GDPR Compliance

Quirky Gifts Malta GDPR Compliance Statement
Effective Date: October 6, 2025

This General Data Protection Regulation (GDPR) Compliance Statement outlines how Quirky Gifts Malta (“we”, “us”, “our”) processes, protects, and ensures the free movement of personal data for individuals within the European Economic Area (EEA), in compliance with Regulation (EU) 2016/679.

1. Our Commitment to GDPR Principles
Quirky Gifts Malta is committed to processing personal data in accordance with the seven core principles of GDPR:

Lawfulness, Fairness, and Transparency: Data is processed legally, transparently, and fairly.

Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes only (e.g., fulfilling orders, marketing with consent).

Data Minimization: Only data strictly necessary for the stated purpose is collected.

Accuracy: Data is kept accurate and up-to-date.

Storage Limitation: Data is kept for no longer than necessary.

Integrity and Confidentiality (Security): Data is processed securely, protecting against unauthorized or unlawful processing.

Accountability: We maintain documentation to demonstrate GDPR compliance.

2. Legal Basis for Processing Personal Data
We process personal data only when we have a legal basis to do so. The primary bases for data processing at Quirky Gifts Malta are:

| Legal Basis | Processing Activity Examples |
| --- | --- |
| Contractual Necessity | Processing Name, Shipping Address, and Financial Data to fulfill and manage your product purchases, orders, payments, and delivery. |
| Legitimate Interest | Using your information to prevent fraudulent transactions, improve the efficiency of our Service, monitor usage, and analyze trends. |
| Consent | Processing data for optional activities like sending marketing communications (newsletters, targeted advertising) after you have explicitly opted in. |
| Legal Obligation | Retaining certain transactional data for financial auditing and legal compliance purposes. |

3. Data Subject Rights (Your Rights)
Under GDPR, every data subject has the right to:

A. Right of Access (Art. 15)
You have the right to request copies of your personal data held by us. We will provide this information in an easily readable format.

B. Right to Rectification (Art. 16)
You have the right to request that we correct any information you believe is inaccurate, or complete any information you believe is incomplete. You may also review and change your data by logging into your account settings.

C. Right to Erasure / “Right to be Forgotten” (Art. 17)
You have the right to request that we erase your personal data under certain conditions (e.g., the data is no longer necessary for the purpose for which it was collected).

D. Right to Restrict Processing (Art. 18)
You have the right to request that we restrict the processing of your personal data under certain conditions, such as challenging the accuracy of the data.

E. Right to Object to Processing (Art. 21)
You have the right to object to our processing of your personal data for direct marketing purposes or where processing is based on our legitimate interests.

F. Right to Data Portability (Art. 20)
You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.

G. Right to Withdraw Consent (Art. 7)
Where the legal basis for processing is consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing carried out before the withdrawal.

4. Data Storage, Security, and Retention
A. Data Security
We implement administrative, technical, and physical security measures to help protect your personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. This includes, but is not limited to, encryption, secure server hosts, and regular security monitoring.

B. International Data Transfers
When we transfer personal data to third-party service providers outside the EEA (such as payment processors or marketing services), we ensure appropriate safeguards are in place, typically relying on Standard Contractual Clauses (SCCs) approved by the European Commission or ensuring the third party adheres to other approved data transfer mechanisms.

C. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. Transactional data related to purchases is typically retained for [SPECIFIC RETENTION PERIOD, e.g., seven years] to comply with Maltese tax and accounting laws.

5. Data Protection Officer (DPO) and Supervisory Authority
A. Data Controller
The Data Controller responsible for the processing of personal data under this statement is: Quirky Gifts Malta.

B. Supervisory Authority
Should you have a concern about our data handling practices that we are unable to resolve directly, you have the right to lodge a complaint with a supervisory authority. Given our location, the primary supervisory authority is the Information and Data Protection Commissioner (IDPC) of Malta.

6. Contact Information for Data Subject Requests
For any requests regarding your rights (Access, Erasure, Rectification, etc.) or if you have questions about this GDPR Compliance Statement, please contact us using the following details:

Quirky Gifts Malta
Address: Quirky gifts, 125, Triq in Naxxar, SAN GWANN
Phone: +356 9989 188
Email: info@quirkygiftsmalta.com
