Reference to ‘we’, ‘our’ and ‘us’ refers to afe Trading Limited, bearing registration number C58689, this being a company incorporated in and registered under the laws of Malta, having its registered address and business office at Faber-Castell | the concept, Oscar Zammit Street, Msida, MSD 1282, Malta, and, includes purchases from and services rendered by us to you via our ‘brick and mortar’ retail outlet as well as the Pack to School online service available via the website www.packtoschool.com.mt owned and operated by us.
The processing of your personal data is governed by the General Data Protection Regulation (the ‘GDPR’), namely, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC. The GDPR became directly applicable, repealing and replacing the Maltese Data Protection Act (Chapter 440 of the Laws of Malta), including the various subsidiary legislation issued under the same (the ‘DPA’), on 25th May 2018.
2 Personal data – what data is collected, when and why is this processed?
i. Our retail customers
When you place an order with us, whether online via our website or in person at our retail outlet, as the case may be, you may be required to submit personal data including your name and surname, email address, fixed telephone or mobile number, and other contact details such as your residential address. When you place an order you may also be asked to provide additional information regarding the name of the school associated with your purchase.
If you are a ‘walk-in’ client at our retail outlet, you shall typically only be required to provide personal information to us, as afore-described, if/where you decide to become a member of our loyalty program.
This personal data will be included in our customer database. We therefore invite you to notify us in the event of any change in circumstances or to your personal data so that we can update our records accordingly.
This personal data may only be collected and processed by us – including the company’s officers, employees and other duly appointed representatives or agents, all of whom are bound by confidentiality obligations towards our company – on the following legal basis and for the purposes outlined below:
a. Pursuant to and in satisfaction of the performance of a contractual obligation/undertaking we have towards you –
• to process your purchase/order and provide you with the requested service/products;
• to respond to customer queries and provide after-sales service to you;
b. Our legitimate interest –
• to personalize and optimize your customer experience from the moment you place your order online to the processing and collection/delivery of your order;
• to enable us to improve our service and/or website on the basis of the customer feedback received from you or otherwise observed/analysed when you use our website;
• to enable you to benefit from our loyalty scheme and enable us to administer and manage your loyalty membership, where applicable;
• to enable us to comply with any contractual obligation we may have with third parties;
c. Your consent –
• to include you in our mailing list for the purpose of distributing marketing communications, including, updates and information re specific and/or new products or services, special discounts and/or offers, information regarding our loyalty program and your membership thereto, news regarding events, competitions or courses organised by us or our contacts/partners/other associated entities/persons which we believe may be relevant to you, and so on, if, during the check-out process or otherwise, you explicitly provided your consent to receiving such marketing communications. Please note that you are entitled to oppose any such processing, at any time, and, further to this, you will always be given the option to unsubscribe from our mailing list upon receiving a marketing communication from us. You are further informed that when you become a member of our group/page on any social media, the likes of Facebook, you are automatically consenting to receiving or otherwise having access to marketing communications issued/made by us on/via such social media.
ii. Our other customers
We collect and process personal data about our B2B wholesale customers, including personal information about the owners, directors and managers running/managing the said business – such as name and surname, email address, fixed telephone or mobile number, and other contact or personal details – as part of our customer acceptance procedures and in pursuit of our respective contractual undertakings, to enable us to provide services to them and administer and manage our relationship with them.
iii. Our suppliers
We collect and process personal data about our suppliers including any sub-contractors or other third parties providing a service to us, including personal information about the owners, directors and managers running/managing the said business – such as name and surname, email address, fixed telephone or mobile number, and other contact or personal details – to enable us to receive services from them and administer and manage our relationship with them.
iv. Our staff
We collect and process personal data – including name and surname, email address, fixed telephone or mobile number, residential address, and other contact or personal details – concerning our staff to enable us to administer and manage our relationship with them in our quality as employer in accordance with the relevant employment contract binding us and such employee and applicable law.
Furthermore, when applying for a vacancy with us, applicants are informed that their CV and personal data is collected and processed by us for the purpose of enabling us to process their application and contact them in the eventuality of any other vacancies with us for a reasonable time in the future.
3 The transfer and processing of personal data and engagement of processors
We shall refrain from transferring, disclosing, selling or otherwise making available your personal data to third parties, save to trusted third parties, including third parties which constitute processors in terms of applicable data protection legislation, where:
• this is required to help us conduct and improve our business or to enable the performance of the contract to which you are a party or the delivery of the product or service you requested/purchased;
• this is required to assist us in better understanding website traffic and website interaction including the behaviour of visitors of our website or users of our online service and consequently provide an improved customer experience;
• this is required for the purpose of operating and maintaining our website and providing you with the online service;
• you have expressly given your consent thereto;
• this is required to protect our rights and interests at law or otherwise enable us to comply with any legal or statutory obligation;
• we are required to do so to be able to comply with any contractual obligation we may have.
Third party processors may be appointed by us to provide services to us or on our behalf pending any purchases made by you from us or services received by you from us, or your use of our website and/or online store, thereby partaking in the processing of your personal data, as follows:
• Shopify Inc., a Canadian corporation with offices at 150 Elgin Street, Suite 800, Ottawa, ON, K2P 1L4, acting on its own behalf and its Irish affiliate, Shopify International Ltd (‘Shopify’), provide us with the e-commerce service platform/store accessible through our website. Where a data subject is located in the EEA, that data subject’s personal data will be processed by Shopify’s Irish affiliate. As part of the services provided to us by Shopify, this personal data may also be transferred to other regions, including non-EEA, namely Canada and the United States, and, any and all such transfers will be made in compliance with applicable data protection legislation;
• we use the services of Braintree for the purpose of allowing us to accept, receive and process credit card payments online. For merchants with a registered office address/seat in the EU, like us, Braintree services are provided via PayPal (Europe) S.à.r.l. et Cie, S.C.A., a limited liability partnership registered as number R.C.S. Luxembourg B 118 349, having a registered office at 22-24 Boulevard Royal, L-2449, Luxembourg;
• we use Global Payments Limited for the provision of card processing services on our ePOS systems at our ‘brick and mortar’ retail outlet;
• when making a purchase online, and, during the check-out process, you have requested that your order be delivered to you at the address of your choice, we may share your personal data with reputable persons or companies providing courier delivery services on our behalf. These courier delivery service providers may contact you directly to coordinate with you a convenient time for delivery.
We undertake to require any and all such third parties and processors to be bound by confidentiality obligations and to guarantee compliance with the requirements prescribed by applicable data protection legislation including the protection of your rights as data subjects.
4 Security of information
We implement appropriate technical and operational measures, practices and policies to safeguard the privacy of your personal data.
In the event of a data breach, we also have the obligation to report any security breaches to the competent data protection supervisory authority, the Information and Data Protection Commissioner, within 72 hours of becoming aware of such breach, and to notify you, without undue delay, if any such breach is deemed to cause a ‘high risk’ to your privacy.
Any credit card data and associated sensitive transaction information (other than order details) submitted on our website in order to effect payment for your order online is not accessible by us nor is it stored on our servers. With a view to keeping your information secure and confidential at all times, our website uses secure encryption technology to ensure that your credit card information is encrypted before being transmitted over the internet to our payment platform, Braintree, for further processing.
5 Retention of personal data
The periods of retention for which we keep your personal data depend on the nature of the information and why we need it, provided that the general rule is that we retain your personal data only for as long as it is necessary to fulfil any legitimate purpose as outlined above.
We retain personal information regarding you or your use of our website for as long as needed to continue to service you. In so far as visitors of our website and users of our service may be seasonal and/or constitute, over time, repeated customers, we may keep a record of your purchasing history and personal data for a reasonable period of time so that it will be readily available to/for you if you decide to come back.
If you are a loyalty scheme member and you have not effected any transactions with us, whether via our website or through our retail outlet, for a reasonable period of time from when you first started to benefit from such loyalty program, we shall remove your personal data from our database.
Thereafter, factors which help us determine the appropriate retention periods of personal data comprise the minimum retention period mandated by contract or applicable employment, tax, accounting, regulatory or other relevant legislation, the period recommended as being best practice in the industry, the period during which a claim may be made or within which we can assert, enforce, defend, protect our rights and interests at law or with respect to/under an existing contractual arrangement or undertaking, our legitimate interest to maintain proper business and financial records, and other relevant criteria.
Please note that in the course of using our website and providing a service to you, we may collect and maintain aggregated, anonymized information, and this we may retain indefinitely.
6 Third party privacy policies
Please note that our website may include links to third party websites.
7 Cookies policy
A cookie is a small amount of information that is downloaded to your device when you visit a website. Cookies make your browsing experience better by allowing the website to remember your actions and preferences (such as login details and region selection). This means that you don’t have to re-enter this information each time you return to the site or browse from one page to another.
Some cookies are necessary to allow you to browse our website, use its features, and access secure areas. The use of these cookies is essential for the website to work properly. For example, we use user-input cookies for the duration of a session to keep track of a user’s input when filling in forms that span several pages.
We also use functional cookies to remember choices you have made or information you have provided. This allows us to tailor your website experience specifically to your preferences.
We also use reporting and analytics cookies to collect information about how you use our website in order to be able to make relevant improvements to your browsing experience. These cookies only gather information for statistical purposes and only use pseudonymous cookie identifiers that do not directly identify you. We also use Google Analytics and other third-party analytics providers to help measure how users interact with our website content. These cookies ‘remember’ what our users have done on previous pages and how they’ve interacted with the website. For more information on Google Analytics, please visit Google’s information page.
We may also use advertising cookies on our website to tailor marketing to you and your interests and provide you with a more personalized service in the future. Although these cookies can track your device’s visits to our website and other sites, they typically cannot personally identify you.
The length of time that a cookie remains on your device depends on whether it is a ‘persistent’ or ‘session’ cookie. Session cookies last until you stop browsing and persistent cookies last until they expire or are deleted. Most of the cookies we use are persistent and will expire between 30 minutes and two years from the date they are downloaded to your device.
You can control and manage cookies in various ways. Most browsers automatically accept cookies, but you can choose whether or not to accept or to otherwise filter cookies through your browser settings. If you prefer, you can choose to have your device warn you each time a cookie is being sent, or you can choose to turn off all cookies via your browser settings. Please keep in mind that removing or blocking cookies can negatively impact your user experience and parts of our website may no longer be fully accessible or function properly.
8 Your rights as data subjects
• the right of access to your personal data which is being processed by us;
• the right to request the rectification of inaccurate personal data concerning you and which is in our possession;
• the right ‘to be forgotten’ hence to request us to delete any or all personal information upon the occurrence of one or more circumstances, including the information being no longer necessary to fulfil its purpose, the withdrawal of your consent where consent was the legal basis for processing, your personal data being processed unlawfully, where you object to the processing provided that no over-riding legitimate grounds exist that justify the continued processing of such data, and so on;
• the right to restrict us from processing your data upon the occurrence of one or more circumstances, including where you are contesting the accuracy of your data, or your personal data is being processed unlawfully, or you require this restriction to be able to establish, enforce or defend a legal claim, or you have requested to restrict processing pending verification as to whether our legitimate interests for processing over-ride yours, and so on;
• the right to object to the processing of your personal information on grounds relating to your situation, unless we have compelling legitimate grounds for processing which over-ride your rights and freedoms, or which enable us to establish, enforce or defend legal claims. Where personal data is processed for direct marketing purposes, you may also object to such processing, at any time, to the extent that it is related to such direct marketing. You may do so by clicking on any ‘unsubscribe’ button following receipt of any such marketing communications, where possible, by withdrawing your membership from our group/page on social media, where applicable, or by contacting us in furtherance of the exercise of your right; and
• the right of data portability hence the right to receive from us personal data concerning you in a structured and machine-readable form, and the ability to transmit that data to another controller without interruption.
You also have the right to lodge a complaint with a competent data protection supervisory authority, subject to applicable data protection legislation. If you believe we possess and process your personal data, you may direct any queries to or lodge complaints with our Maltese data supervisory authority at:
Information and Data Protection Commissioner
Level 2, Airways House
Sliema, SLM 1549
Tel: +356 2328 7100
Additionally, if we rely on consent for the processing of your personal information, you have the right to withdraw it at any time and free of charge, provided that, we may notify you of an alternative legal basis, if any, on which we may determine to continue processing such data. When you do so, this will not affect the lawfulness of the processing before your consent withdrawal.
9 Contact us
afe Trading Limited
Faber-Castell | the concept
Oscar Zammit Street
Msida, MSD 1282
Email (when using the Pack to School online service): firstname.lastname@example.org
Email (other matters): email@example.com
Tel: +356 21225665