Privacy Notice for Third Parties

Last updated: 26.02.2025

1.        Introduction

This Privacy Notice (referred to as the “Notice) outlines how The General Soft Drinks Co. Ltd and GSD Marketing Ltd. (thereafter referred to as “GSD”, “Company”, “we” or “us”), collects and processes personal data relating to third parties, such as partners, services providers and contractors. This may include individuals, such as self-employed persons, influencers, brand ambassadors as well as representatives, employees, or contact persons of legal entities.

We take data protection seriously and we are committed to processing your personal data in compliance with the General Data Protection Regulation EU 2016/679 (“GDPR”, “Regulation”), the Data Protection Act (Chap 586 of the Laws of Malta) and any other applicable data protection laws which may be amended from time to time.

2.        Controller Details

The controller of your personal data is The General Soft Drinks Co. Ltd, a company registered in Malta, bearing company registration number C1591, and having its registered address at Marsa Industrial Estate, Marsa, Malta.

 

For influencers and brand ambassadors, the controller of the personal data is also GSD Marketing Ltd., a company registered in Malta, bearing company registration number C3774, and having its registered address at Marsa Industrial Estate, Marsa, Malta.

Updated contact details and other information on the Company can be found on our website at https://gsd.com.mt/.

The Company has appointed a Data Protection Officer (“DPO”). If you have any queries relating to this Notice, including any requests to exercise your rights, please contact the DPO at [email protected].

3.        Definitions

The definition of “personal data”, “automated decision”, “data controller” and “processing” have the same meaning as in the GDPR.

4.        Personal Data collected and purpose of the processing

We obtain personal data relating to you, either directly from you or indirectly through the partner, supplier or service provider for whom you work. We may collect various types of personal data about you, including:

  • Identification data (e.g. title, name, surname, passport/ID card number, language)
  • Contact data (e.g. email address, mobile/telephone number, residential address)
  • Information about your employer (e.g. name of your company and your title, position)

Additionally, in respect of those partners, suppliers and service providers who are individuals (such as self-employed persons, influencers or brand ambassadors), we may also collect financial data including VAT registration number, IBAN, bank account, bank key, country, payment method and any outstanding balances.

Please note that failure to provide personal data impedes the Company from being able to enter into the contract, thereby affecting the establishment of a business relationship and/or the continuation of the existing relationship.

We process personal data for the following purposes:

  • Performance of contractual obligations, including pre-contractual communications and negotiations preceding the establishment of a commercial agreement with you.
  • Management of the relationship with our partners, suppliers and service providers.
  • Billing, invoicing, issuing payments, debtor transaction processing and debt collection.
  • General administration purposes, archiving and record keeping.
  • Compliance and reporting.
  • Defending ourselves in the event of a legal claim or dispute.
  • Insurance purposes.
  • Other purposes which may be imposed by applicable law and authorities.

In the case of influencers and brand ambassadors, in addition to the above, we also process personal data to send branded products for use in content creation.

5.        Legal Basis

The Company’s legal basis for processing your personal data is the following:

  1. 6 (1) (b) of GDPR. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  2. 6 (1) (c) of GDPR. Processing is necessary for compliance with a legal obligation to which the Controller is subject.
  3. 6 (1) (f) of GDPR. Processing is necessary for our legitimate interests in conducting an existing or new business relationship, performing our business activities and to establish, exercise or defend legal claims and to pursue any remedies available (including debt recovery).

6.        Sharing of data

We may share Your Personal Data as follows:

  1. Selected individuals within the Company
  2. To the extent necessary, with any Court, Tribunal, Authority, or Governmental Entity and Law Enforcement Bodies where such disclosures are permitted or required pursuant to applicable law.
  3. Other entities/subsidiaries/affiliates of GSD
  4. Trusted service providers and suppliers we are using to run our business, including systems, cloud and database
  5. Professional advisers and any service providers that may require access to your personal data in rendering us with their services including lawyers, bankers, auditors and insurers.
  6. In the event that we are acquired by or merged with a third-party entity, or in the event of bankruptcy or a comparable event, or in the event of restructuring of the business, we reserve the right to transfer, or assign personal data in connection with the foregoing events, when allowed or imposed by applicable law and in compliance with legal and regulatory requirements.

7.        Automated Decision-Making and Profiling

Your personal data will not be used for any automated decision making or profiling.

8.        Transfer of data to third countries

Your personal data are not transferred to third countries outside the EU/EEA. However, in any case of transfer of data outside the EU/EEA, in the absence of an adequacy decision issued by the European Commission (Art. 45 GDPR), appropriate safeguards are provided for such data transmissions as per and in accordance with legal requirements (particularly the use of EU standard contractual clauses). You can obtain a copy of the Standard Contractual Clauses (SCCs) by contacting us at [email protected].

9.        Data Retention

We will only retain personal data relating to you for as long as is necessary (taking into consideration the purpose for which it was originally obtained). We establish the retention period taking into account several factors and criteria, which includes but is not limited to any retention period set out by legal or regulatory requirements. We also take into consideration the time periods established by law, regulations and directives to exercise legal actions, to defend rights, to carry out procedural actions when determining the relevant data retention periods. Thereafter, personal data shall be immediately and irrevocably erased. We might retain your data for a longer period of time based on our legitimate interest to comply with our legal obligation, in case of a legal proceeding/audit or inspection form Authorities.

10.   Data Subject Rights

According to the GDPR you have the following rights:

  1. Request access to your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it;
  2. Request rectification of personal data that we hold about you.
  3. Request erasure of personal data relating to you (where applicable). This enables you to ask the Company to delete or remove personal information where there is no good reason for us continuing to process it.
  4. Object to the processing of your personal data (where applicable) where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
  5. Request that we provide you with any personal data that you may have provided us, in a structured, commonly used and machine-readable format;
  6. Request the restriction of processing of your personal information.
  7. Request that we transmit your personal data directly to you or to another controller indicated by you.
  8. Right to be informed of the source – where the personal data we hold about you was not provided to us directly by you, you may also have the right to be informed of the source from which your personal data originates.

Please note that the rights indicated above are not absolute and can be subject to specific legal requirements or exemptions and therefore may not always be applicable.

There is no charge for the provision of the information, following your request, except in circumstances where the request is manifestly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. The Company may withhold certain information which is exempt from the right of access in accordance with the applicable law.

We may need to request specific information from you to help us confirm your identity and ensure the exercise of your rights. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

To exercise any of your rights, file a complaint relating to your privacy or if you have any other questions about our use of your personal data, please send an email to our Data Protection Officer (DPO).

Although all reasonable efforts will be made to keep your information updated, you are requested to inform us of any change referring to the personal data we hold about you.  In any case, if you consider that certain information about you is inaccurate, you may request rectification of such data, as explained above.

11.   Complaints

The Company and its DPO may be contacted on complaints regarding the processing of personal data. You have also the right to lodge a complaint with the Data Protection Supervisory Authority, the Office of the Information and the Data Protection Commissioner in Malta (www.idpc.gov.mt).

12.   Updates

We may update this Notice at our sole discretion including as a result of a change in applicable law or processing activities. Any such changes will be communicated to you prior to the commencement of the relevant processing activity.