Officer at [email protected]. We may need to verify your identity before processing your request. We aim to respond within one month of receipt.

Cookies

Our platform uses a limited number of cookies that are essential for its operation. We do not use advertising or tracking cookies. For full details, please refer to our Cookie Policy.

Browsing Information

When you visit our platform, our servers may automatically record standard technical information such as your IP address, browser type, device type, and pages visited. This information is used in aggregate to monitor platform performance and improve our services. It is not used to identify individual users unless combined with other information you have provided.

Third-Party Links

Our platform may contain links to third-party websites. We are not responsible for the privacy practices or content of those websites. We recommend that you review the privacy policy of any third-party site you visit.

Changes to This Privacy Policy

We may update this policy from time to time. Any changes will be posted on this page with an updated "Last updated" date. We encourage you to review this page periodically.

Contact Us

If you have any questions about this privacy policy or wish to exercise your data protection rights, please contact our Data Protection Officer:

Data Protection Officer

Malta Type Approval Committee

Mizzi House, National Road

Blata l-Bajda HMR 9010, Malta

Email: [email protected]

How to Make a Complaint

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Office of the Information and Data Protection Commissioner (IDPC):

Office of the Information and Data Protection Commissioner

Level 2, Airways House

High Street, Sliema SLM 1549, Malta

Website: idpc.org.mt
