GVZH Advocates Privacy Policy
This privacy notice (‘the Privacy Notice’) sets out the ways in which GVZH Advocates (a civil partnership established in terms of Maltese law registered in Malta, Europe) (hereafter ‘GVZH’ or ‘We’ or ‘Us’) processes your personal data when you visit and use our website, when you approach and engage Us to provide our legal and advisory services and when We provide the requested services to you.
GVZH Advocates is the data controller of your personal data and processes personal data in accordance with Regulation (EU) 2016/679 General Data Protection Regulation (GDPR), the Maltese Data Protection Act (Chapter 586 of the Laws of Malta) and any other relevant data protection and privacy legislation which is applicable (the “Data Protection Laws”). The terms “personal data”, “data subject”, “data controller”, “data processor” and “process” shall have the same meanings given to them according to the Data Protection Laws.
GVZH Advocates fully owns and controls GVZH Trustees Limited (“GVZH Trustees”), GVZH Services Limited (“GVZH Services”) and GVZH Management Limited (“GVZH Management”) which might process your data as independent controllers or jointly with GVZH Advocates, depending on the services provided to you. For example, GVZH Trustees might process your data when offering company and secretarial services, whilst GVZH Services might do so when providing regulatory, compliance or other professional services not involving legal advice or corporate and trust services. If you have any question about this notice or you need any additional information, please contact Us on dataprotection@gvzh.mt.
Contact Details of the Data Controller
- Full name of legal entity: GVZH Advocates
- Postal address: 192, Old Bakery Street, Valletta, VLT 1455
- Email: dataprotection@gvzh.mt
- DPO contact: dpo@gvzh.mt
How is your data collected
Your data might be collected from you directly, when you access and use our website, when you request our services and when you contact us. We can also collect your data indirectly from publicly available sources such as public court documents, the Malta Business Registry (MBR), anti-fraud databases, from the organisation where you work and from other entities such as banks and credit reference agencies.
Data We Process
During our engagement with you, We process your personal data for purposes which are related to the provision of the services and might include different types of data, as specifically indicated in the table below.
We may also need to occasionally process special categories of personal data about you as part of our statutory due diligence and sanction screening requirements. This may comprise personal data revealing your political opinions or affiliations and also personal data relating to criminal convictions and offences or related measures.
If you provide us with personal information of third parties, you warrant and represent that you obtained personal data in accordance with GDPR and that they are made aware of this Notice prior to us receiving their information.
If you attend an event or meeting at our offices, We may hold images of you captured by our CCTV cameras.
Legal Basis
The law requires Us to have a legal basis for collecting and using Your personal data. We rely on one or more of the following legal bases:
- Performance of a contract with you: Where We need to perform the contract We are about to enter into or have entered into with You.
- Legitimate interests: We may use your personal data where we have a legitimate interest to develop and grow Our business, to protect Our network, to prevent fraud and maintain the confidentiality of communications. In addition, We may process your data to operate our business, in case of mergers, acquisitions, reorganisations, bankruptcy and other business transactions, to administer and/or plan our accounting, auditing, compliance, recordkeeping activities, to exercise or defend legal claims and to pursue any legal remedy available. From time to time, We may also transfer your personal data between our internal systems to ensure efficient client management, billing and communications. We make sure We consider and balance any potential impact on you and your rights (both positive and negative) before We process your personal data for our legitimate interests. We do not use your personal data for activities where Our interests are overridden by the impact on you (unless We have your consent or are otherwise required or permitted to by law).
- Legal obligation: We may use your personal data where it is necessary for compliance with a legal obligation that We are subject to. We will identify the relevant legal obligation when We rely on this legal basis.
- Consent: We rely on consent only where We have obtained your active agreement to use your personal data for a specified purpose, for example if You subscribe to an email newsletter.
The personal data We collect/process in your regard may be any of the following:
| ACTIVITY | TYPE OF DATA | PURPOSE | LEGAL BASIS |
| --- | --- | --- | --- |
| Website access and maintenance | IP address, Device information, Pages Viewed, Duration Visits, Site/App Usage, Access Logs, User’s Operating System | To enable users to access and navigate the Platforms, ensuring functionality and network security, to diagnose network and IT issues, to administer the Platforms etc. | Performance of contract / legitimate interest (ensuring the proper functioning, security, and improvement of our website and online platforms) |
| Tracking Data and Cookies (data about your use of the Website) | Cookie identifiers, browsing behaviour, preferences and settings, usage data, analytics data, as applicable to the relevant cookie(s). | – For functionality and security purposes – To analyse the use of the Website – Personalise, improve and optimize content available to you on the Website. | Legitimate interest (to provide necessary functionalities on our website, by allowing strictly necessary cookies) / Consent (We continually strive to improve our Website offerings and our services based on the manner in which the Website is used. With your consent, additional cookies may be used to analyse the website performance, enhance your experience, and serve targeted advertising) |
| Recruitment/ Internship | Name, address, contact details CV, cover letter, qualifications, employment history, Interview notes, communication records, email, phone number, address | -To assess suitability for the role and manage the recruitment process -To evaluate skills, experience, and suitability for the role -To verify candidate identity, qualifications, and suitability for specific roles | Performance of contract |
| Communication with you (data provided to Us when You complete a ‘Get in touch’ form or otherwise communicate with Us in relation to our products and services) | Name and surname, email address, IP address, Phone number and other information You may enter into the form or otherwise provide. It also includes your browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access this website. | – To reply to Your queries – Advise you of industry and legislative updates – Notify you about changes to our terms of business or privacy notices – Deal with your enquiries, requests, complaints or reported issues – Contact you in the course of providing the requested services – Inform you about our events and training – Providing periodic legal and regulatory updates | Performance of a contract/Legitimate interest (managing and nurturing client relationships, growing and improving our business). We might send legal updates as part of our legitimate interest in keeping our clients and network informed about legal and regulatory developments that may affect them and their business. You may opt out of receiving such updates at any time by clicking the ‘unsubscribe’ link included in each communication or by contacting us at marketing@gvzh.mt. |
| New client onboarding Information / AML and “KYC” Processes | When you show interest in becoming a GVZH customer, We may request information in order to carry out our onboarding process, such as name and surname, address, DOB, city, post code, country, email address, telephone number, identity card details, Tax identification number, passport number, source of wealth or similar details, utility bills; professional references; screening database checks, PEP’s related data and any other documentation that may be mandated by applicable anti-money laundering or sanctions laws. This information might be requested in relation to yourself if you engage us in a personal capacity, or in relation to specific persons if you engage us on behalf of an entity (e.g. beneficial owners, directors, other officers). | -On onboarding new client engagements and comply with our internal policies and procedures. -To assess your suitability and integrity to enter into an engagement with you and commence the service provision. – To fulfil our regulatory and legal obligations relating to the prevention of money laundering, fraud prevention, counter-terrorist financing – For security and to assess potential customer’s standing and integrity. | Performance of contract / necessary to comply with a legal obligation/ legitimate interest (for security and fraud prevention) |
| Provision of Service | Your identity details and all necessary details and ongoing information needed to provide you with the requested legal advice and/or services. | To provide the service requested. | Performance of contract / legitimate interest (To carry out our business activities) |
| For billing and invoice purposes and debt recovery | Full name or registered business name, billing address, email address, telephone number, customer account or reference number, product/service description, contract or agreement reference, invoice numbers and amounts, bank account or IBAN, transaction history, payment dates and amounts received, overdue amounts, VAT number or tax identification number. | To send our invoice for the legal advice requested; to manage payments, fees and charges; to collect and recover money owed to Us; and to issue the relevant receipt of payment. | Performance of a contract/Necessary to comply with a legal obligation (accounting and other record-keeping requirements)/ legitimate interests (to recover debts due to us and our record keeping). |
| Security | IP address, device identifiers, login credentials, access logs, timestamps of logins and activities, location data, user account details, security event logs, network traffic data, details of failed authentication attempts, MAC address, browser type and version, operating system details, session identifiers, metadata | -To ensure security of the network and troubleshooting -To detect fraud, unauthorised activities and access -To investigate, prevent or take actions regarding illegal activities and suspected fraud. | Legitimate interest (network security, prevention of fraud and to maintain the confidentiality of communications)/ Necessary to comply with a legal obligation |
We may also process your data when it is necessary to comply with legal and regulatory obligations, for example when We have to investigate, prevent and report breaches of our policies and fraudulent/criminal activities, or when We have to assist and cooperate in any criminal or regulatory investigations.
We also collect, use and share aggregated data such as statistical or demographic data which does not directly (or indirectly) reveal your identity. For example, We may aggregate individuals’ usage data to calculate the percentage of users accessing a specific website feature in order to analyse general trends in how users are interacting with our website to help improve the website and our services.
If you share with us any Personal Data relating to other people, you represent that you have the authority to do so and to permit us to use the information in accordance with this Privacy Notice.
Consent
Whenever We process your personal data based on consent, you may withdraw such consent at any time, by contacting us at dataprotection@gvzh.mt. Please note that withdrawing your consent does not impact the lawfulness of the processing that was carried out based on your consent prior to its withdrawal.
If you fail to provide your Personal Data
If you fail to provide the Personal Data requested, We might not be able to provide you with our services.
Cookies & Other Tracking Mechanisms
A cookie is a small file of letters and numbers that are stored on your browser or the hard drive of your computer and contain information that is transferred to your computer’s hard drive. We use tracking technologies, such as cookies, which are used by site owners or third parties to collect information about you as well as your device for different purposes, in order to enhance your navigation on platforms, improve services’ performance and customise your experience. We might also use this information to collect statistics about the usage of our services.
For further information on what cookies are, which cookies We use and how you can change your preferences, please read our Cookie Policy.
Please note that you can block cookies at any time by activating the setting on your browser that allows you to refuse the setting of all or some cookies. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them visit: www.allaboutcookies.org.
Data processing and AI systems
When processing your data We might interact with Artificial intelligence (AI)-powered services and products to support the provision of our legal services, including document review, contract analysis and regulatory compliance monitoring.
The Company does not use AI systems for automated decision-making. All outputs generated by AI tools are subject to human review and oversight. We do not use your data for AI training purposes.
Your personal data is only processed through AI-assisted tools to the extent necessary for delivering our services and in line with our professional duties of confidentiality and ethical standards.
Security of Data
We implement a variety of security measures to maintain the safety of your personal information when you place an order or enter, submit, or access your personal information. We offer the use of a secure server. The security measures We have implemented to ensure safe transmission and storage of personal data include:
- Use of secure servers;
- Use of firewalls;
- Use of encryption;
- Physical access controls at data centres;
- Information access controls;
- Use of back-up systems.
All supplied sensitive/credit information is transmitted via Secure Socket Layer (SSL) technology and then encrypted into Our payment gateway provider’s database only to be accessible by those authorised with special access rights to such systems and required to keep the information confidential. After a transaction, your private information (credit cards, social security numbers, financials, etc.) is never kept on file.
We also regularly review and, where practicable, improve upon these security measures. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where We are legally required to do so. While We do our utmost to safeguard your personal data, no data transmission over the internet can be totally secure and therefore We cannot guarantee or warrant that no unauthorised access will occur. We cannot, however, ensure or warrant the absolute security of any information you transmit to Us or guarantee that your information may not be accessed, disclosed, altered, or destroyed by a breach of any of our physical, technical, or managerial safeguards.
Retention of Data
We retain your personal data no longer than strictly necessary i) to realise the purpose for which your personal data was originally collected ii) as required by a specific law to which We may be subject and iii) to manage any legal claims in relation to which such data may be required in evidence. To determine the appropriate retention period for personal data, We consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which We process your personal data and whether We can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
We may retain your data for a period of up to 10 years from the termination of our engagement, although some of your data may be retained for a shorter period of time, according to applicable law. We might also retain your data for a longer period of time based on our legitimate interest to comply with our legal obligation and record keeping duties, in case of legal proceeding/audit or inspection from authorities, or where We are subject to an overriding legal or regulatory obligation or reasonable expectation to do so. Should you need to know the complete list of the retention periods We adhere to with respect to the indicated categories of personal data, please contact Us on dataprotection@gvzh.mt.
Who has Access to your Data
GVZH is a Malta-domiciled organisation whose primary offices are in Malta. The Website www.gvzh.mt is hosted in Malta and all data held by GVZH is backed up in the EU.
We may engage trusted third party service providers to perform functions and provide services to Us, such as hosting and maintaining of Our servers and the Website, database storage and management, e-mail management, data storage, marketing, customer service relationship management, online review service provider, email service provider, web developers, affiliates, payment gateway, Search Engine Optimisation agents, product suppliers, delivery and logistics, providers of professional advice (accounting and legal), software providers and automated Know-Your-Customer, fraud and anti-money laundering detection services providers.
We will likely share your personal information, and possibly some non-personal information, with these third parties to enable them to perform these services for Us and for you. We may share portions of our log file data, including IP addresses, for analytics purposes with third parties such as web analytics partners, application developers, and ad networks. If your IP address is shared, it may be used to estimate general location and other technographics such as connection speed, whether you have visited the Website from a shared location, and type of the device used to visit the Website. They may aggregate information about our content and what you see on the Website and then provide auditing, research and reporting for Us and Our advertisers.
We may also disclose personal and non-personal information about you to government or law enforcement officials or private parties as We, in Our sole discretion, believe necessary or appropriate in order to respond to claims, legal process, to protect Our rights and interests or those of a third party, the safety of the public or any person, to prevent or stop any illegal, unethical, or legally actionable activity, or to otherwise comply with applicable court orders, laws, rules and regulations.
We reserve the right to transfer information to a third party in the event of a sale, merger or other transfer of assets of GVZH or any of its corporate affiliates, or that portion of GVZH or any of its corporate affiliates, or in the event that We discontinue Our business or file a petition or have filed against us a petition in bankruptcy, reorganisation or similar proceeding. We may also share information with our current and future affiliated companies and business partners. The majority of the service providers who are able to access the Website or any of the personal information collected from or relating thereto are located within the EEA, and where personal data may be shared, We have data processing agreements in place with these parties.
Transfer of data outside the EU/EEA
If We need to send data outside the EEA, We will ensure that We have appropriate legal and security relationships with these parties and have taken steps to ensure that they are complying with the General Data Protection Regulation, including, as necessary, execution of contracts based on the European Union’s Standard Contractual Clauses for cross-border data transfers.
Automated Decision-Making
Other than ‘profiling’ activities carried out in order to display information, announcements and/or advertisements that will be relevant to you as explained above, We do not engage in any automated decision-making.
Personal Data relating to Children
The Website should only be accessible by individuals over the age of 16. It is a parent or legal guardian’s responsibility to ensure that underage persons do not use Our Website.
Links to third-Party Services
We may display, include or make available third-party content (including data, information, applications and other products or services) or provide links to third-party websites or services. This Privacy Notice applies only to the products and services provided by Us directly. Please remember that when you use a link to go from the Website to another website, this Privacy Notice is no longer in effect. Your browsing and interaction on any other website, including those that have a link on Our platform, is subject to that website’s own rules and policies. Such third parties may use their own cookies or other methods to collect information about You.
Controller or Processor
When acting exclusively as a data processor on Your behalf, GVZH shall:
- Act only upon your strict instructions and not process any personal data that may be transferred to Us by you except as may be necessary for the performance of any service or task provided by GVZH to/for you and, in particular, process the said personal data only on documented instructions from you, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or Maltese law;
- Ensure that persons authorised to process the personal data (including but not limited to GVZH employees) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Implement appropriate technical and organisational measures to protect any personal data that may be processed on your behalf to ensure a level of security appropriate to the risk relating to its processing of the personal data;
- Not engage another data processor without your specific or general written authorisation. In the case of general written authorisation, GVZH shall inform you of any intended changes concerning the addition or replacement of other processors, thereby giving you the opportunity to object to such changes. Where GVZH engages another processor for carrying out specific processing activities on your behalf, the same data protection obligations as set out in this clause shall be imposed on that other processor or sub-processor by way of a contract or other legal act under EU or Maltese law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor or sub-processor fails to fulfil its data protection obligations, GVZH shall remain fully liable to you for the performance of that other processor or sub-processor’s obligations;
- To the extent that this is reasonable, provide you with assistance and cooperation in attending to data requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, taking into account the nature of the processing;
- To the extent required by the Data Protection Laws, assist you in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (security obligations, notification of personal data breach to the supervisory authority obligation, communication of a personal data breach to the data subject obligation, data protection impact assessment obligation and prior consultation with the supervisory authority obligation) taking into account the nature of processing and the information available to GVZH;
- Inform you without undue delay, and provide reasonable assistance, as soon as it becomes aware of a personal data breach relating to personal data in GVZH’s possession or control;
- At your reasonable request, delete or return all the personal data to you at the termination of the Engagement, save to the extent GVZH is legally required to retain any personal data in accordance with the Data Protection Laws;
- At all times be permitted to store personal data included in routine backups in accordance with Our standard policy;
- Make available to you all information necessary to demonstrate compliance with the obligations laid down in this clause and the Data Protection Laws, and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you. In this regard, GVZH shall immediately inform you if, in its opinion, an instruction infringes the GDPR or other EU or Maltese data protection provisions; and
- Take all such measures necessary to ensure that processing will meet the requirements of the GDPR and ensure the protection of the rights of data subjects.
About your Rights
At any point in time during Our processing of your data, you have the following rights. All requests in this regard may be made by sending an email to dataprotection@gvzh.mt. We will also forward your request to the relevant 3rd Parties mentioned above as required.
- Right of access – You can request a copy of the information that We hold about you.
- Right of rectification – You can ask Us to correct data that We hold about you if it is inaccurate or incomplete.
- Right to be forgotten – In some situations, you may ask Us to delete certain data We hold about You and We will always comply to the extent allowed or required by any applicable law. Please note that while We will promptly delete or anonymise your personal data from our active systems and databases upon request, residual copies may temporarily remain in our backup systems. These backups are maintained for security and continuity purposes only and will not be further processed, and your data will be permanently deleted in accordance with our standard backup retention cycles.
- Right to restriction of processing – In some situations, you may ask Us to restrict the processing of your data.
- Right of portability – You may ask Us to transfer certain data We hold about you to another organisation.
- Right to object – You have the right to object to certain types of processing such as direct marketing.
- Right to object to automated processing, including profiling – You also have the right to object to the legal effects of automated processing or profiling.
- Right to complain about how your Personal Data is being processed by Us (or third parties), or about how your complaint has been handled. You can lodge a complaint with us by contacting us at dataprotection@gvzh.mt. However, if you are unsatisfied with the way We managed your complaint, you can lodge a complaint directly with the Office of the Information and Data Protection Commissioner (https://idpc.org.mt/).
- Right to withdraw your consent – You have the right to withdraw your consent, where given, at any time. This applies in particular to receiving marketing communications, where you are able to opt-out of receiving further notifications by clicking on the ‘unsubscribe’ link found in all such communications. You may also send an email to marketing@gvzh.mt.
Kindly note that none of these data subject rights are absolute and must generally be weighed against our own legal obligations and legitimate interests. If a decision is taken to override your data subject request, you will be informed of this by our data protection team along with the reasons for our decision.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, We may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, We could refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, We will notify you and keep you updated.
Changes to our Privacy Notice and your duty to inform us of changes
We keep our Privacy Notice under regular review. We may make changes to it from time to time. If We do, changes will be posted in this document.
It is important that the personal data We hold about you is accurate and current. Please keep us informed if your personal data changes during our relationship with you.
This Privacy Notice was last updated on 03.10.2025.
© 2025 GVZH Advocates – All rights reserved. Unauthorized use and/or duplication of this material without express and written permission is prohibited.