Privacy Notice

Last updated 28/02/2023

The Authority for the Responsible Use of Cannabis (hereafter also referred to as ‘ARUC’, ‘Authority’, ‘We’, ‘Our’ or ‘Us’) is committed to protecting the privacy and security of personal data in accordance with the General Data Protection Regulation EU 2016/679 (“GDPR”, “Regulation”), the Data Protection Act (Chap 586 of the Laws of Malta) and any other applicable data protection laws which may be amended from time to time.

This Privacy Notice sets out how the Authority collects and processes your data, why we are using such information and what your rights are under GDPR.

1. Controller Details

The Data Controller, as defined under GDPR, is the Authority for the Responsible Use of Cannabis established by Chapter 628 of the Laws of Malta, having its registered address at Onda Business Centre, Level 4, Aldo Moro Road, Marsa, Malta.

The Authority may be contacted at the registered address, by telephone at +356 23889600 or by email at: [email protected].

The Authority’s Data Protection Officer may be contacted by email at: [email protected].

2. How we collect information about you

The personal data We process is collected directly from you through the submission of our application to register and operate a Cannabis Harm Reduction Association (CHRA), including supporting documentation and follow-up email communication, or through the submission of queries through the Contact Us section on Our website.

We may also collect your personal data from third parties when We request further information in respect of the evidence or documentation provided by you as a part of the application process in order for Us to corroborate and validate your submission.

3. Personal data collected

We collect and process your personal data, including:


  • Identification information such as full name, maiden name, ID and passport number, date and place of birth, nationality, years resident in Malta, copies of Passport/ID card, list of countries where the passport has been issued and passport size photos.
  • Contact Information such as contact numbers, email addresses, residential addresses.
  • Employment information such as role and type of engagement within the CHRA, employment status, experience, employment history, duration of employment, dismissal/resignation information, CV and details of directorships, partnerships or other business interests.
  • Criminal Records such as previous charges, arrests or summons for an offence, access to the Fedina Penali from the Commissioner of Police.
  • Financial information such as bank references, financial details (relating to bankruptcy or insolvency), source of income and wealth, payslips, tax returns, FS3s, bank statement extracts and loan agreements.


  • Full name, email address and contact number.

4. Purposes of the processing

We use your personal data for the purpose of/for:

  • screening and evaluating CHRA/License applications and therefore, including identification and verification purposes;
  • contacting NPOs regarding their application or any issues that may arise;
  • approving or rejecting CHR applications;
  • renewing and re-evaluating the license obtained by the CHRA;
  • listing and maintaining a register of approved CHRAs;
  • a research-based approach when drafting policies, issuing legal frameworks, outreach and education;
  • the prevention of Anti-Money Laundering (AML) or fraud purposes. 

5. Legal Basis

The Authority’s bases for processing your personal data are the following:

  1. Article 6(1)(e) of the GDPR. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller which is laid down by law.
  2. Article 6(1)(c) of the GDPR. Processing is necessary for compliance with a legal obligation to which the controller is subject.
  3. Article 6(1)(a) of the GDPR. The data subject has given consent to the processing of his or her personal data for one or more specific purposes.

6. Sharing of Data

We may share your personal data in accordance with data protection principles and guidelines and in accordance with other laws and regulations with the following:

  • Other government agencies and/or public authorities as required by law.
  • Third parties who fulfil a service on behalf of and under the express instructions of the Authority.
  • Other bodies and authorities, where it is necessary to do so for such body/authority to carry out its functions.

7. Processing Requirements

Please note that failure to provide your personal data and other supporting information and documentation will impede the Authority from initiating the registration and licensing process, implying that your application will be rejected.

8. Automated Decision-Making and Profiling

At no point in time will your personal data be used for any automated decision-making or profiling tasks and activities.

9. Transfer of Data to Third Countries

Your personal data will not be transferred outside the EU/EEA. However, in such an event, and in the absence of an adequacy decision issued by the European Commission (Art. 45 GDPR), appropriate safeguards shall be provided for such transmissions as per and in accordance with legal requirements (particularly the use of EU standard contractual clauses and any other required measures). In such case, you will be able to obtain a copy of the Standard Contractual Clauses (SCCs) by contacting us at [email protected].

10. Security

The Authority has put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, We limit access to your personal data to authorised personnel on a need-to-know basis. They will only process your personal data on the Authority’s strict instructions or where the fulfilment of a task demands such access.

11. Data Retention

We will only retain the personal data for as long as necessary to fulfil the purposes for which it was originally collected, more specifically, 10 years from when:

  • an application for registering an CHRA was rejected;
  • an operational license is not approved, rejected, revoked or withdrawn, through a decision taken by the Authority, by Court Order, or voluntarily by the board of administrators of the CHRA.

In the case of personal data being retrieved through the ‘Contact Us’ page via our website, such information will be retained for a maximum period of 1 year from when the query or request is considered as closed.

12. Data Subject Rights

In accordance with the GDPR, you have the following rights:

  1. The right to be informed in a precise, transparent, comprehensible and easily accessible form.
  2. Request access to your personal information. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;
  3. Request rectification of personal data that we hold about you.
  4. Request that we provide you with any personal data that you may have provided us, in a structured, commonly used, and machine-readable format;
  5. The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

You may exercise the rights indicated in this section by contacting our Data Protection Officer at [email protected].

13. Complaints 

The Authority and its Data Protection Officer may be contacted on complaints regarding the processing of personal data at [email protected]. You have also the right to lodge a complaint with the competent Supervisory Authority, namely the Office of the Information and the Data Protection Commissioner (IDPC) in Malta through its website at

14. Changes to this Notice

The Authority reserves the right to amend and update this Notice from time to time. In such case, We will replace this Notice as shown on this page with an updated version. Whilst we would notify you of any significant changes to this Notice, it is highly advisable for you to regularly check this page in order to be aware of any changes which may occur from time to time.