Lifenat logo web site

Privacy – Lifenat project

Privacy policy

Last Updated: 01.01.2026

This Privacy Policy describes the ways in which personal data are processed through the LIFENAT – Little Footsteps IN NATure project website.

The processing is carried out in compliance with Regulation (EU) 2016/679 (“GDPR”), the applicable Maltese legislation on the protection of personal data, including the Data Protection Act, Chapter 586 of the Laws of Malta, and the principles of lawfulness, fairness, transparency, minimization, accuracy, storage limitation, integrity and confidentiality. The Office of the Information and Data Protection Commissioner (IDPC) is the competent supervisory authority in Malta.

This information only concerns the processing carried out through this website. Any additional processing carried out in the context of project activities, events, applications, surveys or project management may be governed by separate specific disclosures.

  1. Data Controller

The data controller of the personal data collected through this site is:

MACTT Educational Group LtdCompany Registration Number: C 44520VAT Number: MT18927427
Registered Office: Level One, Triq Dun Karm, Birkirkara BKR 9037, MaltaEmail for privacy issues: privacy@mactt.eu

The project’s Grant Agreement identifies MACTT Educational Group Ltd as the coordinator of the LIFENAT project.

  1. Scope of the Notice

This Privacy Policy applies to personal data collected:

  • while browsing the site;
  • via any contact forms;
  • through communications sent to the email addresses published on the site;
  • through technical tools and cookies, within the limits indicated in the Cookie Policy.
  1. Categories of data processed

We may process the following categories of personal data:

  1. a) Browsing data

During the normal operation of the site, computer systems and software procedures may acquire some data whose transmission is implicit in the use of Internet protocols, such as:

  • IP address or equivalent identifiers;
  • browser type and device;
  • operating system;
  • date and time of the request;
  • pages visited;
  • Referring URLs, if available;
  • Technical information about the session.

These data are used for technical, aggregate statistics, security and proper functioning of the site.

  1. b) Data provided voluntarily by the user

If the user contacts the project or the owner via form or email, the following may be processed:

  • name and surname;
  • email address;
  • organization to which they belong, if provided;
  • content of the message;
  • any other personal data voluntarily included in the communication.

The user is invited not to transmit data in excess of the request sent and, in particular, not to communicate special categories of personal data, unless strictly necessary and subject to a suitable legal basis. Special categories of data are subject to specific conditions in EU law.

  1. Purposes of processing and legal bases

Personal data are processed for the following purposes:

4.1 Technical management of the site and security

To enable the operation of the site, ensure its security, prevent unauthorized access, abuse, fraud, cyber attacks, technical errors and malicious activity.

Legal basis: legitimate interest of the data controller pursuant to Article 6, paragraph 1, letter f) GDPR, as well as, where applicable, the need to provide the service requested by the user. The GDPR principles require transparency and clear information on the purposes of the processing.

4.2 Responding to contact requests and information

To respond to questions, requests for clarification, institutional communications or requests relating to the project and its activities.

Legal basis: execution of pre-contractual measures adopted at the request of the data subject, pursuant to Article 6, paragraph 1, letter b) GDPR, or legitimate interest of the data controller to correctly manage the communications received, where relevant.

4.3 Fulfilment of legal obligations

To comply with obligations under European Union law, Maltese law or lawful requests from competent authorities.

Legal basis: Art. 6 (1) (c) GDPR.

4.4 Protection of the rights of the owner

To ascertain, exercise or defend a right in or out of court.

Legal basis: legitimate interest of the controller pursuant to Article 6, paragraph 1, letter f) GDPR.

4.5 Cookies and similar non-technical technologies

If the site uses non-anonymized analytical cookies, profiling cookies, retargeting or other tools that are not strictly necessary, the related data will be processed only after obtaining consent, where required.

Legal basis: consent of the data subject pursuant to Art. 6 (1) (a) GDPR. Consent must be revocable at any time. The European Commission expressly states that the right to withdraw consent must be informed.

  1. Nature of the provision of data

The provision of navigation data is necessary for the technical use of the site.

The provision of the data requested in the contact forms or emails is optional; however, failure to provide the data marked as necessary may prevent the Data Controller from responding to the request or providing the requested service.

  1. Processing methods

Personal data are processed electronically and, where necessary, on paper, according to logics strictly related to the purposes indicated and by means of appropriate technical and organisational measures to protect them from unauthorised access, loss, destruction, alteration or undue disclosure.

Also in the Erasmus+ context, beneficiaries are required to apply appropriate technical and organisational measures and to ensure security, confidentiality and access control.

  1. Recipients of the data

Personal data may be communicated, within the limits strictly necessary, to the following categories of subjects:

  • providers of IT services, hosting, technical maintenance and site security, appointed as data processors where required;
  • consultants, professionals or suppliers acting as independent controllers, where applicable;
  • personnel authorized by the Data Controller and bound by confidentiality obligations;
  • public authorities, control bodies, law enforcement agencies or institutional subjects, in cases provided for by law or at a legitimate request.

Personal data are not disclosed to the public, unless this is required by regulatory obligations or by specific initiatives for which a dedicated information notice is provided.

  1. Data transfers to third countries or international organisations

If, for technical or organisational reasons, data is transferred to countries outside the European Economic Area, such transfer will only take place in accordance with Chapter V of the GDPR, for example:

  • on the basis of an adequacy decision by the European Commission; or
  • by means of standard contractual clauses (SCCs) or other appropriate safeguards provided for by law.

The European Commission indicates that international transfers must be accompanied by appropriate safeguards, including adequacy and SCCs.

Important: References to providers, hosting, and server location countries must be technically verified before the privacy policy is published. This part must therefore be completed with the real data of the site actually online.

  1. Retention period

Personal data are stored for a period not exceeding that necessary to achieve the purposes for which they are collected.

In particular:

  • browsing data are stored for the time strictly necessary for technical, security and diagnostic purposes, except for further needs to ascertain unlawful acts;
  • the data received through contact forms or emails are stored for the time necessary to manage the request and, subsequently, for an appropriate administrative period, normally not exceeding 24 months, except for further storage needs deriving from legal obligations or the protection of the rights of the Data Controller;
  • Data processed on the basis of consent is stored until consent is revoked, unless further storage is justified by legal obligations or defensive needs.

The GDPR requires that data subjects be informed of the retention period or the criteria used to determine it.

  1. Automated decision-making and profiling

The Data Controller does not adopt, through this website, automated decision-making processes that produce legal or similarly significant effects with regard to the data subject pursuant to art. 22 GDPR.

Any profiling activities through cookies or similar tools, if any, will be described in the Cookie Policy and subject to consent, where required. The European Commission requires you to inform the data subject of any automated decisions and the logic involved, where applicable.

  1. Rights of the data subject

The data subject may exercise, within the limits provided for by the GDPR, the following rights:

  • right of access to personal data;
  • right to rectification of inaccurate or incomplete data;
  • right to erasure of data;
  • right to restriction of processing;
  • right to object to processing, in the cases provided;
  • the right to data portability, where applicable;
  • the right to withdraw consent at any time, without prejudice to the lawfulness of the processing based on the consent given before the withdrawal;
  • right to lodge a complaint with the competent supervisory authority.

The European Commission expressly lists this information among those to be provided to data subjects; The Maltese IDPC is the competent national supervisory authority.

  1. Right to lodge a complaint

If you believe that the processing of your personal data infringes applicable law, you have the right to lodge a complaint with the competent supervisory authority.

For Malta, the competent authority is:

Office of the Information and Data Protection Commissioner (IDPC)
MaltaInstitutional website: IDPC Malta.

  1. Contacts for the exercise of rights

To exercise your rights or for any request relating to this Privacy Policy, you can contact the Data Controller at:

privacy@mactt.eu

  1. Minors

The site is not intended for the intentional collection of personal data of minors without the involvement of the parent, guardian or other legitimate person, except as may be provided for by specific project activities accompanied by appropriate dedicated information.

Since the project also concerns minors in the educational field, any processing of children’s personal data carried out outside the mere navigation of the site must be managed with specific information, adequate protection measures and, where necessary, the involvement of parents or those exercising parental responsibility. The Erasmus+ Programme requires specific protections for minors in project activities.

  1. Relationship with the Erasmus+ framework

This Privacy Policy governs the processing carried out through the project website.

For some processing carried out in the context of the management of the Erasmus+ project, reporting to the National Agency, the use of Erasmus+ institutional tools or the management of participants and stakeholders, MACTT and the other beneficiaries may be subject to additional specific obligations provided for by the Grant Agreement and the Erasmus+ documentation on data protection. In such cases, additional and dedicated information may be provided. The project’s Grant Agreement contains a specific article on data protection and the additional Erasmus+ document clarifies the obligations of the beneficiary when operating as a processor.

  1. Changes to this Privacy Policy

The Data Controller reserves the right to update or modify this Privacy Policy at any time, including as a result of regulatory changes, technological developments or changes in the services offered by the site. The updated version will be published on this page with an indication of the date of last update.