Skip to main content

Customer Privacy Notice


Krypton Chemists Limited (C8933) of Plot 4, Cantrija Complex, Triq it-Tarġa, Magħtab, Naxxar, NXR 6613, Malta (“Krypton Chemists”; “we”; “us”; “our”) respects your privacy and is committed to protecting your personal data. We (Krypton Chemists) are a leading distributor of medical devices, materials and consumables in Malta and registered with the Malta Medicines Authority.

For the most part, we supply and distribute to the national public health service (“NHS”) and private hospitals and clinics in Malta. However, we may and have on occasion been approached for product orders directly by private individuals, rather than through the NHS or a hospital and clinic, and we refer to these as “direct sales”. This Privacy Notice (“Notice”) is addressed to those individuals who request and place direct sales with us, such as yourself. Its purpose is to explain what personal data we collect about such individuals, how and why we collect that data and the ways in which we may disclose it and our reasons for doing so. It also provides information on how you may exercise your rights as a data subject in relation to your personal data (see Section 11 – “your legal rights”).

This Notice should be read together with our terms of sale. We may change, modify, add, or remove portions from this Notice at any time, but we will never do so in a manner that undermines your rights.



We are providing this Notice to you as a controller of your personal data. We are responsible for treating it in a lawful and appropriate manner in accordance with the General Data Protection Regulation (“GDPR”) and Maltese data protection laws.

It is important that you read this Notice, together with any other notice that we may provide when we are processing personal data about you, so that you are fully aware of how and why we are using your personal data. If you have any questions or requests, including any requests to exercise your legal rights as a data subject, please contact us using the details set out below:

Contact details:

Full name of legal entity: Krypton Chemists Limited

Email address:

Postal address: Plot 4, Cantrija Complex, Triq it-Tarġa, Magħtab, Naxxar, Malta

Please use the words ‘Data Protection Matter’ in the subject line of your communication to us

Your Duty to Inform Us of Changes

It is imperative that the personal data we hold about you is accurate and current. Otherwise, this will prevent us from being able to process, fulfil and deliver (or make arrangements for delivery of) your order. Please keep us informed if your personal data changes during your relationship with us.


Set out below are key definitions of certain terms which appear in and apply to this Notice:

  • data subjects” means living, natural persons about whom we process personal data;
  • data controller” or “controller” means any entity or individual who determines the purposes for which, and the manner in which, any personal data is processed;
  • data processor” or “processor” means any entity or individual that processes data on our behalf and on our instructions (we being the data controller);
  • legitimate interest” means our interest to conduct our business appropriately and responsibly and protect its reputation, and to provide the best possible services. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests;
  • personal data” means data relating to a living individual (i.e., natural person) who can be identified from the data we possess about him or her. This includes, but is not limited to, your name and surname, address, date of birth, contact details. It does not include information relating to a legal person (such as a company);
  • processing” means any activity or set of operations that involves use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including, organising, amending, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties; and
  • sensitive personal data” includes information about a person’s racial or ethnic origin, political opinions, religious, philosophical, or similar beliefs, trade union membership, physical or mental health or condition or sexual life or his or her biometric data.


Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and disclose different kinds of personal data about you in connection with or as a result of your order request or placement, which we have grouped together as follows:

  • Identity Data: your name, surname and identity card or passport number;
  • Contact Data: your e-mail address, delivery address, contact number;
  • Order Data: details about your order, including product type, supplier, customisations;
  • Payment Data: invoice amount, billing address, payment details and payment method;
  • Health Data: means information disclosed or revealed to us, or which we are otherwise able to deduce, about your health status or any medical conditions which you may have as a result of your order and its details (including any customisations). Collecting and processing this health data is an essential part of the order process and necessity for being to obtain and supply the correct and proper product which you have requested.

If you Fail to provide Personal Data

Where we need to collect personal data about you:

  • by law; or
  • under the terms of, or in connection with, your order (as discussed above);

and you either fail to provide that data when requested, or else provide incomplete or insufficient data, we might not be able to process or fulfil your order. In such case, we might have no other option but to terminate or cancel your order. We will however expressly inform you should that be case.


This personal data is/will be primarily collected from the following sources:

  • through interactions with us. This includes personal data which you provide when communicating with us about your order (whether by phone, e-mail or otherwise);
  • through the forms you submit to us. This includes personal data which you provide when completing the order forms which we require (which may be online or physical).


We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely upon to do so. We have also identified what our legitimate interests are where appropriate. Note that we may process your personal data pursuant to more than one lawful ground or basis, depending on the specific purpose for which we are using your data.

Please contact us if you need details about the specific legal grounds we are relying on to process your personal data where more than one ground has been set out in the table below.

Change of Purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and it is compatible with the original purpose, or we are obliged to process your data by applicable laws or court or other enforceable orders.

If we need to use your personal data for any other purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please contact us at if you need further details, or even if you simply wish to enquire about the specific lawful basis we are relying on to process your personal data where more than one lawful basis has been set out in the table below.


We may need to share your personal data with third parties for the purpose set out above.

Information we may share to other parties:

  • external third-party consultants, (sub-)contractors, suppliers or other service providers who may access your data when providing services to us (including but not limited to IT support services). This includes IT experts who assist us with technical support and maintenance for our computer systems and general service companies. These are carefully selected to ensure they meet high data protection and security standards. We only share data with them that is required for the services offered and we contractually bind them to keep any data we share with them as confidential and to process personal data only according to our instructions;
  • auditors or other advisors auditing, assisting with or advising on any of our business purposes;
  • our successors in title or third parties to whom we may choose to sell, transfer, or merge parts of our business or assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, the new owners may use your data in the same way as set out in this Notice; or
  • government bodies and law enforcement agencies and in response to other legal and regulatory requests or by instruction from a court, tribunal or public authority.

We do not, unless exceptionally required, share or make available customer health data.

Where your details are provided to any other party in accordance with an express purpose, we will require them to be kept safe and secure your personal data and only use it for the intended purpose.

Furthermore, we may also disclose your data to enforce our contractual terms against you, or to protect our rights, property or safety. This includes exchanging information with other companies and organisations for the purposes of fraud protection.



We do not generally transfer your personal data to entities outside the EU/EEA, unless exceptionally required (such as due to a legal requirement which arises). We will inform you where it the case and ensure that the transfer is carried out using appropriate safeguards.


We have put in place a range of security procedures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We regularly review and, where practicable, improve upon these security measures. We limit access to your personal data to personnel who ‘need-to-know’ such information, as based on their respective work duties with us.

Additionally, we have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.


Unless a different timeframe has been specifically stated in this Notice, personal data will be retained for as long as is necessary for the purpose(s) for which we originally collected it or to resolve disputes, establish legal defense, conduct audits, pursue legitimate business purposes, and enforce our contractual terms. We may also retain information as required by applicable law.

Outside of exceptional cases, we normally apply a retention period of five (5) years from the date of delivery or, as the case may be, termination / cancellation of your order.

There may also be other instance where we may need to retain your personal data for longer period(s), such as in relation to threatened or commenced claims, litigation, ongoing or pending investigations, requests made by competent authorities or for audits or investigations by them.

Kindly contact us for further details about the retention periods that we apply.


In certain circumstances, you have rights under data protection laws in relation to your personal data.

  • Request access to your personal data.
  • Request correction (rectification) of your personal data.
  • Request erasure of your personal data.
  • Object to processing of your personal data.
  • Request restriction of processing your personal data.
  • Request transfer of your personal data.
  • Right to withdraw consent.

If you wish to exercise any of these rights, please contact us on:

No fee usually required

You will not normally have to pay a fee to exercise your data subject rights.

However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in the above circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to exercise what you have requested from us. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up or facilitate our response.

Time limit to respond

We try to respond to all legitimate requests within the period of one month from receipt of the request.

Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

These rights are explained below.

  • Access: You have the right to obtain confirmation that your data is being processed and to obtain access to your data, e.g., by receiving a copy of it.
  • Rectification: You have the right to have your data corrected if it is inaccurate or incomplete.
  • Erasure: You have the right to request us to delete or remove your data in certain circumstances. Please note that there may be circumstances where it is not possible to fulfil the request for your data to be deleted, e.g if there is a legal reason to retain it.
  • Object: You have the right to object to processing of your data where we are relying on a legitimate interest or those of a third party, and you want to object as you feel it impacts on your fundamental rights or freedoms. Similarly, you may also object where we are using your data for marketing purposes (including marketing communications).
  • Restrict: You have the right to request the processing of your data to be restricted in certain circumstances. Again, there may be cases where we are legally entitled to refuse.
  • Data Portability: You have the right to request the transfer of your personal data to you or to a third party. We will provide that data in a structured, commonly used, machine-readable format. This right only applies to automated information for which you gave us your consent to use or where we used the information to perform a contract with you.
  • Withdrawal: You may withdraw your consent at any time where we are relying on consent to process your personal data. This will not affect the lawfulness of any processing carried out before you withdrew your consent, and any processing activities that are not based on your consent will remain unaffected. Once we have been made aware that you have withdrawn your consent, we will no longer process your data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

Kindly note that none of these data subject rights are absolute and must generally be weighed against our own obligations and legitimate interests. If a decision is taken to override your request, we will inform you of this together with the reasons for our decision.


This Notice may be updated from time to time.

Please note that if our business, or any part of it, is sold or transferred at any time, the data and other information we hold may form part of the assets transferred, although it will still only be used in accordance with this Notice.

You have the right to lodge a complaint at any time to a competent supervisory authority on data protection matters, such as in particular the supervisory authority in the place of your habitual residence or your place of work. In the case of Malta, this is the Office of the Information and Data Protection Commissioner ( We would, however, appreciate the opportunity to deal with your concerns before you approach the supervisory authority, so please contact us in the first instance. Please use the words ‘Data Protection Matter’ in the subject line.