Privacy Policy


We/Us/Our/CSB means CSB Legal

You/Your/Yourself means the User of the Website

You might be reading this Policy either because You are a visitor to Our Website or because You have been directed to the said Policy through Our Engagement Letter.

Data Policy

The said Privacy Policy sets out how we deal with Your personal data. CSB Legal respects Your privacy and seeks to protect Your personal data. In this Policy, the data that shall be referred to shall be personal data that relates to an identified or identifiable natural person being the User of the Website or client of any of the legal services we offer. Indeed, this Policy shall provide a detailed description on how and why Your personal data has been processed, on Your rights as data subject and also on which legal basis We base Ourselves to process certain personal data and the purpose of the said processing.

Kindly be informed that we will treat your personal data in strict confidence and in accordance with the requirements of the provisions of the Data Protection Act, 2001 as well as the various subsidiary legislation issued under the same Act. We shall also protect Your data in line with the General Data Protection Regulation (GDPR) on the protection of natural persons with regard to the processing of personal data on the free movement of such data which regulation has become effective from the 25th of May 2018 and which repealed Directive 95/46/EC.

Kindly also note that apart from the strict rules emanating from the DPA & GDPR, We are also bound by professional secrecy which stems from our profession and Code of Ethics.

What kind of personal data is collected?

As already mentioned, personal data relates to any information that identifies You as an individual or else that relates to an identifiable individual. CSB Legal collects personal data through various ways, such as the following:

– From the Website itself – when a query is sent through the contact form;

– From Yourself either through digital mediums such as email correspondence or else through non-digital mediums such as when documents are provided;

– From other sources such as social media platforms, publicly accessible data and any other third parties.

 When We collect personal data from third parties, We shall inform You about the source of such personal data as well as the categories of personal data We collect and process. The latter information shall not be provided to You if We are specifically prohibited from disclosing such activity from the law itself.

It is very important to understand what data is specifically collected and more importantly which categories of personal data. CSB Legal requires to receive Your contact details such as Your name, surname, email address, telephone/mobile number and mailing address.

We would also collect due diligence documents on Yourself such as name, surname, proof of residential address, nationality, financial information, source of wealth, source of funds, and passport or any other identification document and any other due diligence document that We might require in order to satisfy our anti-money laundering and counter-funding of terrorism obligations, and in order to accede to Your request for Our legal services. We would require further documentation as a means to securely identify Yourself or else for any other lawful purpose that would be explained to You before requesting such documentation, should this not be provided in the said policy.

As lawyers, We would also request to collect data in relation to the brief at hand such as contact details, financial information, due diligence documentation and any other personal data relating to the specific case.

We would also collect personal data automatically through the Website itself. This is better explained within our Cookies Policy which is found further hereunder.

When You provide Us with personal data in relation to another person rather than Yourself, We would be of the understanding that You have the necessary authority from the said person to provide Us with his/her personal data.

We shall use Our best efforts to keep the data on Yourself as accurate and up to date as possible.

Why do we collect the Personal Data?

It is very important to understand that We do not request any personal data with respect to Your person other than that which We need in order to satisfy legal requirements and assist You in Our legal capacity as lawyers or that data which You choose to provide Us Yourself when You request Our services.

Apart from the data collected to be able to provide You with the legal service requested, We would also collect data that is legally required from Us to collect and to keep for a certain period of time as well as any data that We think is in Our legitimate interests to ask for.

What is the purpose and the legal basis of the processing of the data?

Contact Details in relation to Yourself are collected to open a record on Yourself in Our system and the data is processed on the basis of Our legitimate interest (our interest is that to have accurate data on Yourself) as well as a contractual necessity. Contact Details as well as communication data are also processed in order to manage our business relationship with You. Contact Details and due diligence data are also processed for the specific requirements that emanate from the anti-money laundering laws. Thus, in the latter case, data is being collected and processed in order for Us to be compliant with a legal obligation.

IP addresses are collected in order to monitor the usage and traffic on Our Website, and this would be based on a legitimate interest of Ours to do so.

Data in relation to Your case, shall be processed on a contractual necessity between the two parties as well as a legitimate interest and an obligation of Ours to comply with a legal obligation. The said data would be processed in order to accede to Your request to receive and use any of Our legal services.

Kindly note that if data shall be processed for a new purpose other than the here above mentioned, We shall immediately inform You.

It is also important to highlight that if certain data is not provided to Us, then We are unable to provide You with the legal service You require.

What happens when processing is based on consent?

When CSB Legal would need to process certain personal data and is unable to find any legal ground for the said processing, We shall request Your consent before We proceed with the processing of the data. We shall never assume that We have Your consent. In this respect, We shall obtain Your consent in a clear and manifest manner and We shall request Your specific consent in an unambiguous manner. You shall have the right to withdraw Your consent any time You want and the withdrawal shall occur in the same manner the consent has been given.

When You decide to withdraw Your consent, We can at that point in time, still continue to process Your data if We determine another legal ground to process the data apart from Your consent. Should We identify another legal basis, You shall be informed without undue delay of the said ground as well as of the fact that Your data shall not be processed any more solely on Your consent.

Electronic Communications

Kindly be aware that CSB Legal may intercept some mail and e-mails addressed to individuals within the law firm. Security of CSB Legal and of its personnel is the reason this might occur. Indeed, We might intercept mail in order to detect and prevent any crime, to identify the correct recipients or to make sure mail is dealt with whilst staff is away from the office, or after a resignation of a staff member. In the case of e-mails, We may reject, delay or remove content from e-mails which have a nature, content or attachments which may disrupt Our systems or because they may pose security issues such as viruses. We may also filter out e-mails which contain certain content on the basis that content is offensive or the e-mail is unwanted or considered spam. In certain circumstances this may unfortunately result in “innocent” e-mails being affected but we do try and reduce such occurrences.

Most e-mail messages sent from CSB Legal have been automatically scanned for viruses and as such should be free from any virus, malicious code, script or other executable attachment. However, the accuracy of scanning products is not guaranteed. The recipient(s) should therefore carry out any checks that they deem to be appropriate in this respect. We cannot be held responsible for loss of or damage to data or other damages, resulting from such actions out of Our control, howsoever incurred. All e-mail messages from Us are sent in good faith. We cannot be held responsible for any modification that happens by any virus, or other third party after they have been sent. All messages are intended for the recipient only. If You are not the intended recipient specifically identified as the addressee on the email then You should delete the message and all its attachments and You are prohibited from using, reading, disclosing to any person or otherwise acting on the information contained in it and/or its contents in any way and should also notify Us as soon as possible of this fact.

Also, it is important to understand that data that is sent through electronic means such as the Internet, could be transmitted across international borders even where the sender and the receiver are located in the same country. CSB Legal shall not accept any responsibility or liability for the security of Your data whilst in transit through the internet. The transfer of data from You to Us can take place through other mediums, such as Dropbox or Skype, which run on the internet.

Transfer of Personal Data

We do not pass on Your details collected from You as a visitor to any third party unless you give us your consent to do so, or in the instances indicated below.

Without prejudice to anything contained in this Privacy Policy, we reserve the right to disclose personal data relating to You to any third party, inside and outside the EU/EEA if such disclosures are allowed by the DPA or the GDPR or else if it is necessary inter alia for the following purposes:

  •  for the purpose of preventing, detecting or suppressing fraud;
  •  to protect and defend Our rights and property or that of users of Our Website;
  •  to protect against abuse, misuse or unauthorised use of Our Website;
  •  to protect the personal safety or property of users of Our Website (e.g. if You provide false or deceptive information about Yourself or attempt to pose as someone else, we shall disclose any information we may have about You in our possession so as to assist any type of investigation into Your actions);
  •  for any purpose that may be necessary for the performance of any agreement You may have entered into with us; or as may be allowed or required by or under any law;
  •  for any purpose that may be necessary for the management, maintenance, upkeep of Our Website and the management, maintenance, upkeep of marketing initiatives such as the management of email marketing as well as communications via email;
  •  to comply with any legal obligation;
  •  as approved or authorised by any other law; and
  •  if CSB Legal is involved in the future in a merger, acquisition, sale, restructuring etc.

 Also, as a default rule, We shall only process data within the EU/EEA or any other non-EEA country which is considered by the European Commission to provide adequate level of protection. If for any reason whatsoever, data is transferred to countries which are not listed by the European Commission to have adequate level of protection, We would put in place additional adequate measures apart from all the appropriate safeguards that We would implement.

Sharing of Personal Data

Personal data shall be shared with adequate and authorised personnel of CSB Legal and with any of Our service providers who would facilitate the usage of the Website. Personal data would only be shared in order for Us to provide You with the requested legal service or else because We have a lawful reason to share the data which does not necessarily require Your consent.

All the said disclosures shall occur in accordance with the DPA and the GDPR and as provided by the Regulation, Our relationship with Our processors shall be a contractual one whereby both parties agree to abide by the obligations found in the GDPR such as the obligation of confidentiality on all the personnel of the processor.

Currently, We share Your data with Our IT service providers which maintain and support Our IT system and Website. Nevertheless, it is important to understand that such sharing of data shall be restricted and under Our control. We would also share data with public authorities if there is a legal obligation to do so.

Security of Personal Data

We use reasonable efforts to safeguard the confidentiality of all personal data that we process relating to You and regularly review and enhance our technical, physical and managerial procedures so as to ensure that Your personal data is protected from

  •  unauthorised access;
  •  improper use or disclosure;
  •  unauthorised modification; and
  •  unlawful destruction or accidental loss.

In this respect, kindly be informed that We have implemented security policies, rules as well as technical measures to protect the personal data that We have under Our control. All Our employees and data processors, who have access to and are associated with the processing of personal data, are further obliged to respect the confidentiality of Our visitors’ personal data. Nevertheless, kindly be aware that by its very nature, the Internet is not a secure medium and data sent via this medium can potentially be subject to unauthorised acts by third parties. Indeed, We cannot guarantee the privacy or confidentiality of any information passing over Our Website. As explained earlier on, We shall accept no responsibility or liability whatsoever for the security of Your data while in transit through the Internet.

Authorised third parties or else Our service providers, are required by the GDPR itself to apply appropriate technical and organisational security measures in order to protect the data they shall have access to from Us.

Retention Period

We shall take into consideration the purpose for which the data shall be obtained in order to understand for how long we can retain Your personal data. Data shall only be retained for as long as it is necessary. In order to come to define the latter, We shall look at the data We have collected on Yourself as well as the relationship We have with You.

Firstly, to determine the actual retention period, as lawyers, we shall look to see whether there is any EU or Maltese law that puts an obligation on Us to retain certain data for a certain period of time. In this case, We would keep the data for as long as that specific law says as there is a legal obligation on Us to do so.

Once the above has been determined, We shall determine if there is any EU or Maltese law that could be invoked by You against Us after Our professional relationship with You ends. In this case, We would look at the prescriptive period during which You could bring an action against Us and We shall keep that data for all the time We deem it is necessary so that We could defend Ourselves against any claims or actions by You or any other third party.

Taking into consideration that We are regulated legal professionals, We shall be released from any obligation whatsoever to be accountable for any legal papers relating to lawsuits or advice given on the expiration of one year from the day when such lawsuit was decided or when such advice was given. The same reasoning shall be upheld in relation to any papers given to Us for the commencing of a lawsuit, in which case the term shall be that of two years from the said delivery if the lawsuit was never commenced. Nevertheless, it is important to understand that We as lawyers, may be called upon to declare on oath whether We are in possession of such legal papers or whether We are aware where they are to be found. We could decide to keep the said papers if We have a legal obligation or ground to do so.

When Your data is no longer needed, We shall proceed to delete it or else We shall anonymise it in order to not be able to link the data with an identifiable person.


Our Website also uses a technology called “cookies.” A “cookie” is a piece of software, which may be sent to Your computer and which can be stored on Your system. Cookies enable us to collect information about how our Website and services are being used and to manage them more efficiently. These cookies are created for each session when You visit our website. Until You have registered on Our Website, the cookie will only track general usage patterns and technical information about Your computer type and will not be used to identify You individually.

The information so gathered through cookies may include:  

  •  the date and time when You access our Website;
  •  the Website pages that You view and any download that You may make through such pages;
  •  whether or not such viewing or download is successful;
  •  the Internet address of the Website or the domain name of the computer from which You access our Website;
  •  the operating system of the machine running Your Web browser; and the type and version of Your Web browser.

Kindly note that You may reject all or certain cookies that are used by our Website and You may also modify Your Web browser preferences to do so. Nevertheless, kindly note that if You reject all cookies, then You might be unable to use some of the services available on our Website. Moreover, kindly note that You may set Your browser in a certain way in order to be notified when You receive a cookie so that You have the option to choose whether to accept the cookie or not. In this regard, You should note that if You do so, this may materially distort the quality of service and data You receive. Thus, You would be doing this at Your own risk.

If the product You are using has digital certificates/certificate signatures then Your name and related details may be displayed as part of any certificate issued to You. It will be seen by those to whom Your certificate or signature is presented or who rely on it. Your details may also need to be entered into a related status directory of certificates issued.

Data Subjects Rights

As a data subject, the individual on which We collect and process data, has certain rights that he/she can ask for. These rights are the following:

-Right of Access;

You have every right to request at any time whether We are processing any data in relation to Yourself and You can request Us to provide You with what data We have on You, why We process it, with whom We disclose that information, the retention period of that data, where We got the data, what are Your rights, how can You file a complaint, if We transfer Your data abroad and if We carry out automated decision-making. We shall accede to Your request within a month's time which can be extended to two months if it is impossible for Us to accede to Your request in one month.

-Right of Restriction;

You can ask Us to restrict the processing of Your data when the processing is unlawful, when We no longer need Your data for the purposes for which it is collected and when the accuracy of the data is questioned. Once We are in receipt of Your request to restrict Our processing of Your data, We can only process the data if We have Your consent, for the exercise or defence of legal claims, for the protection of the rights of another individual or for any reason in relation to public interest.

-Right of rectification;

You have the right to request Us to rectify any data that We may have on Yourself.

-Right of Erasure;

You also have the right to request Us to delete Your data. We shall only accede to this request, if the data is no longer necessary for the purposes for which it has been collected, consent has been withdrawn as well as when the processing of data was unlawful. We shall not accede to Your request if We have a legal obligation to retain the data or else for the exercise of any legal claims.

-Right to Data Portability;

You can ask Us to provide You in a commonly used machine-readable format a copy of Your data in order to have that data transferred to another data controller. This shall only apply when the processing of data is based on consent or on the performance of a contract or else it is carried out by automated means.

-Right to Object; and

You shall have the right to object to processing of Your personal data when We are performing a task in the public interest or pursuing our legitimate interests or those of a third party. When We receive an objection from You, the processing of data shall cease unless We can provide You with legal grounds that can let Us continue to process Your data even if You filed an objection to it. When We process data either on the performance of a contract, on the basis of a legal obligation or on the basis to protect Your interests, then this right cannot be used by Yourself.

-Right to file a complaint

You can file a complaint with the Supervisory Authority which in Malta is the IDPC – Information Data Protection Commissioner. We suggest to first try and contact Us before the complaint is filed.

You have the right to request to Us any of the above rights to which We shall reply within one month. However, before We proceed to look at Your request, We would need to verify Your identity. We can refuse any of Your requests if We have a legal obligation that allows us to do so, such as when You request to delete Your data and We are obliged by a legal obligation to keep that data as explained in more detail here above in the retention period section.


This Privacy Policy has been updated and completed according to the date provided at the end of the said document. We can decide to modify, remove certain sections or add to them and this shall occur at Our discretion. If You are a User of Our Website, it is Your responsibility to read Our Policy every time You use Our Website. If You are a client with whom We have a business or professional relationship, We shall advise You if any amendments occur to Our Policy.

Version 1.1

Date 29.05.2018