Internal GDPR Procedure Manual

Mirovia (Malta) Ltd.
Effective Date: January 2025
Version: 1.0

1. Purpose of This Manual

This Internal GDPR Procedure Manual establishes the rules and internal processes that Mirovia (Malta) Ltd. must follow to ensure compliance with:

  • GDPR (EU Regulation 2016/679)

  • Maltese Data Protection Act (Chapter 586)

It describes responsibilities, workflows, documentation, data protection measures, and response procedures in relation to:

  • Franchise applications

  • Website contact inquiries

  • Business communication

  • Website analytics and cookies

  • Security monitoring

  • Third-party processors

This manual applies to all staff, directors, consultants, and service providers of Mirovia (Malta) Ltd.


2. Data Controller Details

Mirovia (Malta) Ltd.
30A Wilga Street, St. Julian’s, STJ 3113, Malta
Email: office@mirovia.ltd
Legal Representative: Stephan Holzapfel


3. Scope of Personal Data Processing

Mirovia (Malta) Ltd. processes personal data in the following contexts:

3.1 Franchise Applications

  • Personal contact details

  • Financial suitability information (self-declared)

  • Business plans and preferences

  • Communication with applicants

3.2 Website Interactions

  • Contact form submissions

  • Franchise inquiry submissions

  • Analytics (via cookies, if consented)

  • Security logs (Wordfence)

3.3 Business Communications

  • Email correspondence

  • Meeting notes

  • Application evaluations

  • Contract preparation

3.4 IT & Security

  • Hosting (Hostinger)

  • Email delivery (SMTP)

  • Firewall/security logs (Wordfence)


4. Data Protection Principles (GDPR Article 5)

All processing by Mirovia (Malta) Ltd. follows these mandatory principles:

✔ Lawfulness, fairness, transparency

✔ Purpose limitation

✔ Data minimisation

✔ Accuracy

✔ Storage limitation

✔ Integrity & confidentiality

✔ Accountability

These principles guide all internal procedures.


5. Roles and Responsibilities

5.1 Director (Stephan Holzapfel)

  • Ensures GDPR compliance

  • Maintains oversight of data processing

  • Approves new processors

  • Reviews GDPR documentation annually

5.2 Franchise Application Manager / Staff

  • Handles incoming franchise inquiries

  • Ensures correct storage and deletion timelines

  • Responds to access/rectification/deletion requests

5.3 IT & Security Support

  • Monitors Wordfence security alerts

  • Maintains SSL, hosting security & backups

  • Responds to incidents and escalates breaches

5.4 Third-Party Processors

These include Hostinger, Wordfence, email providers and cloud providers.
Each of them must comply with the DPA and with the GDPR obligations that apply to processors.


6. Data Inventory & Data Flow Overview

6.1 Data Flows Into the Company

  • Website contact form → WordPress + Email

  • Franchise application form → WordPress + Email

  • Email communication → Mailbox (Hostinger)

  • Cookies (analytics/security) → WordPress tools

6.2 Data Stored

  • Website database (limited)

  • Email inbox (most data)

  • Security logs (IP addresses)

6.3 Data Leaves the Company

  • Shared internally with directors

  • Shared with Mirovia Consulting & Franchising LLC (USA) for evaluation

  • Shared with IT vendors (only when needed)


7. Lawful Bases of Processing

7.1 Franchise Applications

  • Article 6(1)(b) – Steps taken at the applicant's request prior to entering into a contract

  • Article 6(1)(f) – Legitimate interest

  • Article 6(1)(a) – Consent (optional fields)

7.2 Contact Forms

  • Legitimate interest (responding to inquiries)

7.3 Analytics & Cookies

  • Consent (via Complianz)

7.4 Security Logs

  • Legitimate interest (website protection)

  • Legal obligation (incident documentation)


8. Records of Processing Activities (ROPA)

(GDPR Article 30 requirement)

Maintained internally as a spreadsheet or Word table. Must include:

  • Purpose of processing

  • Categories of data & subjects

  • Data retention

  • Processors used

  • Transfer details

  • Technical & organisational measures


9. Data Retention Policy

Data Type                  Retention Policy
Franchise applications     24 months
Initial inquiries          12 months
Email correspondence       24 months
Declined applications      12–24 months
Security logs              14–90 days (Wordfence default)
Backups                    per Hostinger policy (up to 30 days)
Legal/financial records    10 years

Annual review is required.


10. Data Subject Rights Procedure

The company must respond to any GDPR request within 30 days.

Requests include:

  • Access to data

  • Correction

  • Erasure

  • Restriction

  • Portability

  • Withdrawal of consent

  • Objection

Procedure:

  1. Verify identity (ID copy if needed).

  2. Locate data (email, website logs, documents).

  3. Respond within 30 days.

  4. Apply deletion/export where appropriate.

  5. Document the request and action taken.


11. Security Measures

Technical Measures

  • SSL encryption

  • Up-to-date WordPress, plugins, themes

  • Wordfence firewall

  • Enforced strong passwords

  • Hostinger server security

  • Daily backups

  • SMTP authentication

  • Limited access to admin accounts

Organisational Measures

  • Only directors and authorised staff may access franchise applications

  • No downloading of sensitive information to personal devices

  • No forwarding of personal data to unauthorised parties

  • Two-factor authentication recommended for email and hosting


12. Incident & Breach Response Procedure

If a breach is suspected:

  1. Identify affected systems

  2. Contain the issue (e.g., disable plugin, change passwords)

  3. Assess the scope and severity

  4. Notify the Director

  5. Inform the IDPC (Malta's Information and Data Protection Commissioner) within 72 hours if required

  6. Inform affected individuals if there is high risk

  7. Document all actions in the Breach Log

Breach Log must include:

  • Date/time

  • Description

  • Data affected

  • Risk assessment

  • Notifications made

  • Preventive steps taken


13. Staff Training & Awareness

All individuals handling personal data must:

  • Understand GDPR principles

  • Follow this manual

  • Maintain confidentiality

  • Avoid using personal email or unapproved devices

  • Immediately report suspicious activity or breaches

Training should occur annually or when major changes happen.


14. Third-Party Processors Management

Before using any service, verify:

✔ Purpose is legitimate
✔ GDPR compliance is documented
✔ Processor has adequate security
✔ A signed DPA exists (or SCCs for non-EU transfers)

Common processors used:

  • Hostinger

  • Wordfence

  • Email delivery (SMTP)

  • CRM or cloud tools (if later added)

New processors require approval from the Director.


15. International Transfers

Some data may be shared with:

Mirovia Consulting & Franchising LLC, Florida, USA

Transfers must use:

  • Standard Contractual Clauses (SCCs)

  • Additional security measures (encryption, limited access)


16. Internal Audit & Manual Review

This GDPR manual must be reviewed:

  • Once per year

  • After major operational changes

  • After an incident

  • Before onboarding new processors

Audit checklist includes:

  • Website compliance

  • Cookie banner functioning

  • Retention periods applied

  • Security configurations

  • User access rights

  • Documentation completeness
