The MGA is the regulatory body responsible for the governance and supervision of all gaming activities in and from Malta. It is assigned with the responsibility and official authority to ensure that Malta’s gaming regime is based on a fair, responsible, safe and secure provision of gaming services and it seeks to ensure that the three main pillars of gaming, namely (i) the fairness of games, (ii) the protection of minors and vulnerable persons, and (iii) the prevention of crime, fraud and money laundering, are safeguarded as much as possible.
It is, therefore, the duty and responsibility of the Authority to process all the data and information as may be required to effectively safeguard the public interest with regards to gaming activities in and from Malta.
When determining the purposes and means of the processing of such personal data, the MGA – whose principal place of business is situated at Building SCM 02-03, Level 4, SmartCity Malta, Ricasoli SCM1001, Malta – is acting as the ‘Data Controller’ for the purposes of the General Data Protection Regulation (GDPR).
Personal Information We Process
The Authority (“MGA” or “We”, “Us”, “Our”) may collect your personal information in accordance with the terms of this privacy notice. Personal information consists of personal data and, in some cases, may also consist of special categories of personal data. The term ‘personal data’ refers to personally identifiable information about you, such as your name, e-mail or mailing address, CV, or any other supporting documentation you may as a user of the website, or as job-candidate for instance, choose to submit to the Authority.
Certain information may be classified as ‘special category personal data’, such as information about you that may reveal your race, ethnic origin, or political opinion. Should we require your special category personal data, we will request your explicit consent.
The Authority also collects your personal information when you make use of the following facilities which are provided by the Authority which require, to varying degrees, the voluntary submission of your personal information:
- the services available on the Authority website, namely:
- subscription to the Authority’s Newsletter and News Alerts; and,
- the Online Gaming Support and Land-based Gaming Support facilities;
- the Licensee Relationship Management (LRM) Portal; and,
- the Recruitment Management System.
How is Personal Information Gathered Used?
While fulfilling its role as the regulatory body responsible for the governance and supervision of all gaming activities in and from Malta, the MGA processes certain personal data relating to licensees, players, employees, and the general public, including candidates using the Recruitment Management System.
The Authority may collect and process your personal information for the following purposes:
- to provide its services;
- to carry out its regulatory, licensing and enforcement functions;
- to meet its legal responsibilities as a Regulator and employer; and,
- generally, for regulatory and legal reasons.
Collection of Data from the Recruitment Management System
As part of its recruitment processes, the MGA also collects and processes personal data relating to job applicants. The Authority is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.
The MGA collects a wide range of information including:
- your name, address and contact details, including email address and telephone number;
- details of your qualifications, skills, experience and employment history;
- information about your current level of remuneration, including benefit entitlements;
- whether or not you have a impairment for which the Authority needs to make reasonable adjustments during the recruitment process; and
- information about your entitlement to work in Malta.
The MGA may collect this information in a variety of ways. Data might be contained in documents which are submitted to the Authority via the ‘Recruitment Management System’, in the form of CVs or resumes, identification documents such as passports or through other means such as interviews or any other form of assessment. The MGA may also collect personal data such as references from third parties such as your former employers. We will seek information from third parties only when the Authority is providing you with a job offer. You will be informed by the Authority that it will be doing so.
Data may be stored in a range of different places, including on your candidate profile as created by yourself, in HR management systems and on other IT systems (including email).
Data relating to the Recruitment Management System
If you are accessing this website as a candidate seeking employment, you shall be required to fill out details, including data referred to above, in the ‘create your profile’ section which can be found on the Recruitment Management System which is accessible through the ‘About Us’ tab. Further details related to this system can be found down below. Such details and information provided may be deemed confidential.
The Authority’s scope in this regard is to provide you with the most appropriate and suitable employment opportunities matching your interests and qualifications. This will also save your time since you will not be required to go through information about jobs and services which are not relevant to your skillset. To this end, we will also use the data internally for research purposes to enhance user experience.
Candidates shall take full responsibility for the integrity and the accuracy of the data provided.
Should you decline to provide us with any such data we will not be able to provide you with our Service.
Creation of a Candidate Profile on the Recruitment Management System
When you successfully create your profile, you will gain and retain full access to the data inputted in the profile and you will also have the facility to change, delete, amend or modify such data independently. You shall have full responsibility for the accuracy of the data that you have entered when creating your profile.
The MGA may send you an automated email to alert you about any changes to the profile you could have made, including for example the removal of a CV or any other information which is considered integral to your job search.
Once your profile is fully active, you may be contacted about your profile. We may or may not enable or disable job alerts based on your preferences. When you are approached by us about a specific vacancy, we would require your consent to be able to proceed.
Should your profile not show any activity for twelve (12) months, you will receive an automated email asking you to activate your profile to ensure that this will not be deleted by us. Should you not activate your profile for a continuous period of six months following this notification, your profile and all data which would have been stored by us will be deleted.
If your application for employment is a successful one, personal data gathered during the recruitment process will be transferred to your Human Resources file (electronic and/or paper-based) and retained during your employment. Your data will then be held in terms of our data retention periods and data protection policy that will be made available to you.
Why does the MGA process personal data?
The MGA may need to process your data to be able to enter into a contract with you.
In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, it is mandatory to check a successful applicant’s eligibility to work in Malta before employment starts.
The MGA has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows us to manage the recruitment process, assess and confirm a candidate’s suitability for employment and ultimately decide who shall be offered the job. We may also need to process data from job applicants to respond to and defend against legal claims.
The MGA may, for the purposes of ensuring that it is an equal opportunities employer, collect information about whether or not applicants have a disability to be able to make reasonable adjustments for such candidates. We process such information to carry out our legal obligations and to exercise specific rights in relation to employment.
Following the activation of your profile and after the commencement and finalisation of the recruiting process, and where your application for employment with the Authority is unsuccessful, the MGA will hold your personal data on file for a further twelve (12) months in case there are future employment opportunities for which you may be suited. We will ask for your consent before keeping your data for this purpose when you submit your documentation on the recruitment system and you will remain free to withdraw your consent at any time. You may also seek to have your information rectified at any time. At the end of that period, or once you withdraw your consent, your data is deleted or destroyed.
Who has access to data?
Your information may be shared internally strictly for the recruitment exercise. This includes members of the HR and recruitment team, interviewers involved in the recruitment process, managers in the business area of the relative vacancy and IT staff if they require access to the data for the performance of their roles.
We may share your data with the employers you identified in your documentation in order to obtain references about you. We may also share your data with employment background check-providers in order to obtain the necessary background checks.
We process this data on the basis of a contractual relationship between you and the Authority which is deemed to have become effective once you confirm that you have read and agreed to this Privacy Notice. By entering into this agreement, you are confirming that your former employers referred to within the documentation, you submitted through the recruitment process, as well as any employment background check providers, may forward any information concerning yourself to the Authority.
Sharing Personal Data
All profiles created by you on the Recruitment Management System are created on a system called Talexio which is a third-party platform. This platform is wholly owned by Preeo Studios Limited, used by the MGA and hosted on Amazon Web Services. The data provided to create a profile shall be kept on this third-party platform. The MGA shall treat all CVs, profiles and documentation related thereto in strict confidence provided that per the aforesaid, it may refer to a candidate’s former employer or employers and background check service providers.
How does the MGA protect data?
We take the security of your data seriously. We have internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.
What if you do not provide personal data?
You are under no statutory or contractual obligation to provide data to the MGA during the recruitment process. However, if you do not provide such information, we may not be able to process your application properly or at all.
The Authority is required to adhere to the Data Protection Act (Cap. 586 of the Laws of Malta) (the “Data Protection Act”) and other relevant regulations, legal notices and similar instruments that may be in force, taking account of the General Data Protection Regulation (Regulation (EU) 2016/679) and the Electronic Communications Privacy Directive (Directive 2002/58/EC as amended by Directive 2009/136/EC) (the “Directives”) (the “Data Protection Laws”).
All this is in place in order to assure you that at all times your personal information is:
- processed in accordance with your rights
- processed fairly and lawfully
- obtained only for a specific and lawful purpose
- adequate, relevant and not excessive to its purpose
- accurate and updated
- kept in a secure manner
- not kept longer than is necessary for its purpose
- not transferred to jurisdictions which do not adhere to the aforementioned Directives.
Any person about whom we hold information has rights under the Data Protection Laws. You may:
- be informed if we hold personal information relating to you;
- request the specific purpose of the processing, and categories processed, of your personal information;
- request the envisaged period for which your personal information will be stored by us, or, if this is not possible, the criteria used to determine this period;
- have any inaccurate data corrected or removed in certain circumstances; and
- submit a complaint to the Information and Data Protection Commissioner in Malta where you believe that we have not complied with the Data Protection Laws.
For further information on how your personal information is used, how we maintain the security of your personal information, and your rights to access the information we hold on you, please get in touch with us in the manner specified in the ‘Getting in Touch with Us’ section of this notice.
Further to the above rights, please note that if your application for employment is unsuccessful, as a data subject, subject to certain conditions and limitations, you have several rights.
- access and obtain a copy of your data on request
- require the MGA to change incorrect or incomplete data
- require the MGA to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing
- object to the processing of your data in cases where the MGA is relying on its legitimate interests as the legal ground for processing.
Access, corrections and deletions
If you wish to view any of your personal information we hold, or have any inaccurate data corrected or removed, you can make a request (“A Data Subject Request”) to this effect.
A data subject request shall be made by sending an email to that Authority’s Data Protection Officer (DPO) to the following email address: [email protected]. The email shall contain your full name, address, and a description of the information you wish to view, correct or delete.
The Authority’s DPO may request further information from the data subject making the request should any clarifications be required. Furthermore, to ensure confidentiality and to verify the identity of the person making the data subject request, the DPO may request a photo to be taken of the subject person holding a photo identification document clearly showing name, identification number and facial photo on document.
It is important to note that the rights of data subjects are tied with certain conditions and limitations that are stipulated within the GDPR itself.
The Authority reserves the right to charge a reasonable fee for repetitive requests, requests for further copies of the same data, and, or requests which are deemed to be manifestly unfounded or excessive. We may also refuse to act upon requests that are deemed to be manifestly unfounded or excessive.
Cookies, tags and other identifiers (“Cookies”)
- to ensure that any selections you make on our Websites are adequately recorded; and
- for analysis of the traffic on our Websites, so as to allow us to make suitable improvements.
The Authority Website contains several hyperlinks and redirections to other websites, including the LRM Portal. You are therefore kindly reminded to read the privacy notices of any other websites you access which are not covered by this privacy notice.
The Authority does not provide quality control of the hyperlinks to websites that are not operated by the Authority. The Authority accepts no responsibility for the content, performance, accuracy, security, privacy or availability of the hyperlinks to such external websites.
Changes to our Privacy Notice
The Authority is continually improving and adding new functionality and features to its Websites. Because of these ongoing changes, changes in the law, and the changing nature of technology, the Authority’s data practices may change from time to time. If there are any changes to this privacy notice, we will replace this page with an updated version. It is in your interest to check this privacy notice frequently so as to be aware of any changes which may occur from time to time.
This privacy notice was last updated on 21/04/2020.
We are committed to protecting your privacy. If you find anything on the Authority’s Website and/or the LRM Portal that causes concern, please get in touch with us.
Any comments or suggestions that you may have, and which may contribute to a better quality of service will be welcome.
Getting in Touch with Us
If you would like to exercise any of these rights, please make your request by sending an email containing all the necessary information to the Authority’s Data Protection Officer on the following email address: [email protected] or write to us at:
Data Protection Officer,
Malta Gaming Authority,
Building SCM 02-03, Level 4,
Your Right to Lodge a Complaint
The Authority endeavours to protect your personal information. However, if you believe that the Authority has not complied with your data protection rights, you may complain to the Information and Data Protection Commissioner (IDPC).
The following are the contact details:
Information and Data Protection Commissioner
Telephone: (+356) 2328 7100
Email: [email protected]
The Authority makes every effort to maintain the accuracy of the information that is published on the Websites but accepts no responsibility and expressly excludes liability for any direct, indirect or consequential loss or damage which may arise from the usage of, and / or reliance on, such information.