GDPR Statement

trademark registration
GDPR COMPLIANCE STATEMENT (Patent regn. no. 58363)
Last reviewed: 10 January. 2024. Legal Team

From 25 May 2018, the General Data Protection Regulation (GDPR) will apply across the entire EU. These new privacy rules apply to every organization processing personal data from individuals located in the EU, including BVML and its customers. The GDPR replaces and extends the scope of the former EU directive and its national implementation laws. The fine thresholds for non-compliance have also been increased considerably.

The aim of this document is to:

  • Inform you about the GDPR;
  • Let you know what BVML has done and will continue doing to comply with the GDPR;
  • Help you comply when using BVML’s products and services.

We may update this document whenever we think this will help to better achieve the above purposes.

About this document

Much has already been written and said about the GDPR, and much more will be said and written in the future still. It is widely regarded as one of the most important pieces of legislation applicable to the digital sector in the EU, if not the most important.

A core value of the GDPR is that human beings (‘data subjects’) should have control over their own personal data. When an organization controls personal data (any information that says something about, or can be used to identify, a human being), the organization must comply with the following key obligations.

About the GDPR

All processing of personal data must comply with fundamental principles, such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.

All processing of personal data must be founded on a valid and applicable legal basis listed in the GDPR (e.g. if the data subject has given informed consent, or if processing is necessary to perform a contract with the data subject).

Data subjects must be informed about what information is processed about them, why (including the applicable legal basis), for how long, and how it is secured. The following rights of data subjects must be complied with, and data subjects must be explicitly informed about their rights to:

  • Obtain access to the data processed about them;
  • Have their data corrected, erased, or restricted when incorrect or no longer necessary;
  • Object to certain processing of their data;
  • Take their data with them to another provider;
  • Not be subjected to profiling and automated decision-making without their consent;
  • Complain to a supervisory authority about the way their personal data is processed.

Organizations processing personal data more than just occasionally must keep an up-to-date record (overview) of the kinds of personal data they process, about what kinds of data subjects, why (which applicable legal basis), for how long, using which data processors, and where.

Organizations whose core activities revolve around processing personal data must appoint a data protection officer (DPO), a privacy expert who is responsible for helping them comply with the GDPR and should be consulted on all important privacy matters.

For new and riskier forms of personal data processing, a data protection impact assessment (DPIA) must be performed first.

Personal data must be appropriately secured against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access. In the event of a personal data security breach, the supervisory authority and/or affected data subjects must be notified.

In designing systems used to process personal data, privacy should be implemented by design and by default.

Where another party (a ‘processor’) is contracted to process personal data on the organization’s behalf, a data processing agreement is required.

Processing of personal data may not be outsourced to countries outside the EEA, unless specific appropriate safeguards are in place, such as contractual model clauses, binding corporate rules, or a specific arrangement such as the EU-US Privacy Shield.

Important terms and definitions of the GDPR

“Personal data”
GDPR art 4(1)
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

This definition is very broad: all information relating to an identified or identifiable natural person (called the ‘data subject’). Importantly, this does not only cover ‘personally identifiable information’ (known as ‘PII’ mostly in US jurisdictions) which directly identifies a person, such as names, addresses, and telephone numbers; but also IP addresses, information on personal interests, and much of the information stored and read via cookies. Even if someone’s name is not known, a customer profile still contains personal data.

GDPR art 4(2)
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

This definition is also very broad. ‘Processing’ is every operation that is carried out using personal data: not only viewing or modifying the data, but also its mere storage, transfer, and even its deletion.

GDPR art 4(7)
‘Controller’ means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

In essence, the controller is the party who determines why and how personal data is processed. This often is a party who has a contract with individual persons to provide products or services to them.

GDPR art 4(8)
‘Processor’ means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

The processor is the party who is engaged by the controller to process personal data on behalf of the controller.

What BVML has done and continues doing to comply with the GDPR

Certain obligations under the GDPR are applicable to ‘controllers’ (the party who determines why and how personal data is processed), whereas other obligations apply to ‘processors’ (the party who processes personal data on behalf of the controller).

BVML’s data processing agreement regulates BVML’s processing of personal data of your (potential) guests, and helps you to demonstrate compliance with the GDPR when using BVML’s products and services.

BVML as Controller

BVML also processes personal data about themselves and their representatives and employees. In this context, BVML determines the purposes and means of the processing activities, and therefore qualifies as a controller.

BVML’s privacy policy regulates the processing of your own personal data, and of your employees or colleagues using, purchasing, or administrating BVML’s products or services, and provides you with all the required information and data subjects’ rights.

Data Processing Principles

Processing of personal data must comply with the GDPR’s fundamental principles. We do our utmost, and will continue doing so, to implement these data processing principles into the very core of our products, services, and organization.

Lawfulness, Fairness, and Transparency

We only process personal data when we deem this necessary for a legitimate purpose under the GDPR, and we do our utmost to provide complete yet concise and easily accessible and understandable information about all of our personal data processing activities.

Besides our privacy policy and data processing agreement, we provide a suggested text which you may consider incorporating into your privacy policy to explain to your (potential) guests why you are using our products and services to help you process their personal data in an efficient and safe manner.

Purpose Limitation

We only use personal data for the purposes for which they were collected, as described in our privacy policy and data processing agreement. For example, BVML will not use email addresses collected during a booking to send advertisements for other competitors or on its own behalf.

Data Minimization

We do not process more personal data than we deem strictly necessary to provide you with optimal products and services. We don’t combine any personal data we have gathered in providing our products and services to you, with any other personal data we may have obtained elsewhere, unless we have first obtained your specific, explicit, informed consent. If your agreement with BVML has ended, we return your data to you upon your request, and/or it will be deleted from BVML’s servers.


The principle of accuracy is a requirement for controllers. It means that data should be kept up to date where necessary and should always be as accurate as possible. If you need us to help you in correcting certain data about your guests or yourself, please let us know and we will provide all the help we can.

Storage Limitation

Personal data should not be kept longer than necessary to reach the predefined goals. This means that if personal data is no longer needed, it should be securely deleted.

Integrity and Confidentiality

To protect, secure, and preserve personal data, controllers should implement an information security framework. BVML takes adequate technical and organizational measures to protect personal data, as explained in our security documentation (see below).


We have drafted the present document specifically to help demonstrate our compliance with the above principles, and also to help you demonstrate your compliance if you decide to purchase our products and services.

We have also drafted and adopted several relevant internal documents and policies, helping us to demonstrate that we actually put the principles and obligations of the GDPR into practice. More information about this is provided further below.

Lawful Basis for Processing Personal Data

Article 6 of the GDPR provides the valid legal grounds for processing personal data. This list is exhaustive, meaning that these grounds listed are the only valid legal grounds, and at least

    In some countries, an international business license is required to operate. Additionally, if you wish to be a major shareholder in a company headquartered in a country that mandates such a license, you will need approval before acquiring a stake. While requirements vary by country, there are several basic steps to obtaining an international business license. Business Ventures Management Limited is your one-stop hub, having structured over 18,000 Global Businesses worldwide to date.


    217/1, 21st September Avenue,
    Naxxar NXR 1013, Malta.