Bank of Valletta p.l.c. Privacy Notice for Suppliers and Service Providers
1. Purpose of this document
In this notice, “BOV”, “the Bank”, “we”, and “us” refer to Bank of Valletta p.l.c. and its subsidiaries, BOV Asset Management Ltd and BOV Valletta Fund Services Ltd, and “our” shall be construed accordingly.
“You” or “your” refers to our suppliers and service providers who are individuals (such as self-employed persons), and to the representatives, employees, or contact persons of our contractors, suppliers and service providers who are legal entities.
BOV is committed to protecting the privacy and security of your personal data. This privacy notice describes how BOV processes your personal data. This notice applies to the processing of your personal data in the context of supplier and consultant relationships or when otherwise working with us as an external person.
This Notice can be updated at any time to reflect changes in requirements or relevant laws. If there are any substantial changes to the way we process data or changes that will affect you directly, we will notify you of these changes. The latest version can be accessed through the BOV website.
2. Who are we?
Bank of Valletta p.l.c. is licensed as a credit institution in terms of the Banking Act (Cap. 371 of the Laws of Malta) and is also in possession of a licence under the Investment Services Act (Cap. 370 of the Laws of Malta). The registered address of the Bank is situated at 58, Triq San Żakkarija, Il-Belt Valletta, VLT 1130, Malta.
3. What information do we have about you?
We obtain your personal information directly from you, through third parties or publicly available sources, or through the supplier or service provider for whom you work.
We may collect various types of personal data about you, including:
- your personal information (e.g., first name, last name, email address, address, phone number, identification document or information, photo or video recording);
- information about your employer (e.g., name of your company and your title, position);
- information for due diligence purposes (e.g., information on the ultimate beneficiary owners); and
- any other information necessary for the purposes of managing our relationship.
Additionally, for our suppliers and service providers who are individuals (such as self-employed persons), we may collect the following types of personal data, including:
- certain financial information (e.g., bank account details and invoices).
Additionally, for any person from our suppliers and service providers who have access to our Bank systems, we may collect the following types of personal data, including:
- information regarding your function (e.g., position, business unit, location);
- work related information (e.g., work order number, identification number, start date and end date, status of any required training, billing rate and amount);
- your electronic identification data where required for the purpose of delivering products or services to our company (e.g., login, passwords, badge number and photograph, IP address, online identifiers/cookies, logs, access and connection times, and CCTV footage or other video surveillance (only if legally permitted and where clearly indicated)); and
- certain compliance related information (e.g., records of required training).
If you intend to provide us with personal data about other individuals (e.g., your colleagues), you must provide a copy of this Privacy Notice to them directly or through your employer.
4. For which purposes do we use your personal data and why is this justified?
4.1 Legal basis for the processing:
We will not process your personal data without a proper legal basis. Therefore, we will only process your personal data if:
- the processing is necessary to take pre-contractual steps with you or to perform our contractual obligations towards you (or the supplier or service provider for whom you work);
- it is necessary to comply with our legal or regulatory obligations (e.g., conducting supplier due diligence or exercising our audit rights);
- it is necessary for our legitimate interests and does not unduly affect your interests or fundamental rights and freedoms. Please note that, when processing your personal data on this basis, we always seek to maintain a balance between our legitimate interests and your privacy. Examples of ‘legitimate interests’ are data processing activities performed:
  - to benefit from cost-effective services (e.g., we may opt to use certain platforms offered by suppliers or service providers to process data),
  - to offer our products and services to our customers,
  - to prevent fraud or criminal activity, misuse of our products or services, and to protect the security of our IT systems, architecture, and networks,
  - to sell any part of our business or its assets or to enable the acquisition of all or part of our business or assets by a third party,
  - to meet our corporate and social responsibility objectives;
- we have obtained your prior consent; and/or
- we are otherwise permitted or required by law to do so.
4.2 Purpose for processing
We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose. In particular, we process your personal data to:
- manage our suppliers and service providers;
- organise tenders, implement tasks in preparation of, or to perform existing contracts;
- monitor our facilities to ensure compliance with applicable policies and laws;
- grant you access to our facilities and/or certain technologies to allow you to perform services;
- manage our technology resources (e.g., cyber-risk management, infrastructure management and business continuity);
- preserve our economic interests and ensure compliance (e.g., complying with our policies and legal requirements, tax and deductions, managing alleged cases of misconduct or fraud, conducting audits and participating in litigation);
- preserve our legal interests (e.g., managing mergers and acquisitions involving our company, enforcing, or defending our legal rights);
- archiving and record-keeping;
- billing and invoicing; and
- any other purposes imposed by applicable law and governmental authorities.
You are under no obligation to provide the Bank your personal data. However, if you fail to provide personal data when requested which is necessary for us to manage our relationship with you or your employer as a service provider or supplier (e.g., information necessary to evaluate your qualifications or meet our regulatory and legal obligations), we may not be able to retain your services.
5. Who has access to your personal data and to whom are they transferred?
We will never sell your personal data.
In the course of our activities and for the purposes listed in this Privacy Notice, your personal data may be processed by the following categories of recipients on a need-to-know basis to achieve such purposes:
- personnel (e.g., employees, directors, investors, interns, contractors, etc., working in various departments);
- other suppliers and service providers that provide services and products to us;
- technology systems providers, including cloud and database providers, and related consultants;
- the subsidiaries of BOV Group;
- any third party to whom we assign our rights or obligations; and
- professional advisors and external lawyers.
Such recipients are obligated to protect the confidentiality and security of your personal data.
In certain limited circumstances, your personal data may be accessed by or transferred to law enforcement, regulatory bodies, or judicial authorities. This will occur only when legally required.
The personal data we collect from you may be processed, accessed, or stored by BOV Group in a different country than where you are located including outside of the European Economic Area.
We will not be sending personal data outside of the EEA. However, in case we transfer your personal data to another entity located in a country that does not offer adequate protections, we make use of the European Commission's standard contractual clauses. Standard contractual clauses are a set of contract terms approved by certain jurisdictions and deemed to provide adequate protection for cross-border transfers.
When we transfer your personal data to an external company in a country that does not offer adequate protections, we will make sure to protect your personal data by (i) requiring that the third party apply the level of protection required under the applicable local data protection laws, (ii) requiring that the third party act in accordance with our written instructions and our policies and standards and, (iii) unless otherwise specified, only transferring your personal data on the basis of an appropriate contractual mechanism (such as the standard contractual clauses approved by the European Commission).
6. How do we protect your personal data?
We implement appropriate technical and organizational measures to provide a level of security and confidentiality to your personal data. These measures take into account the state of the art of technology; the costs of its implementation; the nature of the personal data; and the risk of its processing.
The purpose of these measures is to protect your personal data against accidental or unlawful destruction or alteration, accidental loss, unauthorized disclosure or access, and against other unlawful forms of processing.
While we take reasonable care to implement such measures, the internet is inherently unsafe and we cannot guarantee the security of your personal data when transmitted over the internet, email, or on our websites.
Moreover, when handling your personal data, we:
- only collect and process personal data which is adequate, relevant, and tailored to meet the related purpose; and
- ensure that your personal data remains up to date and accurate.
We may request that you confirm the personal data we hold about you. You are invited to inform us whenever there is a change in your personal circumstances so we can update your personal data.
7. How long do we store your personal data?
We will not retain your personal data for longer than it is required for the maintenance of your relationship with us, or for any legal or regulatory requirements. Your information will be processed and kept for as long as necessary for us to be in compliance with our legal obligations, industry practices and/or accepted standards (including where processing may be necessary for the establishment, exercise or defence of legal claims).
Data will be kept within the Bank according to the schedule set out in our internal data retention policy. Further information about retention periods for different aspects of your personal data can be requested by contacting us at [email protected].
8. What are your rights?
Your rights in connection with personal data
Under certain circumstances, by law you have the right to:
- Request access to your personal data (known as a subject access request). This enables you to receive a copy of the personal data we hold about you and how we process it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal data to another party.
9. Contact details
The Bank has appointed a Data Protection Officer as the main point of contact between individuals and itself in relation to queries about personal data and the processing involved. The Data Protection Officer can be contacted using the details below. Should you feel the need to escalate the matter further, you can make a complaint to the Supervisory Authority in Malta, which is the Information and Data Protection Commissioner; contact details are below.
Bank’s Data Protection Officer Contact Details:
Land Line: (356) 2275 3700
Address: Bank of Valletta p.l.c.
Level 4, Centris Business Gateway,
Triq is-Salib tal-Imrieħel Zone 3,
Central Business District
Birkirkara CBD 3020 – Malta
Email: [email protected]
Supervisory Authority Contact Details:
Land Line: (356) 2328 7100
Address: Information and Data Protection Commissioner
Floor 2, Airways House
Tas-Sliema, SLM 1549
Email: [email protected]