Privacy Policy
1. Introduction
This Privacy Notice is intended to describe the practices the Malta Business Registry (“MBR”)
follows in relation to the EBRA MALTA ANNUAL GENERAL CONFERENCE 2026 and post-conference
events, with respect to the privacy of all individuals whose personal data is
processed and stored by the MBR. This Privacy Notice should be read together with the Privacy
Policy – Malta Business Registry, and in case of any conflict with the Privacy Policy – Malta
Business Registry, the terms of this Privacy Notice will prevail. Please read this Privacy Notice
carefully.
2. Who manages the data?
For the purposes of this Privacy Notice, “MBR” means the Malta Business Registry, a
government body established under Subsidiary Legislation 595.27, which determines the
purposes and means of the processing of personal data and therefore acts as a data controller.
The Malta Business Registry, in its capacity as data controller, provides and uses the event
management tool (the “Tool”) through which your personal data will be processed and stored.
MBR is the data controller for the processing described in this Privacy Notice. The event and
attendee management Tool is operated by MBR and is made available through a website built
on WordPress (Automattic/WordPress.com infrastructure). Payments (where applicable) are
processed via Stripe. MBR may share personal data with these service providers to the extent
necessary for hosting, security, functionality, and payment processing. The MBR can be
contacted by telephone on +356 2258 2300 or by email at info.mbr@mbr.mt. You may also
contact the MBR’s Data Protection Officer at dpo.mbr@mbr.mt.
The personal data you provided in the Tool is shared by the Malta Business Registry with other
third parties when strictly necessary for the purposes of the Event (see section 6, “Who can
access your personal data?”, below). The personal data you provided is further processed and
stored via the following:
- a) WordPress / Automattic Inc, hosting and operating the Tool website, database storage,
security, logs, and platform functionality, processor hosting/platform services on MBR’s
instructions, San Francisco, California, USA.
- b) Stripe, payment processing, payment confirmation, fraud prevention/security, dispute
handling, Processor, San Francisco, California, USA.
- c) EBRA, attendance/participation verification, independent controller, MBR will disclose only
what is necessary when requested.
The Tool is hosted externally on servers owned by Automattic Inc. The primary data centres are
located in San Francisco, California, USA.
3. Why do we need your personal data?
The Tool is an event and meeting management platform used by the MBR to organise and administer
the EBRA Malta Annual General Conference 2026 (“EBRA 2026”) and related pre- and post-conference
meetings and events. Your personal data processed in the Tool is used as follows:
- manage invitations and registrations.
- create and manage participant lists, attendance lists and agendas.
- communicate with you before, during and after the event (for example, to send joining
instructions, logistical details, evaluation forms or certificates of attendance).
- handle accommodation, catering and accessibility arrangements where applicable.
- manage billing and payments, if any; and
- produce high-level, predominantly aggregated reports on participation and event uptake (for
example, to understand how many participants attended particular sessions).
- send operational communications (e.g., joining instructions, schedule changes,
venue/logistical updates, and confirmations).
System user data (MBR staff and administrators):
- User ID, name, work email, role and permissions in the Tool are used to create and manage
user accounts, assign appropriate access rights, administer events, and provide technical
support.
General event data:
- Information such as event title, date, location, agenda, speakers, session descriptions,
capacity, and logistical details is used to configure and manage EBRA 2026 and related
meetings.
- Where payments are required, limited financial data (for example, invoicing contact details,
billing address and transaction identifiers) may be used to issue invoices and reconcile
payments in MBR’s finance systems and in line with Public Procurement Regulations.
Event attendee data:
- Identity and contact details (for example, name, title, organisation, job role, country, email,
and in some cases telephone number) are used to register you for the event, manage
attendance lists, and communicate event-related information.
- Information on your professional role and organisation may be used to tailor sessions, group
meetings and networking opportunities.
- Optional information on dietary requirements, accessibility needs, or other relevant
preferences is used solely to make appropriate arrangements for your participation.
- If surveys or feedback forms are used, your responses will be processed to evaluate and
improve the event; where possible, these will be reviewed in aggregated or pseudonymised
form.
The MBR processes your personal data in the Tool on the following legal bases:
- Performance of a task carried out in the public interest / exercise of official authority
(Article 6(1)(e) GDPR), in particular the organisation and management of EBRA 2026
and related meetings or events and maintaining working relationships with foreign
registers and other stakeholders in line with the MBR’s statutory functions. This
includes (where applicable) disclosing limited attendance/participation information
to EBRA where required for CPD verification, audit, or compliance purposes.
- Contractual necessity (Article 6(1)(b) GDPR), where needed to manage your
registration, administer your participation in the event and, where applicable,
process payments for attendance or related services.
- Legal obligation (Article 6(1)(c) GDPR), where we are required to keep records for
accounting, audit, reporting or other statutory purposes.
- Legitimate interests (Article 6(1)(f) GDPR), for limited ancillary activities which do not
fall under the above bases, such as basic event statistics or follow-up
communications that are closely related to the event and do not require consent.
- Consent (Article 6(1)(a) GDPR), for:
  - sending you marketing material and/or invitations to future events that are
  not strictly necessary to manage EBRA 2026; and
  - processing health-related information or other special categories of data
  that you choose to provide for the purposes of your participation (such as
  information on dietary requirements or accessibility needs), in which case
  we rely on Article 9(2)(a) GDPR.
You have the right to withdraw your consent at any time, without affecting the lawfulness of
processing based on consent before its withdrawal. You also have the right to object at any time, on
grounds relating to your particular situation, to processing based on Article 6(1)(e) or 6(1)(f) GDPR.
4. What type of personal data is processed in the Tool?
The Tool processes these personal data categories: First name, Last name, and Email address. These
personal data categories are used for every event; the final fields for each instance of processing
depend on specific event needs and may include some or all of the following personal data
categories contained in this Data Fields List.
The Personal Data elements which may be processed in the Tool include the following:
- First/Last Name
- Age or Date of Birth
- Client Personnel Information (Home/Office/Business Information)
- Customer Information (Home/Office/Business Information)
- Email Address
- Gender
- Work Address
- Medical Condition or Diagnosis (Allergy or Physical Disability Accommodations)
- Names of Employers (MBR or Company)
- Occupation (Job Title)
- Passport Number or Identification card number
- Telephone/Fax Number
- Sponsor or attendee status
- IP address, device/browser logs, cookies
Payment card details are processed by Stripe; MBR does not store full card numbers.
In addition, a free form text field is available in the Tool for attendees and/or meeting
requestors to include any comments or updates.
If you would like to see a full schedule of all of the personal information fields which may be
processed in the Tool, please contact your usual MBR representative or send an e-mail to
info.mbr@mbr.mt or dpo.mbr@mbr.mt.
The personal data processed in the Tool is obtained from the following sources:
- information you provide directly when you register for EBRA 2026 or related events,
complete forms in the Tool, or otherwise communicate with us;
- information provided by your organisation (for example, when an EBRA contact,
employer or other competent authority registers you as part of a delegation); and
- information drawn from MBR’s own internal contact and stakeholder databases where
an existing professional relationship already exists.
For EBRA 2026 we do not expect to process personal data relating to your family members or
other dependants via the Tool. If, exceptionally, such information is collected (for example,
where a registered attendee is accompanied by a partner for a social event), it will be limited
to what is strictly necessary and processed in accordance with this Privacy Notice.
Data may be transferred to third-party contact management systems, virtual event platforms,
webcast providers, onsite solution providers or other contracted service providers to facilitate
participation in and successful execution of meetings or events. The processing of data is kept
to the minimum necessary: data is shared with third parties to the extent required to carry out
meeting requirements (i.e. name badges, mobile applications, virtual event platforms, marketing
automation and audience response/polling applications). Please refer to each respective
service provider’s privacy notice for additional information.
5. Sensitive Personal Data
Article 9 of the General Data Protection Regulation (“GDPR”) identifies certain special categories of
personal data which are considered particularly sensitive. These include personal data revealing racial
or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as
well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural
person, data concerning health, and data concerning a natural person’s sex life or sexual orientation.
The Tool is not designed to collect or process special categories of personal data and the MBR does
not intentionally collect such data via the Tool. Any personal data relating to accommodation or
accessibility requested for the purposes of an event will be treated as confidential and limited to what
is strictly necessary.
In certain cases, health-related information (for example, a medical condition, diagnosis, accessibility
need or food allergy) may be processed in the Tool only where you choose to provide it and give your
consent. This is an optional field for each attendee. Such information is requested solely to enable the
MBR to support attendees during events (for example, arranging suitable catering options or providing
appropriate access where a walker or wheelchair is required).
If payment is made through the Tool, credit or debit card details are collected only to the extent
necessary to process the transaction; the Tool does not collect or store the authorisation PIN.
The Tool may also collect basic demographic information such as gender for logistical or statistical
purposes. Gender, on its own, is not classified as a special category of personal data under Article 9
GDPR.
The following disclaimer will be displayed in connection with any open-text fields in the Tool that could
otherwise be used to enter unnecessary or inappropriate content:
“Please do not enter any unnecessary personal information or any special categories of personal data
(for example, information revealing racial or ethnic origin, political opinions, religious or philosophical
beliefs, trade union membership, genetic or biometric data, health data, or data concerning your sex
life or sexual orientation), government identifiers (such as tax or social security numbers), client or
third-party confidential information, business or commercial secrets, information protected by
professional secrecy or other confidentiality obligations, or any abusive, offensive or clearly irrelevant
content.”
6. Who can access your personal data?
Your personal data is accessed in the Tool by the following persons/teams.
| USER GROUP | LOCATION | PURPOSE | ACCESS |
|---|---|---|---|
| MBR Staff | Malta | event team and system administrators | All |
| Automattic/WordPress support personnel | San Francisco, California, USA | troubleshooting/security | Limited |
| Account user | Global | Depends on role | Depends on role |
| Requester user | Global | Submit request | Depends on role |
| MBR IT personnel | Malta | System updates and troubleshooting | All |
| Stripe support personnel | San Francisco, California, USA | Payment support/disputes, fraud/security | Limited |
For EBRA 2026, event sponsors do not have access to personal data in the Tool. The MBR does not
provide sponsors with direct access to participant lists, or any other personal data stored in the Tool.
Sponsors may receive aggregated or anonymised information about the event (for example, total
number of attendees, general breakdown by country or sector) where appropriate and subject to
MBR’s policies. Such information does not allow individual attendees to be identified.
We transfer or disclose the personal data we collect to third-party service providers (and their
subsidiaries and affiliates) who are engaged by us to support our internal ancillary processes. For
example, we engage service providers to provide, run and support our IT infrastructure (such as
identity management, hosting, data analysis, back-up, security, and cloud storage services) and for the
storage and secure disposal of our hard copy files. It is our policy to only use third-party service
providers that are bound to maintain appropriate levels of data protection, security, and
confidentiality, and that comply with any applicable legal requirements for transferring personal data
outside the jurisdiction in which it was originally collected.
To the extent that personal data has been rendered anonymous in such a way that you or your device
are no longer reasonably identifiable, such information will be treated as non-personal data and the
terms of this Privacy Notice will not apply.
7. Cookies and Similar Technologies
When you access the Tool or related EBRA 2026 pages via your web browser, cookies and similar
technologies may be used to ensure the security and functionality of the service and to compile basic
usage statistics.
- Where you access pages hosted on mbr.mt or its sub-domains, the use of cookies is
governed by the Cookie Policy – Malta Business Registry.
- Where the Tool is hosted on infrastructure operated by our service provider Automattic
Inc, cookies and similar technologies are governed by that provider’s own cookie policy
(Cookie Policy | WordPress.org).
- Where the Tool redirects you to a Stripe-hosted payment page, cookies and similar
technologies used on that payment page are governed by Stripe’s own cookie policy
(Stripe Cookies Policy).
For more information on how MBR uses cookies on its own websites, please refer to our Cookie Policy
– Malta Business Registry and Privacy Policy – Malta Business Registry.
8. Data Retention
Our policy is to retain personal data only for as long as is necessary for the purposes described in the
section “Why do we need your personal data?”, and to comply with any legal, regulatory, accounting,
and archiving obligations. Retention periods are set having regard to the EU General Data Protection
Regulation (GDPR), the Maltese Data Protection Act (Cap. 586) and any applicable sector-specific rules.
Where the Event Tool is used in connection with MBR meetings and events (including EBRA 2026),
personal data in the Tool is retained as follows:
1. After a meeting or event is completed
a) Information relating to event attendees (for example, their contact details, dietary or
accessibility requirements) is retained in the Tool for up to two (2) years from the
end of the event, in order to manage follow-up queries, deal with any incident
reports or claims relating to the event and maintain records of participation.
b) Meeting-management information about the event itself (such as agendas, logistical
information, vendor records and high-level reports) is retained in the Tool for up to
seven (7) years from the end of the event, in line with typical audit, accounting and
record-keeping requirements.
2. MBR staff and partners using the Tool
When an MBR staff member or partner ceases to use the Tool (for example, on leaving their
role), their user account is promptly deactivated. The related contact and user records in the
Tool (including associated personal data) are then deleted in accordance with the MBR
Retention Policy and the relevant Country Retention Schedule, unless a longer retention
period is required for the establishment, exercise, or defence of legal claims or by law.
3. Payment card details
MBR retains payment confirmation and invoicing records (e.g., invoice/receipt details,
payment status, and transaction reference) in its internal finance systems for the period
required for accounting/audit obligations. MBR does not store full payment card numbers;
card details are processed by Stripe under its own retention policies.
4. Archived meeting-spend data
Archived data stored on the MBR Data Broker server (year-over-year meeting-spend
information only) is retained for up to ten (10) years for financial reporting, audit, and
archiving purposes, after which it is deleted in line with the MBR Retention Policy.
After the end of the applicable retention period, personal data is either securely deleted or
irreversibly anonymised, unless we are required by law to retain it for a longer period, or it is needed
for the establishment, exercise, or defence of legal claims.
9. Security
MBR protects the confidentiality and security of information it obtains in the course of its business.
Access to such information is limited, and policies and procedures are in place that are designed to
safeguard the information from loss, misuse, and improper disclosure. Additional information
regarding our approach to data protection and information security is available in our Privacy Policy –
Malta Business Registry.
10. Controlling your personal data.
MBR will not transfer your personal data to third parties (other than any external parties referred to
in section 6 above) unless we have your permission or are required by law to do so.
You are legally entitled to request details of the personal data the MBR holds about you.
To confirm whether your personal data is processed in the Tool or to access your personal data in the
Tool or (where applicable) to withdraw your consent, contact your usual MBR representative or email
your request to dpo.mbr@mbr.mt.
11. Objection, rectification, erasure, restriction of processing or data portability.
You can confirm that your personal data is accurate, updated, and current. You can object to the
processing of your personal data, request rectification, erasure or restriction of processing, raise
other customer service questions relating to your personal data, or receive a readily portable copy
of your personal data by contacting your usual MBR representative or by sending an email to
dpo.mbr@mbr.mt.
The rights described in this section are to be read together with the detailed explanation of your data
protection rights in the Privacy Policy – Malta Business Registry, particularly the section “Your Rights
under the Data Protection Laws”. Where there is any inconsistency, this Privacy Notice prevails for
processing carried out through the Tool.
12. Complaints
If you have concerns about an alleged breach of data protection law or any other applicable regulation,
you may contact the Malta Business Registry (“MBR”) by post at Malta Business Registry, AM Business
Centre, Triq il-Labour, Żejtun, ZTN 2401, Malta, by telephone on +356 2258 2300, by email at
info.mbr@mbr.mt, by contacting your usual MBR representative, or by writing directly to the Data
Protection Officer at dpo.mbr@mbr.mt. The MBR will investigate your complaint and inform you how
it will be handled and resolved.
If you are not satisfied with the way in which the MBR has addressed your complaint, you have the
right to lodge a complaint with the data protection authority in your country of residence, place of
work, or place of the alleged infringement. You also have the right to seek a remedy before a court of
competent jurisdiction. We kindly ask that you first attempt to resolve any issues you may have
with us (even though, as stated above, you have a right to contact the competent authority at
any time).
As the MBR operates within the European Union, the primary applicable data protection law is
Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”), together with the
relevant Maltese implementing legislation. With regard to controllers or processors established
outside the EU/EEA that are not otherwise subject to the GDPR, any transfers of personal data are
carried out in accordance with Chapter V of the GDPR and are only permitted where the third
country is covered by an adequacy decision adopted by the European Commission or where the
parties have entered into the Standard Contractual Clauses adopted by the Commission in 2021, or
another appropriate safeguard permitted under the GDPR.
13. Contact us.
If you have additional questions or concerns, contact your usual MBR representative or email
dpo.mbr@mbr.mt.
14. Acknowledgement
By registering for and/or attending the EBRA Malta Annual General Conference 2026 (“EBRA 2026”) or
any other meeting(s) or event(s) organised by the Malta Business Registry (“MBR”), you acknowledge
that this Privacy Notice applies for the entire duration of your participation in such meeting(s) and
event(s). Where you choose to opt in, you consent to the processing of your personal data so that you
may receive electronic communications from the MBR for real time updates during the dates of the
event and/or invitations to future events.
You may withdraw your consent to receive such communications at any time by
informing the MBR through communication.mbr@mbr.mt within 7 days following the event.
The MBR is the Maltese government organisation established under Subsidiary Legislation 595.27. It
is responsible, among other things, for the registration of new commercial partnerships and legal
entities, the registration of documents relating to commercial partnerships, the issuing of certified
documentation (including certificates of good standing), the reservation of company names, the
collection of registration and other fees, the publication of notices, the imposition and collection of
penalties, the conduct of investigations of companies, and the keeping of the companies and
partnerships register.
Where you choose to do so, you may also consent in the event management tool (the “Tool”) to the
processing of personal data that you voluntarily provide to the MBR for the purposes of the event you
are attending, including any health-related or other special categories of personal data (for example,
information on medical conditions, accessibility needs or dietary requirements).
If you provide the MBR, via the Tool or otherwise, with personal data relating to your spouse or any
family member attending an MBR meeting or event with you, you confirm that you have clearly
informed them of the contents of this Privacy Notice and of the processing of their personal data
(including any health-related or other special categories of personal data) and that you have the
necessary authority, or have obtained their consent where required, to enable the MBR to process
their information in accordance with this Privacy Notice.
