Privacy Policy

Privacy Policy

This Privacy Policy is effective from 13th August 2019. We reserve the right to modify this Privacy Policy at any time. Changes and clarifications will take effect immediately upon their posting on the website. If we make material changes to this policy, we will notify you here that it has been updated.

The Energy and Water Agency forms part of the Ministry for Energy and Water Management and therefore data collated from and by the Agency may be shared with the Ministry. Furthermore, if the Agency merges with another agency or governmental entity, your information may be transferred to the new (merged) entity.

This policy is made compliant with the General Data Protection Regulation EU 2016/679 (“GDPR”, “Regulation”), and the Data Protection Act (Chapter 586 of the Laws of Malta).


1.1 This Privacy Policy sets out the way in which The Energy and Water Agency (hereunder referred to as “we”, “us” or “the Agency”), collects and processes Personal Data, as well as the steps we take to protect such information (as defined in Section 2 below).

1.2 By using the Services, you acknowledge that you have read and understood, the terms of this Privacy Policy, including how your Personal Data shall be used by the Agency, as well as any partners and subcontractors for the purposes set out in Section 3 of this Privacy Policy. If you do not wish to provide your Personal Data on the basis set out in this Privacy Policy, you should not enter the relevant information on the Website or provide your Personal Data to us otherwise. However, if you do not provide your Personal Data, you may not be able to use all of our Services.

1.3 This policy is based on the following data protection principles:

  • The processing of personal data shall take place in a lawful, fair and transparent way;
  • The collecting of personal data shall only be performed for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • The collecting of personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed;
  • The personal data shall be accurate and where necessary, kept up to date;
  • Every reasonable step shall be taken to ensure that personal data that are inaccurate having regard to the purposes for which they are processed, are erased or rectified without delay;
  • Personal data shall be kept in a form which permits identification of the data subject for no longer than it is necessary for the purpose for which the personal data are processed;
  • All personal data shall be kept confidential and stored in a manner that ensures appropriate security;
  • Personal data shall not be shared with third parties except when necessary for them to provide services upon agreement;
  • Data subjects shall have the right to request access to and rectification or erasure of personal data, or restriction of processing, or to object to processing as well as the right of data portability.



 2.1 Any information we collect which you can be personally identified by shall be considered as Personal Data. As such your name, email address, home address, telephone number and date of birth are all considered as Personal Data. When you browse our website, we also automatically receive your computer’s internet protocol (IP) address to provide us with information that helps us learn about your browser and operating system.

2.2 We collect different types of information from or through the following Services:

  • By using online forms;
  • When you email us your details;
  • Through surveys which we, or companies engaged by us for such purpose, undertake;
  • With your explicit consent when signing up for our Newsletter.



All information provided to the Agency will be solely used as may be necessary to provide you with the required service. The Agency processes your personal data on the basis of the following legal bases:

  • Official authority vested in the Controller – we process your personal data on the basis of Article 6(1)(e) of the GDPR i.e. the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
  • Entering into and performing a contract – we process your personal data on the basis of Article 6(1)(b) of the GDPR, in particular to provide you with the services you have requested from us and as necessary for the performance of a contract;
  • Compliance with legal obligations – we process your personal data on the basis of Article 6(1)(c) of the GDPR, in particular obligations imposed on us to adequately carry out our functions related to the design, implementation and dissemination of water, conventional energy and alternative energy policy;
  • Our legitimate interests – we process your personal data on the basis of Article 6(1)(f) of the GDPR, in particular legitimate interests which may arise directly or indirectly in relation to the services provided e.g. we may process your personal data for the purposes of establishing, exercising or defending legal proceedings. The Agency shall always ensure that your own interests, rights and freedoms are safeguarded.
  • Consent – we process your personal data on the basis of Article 6(1)(a) of the GDPR, in particular when the data subject has given consent to the processing of his or her personal data for one or more specific purposes, for example, to share our Newsletter with our subscribers. Should the data subject, after opting-in change his/her mind, s/he may withdraw his/her consent at any time by clicking here and filling the form. By doing so, all information we hold about you in relation to the Newsletter subscription shall be deleted.

4.1 Your Personal Data is processed by us to provide you with the requested Services and for the following Purposes:

  • Set-up, administer and manage your records;
  • Provide and personalise the Services;
  • Receive and respond to your communications and requests;
  • Ensure that we can fulfil our statutory obligations regarding your records, including by verifying the accuracy of any information you give us;
  • Carry out market research campaigns;
  • Preparing statistics relating to the use of the Services by you and other customers;
  • Provide you with information about, and support for, the Services, including this Privacy Policy; and
  • Support any other purpose necessary for the performance of our contractual obligations or specifically stated at the time at which you provided your Personal Data.

5.1. Except as described in this Policy, we will not intentionally disclose the Personal Data that we collect or store on the Service to third parties without your consent. We may disclose information to third parties if you explicitly consent to us doing so, as well as in the following circumstances:

  • Any company which assists us in providing the Services or which otherwise has a need to know such information;
  • Any third party which assists us in providing the Services;
  • Any third party which can assist us in verifying the accuracy of your Personal Data, including financial institutions and credit reference agencies (a record of the search may be retained by such third party);
  • Any third party which assists us in monitoring use of the Services;
  • Any contractors or other advisers auditing any of our business processes or who have the need to access such information for the purpose of advising us;
  • Any law enforcement body which any reasonable requirement may have to access your Personal Data;
  • With the responsible Ministry under which the Agency forms part of and reports to;
  • In the event of the Agency merging with another agency or governmental entity, your information may be transferred to the new (merged) entity; and
  • Any statutory body or authorised entity which have any reasonable requirement to access your Personal Data.

5.2. If at any time you wish us to stop processing your Personal Data for the above purposes, then you must contact us, and we will take the appropriate steps to stop doing so. Please note that this may mean that you may not be able to use all our Services.


6.1 As a data subject you have certain rights in relation to your personal data including:

  • Right of Access – you have the right to ask us for copies of your personal data that is being processed. There are some restrictions which means you may not always receive all the information we process;
  • Right to Erasure – you have the right to ask us to delete your personal data in certain circumstances. This is not an absolute right and shall depend on our established retention periods;
  • Right to Object – you have a right to object and request that we cease the processing of your personal data where we rely on our, or a third party’s legitimate interests for processing your personal data or a task carried out in the public interest;
  • Right to Portability – you may request that we provide you with certain personal data which you have provided to us in a structured, commonly used and machine-readable format. Where technically feasible, you may also request that we transmit such personal data to a third-party controller indicated by you;
  • Right to Rectification – you have the right to update or correct any inaccurate personal data which we hold about you;
  • Right to Restriction – you have the right to request that we stop using your personal data in certain circumstances including if you believe that we are unlawfully processing your personal data or the personal data that We hold about you is inaccurate;
  • Right to withdraw your consent – where our processing is based on your consent, you have the right to withdraw your consent. Withdrawal of your consent shall not affect the lawfulness of the processing based on your consent prior to the withdrawal of your consent;
  • Right to be informed of the source – where the personal data we hold about you was not provided to us directly by you, you may also have the right to be informed of the source from which your personal data originates; and
  • Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, you shall also have the right to an effective judicial remedy where you consider that your rights under the Regulation have been violated as a result of the processing of your personal data in contravention of the Regulation.

6.2 Your rights in relation to your personal data are not absolute. If you intend to exercise one or more of your rights, please send your request to

6.3 No fees are applicable when exercising your rights. Moreover, you will be provided with a response without undue delay, and in any event within one month from which starts running as soon as your identity is verified.

Following your request to exercise your rights, the Agency may need to request specific information from you to help verify your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.


7.1 The Service may contain features or links to websites and services provided by third parties.

7.2 The Agency will not send you unsolicited information regarding any third party’s products or services.

7.3 Once you leave our website or are redirected to a third-party website or application, you are no longer governed by this Privacy Policy. 

7.4 When you click on links on our website, they may redirect you away from our site. We are not responsible for the privacy practices of other sites and encourage you to read their privacy statements.



  • We take appropriate security measures to protect against the loss, misuse and unauthorised access, alteration, disclosure, or destruction of your information. The Agency has taken steps to ensure the ongoing confidentiality, integrity, availability, and resilience of systems and services processing Personal Data, and will restore the availability and access to information in a timely manner in the event of a physical or technical incident.
  • The Website is protected by industry-standard SSL (Secure Socket Layer) encryption. This technology encrypts all personal data transferred between you and us.
  • However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. If you believe your Personal Data has been compromised, please contact the Agency’s Data Protection Officer at
  • If we learn of a security systems breach, we will inform you of the occurrence of the breach in accordance with Applicable Law.


  • Our Website uses cookies. Cookies are a small text file that is downloaded onto your computer or mobile device when you access a website using that device to gather certain information. Please note that by blocking or deleting cookies, certain parts of the website may not function properly. For more information about what cookies we use and how we use them, please refer to our Cookie Policy.

9.1  This Section sets out our data retention policies and procedure, designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.

9.2 Personal Data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

9.3 We only retain the Personal Data collected from a User for as long as we need it to fulfil the purposes for which we have initially collected it, unless otherwise required by law. We will retain and use information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements, after which point your data will be erased.

9.4 In some cases, it is not possible for us to specify in advance the periods for which your personal data will be retained. In such cases, we will determine the period of retention based on the following criteria:

  • What the purpose(s) was for which your information was collected in the first place;
  • Whether there are any statutory obligations, obliging us to continue to process your information;
  • Whether we have a legal basis in place to continue to process your information, including but not limited to consent;
  • What the value attached to your information is;
  • Whether there are any industry practices stipulating how long information should be retained;
  • The risk, cost and liability attached to such retention; and
  • Any other relevant circumstances.

10.1 As part of the services offered to you, for example through our website, the information you provide to us may be transferred to and stored in countries outside of the European Economic Area (EEA) as we use remote website server hosts to provide the website and some aspects of our Service, which may be based outside of the EEA, or use servers based outside of the EEA – this is generally the nature of data stored in “the Cloud”. It may also be processed by staff operating outside the EEA who work with one of our suppliers, e.g. our website server host, or work for us when temporarily outside of the EEA. A transfer of your personal data may happen if any of our servers are located in a country outside of the EEA or one of our Service providers is located in a country outside of the EEA. If we transfer or store your personal data outside the EEA in this way, we will take steps with the aim of ensuring that your privacy rights continue to be protected, as outlined in this Privacy Policy and in accordance with data protection laws.


 The Agency has a Data Protection Officer who is responsible for matters relating to privacy and data protection. The Agency’s DPO can be reached at the following address:

Data Protection Officer

Energy & Water Agency

Pinto Business Centre

Mill Street,

Qormi, QRM 3104



Version 2019.01| Last Update: 13th August 2019

Download document here

Skip to content