General Data Protection Policy

Personal Data Protection Policy

Consolidated Biscuit Co. Ltd strives to comply with applicable laws and
regulations related to Personal Data protection. This Policy sets forth the basic
principles by which the Company processes the personal data of consumers,
customers, suppliers, business partners, employees and other individuals, and
indicates the responsibilities of its departments and employees while
processing personal data.
Consolidated Biscuit Co. Ltd – (Company Registration C 5600) is registered at
Central Business District, Zone 4, Mdina Road Birkirkara, CBD 4010, Malta and
manufactures and distributes biscuits and snacks. For the purposes of the
General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR),
Consolidated Biscuit is the ‘controller’ of subject data.

Reference Documents

– EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European
Parliament and of the Council  of 27 April 2016 on the protection of
natural persons with regard to the processing of personal data and on
the free movement of such data, and repealing Directive 95/46/EC)
– Privacy Notice for third parties
– Privacy Notice for Employees
– Data Inventory List
– Retention Policy and Information security policy
Personal data will be processed lawfully, fairly and in a transparent manner in
relation to the data subject.

Personal data will be collected for specified, explicit and legitimate purposes
and not further processed in a manner that is incompatible with those

Collected personal data shall be adequate, relevant, and limited to what is
necessary in relation to the purposes for which they are processed.
Employees and third parties are responsible to keep the company updated
with personal data to ensure it is accurate and up to date. The company is to

WI 9 B General Data Protection Policy 2/1119
be informed of any changes and the company will make respective updates

Retention Period

Personal data will be kept for no longer than is necessary for the purposes for
which the personal data is processed as detailed in the Retention Policy and
Information security policy.

Data Security

The Company will use appropriate technical or organizational measures to
process Personal Data in a manner that ensures appropriate security of
personal data, including protection against accidental or unlawful destruction,
loss, alteration, unauthorized access to, or disclosure.

Data Collection

Consolidated Biscuit Co. Ltd strives to collect the least amount of personal data
possible in order to allow us to perform our legal obligations and legitimate

Use and Disposal

The purposes, methods, storage and retention period of personal data will be
consistent with the information contained in the Privacy Notice. Consolidated
Biscuit Co. Ltd will acknowledge the changes advised by employees or third
parties in order to maintain the accuracy, integrity, confidentiality and
relevance of personal data according to the processing purpose.

Adequate security mechanisms designed to protect personal data will be used to prevent personal data from being stolen, misused and prevent personal data breaches.

Disclosure to Third Parties

Personal data can be shared with professional consultants, auditors and
external legal and financial advisors, company approved IT service providers
subject to their agreement to process personal data in line with our Privacy
Policy. No other third party providers have access to data, unless specifically
required by law.

Consolidated Biscuit Co. Ltd will enter in agreements with supplier or business
partners to provide the same level of data protection. The supplier or business
partner will only process personal data to carry out its contractual obligations
towards the Company and not for any other purposes.

WI 9 B General Data Protection Policy 2/1119

Rights of Access

Consolidated Biscuit Co. Ltd will be responsible to provide data subjects access
to their personal data, and allow them to inform the company of any required
update, correction, or other amendments of their Personal Data, if

Data Portability

Data Subjects have the right to receive, upon request in writing, a copy of the
data they provided to the company and allow them to transmit this data to
another controller. Requests, received in other then written format, will not be

Right to be Forgotten

Upon written request, Data Subjects have the right to request the company to
erase their personal data where lawfully possible.

Fair Processing Guidelines

Consolidated Biscuit Co. Ltd has established a data inventory log summarising
data processing activities by department.

Notices to Data Subjects

At the time of collection or before collecting personal data for any kind of
processing activities including but not limited to production and selling of
products, or marketing activities, the respective manager is responsible to
properly inform data subjects of the following: the types of personal data
collected, the purposes of the processing, processing methods, the data
subjects’ rights with respect to their personal data and its retention period.
The manager will also advise data subject whether the data is required to be
shared with third parties and the Company’s security measures to protect such
data. This information is provided through the Privacy Notice.

Obtaining Consents

Whenever personal data processing is based on the data subject’s consent, or
other lawful grounds, the company is responsible for retaining a record of such
consent.  The company is responsible for providing data subjects with options
to provide the consent and must inform and ensure that their consent
(whenever consent is used as the lawful ground for processing) can be
withdrawn at any time.

WI 9 B General Data Protection Policy 2/1119

When written requests to correct, amend or destroy personal data records, are
received the Company must ensure that these requests are handled within one
month from the date the request has been received. The Company must also
record the requests. Entries are automatically logged on the system.
Personal data must only be processed for the purpose for which they were
originally collected. In the event that the Company wants to process collected
personal data for another purpose, Consolidated Biscuit Co. Ltd must seek the
consent of its data subjects in clear and concise writing. Any such request
should include the original purpose for which data was collected, and also the
new, or additional, purpose(s). The request must also include the reason for
the change in purpose(s).

Then company is responsible for creating and maintaining a Single Register of
the Privacy Notices.

Organisation and Responsibilities

The responsibility for ensuring appropriate personal data processing lies with
everyone who works for or with the Company and has access to personal data
processed by the Company.

The key areas of responsibilities for processing personal data lie with the
following organisational roles:

The Management makes decisions about, and approves the Company’s
general strategies on personal data protection.

The head of department where personal data is kept is responsible for abiding
to the personal data protection policies.

The Company will keep up to date with personal data laws and changes in
regulations, develops compliance requirements, and assists business
departments in achieving their Personal data goals.

Management is responsible for:

– Ensuring all systems, services and equipment used for storing data meet
acceptable security standards.
– Performing regular checks and scans to ensure security hardware and
software is functioning properly.
– Improving all employees’ awareness of user personal data protection.

WI 9 B General Data Protection Policy 2/1119
– Organizing Personal data protection expertise and awareness training
for employees working with personal data.
– End-to-end employee personal data protection. It must ensure that
employees’ personal data is processed based on the employer’s
legitimate business purposes and necessity.
– Approving any data protection statements attached to communications
such as emails and letters.
– Addressing any data protection queries from journalists or media outlets
like newspapers.
– Ensure marketing initiatives abide by data protection principles.
Management is responsible for passing on personal data protection
responsibilities to suppliers where applicable, and improving suppliers’
awareness levels of personal data protection as well as flow down personal
data requirements to any third party a supplier they are using. Consolidated
Biscuit Co. Ltd reserves the right to audit suppliers.

Audit and Accountability

Consolidated Biscuit Co. Ltd must ensure that the policy is being implemented.
Any employee who violates this Policy will be subject to disciplinary action and
the employee may also be subject to civil or criminal liabilities if his or her
conduct violates laws or regulations.

Conflicts of Law

This Policy is intended to comply with the laws and regulations in the place of
establishment and of the countries in which Consolidated Biscuit Co. Ltd
operates. In the event of any conflict between this Policy and applicable laws
and regulations, the latter shall prevail.

Managing records kept on the basis of this document

A Data Retention Policy has been designed and implemented to ensure that
established retention periods are in conformity with the law.

Breach procedure

As soon as Management becomes aware of a possible breach of Data
protection, it undertakes to inform the IDPC office and the data subjects at the
earliest possible. In such event the Company will take all the necessary measures to minimise affect. Once the breach causes are identified  Management will also take remedial and preventive action to avoid recurrences. Management will keep a log of such breaches and incidents will be tackled through the non-conformity procedure