1. Purpose of this document
In this notice “BOV”, “the Bank”, “we”, and “us” refers to Bank of Valletta p.l.c. and its subsidiaries; BOV Asset Management Ltd and BOV Valletta Fund Services Ltd, and “our” shall be construed accordingly.
“You” or “your”, refers to you, any attorney duly appointed by means of a power of attorney/mandate, trustees, executors, curators, guardians or any other legitimate representatives. If you are an insurance customer it also means you, named insured parties or beneficiaries under your policy, dependants, claimants and other third parties involved in an insurance policy or claim (such as witnesses).
BOV is committed to protecting the privacy and security of your personal data.
BOV is a "data controller". This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this Privacy Notice.
This Privacy Notice sets out the basis for which any of your personal data is collected and processed by us. It covers the types of information that we collect about you, why this is collected, with whom this will be shared and what measures we take to protect your data, in line with data protection legislation, including the General Data Protection Regulation and Data Protection Act (Chapter 586 of the Laws of Malta). Additionally, this Notice also details your rights in terms of data protection and how to approach the Bank on this subject matter.
This Notice can be updated at any time to reflect changes in requirements or relevant laws. If there are any substantial changes to the way we process data or changes that will affect you directly, we will notify you of these changes. The latest version can be accessed through http:www.bov.com/content/privacy.
2. Who are we?
Bank of Valletta p.l.c is licensed as a credit institution in terms of the Banking Act (Cap. 371 of the Laws of Malta) and is also in possession of a licence under the Investment Services Act (Cap. 370 of the Laws of Malta). The registered address of the Bank is situated at 58, Triq San Żakkarija, Il-Belt Valletta, VLT 1130, Malta.
3. General Data Protection Regulation Principles
In complying with the GDPR, we ensure that the personal information that we hold about you is:
· Used lawfully, fairly and in a transparent way.
· Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
· Relevant to the purposes we have told you about and limited only to those purposes.
· Accurate and kept up to date.
· Retained only for as long as required for the identified purposes and in line with our retention policy.
· Stored securely.
4. The data we collect about you
We are data controllers of your personal data and shall process your personal data for the purposes of providing service/s and/or products and to improve the same and for the other reasons set out in this notice, including clause 7 below. If you are availing yourself of our investment services we shall also process your personal data for the purposes of providing the service/s set out in the Terms of Business provided to you.
The term “personal data” refers to all personally identifiable information about you and includes all information which may arise or may be derived or collected about you throughout the relationship with us and that can identify you personally.
There are other types of data known as ‘special category’ that include sensitive personal information which require additional levels of protection.
We collect and process your personal data mainly to provide you with access to our services and products, and to help us improve same. The following is the data that we collect:
· Personal details: your names, gender, date and place of birth;
· Personal contact details:, address, contact numbers and personal e-mail address;
· Identification information: identity card/ passport, , nationality and citizenship, signature, TIN (taxpayer identification number);
· Information obtained when using our online services: usernames and login credentials;
· Localisation information;
· Information obtained by our monitoring systems for security and privacy purposes: recordings of telephone calls, CCTV in and around our premises;
· Banking information: financial information arising from your relationship with us and decisions we may have taken about your ability to manage credit terms, transaction and payments history, salary information, documentation necessary to evidence source of wealth and source of funds, or when necessary for the provision of investment services ;
· Records of your correspondence and other communications between us;
· Information provided to us by yourself when filling out forms, visiting our branches etc.;
· Risk rating information: credit risk rating, transactional behaviour and underwriting information;
· Investigations data: due diligence checks, sanctions and anti-money laundering checks, external intelligence reports, content and metadata related to relevant exchanges of information between and among individuals and/or organisations;
· Any other information we need to support our regulatory obligations;
· Information about detection of any suspicious and unusual activity and information about parties connected to you or these activities.
4.1 Our Job Applicants/Potential Employees:
We are the data controllers for the information you provide during a recruitment process, unless otherwise stated.
We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes.
We do not collect more information than we need to fulfil our stated purposes and will not keep it longer than necessary. The provision of Personal Data is on a voluntary basis. However, if you do not provide us with your Personal Data it may affect your application.
We may collect the following personal data about you during this process:
· Identity data: first name; last name; date of birth, identity card number/passport number;
· Contact Data: Email address; Telephone/Mobile phone number; Postal address;
· Other information: Personal data included in a CV, application form, cover letter or interview notes, such as qualification, skills, experience and employment history; Information about your entitlement to work in Malta (where applicable); References; Any other information, voluntarily disclosed by you, for which the Bank needs to make reasonable assessments during the recruitment process;
· Health data including medical condition, health and sickness records or confirmation if you are able to perform a given position (as applicable), information about any disabilities you might have. Information about criminal convictions and offences: As part of the recruitment process we may, depending on the position you have applied for, perform background checks on you in order to further evaluate and validate your application. Such background checks may include criminal records, public social media checks etc. Data about criminal records will only be processed if necessary to fulfil a legal and/or regulatory obligation to which the Bank is subject to.
All of the information we collect on you during the process will only be used for the purpose of assessing your suitability for the role you have applied for; progressing your application with a view to offering you an employment contract with us; and to fulfil our legal or regulatory requirements where necessary. Processing is necessary in order to take steps at the request of the data subject prior to entering into a contractual agreement.
5. How do we collect your personal information?
We may collect personal data about you from different sources, data including the following:
- Data given to us directly by yourself;
- Data collected automatically when you use BOV services including when you visit our websites and mobile channels;
- Data collected from communications with the Bank;
- Data collected from CCTV present around our premises;
- Data collected from other publicly available sources; and
- Data collected from third-parties including but not limited to Group entities, business partners or our clients’ business partners, service providers (e.g. payment initiation providers, service providers of account information such as account aggregators), credit reference agencies and fraud prevention agencies.
6. Scope of Processing
We will only use your personal information when the law allows us to. In general and most commonly, we will use your personal information in the following circumstances:
· Where it is necessary for performing the contract we have entered into with you;
· Where we need to comply with a legal obligation;
· Where it is in the public interest to do so; or for official purposes; and
· Where it is in our business legitimate interests.
There can be rare occasions where it becomes necessary to use your personal information to protect your interests (or someone else's interests).
More specifically, the Bank will process personal data for the purposes mentioned hereunder only, namely:
- To be able to provide the product or service that you have applied for, in order to fulfil our contract with you;
- To provide you with statements and other data regarding those products and services;
- For internal assessment and analysis (including credit and/or behaviour scoring, market, product analysis, risk management, and in order to protect our legitimate interest);
- For the detection and prevention of fraud, prevention of money laundering, prevention and detection of market abuse and other criminal activity which the Bank is bound to report, including the carrying out of customer due diligence. This will be done in order to fulfil our legal obligations and to safeguard our legitimate interest as well as public interest;
- In furtherance of our legitimate interest in developing and improving the Bank’s products and services. We will look at your information to identify possible service and product improvements. We’ll use your information to understand how you use these products and what are your preferences. The lawful basis for processing your information for this purpose is our legitimate interest. We do this to improve our products and services to best meet the needs of our customers;
- For the purpose of data analytics i.e. we’ll look at your information to identify opportunities to promote products and services to existing or prospective customers and to understand how our products and services are used. For example, this may include reviewing historical customer transactional behaviour, comparison of customer activity or it may include an analysis of your transactional information. We do this to help us provide you with products and services we think will be of most relevance to you. The lawful basis for using your information in this way is our legitimate interest;
- For direct marketing, such as to inform you, by mail, telephone, e-mail or other electronic means, about other products and services supplied by the Bank, its subsidiaries, associates, agents and by other carefully selected third parties, and for research purposes;
- To safeguard our legal rights, such as in the case of enforcing or protecting our security, or recovering amounts owed to us by you or your co-debtors, or other persons whose borrowing you have secured;
- In compliance with legal obligations which are imposed on us, including (amongst others) MiFID II, money-laundering detection and reporting, obligations under FATCA and CRS, and other obligations imposed upon us in terms of applicable law;
- If you have opted in, to inform you about our services and products.
We may use your data to protect you in the following ways:
- We may record phone calls to confirm details of our conversations, for your protection, to train our staff and to maintain the quality of our service.
- We use CCTV to record images in and around our premises to prevent and detect crime.
- Before we provide any service, we will carry out anti-money laundering checks, which may include searches to confirm your identity.
Your data may be transferred to and stored in locations outside the European Economic Area (EEA), including countries that may not have the same level of protection for personal data.
In doing so we shall ensure that transfers to each of these countries will be protected by appropriate safeguards, namely that such third party recipients are either subject to an adequacy decision or to appropriate safeguards in accordance with the applicable privacy laws and/or any other applicable legislation. We shall also ensure that we have a justifiable ground for such a transfer, such as our legitimate interest.
7. Lawful basis for processing your personal data
Since we process your data for various reasons, the lawful basis behind each process varies but the hereunder is the exhaustive list of all bases for processing your data in line with the GDPR:
· You as the data subject has given consent to the processing of your personal data Article 6(1)(a)).
· Processing required for us to perform a contract (Article 6(1)(b)).
· Processing required for us to carry out our legal obligations as a financial institution (Article 6(1)(c)).
· Processing required to protect your interests or those of another person (Article 6(1)(d)).
· Processing required to enable us to perform a public task (Article 6(1)(e)).
· Processing required for the purposes of our legitimate interest (Article 6(1)(f)).
The Bank will only use your personal information for the purposes for which it was collected, unless it is reasonable to consider that we need to use it for another reason and that reason is compatible with the original purpose.
8. Other Products and Services
From time to time, we would like to tell you about our other products and services, and those arranged by us with other suppliers such as insurance companies.
Any personal data you provide in the process of enquiring/ arranging any of our other products and services is provided in the strictest confidence. If you have already provided your consent, we will continue to rely on this permission until you request us to stop contacting you or to withdraw consent.
The Bank would like to send you information about BOV products and services which we think may be of interest to you and also products from our partners and relevant third parties. Processing for direct marketing will only be lawful if prior consent has been acquired. If you have previously agreed to us contacting you about marketing but have now changed your mind, we kindly ask you to contact us as advised below so that we can update your preferences.
You have the right to stop the Bank from using your contact details for marketing purposes at any time, as advised in Sections 13 and 16.
In case of social media marketing, you can control the delivery of certain advertising or social campaigns through the settings offered by the respective third-party platforms (e.g. Facebook).
In addition, if you download our mobile applications from the Apple AppStore or Google Play, the only way to prevent receipt of notifications is by changing the settings on the device itself.
9. Data we share and with whom
We do not share personal data with companies, organisations and individuals outside of the Bank unless one of the following circumstances applies:
- With your consent - We will share personal data with companies, organisations or individuals outside of the Bank when we have your consent to do so
- For external processing - We provide personal data to trusted businesses or persons to whom we may outsource certain functions from time to time, in order to provide you with the products or services you have requested, and in compliance with our Privacy Notice and any other appropriate confidentiality and security measures
- For legal reasons - We will share personal data with companies, organisations or individuals outside of the Bank if we have a good-faith belief that access, use, preservation or disclosure of the data is reasonably necessary to
- meet any applicable law, regulation, legal process or enforceable governmental request
- enforce applicable terms of service, including investigation of potential violations
- detect, prevent, or otherwise address fraud
- protect against harm to the rights, property or safety of the Bank, our users or the public as required or permitted by law
We may share your information for the above mentioned purposes with others such as:
· Our employees and representatives, members of the BOV Group and our affiliates; our third party service providers, agents, delegates, sub-contractors and/or any other party which may be engaged or otherwise used by us (including suppliers of the Bank and any person engaged by us to carry out services) for any purpose as mentioned in section 6 above;
· Any other individuals with whom you hold a joint account, beneficiaries, and intermediaries;
· Any transactional data shared amongst parties involved in the transactions;
· Maltese or foreign authorities who may request such data in carrying out their functions such as law enforcements units, government, courts and other regulatory bodies;
· Other financial institutions, lenders and holders of security over any property you charge to us or pledge in our favour, tax authorities, trade associations, credit reference agencies, payment service providers and debt recovery agents;
· The Central Bank of Malta in order to update the Central Credit Register maintained by the Central Bank of Malta;
· Fraud and crime prevention agencies who will use the data provided to verify your identity, detect and prevent fraud and other financial crimes;
We may share non-personally identifiable data publicly. For example, we may share data publicly to show trends about the general use of our services.
If the Bank is involved in a merger, acquisition or asset sale, we will continue to ensure the confidentiality of any personal data and give affected users notice before personal data is transferred or becomes subject to a different Privacy Notice.
10. Transferring Your Data Outside the EEA
Your personal data may be transferred to and stored in locations outside the European Economic Area (EEA), including countries that may not have the same level of protection for personal data. When we do this, we will ensure it has an appropriate level of protection and that the transfer is in line with applicable legal requirements. We may need to transfer your personal data in this way to carry out our contract with you, to fulfil a legal obligation, to protect the public interest and/or for our legitimate interests. In some countries the law might mean we have to share certain information, for example, with tax authorities. Even in these cases, we will only share your personal data with people who have the right to see it.
11. Data Retention
We will not retain your personal data for longer than it is required for the maintenance of your relationship with us, or for any legal or regulatory requirements. Your information will be processed and kept for as long as necessary for us to be in compliance with our legal obligations, industry practices and/or accepted standards (including where processing may be necessary for the establishment, exercise or defence of legal claims).
Data will be kept within the Bank according to the schedule set out in our internal data retention policy. Further information about retention periods for different aspects of your personal data can be requested by contacting us at [email protected].
12. Data Security
We make sure to use reasonable measures to protect the personal data within the Bank. If you have reason to believe that your interaction with us is no longer secure, please advise us immediately.
When you visit any of BOV’s websites, we use (and authorised third parties to use) cookies and similar technologies (the “Cookies”).
The Cookies allow us to automatically collect information about you and your online behaviour, as well as your device (for example your computer or mobile device), for different purposes such as in order to enhance your navigation on our website, improve our websites’ performance and customize your experience on our websites, perform analytics, deliver content which is tailored to your interests and administer services to our users and customers.
14. Data Subject Rights
Your rights in connection with personal data under certain circumstances, by law you have the right t
- Request access to your personal data (known as a subject access request). This enables you to receive a copy of the personal data we hold about you and how we process it;
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal data to another party.
15. Withdrawal of consent
In the case where you have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.
To withdraw your consent, please contact the Bank via the available channels as detailed in Section 16. All requests will be responded to in a timely manner.
16. Use of data processors
As controllers of data, we make use of data processors who are third parties and provide services to us. To regulate our relationship, we have contractual agreements in place to safeguard our interests and your personal data. They are not authorised to do anything with your personal data unless specifically instructed by us. When we do this, we will make sure that it has an appropriate level of protection and that the transfer is lawful. We may need to transfer your data in this way to carry out our contract with you, to fulfil a legal obligation, to protect the public interest and/or for our legitimate interests.
17. Updates to this Privacy Notice
We reserve the right to update this privacy notice at any time. The updated privacy notice will be published on our website. If you have any questions about this Privacy Notice, please contact us at [email protected]
Should you have any queries or would like to update your data processing preferences, please contact us on the Data Protection Officer’s details hereunder. All requests and queries related to data protection should be directed to the DPO’s attention whilst queries in relation to other matters should be directed to the Bank’s contact details.
If you believe there are areas within which our service could be improved, please contact the Bank’s customer service as advised here.
18. Contact details
The Bank has appointed a Data Protection Officer as the main point of contact between individuals and itself in relation to queries about personal data and the processing involved thereof. The Data Protection Officer can be contacted on the hereunder details. Should you feel the need to escalate the matter further, you can make a complaint to the Supervisory Authority in Malta which is the Information and Data Protection Commissioner; contact details are below.
Bank’s Data Protection Officer Contact Details:
Land Line: (356) 2275 3700
Address: Bank of Valletta p.l.c.
Level 4, Centris Business Gateway,
Triq is-Salib tal-Imrieħel Zone 3,
Central Business District
Birkirkara CBD 3020 – Malta
Email: [email protected]
Bank contact Details:
Land Line: (356) 2131 2020
Address: Customer Issues Unit,
Bank of Valletta p.l.c.
Level 4, 45 Triq ir-Repubblika,
Il-Belt Valletta VLT 1113 – Malta
Email: [email protected]
Supervisory Authority Contact Details:
Land Line: (356) 2328 7100
Address: Information and Data Protection Commissioner
Floor 2, Airways House
Tas-Sliema, SLM 1549
Email: [email protected]