BNF Bank p.l.c. takes the confidentiality and security of Your personal data very seriously.
Our full details, including contact details, can be read below.
As an entity established in Malta, EU, and the United Kingdom the main privacy laws that are applicable to Us in so far as You are concerned, are as follows:
- The Maltese Data Protection Act (Chapter 586 of the Laws of Malta) as well as the various subsidiary legislation issued under the same – the ”DPA”;
- The UK Data Protection Act 2018 as well as any various subsidiary legislation issued under the same – the “UK DPA”;
- The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC ( Data Protection Regulation) – the “GDPR”, including its relative implementation into the laws of the UK.
All the above referred to together as the “Data Protection Laws”
What is Personal Data?
“PERSONAL DATA” means any information that identifies You as an individual or that relates to an identifiable individual.
Personal Data We Collect About You
We collect Personal Data in various ways both digitally on www.bnf.bank, (either when You choose to provide Us with certain data or in some cases, automatically, or via our Facebook chat or from third parties) as well as non-digitally (for example when You fill in a physical form to benefit from one or more of Our services).
There are various categories of Personal Data that We collect about You, namely:
- CONTACT DETAILS - Such as Your name, surname, country, residential and corresponding address, telephone and mobile number.
- REGISTRATION DATA - Such as the Bank’s Internet Banking portal username, password, country of residence, gender.
- IDENTIFICATION DATA - Such as an official photo identification document, passport information, National Insurance Number, Tax Identification Number, Social Security Number, Date of Birth, nationality and citizenship.
- FINANCIAL DATA - Such as invoices, pay slips, the value of Your property or other assets, Your credit history, credit capacity, financial products You have with BNF Bank, payment arrears and information on Your income.
- TRANSACTION DATA - Such as information we use to identify and authenticate You (e.g. Your signature), Your bank account number, deposits, withdrawals and transfers related to Your account.
- SOCIO-DEMOGRAPHIC DATA - Such as Your marital status and whether have any dependents.
- OTHER DATA YOU MAY PROVIDE TO US DURING OUR INTERACTIONS WITH YOU - Such as other information about You that You give us by filling-in forms or communicating with us, whether face-to-face, by phone, email, online, or otherwise.
- MARKETING DATA - Such as proof of opt-in consent (where needed), objections to marketing, mailing address and data obtained when participating in market research.
- GEOGRAPHIC INFORMATION - Such as information about which branches or ATMs You use, information included in customer documentation, marketing and sales information, as well as online identifiers such as cookies and IP address which we use to recognize You when accessing our services online.
- RISK RATING INFORMATION - Such as credit risk rating and transactional behavior,
- INVESTIGATION DATA - Such as due diligence checks, sanctions and anti-money laundering checks, external intelligence reports, content and other data related to relevant exchanges of information between and among individuals/organisations, including emails, voicemail and live chat.
- RECORDS OF CORRESPONDENCE - Such as communication between us, including snail mail, telephone calls, emails, live chat, instant messages and social media communications.
- ESIS QUOTE INFORMATION - Such as information we collect about You in order to provide You with a quote for a credit agreement secured by a residential immovable property
In some cases, (for example, if You are a client, or prospective client of Our services, via the Bank’s Site, telephone, app or otherwise) We may request additional Personal Data as a means of securely identifying You or for another similar lawful purpose. The additional information We may request from You to be able to provide You with Our services includes:
- More secure identification methods
Many of the categories of Personal Data above are collected directly from You (for example, Your Contact Details and Your Registration Data).
WE MAY ALSO COLLECT PERSONAL DATA FROM OTHER SOURCES, including data companies, publicly accessible databases (e.g. Malta Business Registry and/or the UK Companies House), joint marketing partners, social media platforms, Credit Reference Agencies, the Central Credit Register maintained by the Central Bank of Malta, the UK Bankruptcy and Insolvency Register and Disqualified Directors Register, and other publicly available sources of information and other third parties.
We may also receive Personal Data about You from third parties when We need to confirm Your Contact Details or even certain Financial Information. Should this be the case, We will take all measures as required by law to further inform You about the source of such Personal Data as well as the categories of Personal Data We collect and process. There are certain instances at law where We are specifically forbidden from disclosing to You such activity (for example, when carrying out due diligence for anti-money laundering purposes).
For a detailed description of the reasons why We process the categories of personal data above (and any other specific personal data We process) as well as the corresponding legal ground(s) for doing so please see the ‘What We Use Your Personal Data For (Purpose of Processing)’ below.
For information/Personal Data that We may collect automatically via the Bank’s Site, please see the Cookies section below.
How And Why We Collect Personal Data
Generally, We collect Personal Data that You provide directly to Us when registering with Our Site (where this is available), when contacting Us with enquiries relating to Our goods and/or services, when subscribing to any service offered by Us or via Our Site, such as any newsletters as may be issued by Us from time to time or even when subscribing to any offers We (and/or Our affiliates and/or corporate partners) may offer from time to time (see Personal Data We Collect About You above).
Unless otherwise specified and subject to various controls, as a general rule, We only collect Personal Data (from You or elsewhere) that We:
- Need to be able to provide You with the goods and/or services You request from Us; or
- Are legally required to collect/use and to keep for a predetermined period of time; or
- Believe to be necessary for Our legitimate business interests; or
- Received consent from You.
For a detailed description of the reasons why we process specific categories of personal data as well as the corresponding legal ground(s) for doing so, please see the ‘What We Use Your Personal Data For (Purpose of Processing)’ below.
What We Use Your Personal Data For (Purpose Of Processing)
Special Note on Consent
For the avoidance of all doubt, We would like to point out that in those limited cases where We cannot or choose not to rely on another legal ground (for example, Our legitimate interests), We will process Your Personal Data on the basis of Your consent. In some cases, We will require Your explicit consent, for example, when, on the basis of Your explicit consent We will process special categories of data concerning You such as Your health data (what was previously referred to as ‘Sensitive Personal Data’) that might be needed as part of Our processing of Your application for a credit facility with Us.
In those cases where We process on the basis of Your consent (which We will never presume but which We shall have obtained in a clear and manifest manner from You), YOU HAVE THE RIGHT TO WITHDRAW YOUR CONSENT AT ANY TIME and this, in the same manner as You shall have provided it to Us.
Should You exercise Your right to withdraw Your consent at any time (by writing to Us at the physical or email address below), We will determine whether at that stage an alternative legal basis exists for processing Your Personal Data (for example, on the basis of a legal obligation to which We are subject) where We would be legally authorised (or even obliged) to process Your Personal Data without needing Your consent and if so, notify You accordingly.
When We ask for such Personal Data, You may always decline, however should You decline to provide Us with necessary data that We require to provide requested services, We may not necessarily be able to provide You with such services (especially if consent is the only legal ground that is available to Us). Just to clarify, consent is not the only ground that permits Us to process Your Personal Data. In the last preceding section above We pointed out the various grounds that We rely on when processing Your Personal Data for specific purposes.
Personal Data Relating To Third Parties
Accuracy Of Personal Data
All reasonable efforts are made to keep any Personal Data We may hold about You up-to-date and as accurate as possible. You can check the information that We hold about You at any time by contacting Us in the manner explained below. If You find any inaccuracies, We will correct them and where required, delete them as necessary. Please see below for a detailed list of Your legal rights in terms of any applicable data protection law.
We only send mail, messages and other communications relating to marketing where We are authorised to do so at law. We rely on Your consent to do so (especially where We use electronic communications). If, at any time, You no longer wish to receive direct marketing communications from Us please let Us know by contacting Us at the details below or update Your preferences on any of Our Site(s) or apps (where applicable).
In the case of direct marketing sent by electronic communications (where We are legally authorised to do so) You will be given an easy way of opting out (or unsubscribing) from any such communications.
Please note that even if You withdraw any consent You may have given Us or if You object to receiving such direct marketing material from Us (where We do not need Your consent), from time to time We may still need to send You certain important communications such as information relating to Your account or other administrative emails from which You cannot opt-out.
Transfer To Third Countries
As a general rule, the data We process about You (collected via the Site, any of our apps or otherwise) will be stored and processed within the European Union (EU)/European Economic Area (EEA), the UK or any other non-EEA country deemed by the European Commission or the UK (as appropriate) to offer an adequate level of protection (the so-called ‘white-listed’ countries recognized by the European Commission are listed here: https://ec.europa.eu/info/law/law-topic/data-protection_en).
In some cases, it may be necessary for Us to transfer Your Personal Data to a non-EEA country not considered by the European Commission or the UK (as appropriate) to offer an adequate level of protection (for example to one or more of Our data processors located there). For the implementation of Your desired transaction it can be necessary that We disclose Your Personal Data to other banks outside the EEA or the UK.
In such cases, apart from all appropriate safeguards that We implement, in any case, to protect Your Personal Data, We have put in place additional adequate measures. For example, We have ensured that the recipient is bound by the EU Standard Contractual Clauses (the EU Model Clauses), as well as any other data protection frameworks designed to protect Your Personal Data as though it were an intra-EEA transfer.
You will be aware that data sent via the Internet may be transmitted across international borders even where sender and receiver of information are located in the same country. We cannot be held responsible for anything done or omitted to be done by You or any third party in connection with any Personal Data prior to Our receiving it, including but not limited to any transfers of Personal Data from You to Us via a country having a lower level of data protection than that in place in the European Union, and this, by any technological means whatsoever.
As the Internet is an inherently insecure medium of communication, We do not send any customer information via electronic mail even if You (Our customer) requests it.
We shall accept no responsibility or liability whatsoever for the security of Your data while in transit through the internet unless Our responsibility results explicitly from a law having effect in Malta.
- For the purpose of preventing, detecting or suppressing fraud (for example, if You provide false or deceptive information about Yourself or attempt to pose as someone else, We may disclose any information We may have about You in Our possession so as to assist any type of investigation into Your actions);
- in the event of BNF being involved in a merger, sale, restructure, acquisition, joint venture, assignment, transfer;
- to protect and defend Our rights (including the right to property), safety, or those of Our affiliates, of Users of Our Site or even Your own;
- to protect against abuse, misuse or unauthorised use of Our Site and Services;
- for any purpose that may be necessary for the performance of any agreement You may have entered into with Us (including the request for provision of services by third parties) or in order to take steps at Your request prior to entering into a contract;
- to comply with any legal obligations such as may arise by way of response to any Court subpoena or order or similar official request for Personal Data;
- to comply with our legal and contractual obligations arising from and as a result of Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (‘Payment Services Directive II’ or ‘PSD2’); or
- as may otherwise be specifically allowed or required by or under any applicable law (for example, under anti-money laundering legislation).
Sharing Of Personal Data With Other Categories Of Recipients
Any such authorised disclosures will be done in accordance with the Data Protection laws (for example all Our processors are contractually bound by the requirements in the said Data Protection Laws, including a strict obligation to keep any information they receive confidential and to ensure that their employees/personnel are also bound by similar obligations). The said service providers (Our processors) are also bound by a number of other obligations (in particular, Article 28 of the GDPR).
Your Personal Data will never be shared with third parties for their marketing purposes (unless You give Your consent thereto).
Your Personal Data will be made available to those people in our organisation who need it to carry out their duties and provide You with the services You expect from us. We also share it with:
- Any sub-contractors, agents or service providers who work for Us or provide services to Us, now or in the future (including their employees, sub-contractors, service providers, agents, directors and officers);
- Your joint account holders, administrators, attorneys appointed via a power of attorney, appointed advisors, curators or executors or court appointed representatives;
- People who give guarantees or other security for any amounts You owe Us such as guarantors and sureties;
- People You make payments to and receive payments from;
- Other financial institutions, lenders and holders of security over any property You charge to Us or pledge in Our favour, tax authorities, trade associations, credit reference agencies, payment service providers and debt recovery agents;
- Your heirs, intermediaries, correspondent and agent banks and clearing houses
- Law enforcement, government, courts, dispute resolution bodies, Our regulators, auditors, advisors, consultants and any party appointed or requested by Our regulators or duly appointed board or authority to request information, carry out investigations or audits of Our activities;
- The Central Bank of Malta to update the Central Credit Register maintained by the Central Bank of Malta;
- Bankruptcy and Insolvency Register, Register of Disqualified Directors
- Third party payment service providers to whom We are obliged to provide personal data in terms of PSD2;
- Other parties involved in any dispute, including disputed transactions;
- Fraud prevention agencies who will also use it to detect and prevent fraud and other financial crime and to verify Your identity;
The personal information which We may hold and/or transfer will be held securely in accordance with Our internal security policy and the law.
We use reasonable efforts to safeguard the confidentiality of any and/or all Personal Data that We may process relating to You and regularly review and enhance Our technical, physical and managerial procedures so as to ensure that Your Personal Data is protected from:
- unauthorised access
- improper use or disclosure
- unauthorised modification
- unlawful destruction or accidental loss.
To this end We have implemented security policies, rules and technical and organisational measures to protect the Personal Data that We may have under Our control. All our members, staff and data processors (including specific subcontractors, including cloud service providers established within the European Union), who may have access to and are associated with the processing of Personal Data, are further obliged (under contract) to respect the confidentiality of Our Users’ or clients’ Personal Data as well as other obligations as imposed by the Data Protection Laws.
Despite all the above, We cannot guarantee that a data transmission or a storage system can ever be fully secure. For more information about Our security measures please contact Us in the manner described below.
As stated above, the said service providers (Our data processors) are also bound by a number of other obligations in line with the Data Protection Laws (particularly, Article 28 of the GDPR).
Additional Security Measures In Internet Banking
All data exchanged in Our Internet Banking environment is processed in a secure session (SSL – Secure Socket Layer) and encrypted using 256 bit technology, DigiCert certified), protecting You against any attempted access by third parties. This technology does not require You to possess any additional software.
This is a process whereby the information sent by You or Our Internet Banking is transformed, so that it cannot be read or deciphered by anyone, except the intended recipient. The data is encrypted through the use of private keys/public keys method.
- SSL (Secure Socket Layer)
Standard protocol ensuring security and privacy in internet communications. The protocol supports client and server authentication. The SSL negotiates the opening of a secure session and the exchange of public keys before the exchange of data between the parties involved.
- Approved browsers
Access to Internet Banking is limited to browsers that meet the minimum security standards (as may be relevant from time to time) and support data encryption at 256 bits. Internet Banking must therefore be accessed through Microsoft Internet Explorer 11.0 or higher. Your latest browser must be able to handle at least TLS1.2
- Contract number and individual secret code
In order to authenticate access to Internet Banking You will need to enter a contract number (username) and a password using the randomised virtual keyboard or if You prefer Your normal keyboard. This will identify the client. The contract number and the password are encrypted when sent over the internet. The access keys are assigned on registration.
- Two Factor Authentication
At login stage the first two level authentication system is activated, whereby You will be required to insert Your username and password, together with a 6 digit code. You shall receive from us, a one- time password (also known as “OTP Code”), on Your approved mobile phone number for accessing bank account details and opening term deposits. After login stage at payment initiation, the BNF Internet Banking system will also require You to authorise the payment via two factor authentication, by inserting Your password and an OTP Code sent on Your approved mobile phone number.
- Automatic suspension of access
If the customer enters the Internet Banking access codes incorrectly on consecutive occasions, access will be automatically suspended.
- Automatic cancellation of access
If the customer fails to log out of Internet Banking after using the service, BNF has developed an automatic cancellation device, which takes effect after a given period of time.
Note also that customers must also accept an important part of the responsibility for the security of the service, keeping their access codes and contract numbers secret and logging out of Internet Banking (through the "Logout" option) whenever they end a session, or need to move away from the computer where they have opened the Internet Banking session. You are also advised to logout of an active Internet Banking Session while using Your browser for another non-secure internet browsing.
By maintaining our commitment to these principles, we at BNF will ensure that we respect the inherent trust that You place in us.
Payment Services Directives II
We are obliged by PSD2 to provide customer personal data to third party payment service providers (‘TPPs’) which hold recognition certificates issued by the MFSA and are authorised to access Your personal data to provide You with payment services when You so request them. TPPs shall have access to such personal data at any time via [the Modified User Interface]. The MUI is a platform that enables an authenticated Third Party Provider (TPP) to have access to customer balance, transition history and the ability to enable payments on such accounts through a web interface using a secured channel.
We will retain Your Personal Data only for as long as is necessary (taking into consideration the purpose for which it was originally obtained). The criteria We use to determine what is ‘necessary’ depends on the particular Personal Data in question and the specific relationship We have with You (including its duration).
Our normal practice is to determine whether there is/are any specific EU and/or Maltese law(s) (for example tax or corporate laws) permitting or even obliging Us to keep certain Personal Data for a certain period of time (in which case We will keep the Personal Data for the maximum period indicated by any such law). For example, any data that can be deemed to be ‘accounting records’ must be kept for ten (10) years. As a further example, data which we collect in order to provide You with a quote for Our services is retained for one (1) year, unless You accept such quote, in which case We will retain such data for the duration of Our contractual relationship with You and an additional five (5) years following the termination of such relationship.
We would also have to determine whether there are any laws and/or contractual provisions that may be invoked against Us by You and/or third parties and if so, what the prescriptive periods for such actions are (this is usually five (5) years in Malta and (6) years in the UK). In the latter case, We will keep any relevant Personal Data that We may need to defend Ourselves against any claim(s), challenge(s) or other such action(s) by You and/or third parties for such time as is necessary.
Where Your Personal Data is no longer required by Us, We will either securely delete or anonymise the Personal Data in question.
In line with the special concessions given to banks within the ‘Data Protection Guidelines for Banks’ issued by the Malta Bankers’ Association in collaboration with the Information and Data Protection Commissioner, any footage capturing customer/client images may be kept for up to 30 days.
Processing For Research And Statistical Reasons
Research and statistics using User or client information is only carried out so that We may understand Our Users' and/or clients’ needs, to develop and improve Our services/activities and/or for philanthropic goals representative of BNF’s purpose. In any case, We will always ensure to obtain any consent We may legally require from You beforehand. As in all other cases, We will also ensure to implement all appropriate safeguards as may be necessary.
Links To Third Party Sources
Links that We provide to third-party websites are clearly marked and We are not in any way whatsoever responsible for (nor can We be deemed to endorse in any way) the content of such websites (including any applicable privacy policies or data processing operations of any kind). We suggest that You should read the privacy policies of any such third-party websites.
Cookies, Web Beacons & Spotlight Tags
In any case You should note that if Your browser is set to disable cookies, You won't be able to access Internet Banking.
BNF web pages may also contain electronic images, known as web beacons or spotlight tags. These enable BNF to count users who have visited certain pages on Our Site. Web beacons and spotlight tags are not used by us to access Your personal data. They are simply a tool We use to analyse which web pages customers view, in an aggregated manner.
The Site and Our services are not intended to be used by any persons who are under the legal age of the jurisdiction in which You reside and therefore We will never intentionally collect any Personal Data from such persons. If You are under the legal age of consent, You will need Your parent’s or legal guardian’s permission to use the Site and to use Our services.
We shall consider that any Personal Data from under-age persons received by Us, shall be sent with the proper authority and that the sender can demonstrate such authority at any time, upon Our request.
If You are a prospective client trying to apply for a credit with Us, You will be subject to decision making taken solely by automated means, including profiling (at least at the first stage).
We use a system to decide whether to lend You money, when You apply for credit such as a loan, credit card or overdraft. This is called Credit Scoring. It uses data to assess how You are likely to act while paying back the amount of money You borrowed from Us. This includes data about similar accounts You may have had before. Credit Scoring uses data given to Us by You (through the application form), data We may already hold and other information We collect from other sources (e.g. information received from Credit Reference Agencies, the Central Bank of Malta’s Central Credit Register and other reference databases).
Since such processing solely by automated means is necessary for You to enter into a contract with Us (if for example, Your credit score is acceptable to Us), We will process Your Personal Data in this manner on the basis of Our Contractual Necessity without needing Your consent (as per Article 22 of the GDPR). However, please note, where we make an automated decision about You, You have the right to obtain human intervention, to express Your point of view with respect to the processing or contest the decision. You can do this by contacting us using the information provided below.
If You are already a client of the Bank, We use Your personal information to help decide if Your accounts may be being used fraudulently, money-laundering purposes or financing of terrorism. We may detect that an account is being used in ways that fraudsters work. Or We may notice that an account is being used in a way that is unusual for You. If We think there is a risk of fraud, We may stop activity on the accounts or refuse access to them.
Your Rights Under The Data Protection Law
Before addressing any request You make with Us, We may first need to verify Your identity. In all cases We will try to act on Your requests as soon as reasonably possible.
As explained in the Retention Periods section above, We may need to keep certain Personal Data for compliance with Our legal retention obligations but also to complete transactions that You requested prior to the change or deletion that You requested.
In certain circumstances, the following rights may be available to You and You can exercise these rights by making a request to us. Where these rights are not available to You and we cannot fulfil Your request, we will inform You of this and provide our reasons for such refusal.
Your Right of Access
You may, at any time request Us to confirm whether or not We are processing Personal Data that concerns You and, if We are, You shall have the right to access that Personal Data and to the following information:
- What Personal Data We have,
- Why We process them,
- Who We disclose them to,
- How long We intend on keeping them for (where possible),
- Whether We transfer them abroad and the safeguards We take to protect them,
- What Your rights are,
- How You can make a complaint,
- Where We got Your Personal Data from and
- Whether We have carried out any automated decision-making (including profiling) as well as related information.
Upon request, We shall (without adversely affecting the rights and freedoms of others including Our own) provide You with a copy of the Personal Data undergoing processing within one month of receipt of the request, which period may be extended by two months where necessary, taking into account the complexity and number of the requests. We shall inform You of any such extension within one month of receipt of the request, together with the reasons for the delay.
Your Right to Rectification
You have the right to ask Us to rectify inaccurate Personal Data and to complete incomplete Personal Data concerning You. We may seek to verify the accuracy of the data before rectifying it.
Your Right to Erasure (The Right to be Forgotten)
You have the right to ask Us to delete Your Personal Data and We shall comply without undue delay but only where:
- The Personal Data are no longer necessary for the purposes for which they were collected; or
- You have withdrawn Your consent (in those instances where We process on the basis of Your consent) and We have no other legal ground to process Your Personal Data; or
- You shall have successfully exercised Your right to object (as explained below); or
- Your Personal Data shall have been processed unlawfully; or
- There exists a legal obligation to which We are subject; or
- Special circumstances exist in connection with certain children’s rights.
In any case, We shall not be legally bound to comply with Your erasure request if the processing of Your Personal Data is necessary:
- for compliance with a legal obligation to which We are subject (including but not limited to Our data retention obligations); or
- for the establishment, exercise or defence of legal claims.
There are other legal grounds entitling Us to refuse erasure requests although the two instances above are the most likely grounds that may be invoked by Us to deny such requests.
Your Right to Data Restriction
You have the right to ask Us to restrict (that is, store but not further process) Your Personal Data but only where:
- The accuracy of Your Personal Data is contested (see the right to data rectification above), for a period enabling Us to verify the accuracy of the Personal Data; or
- The processing is unlawful and You oppose the erasure of Your Personal Data; or
- We no longer need the Personal Data for the purposes for which they were collected but You need the Personal Data for the establishment, exercise or defence of legal claims; or
- You exercised Your right to object and verification of Our legitimate grounds to override Your objection is pending.
Following Your request for restriction, except for storing Your Personal Data, We may only process Your Personal Data:
- Where We have Your consent; or
- For the establishment, exercise or defence of legal claims; or
- For the protection of the rights of another natural or legal person; or
- For reasons of important public interest.
Your Right to Data Portability
You have the right to ask Us to provide Your Personal Data (that You shall have provided to Us) to You in a structured, commonly used, machine-readable format, or (where technically feasible) to have it 'ported' directly to another data controller, provided this does not adversely affect the rights and freedoms of others. This right shall only apply where:
- The processing is based on Your consent or on the performance of a contract with You; and
- The processing is carried out by automated means.
Your Right to Withdraw Consent (when We rely on consent)
See Our Special Note on Consent for detailed information on this right (which You may exercise at any time).
Your Right to Object to Certain Processing
In those cases where We only process Your Personal Data when this is 1.) necessary for the performance of a task carried out in the public interest or 2.) when processing is necessary for the purposes of the legitimate interests pursued by Us or by a third party, You shall have the right to object to processing of Your Personal Data by Us. Where an objection is entered, the processing of data shall cease, unless We as data controller provide compelling and legitimate grounds requiring the continuation of the data processing which outweigh the objections You may have raised.
When your data is processed for direct marketing purposes, You have the right to object at any time to the processing of Your Personal Data, which includes profiling to the extent that it is related to such direct marketing.
For the avoidance of all doubt, when We process Your Personal Data when this is necessary for the performance of a contract, when necessary for compliance with a legal obligation to which We are subject or when processing is necessary to protect Your vital interests or those of another natural person, this general right to object shall not subsist.
Your Right to lodge a Complaint
You also have the right to lodge complaints with the appropriate Data Protection Supervisory Authority. The competent authority in Malta is the Office of the Information and Data Protection Commissioner (OIDPC).
We kindly ask that You please attempt to resolve any issues You may have with Us first (even though, as stated above, You have a right to contact the competent authority at any time).
WHAT WE MAY REQIURE FROM YOU
As one of the security measures We implement, before being in the position to help You exercise Your rights as described above We may need to verify Your identity to ensure that We do not disclose to or share any Personal Data with any unauthorised individuals.
TIME LIMIT FOR A RESPONSE
We try to reply to all legitimate requests within one month from receiving them. In some particular cases (for example, if the matter is particularly complex or if You send Us multiple requests), it may take Us longer than a month. In such cases, we will notify You accordingly and keep You updated.
If You have any questions/ comments about privacy or should You wish to exercise any of Your individual rights, please contact Us at: firstname.lastname@example.org or by writing to the Data Protection Officer (at the address above) by phoning Us using telephone number (+356) 2260 1000 (during normal office hours).