Privacy Policy

Home / Privacy Policy

Last updated Oct 3, 2025

Last Modified: October 2018
This Privacy Policy is effective from 25 May 2018.

Privacy Policy Notice

This policy (“Privacy Policy”) applies to any person who interacts with the Regulator for Energy and Water Services’ (REWS). In this context this shall include individuals who apply for any service, licence permit or other authorisation issued by REWS, regulated parties, customers, viewers, readers, and internet users who are exposed to the media and content of the REWS or who interact with the REWS by providing Personal Data in any other manner.

The REWS is concerned with protecting the privacy of any personal information that you provide to us (“Personal Information”), as part of the REWS’ regulatory and non-regulatory functions, operations and activities that are carried out by us (‘activities’). The REWS will seek to ensure that the use of your Personal Information is compliant with the General Data Protection Regulation, (“GDPR”), (Regulation (EU) 2016/679). Accordingly, the REWS is issuing this policy to inform you of our use of your Personal Information.

1.Introduction

1.1 This Privacy Policy sets out the way in which the REWS, a body established by virtue of ACT No. XXV of 2015, (with offices at ‘Zentrum Business Centre’ Level 1, Mdina Road, Qormi, Malta) collects and processes Personal Information, as well as the steps we take to protect such information. Reference to this Policy is made in the various forms and documentation issued by the REWS with regard to its operations and activities and non-regulatory operations assigned to it.

1.2 Definitions: Any term used herein shall be interpreted in accordance with the GDPR. In case of any conflict between any term as described here and the GDPR, the interpretation used in the GDPR shall prevail.
In this Policy, “Supervisory Authority” means the Information and Data Protection Commissioner (IDPC).

1.3 Principles: This policy is based on the data protection principles listed in Article 5 of the GDPR

1.4 Scope: This policy applies to information that we collect when you:

engage with us as part of the regulatory and non-regulatory functions that we carry out;
make enquiries about any of our activities;
correspondence with us through email or any other form;
contact us, seek information and/ or submit any complaint;
submit any application in connection with any vacancy notice that we may issue;
visit our website, or make use of any online service we offer.

2.Information Collected:

2.1 As part of the activities that we carry out, we collect your Personal Information. “Personal Information” means any information from which you can be personally identified, including your name, surname, email address, home address, telephone number, mobile number and date of birth.

2.2 In the course of our activities, we may also collect payment details, including details of payment cards (if applicable).

2.3 In the course of our activities we may collect information regarding your criminal conduct (if any), when this is specified in the authorisation application form. This is done in compliance with our obligations under the Authorisations (Suspension, Refusal and Revocation) Regulations (S.L. 545.19).

3. How we will use your Personal Information

3.1 We will process your Personal Information in accordance with the GDPR. We will process your Personal Information to enable us to:

Fulfil our regulatory functions as established by the Regulator for Energy and Water Services Act and/or any subsidiary legislation;
Fulfil any other task and/or obligation which does not necessarily emanate from primary or secondary legislation;
Set-up, administer and manage your records;
Receive and respond to your communications and requests;
Notify you about updates to any of our activities;
Ensure that we are able to fulfil our regulatory obligations including (but not limited to) the development of regulatory rules to protect the interests of consumers, monitoring and investigating the activities of regulated persons and other persons engaged in commercial and non-commercial activities relating to the energy and water services, and enforcing non-compliance with regulatory rules and legislation;
Comply with our obligations under Applicable Laws and regulations;
Investigate and assist with the investigation of, suspected unlawful, fraudulent or other improper operations and activities and non-regulatory operations (including, where appropriate, dealing with requests from authorised entities/Authorities for the sharing of information);
Prepare statistics relating to regulated operations and activities and other non-regulatory operations;
Monitor the use of our website and online services in accordance with our legitimate interests;
Support any other purpose necessary for performance of our legal and contractual obligations.

3.2 To ensure that we may provide a good quality of service we may monitor any communication with us whether in writing or by electronic mail or by phone. Any communications remain the property of the REWS and will be used only for the purposes listed above.

3.3 In the event that the purposes for processing Personal Data changes, we undertake to obtain your consent before processing your data, unless such processing is required by law.

3.4 In the course of our activities, we may also seek information regarding an applicant or a licence holder, with regard to: past criminal conduct or to any pending charges or relating to enforcement action by any official authority, or in relation to any refusal, suspension, revocation or cancellation of a licence or permit and, or other form of registration (when this is specified in the authorisation application form). This information will be used strictly, and for the purposes only, of assessing the suitability of the applicant or of the licence holder, to carry out an operation or activity regulated under the Regulator’s Act or legislation issued there under. Such personal information which may be collected during such an exercise shall be processed in accordance with the GDPR.

3.5 The REWS may cross check information submitted by yourself in your interactions with the Regulator, with other government entities, and relative only to the business in question, and when this is specified in the document through which the information is submitted. The REWS, in view of its power to require the submittal of information under article 5 (4) of the REWS Act, may require such government entities to provide any required information for such purposes.

4.Disclosing your Personal Data

4.1 Except as described in this Policy, we will not disclose to third parties any Personal Data that we collect or store unless this is done in the performance of a function or task carried out in the exercise of official authority vested in the REWS and, or in compliance with any relevant legislation.

4.2 We may also disclose your Personal Data to:

any employee and/or contractor who assists us in carrying out our regulatory and/or non-regulatory functions, operations and activities or who otherwise has a need to know such information so that we attain these ends;
any other third party who may assist us in carrying out our regulatory and/or non-regulatory functions, operations and activities, including (but not limited to) payment processors;
any third party who may assist us in verifying the accuracy of your Personal Data;
any third party who may assist us in detection and prevention of fraud and collusion;
any contractor or other adviser who may audit any of our business processes or who has the need to access such information for the purpose of advising us;
any law enforcement body and/or statutory auditing body which may have a reasonable requirement to access your Personal Data in accordance with the law;
any regulatory body or authorised entity which may have a reasonable requirement to access your Personal Data in accordance with the law;

5. Data Subject Rights

5.1 We respect your privacy rights and provide you with reasonable access to the Personal Data that you may have provided to us through our activities. Your principal rights under the GDPR are:

the right for information;
the right to access;
the right to rectification;
the rights to erasure, to restrict processing and to object to processing and this subject that there is no overriding reason in the public interest or a legal obligation constraining any of such rights;
the right to data portability;
the right to complain to a Supervisory Authority; and
the right to withdraw consent, where such consent has been requested and granted.

5.2 If you wish to access or amend any Personal Data we hold about you, or to request that we delete any information about you (where applicable and lawful under the GDPR), you may submit such request in writing to:
The Data Protection Officer
Regulator for Energy and Water Services
Zentrum Business Centre
Level 1
Mdina Road
Hal Qormi QRM9010
Malta
Email: dpo@rews.org.mt

5.3 We will acknowledge your request and we shall handle it promptly. The REWS shall respond to these requests within twenty-eight (28) days, with a possibility that, in accordance with the GDPR, it may extend this period for particularly complex requests.

5.4 When we refuse a request, we will tell you the reasons for such refusal. You have the right to complain to the Supervisory Authority and to have recourse to a judicial remedy.

5.5 We will retain your information for as long as required in relation to our functions, operations and activities, and /or to comply with our legal obligations, to resolve disputes and to enforce our agreements.

5.6 At any time, you may object to the processing of Personal Data, and such objection will be considered within the provisions of the GDPR and relevant legislation.

5.7 We will not charge you for complying with a request for a copy of your Personal Data. The REWS may charge a reasonable administrative-cost fee if further copies are requested.

6. Contacting us

6.1 If at any time you believe that we have not adhered to this Privacy Policy, please contact us and we will seek to promptly determine and correct the problem.

6.2 Our contact details are:
The Data Protection Officer
Regulator for Energy and Water Services
Zentrum Business Centre
Level 1
Mdina Road
Hal Qormi QRM9010
Malta
Email: dpo@rews.org.mt

7.Use of Cookies

7.1 We may collect anonymous information about your use of the REWS Website using “cookies” and similar functionality. A “cookie” is a small file of text which is downloaded onto your computer when you access the Website and it allows us to recognise when you come back to the Website. We use cookies for the operation of the Website, including (for example) to allow you to remain logged in as you move between different parts of the Website. We also use cookies for our own analytical purposes so that we can identify where customers have encountered technical problems on the Website, and therefore help us improve our customers’ experience.

7.2 If you object to our use of cookies or you wish to delete any cookies that are already stored on your computer, you should follow the instructions for deleting existing cookies and disabling future cookies on your web browser or equivalent software. Further information is available at www.aboutcookies.org. Please note that by deleting or disabling cookies you may not be able to access certain areas or features of the Website.

7.3 Google Analytics is a web analytics service which we use to collect information about how viewers and internet users use our site. Cookies are used as part of the service to store information on the user’s device. This is done to make sure that this site is meeting users’ needs and to enable us to understand how it may be improved.

7.4 Google Analytics stores information about pages you visit, how long you are on the site, how you got there and what you click on. We do not collect or store your personal information (e.g. your name or address) so this information cannot be used to identify who you are. We do not authorise Google to use or share our analytical data. The following cookies are set by Google Analytics:

Name	Purpose	Expires
_utma	This randomly generated number is used to determine unique visitors to our site	2 years
_utmb	This randomly generated number works with _utmc to calculate the average length of time users spend on our site	30 minutes
_utmc	This randomly generated number works with _utmb to calculate when you close the average length of time users spend on our site your browser	when you close your browser
_utmz	This is a randomly generated number and information about how the site was reached (e.g. direct or via a link, organic search or paid search)	6 months
GDS_successEvents	These cookies help identify how people use rews.org.mt so we can make the site better	4 months
GDS_analyticsTokens	These cookies help identify how people use rews.org.mt so we can make the site better	4 months

7.5 You can opt out of Google Analytics cookies by visiting this page on Google.

7.6 Where on-line services are provided as part of the Website’s operation, and for our own statistical analysis of site traffic, our Website automatically logs internet IP addresses. We do not log any e-mail address of visitors to our Website.

7.7 While the Website may contain links to websites operated by third parties, we are not responsible for the privacy practices or content of such websites.

8.Security

8.1 We take appropriate security measures to protect against loss, misuse and unauthorized access, alteration, disclosure, or destruction of your Personal Data. The REWS has taken steps to ensure the ongoing confidentiality, integrity, availability, and resilience of systems and mechanisms processing personal information,
and will restore the availability and access to information in a timely manner in the event of a physical or technical incident.

8.2 No method of transmission over the Internet, or method of electronic storage, is 100% secure. We cannot ensure or warrant the security of any information you transmit to us or stored by us, and you do so at your own risk. While we take reasonable steps to implement safety and security measures to protect your Personal Data, we recognise that we cannot guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or organisational safeguards. If you believe your Personal Data has been compromised, please contact our Data Protection Officer.

8.3 If we learn of a security breach, we will inform you of the occurrence of such breach in accordance with the GDPR and relevant legislation.

8.4 If we learn of a security breach, we will also inform the Supervisory Authority of the occurrence of such breach in accordance with the GDPR and relevant legislation.

9.Privacy Settings of Our Website

9.1 We cannot and do not guarantee that information you post on or transmit to the our website will not be viewed by unauthorized persons. We have taken the necessary steps to protect as much as possible your Personal Data in transit by utilising HTTPS on our Website and TLS 1.2 (a strong protocol), ECDHE_RSA with P-256 (a strong key exchange), and AES_128_GCM (a strong cipher).

10. Data Retention

10.1 Personal Data that we process for any purpose shall not be retained longer than is necessary or as otherwise required by any law or legal obligation or in terms of any overriding public interest.

10.2 We may retain your Personal Data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

11. International Transfers

11.1 The information you provide to us may be transferred to and stored in third countries as we may use data hosting services which may be based outside of the European Union and the EEA, or use servers based outside of the European Union and the EEA. It may also be processed by staff operating outside the European Union and the EEA who work for one of our suppliers. The transfer of your Personal Data may happen if any of our servers are located in a country outside of the European Union and the EEA or one of our service providers is located in a country outside of the European Union and the EEA. If we transfer or store your Personal Data outside the European Union and the EEA in this way, we will take steps with the aim of ensuring that your privacy rights continue to be protected, as outlined in this privacy policy and in accordance with the GDPR and other applicable laws.

12. Data Controller

12.1 The Regulator for Energy and Water Services is the “data controller” for the purposes of this policy. You may contact the REWS via the following contact details:
Regulator for Energy and Water Services
Zentrum Business Centre
Level 1
Mdina Road
Hal Qormi QRM9010
Malta
Tel: +356 2122 0619
Email: enquiry@rews.org.mt

13. Data Protection Officer

13.1 The Regulator for Energy and Water Services has appointed a Data Protection Officer (“DPO”) who is responsible for matters relating to privacy and data protection. The DPO can be reached at:
The Data Protection Officer
Regulator for Energy and Water Services
Zentrum Business Centre
Level 1
Mdina Road
Hal Qormi QRM9010
Malta Tel: +356 2295 5114
Email: dpo@rews.org.mt

14. Changes to this Privacy Policy

14.1 This Privacy Policy may change from time to time. If we change this Privacy Policy in ways that affect how we use your Personal Information, we will advise you through our website of the choices you may have as a result of such changes. We will also post a notice that this Privacy Policy has changed.

Last Modified: October 2018This Privacy Policy is effective from 25 May 2018.