Privacy Policy


Consolidated Biscuit Co. Ltd strives to comply with applicable laws and regulations related to Personal Data protection. This Policy sets forth the basic principles by which the Company processes the personal data of consumers, customers, suppliers, business partners, employees and other individuals, and indicates the responsibilities of its departments and employees while processing personal data.
Consolidated Biscuit Co. Ltd –  (Company  Registration C 5600) is   registered  at:
Mdina Road, Zone 4, Central Business
District,  Birkirkara CBD 4010, Malta | Europe,
Malta and manufactures and distributes biscuits and snacks. For the purposes of the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), Consolidated Biscuit is the ‘controller’ of subject data.


Reference Documents

– EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council  of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)
– Privacy Notice for third parties
– Privacy Notice for Employees
– Data Inventory List
– Retention Policy and Information security policy
Personal data will be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Personal data will be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Collected personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Employees and third parties are responsible to keep the company updated with personal data to ensure it is accurate and up to date. The company is to be informed of any changes and the company will make respective updates accordingly.


Retention Period

Personal data will be kept for no longer than is necessary for the purposes for which the personal data is processed as detailed in the Retention Policy and Information security policy.


Data Security

The Company will use appropriate technical or organisational measures to process Personal Data in a manner that ensures appropriate security of personal data, including protection against accidental or unlawful destruction, loss, alteration, unauthorised access to, or disclosure.


Data Collection

Consolidated Biscuit Co. Ltd strives to collect the least amount of personal data possible in order to allow us to perform our legal obligations and legitimate interests.


Use and Disposal

The purposes, methods, storage and retention period of personal data will be consistent with the information contained in the Privacy Notice. Consolidated Biscuit Co. Ltd will acknowledge the changes advised by employees or third parties in order to maintain the accuracy, integrity, confidentiality and relevance of personal data according to the processing purpose. Adequate security mechanisms designed to protect personal data will be used to prevent personal data from being stolen, misused and prevent personal data breaches.


Disclosure to Third Parties

Personal data can be shared with professional consultants, auditors and external legal and financial advisors, company approved IT service providers subject to their agreement to process personal data in line with our Privacy Policy. No other third party providers have access to data, unless specifically required by law.
Consolidated Biscuit Co. Ltd will enter in agreements with supplier or business partners to provide the same level of data protection. The supplier or business partner will only process personal data to carry out its contractual obligations towards the Company and not for any other purposes.


Rights of Access

Consolidated Biscuit Co. Ltd will be responsible to provide data subjects access to their personal data, and allow them to inform the company of any required update, correction, or other amendments of their Personal Data, if appropriate.


Data Portability

Data Subjects have the right to receive, upon request in writing, a copy of the data they provided to the company and allow them to transmit this data to another controller. Requests, received in other then written format, will not be processed.


Right to be Forgotten

Upon written request, Data Subjects have the right to request the company to erase their personal data where lawfully possible.

Fair Processing Guidelines

Consolidated Biscuit Co. Ltd has established a data inventory log summarising data processing activities by department.


Notices to Data Subjects

At the time of collection or before collecting personal data for any kind of processing activities including but not limited to production and selling of products, or marketing activities, the respective manager is responsible to properly inform data subjects of the following: the types of personal data collected, the purposes of the processing, processing methods, the data subjects’ rights with respect to their personal data and its retention period.  The manager will also advise data subject whether the data is required to be shared with third parties and the Company’s security measures to protect such data. This information is provided through the Privacy Notice.

Obtaining Consent

Whenever personal data processing is based on the data subject’s consent, or other lawful grounds, the company is responsible for retaining a record of such consent.  The company is responsible for providing data subjects with options to provide the consent and must inform and ensure that their consent (whenever consent is used as the lawful ground for processing) can be withdrawn at any time.
When written requests to correct, amend or destroy personal data records, are received the Company must ensure that these requests are handled within one month from the date the request has been received. The Company must also record the requests and keep a log of these.
Personal data must only be processed for the purpose for which they were originally collected. In the event that the Company wants to process collected personal data for another purpose, Consolidated Biscuit Co. Ltd must seek the consent of its data subjects in clear and concise writing. Any such request should include the original purpose for which data was collected, and also the new, or additional, purpose(s). The request must also include the reason for the change in purpose(s).
Then the company is responsible for creating and maintaining a Single Register of the Privacy Notices.

Organisation and Responsibilities

The responsibility for ensuring appropriate personal data processing lies with everyone who works for or with the Company and has access to personal data processed by the Company.
The key areas of responsibilities for processing personal data lie with the following organisational roles:
The Management makes decisions about, and approves the Company’s general strategies on personal data protection.
The head of the department where personal data is kept is responsible for abiding to the personal data protection policies.
The Company will keep up to date with personal data laws and changes in regulations, develops compliance requirements, and assists business departments in achieving their Personal data goals.
Management is responsible for:
– Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
– Performing regular checks and scans to ensure security hardware and software is functioning properly.
– Improving all employees’ awareness of user personal data protection.
– Organizing Personal data protection expertise and awareness training for employees working with personal data.
– End-to-end employee personal data protection. It must ensure that employees’ personal data is processed based on the employer’s legitimate business purposes and necessity.
– Approving any data protection statements attached to communications such as emails and letters.
– Addressing any data protection queries from journalists or media outlets like newspapers.
– Ensure marketing initiatives abide by data protection principles.
Management is responsible for passing on personal data protection responsibilities to suppliers where applicable, and improving suppliers’ awareness levels of personal data protection as well as flow down personal data requirements to any third party a supplier they are using. Consolidated Biscuit Co. Ltd reserves the right to audit suppliers.


Audit and Accountability

Consolidated Biscuit Co. Ltd must ensure that the policy is being implemented.
Any employee who violates this Policy will be subject to disciplinary action and the employee may also be subject to civil or criminal liabilities if his or her conduct violates laws or regulations.


Conflicts of Law

This Policy is intended to comply with the laws and regulations in the place of establishment and of the countries in which Consolidated Biscuit Co. Ltd operates. In the event of any conflict between this Policy and applicable laws and regulations, the latter shall prevail.
Managing records kept on the basis of this document
A Data Retention Policy has been designed and implemented to ensure that established retention periods are in conformity with the law.
Breach procedure
As soon as Management becomes aware of a possible breach of Data protection, it undertakes to inform the IDPC office and the data subjects at the earliest possible.   In such event the Company will take all the necessary measures to minimise affect.   Once the breach causes are identified Management will also take remedial and preventive action to avoid recurrences. Management will keep a log of such breaches and incidents will be tackled through the non-conformity procedure SOP 8.5 Improvements.


Privacy Notice – 3rd Parties

Our Personal Data Protection Policy governs the use and storage of your data. You can see our Personal Data Protection Policy by accessing our website on
Consolidated Biscuit Co. Ltd (Company Registration C 5600) is the Controller of the personal data you (data subject) provide us.
Your data is processed in accordance with good practice and is not kept longer than necessary. The data is adequate and relevant to the legitimate and legal obligations of the company. No personal data is processed more than necessary having regard to the purpose of the processing.
As a Consolidated Biscuit Co. Ltd customer or supplier we shall safely retain your details on file for invoice, purchase order, accounting, legislative and food safety requirements.
At any time you may request to see the personal data we hold on you. If any of the data is incorrect or incomplete you may request correction.