General Data Protection Regulation (GDPR)

GDPR Privacy Statement for MeDirect Website, Products and Services

This privacy statement explains what information we gather about you, what we use that information for and who we give that information to. It also sets out your rights concerning your information and who you can contact for more information or queries.

Who does this Privacy Statement Apply to and What does it Cover?

This privacy notice explains how MDB Group Limited and its subsidiaries, whether direct or indirect (including MeDirect Bank (Malta) plc, but excluding MeDirect Bank SA/NV), hereinafter referred to as the MeDirect Group, intend to look after your personal information. Personal information includes what you tell us about yourself, what we learn about you by having you as a customer, and your preferences with respect to the marketing material you would like us to send you. This notice explains how we do this and tells you about your privacy rights and how the law protects you. We are committed to protecting your privacy and handling your information in an open and transparent manner.

This privacy statement sets out how we will collect, handle, store and protect information about you when:

When we refer to “our Website” or “this Website” in this policy we mean the specific webpages of MeDirect Bank (Malta) plc –

When we refer to “we” or “us” this means MeDirect Group.

This privacy statement also contains information about when we share your personal data with other third parties (for example, our service providers).

In this privacy statement, your information is sometimes referred to as “personal data” or “personal information”. We may sometimes also collectively refer to handling, collecting, protecting and storing your personal information as “processing” such personal information.

We collect and use different types of personal information and group them as follows.

Type of Personal Information: Description
Financial: Your financial position, status and history. The products you hold with us, your risk appetite, your investment objectives, your investment horizon and your net worth.
Contact: Where you live, your telephone number, email address and how to contact you.
Socio-Demographic: This includes details about your work or profession, nationality, education and where you fit in general social or income groupings.
Transactional: Details about payments to and from your accounts with us as well as details relating to any investments held with us.
Contractual: Details about the products or services we provide to you.
Behavioural: Details about how and when you use our products and services, and the channels of communication used in the course of our relationship.
Communications: What we learn about you from letters, emails and conversations (including by way of telephone) between us. We may record phone calls to confirm details of our conversations, to confirm and record transactions, for your protection, to train our staff and to maintain the quality of our service.
Social Relationships: Your family, business partners, persons associated with you and other relationships.
Open Data and Public Records: Details about you that are in public records and information about you that is openly available on the Internet.
Usage Data: Other data about how you use our products and services.
Documentary Data: Details about you that are stored in documents in different formats, or copies of them. This could include your passport, driver’s licence or birth certificate.
Special types of data: The law and other regulations treat some types of personal information as special. We will only collect and use these types of data if the law allows us to do so, such as when there is:
  • Criminal convictions and offences
  • Political exposure
Consents: Any permissions, consents or preferences that you give us. This includes things like how you want us to contact you, whether you prefer receiving paper statements or e-statements, and whether you allow us to send you marketing and other promotional material.
National Identifier: A number or code given to you by a government to identify who you are, such as your national identity number.
Photo Verification: Photos provided by you which we use for verification purposes during on-boarding.
Technical: Details on the devices and technology you use.
Information relating to the deceased customer’s succession and the relative heirs: Wills, court decrees and other deeds relating to deceased customers’ succession and the personal details of legatees, heirs and testamentary executors as nominated by the deceased. This also includes the contact details, personal relationship details and other information communicated by the notary or other legal representative duly authorised to represent the heirs/legatees/testamentary executors.

What information do we collect?

We may collect or obtain such data because you give it to us (for example through a form on our Website), because other people give that data to us (for example a person acting on your behalf) or because it is publicly available.

The General Data Protection Regulation states that we are permitted to use personal information only if we have a proper reason to do so. This includes sharing it outside MeDirect Group. The regulation states that we must have one or more of these reasons:

A legitimate interest is when we have a business or commercial reason to use your information. But even then, it must not unfairly go against what is right and best for you. If we rely on our legitimate interest, we will tell you what that is.

Here is a list of how we may use your personal information, and when relying on a legitimate interest, a description of the legitimate interest which we are pursuing.

What we use your personal information for:
  • To manage our relationship with you.
  • To develop new ways to meet our customers’ needs and to grow our business.
  • To develop and carry out marketing activities.
  • To evaluate how our customers use products and services from us and other organisations.
  • To keep track of our customers’ preferences, choices and decisions.
  • To provide information or guidance about our products and services.
Our Reasons:
  • Your consent.
  • Fulfilling contracts.
  • Our legitimate interests.
  • Our legal duty.
Our Legitimate Interests:
  • Keeping our records up to date, working out which of our products and services may interest you and telling you about them.
  • Developing products and services, and what we charge for them.
  • Defining types of customers for new products or services.
  • Seeking your consent when we need it to contact you.
  • Being efficient about how we fulfil our legal duties.

What we use your personal information for:
  • To develop and manage our brands, products and services.
  • To test new products.
  • To manage how we work with other companies that provide services to our customers and us.
Our Reasons:
  • Fulfilling contracts.
  • Our legitimate interests.
  • Our legal duty.
Our Legitimate Interests:
  • Developing products and services, and what we charge for them.
  • Defining types of customers for new products or services.
  • Being efficient about how we fulfil our legal and contractual duties.

What we use your personal information for:
  • To deliver our products and services.
  • To make and manage customer payments.
  • To manage fees, charges and interest due on customer accounts.
  • To collect and recover money that is owed to us.
  • To manage and provide treasury and investment products and services.
Our Reasons:
  • Fulfilling contracts.
  • Our legitimate interests.
  • Our legal duty.
Our Legitimate Interests:
  • Being efficient about how we fulfil our legal and contractual duties.
  • Complying with regulations that apply to us.

What we use your personal information for:
  • To detect, investigate, report, and seek to prevent financial crime.
  • To manage risk for our customers and us.
  • To obey laws and regulations that apply to us.
  • To respond to complaints and seek to resolve them.
Our Reasons:
  • Fulfilling contracts.
  • Our legitimate interests.
  • Our legal duty.
Our Legitimate Interests:
  • Developing and improving how we deal with financial crime, as well as doing our legal duties in this respect.
  • Complying with regulations that apply to us.
  • Being efficient about how we fulfil our legal and contractual duties.

What we use your personal information for:
  • To run our business in an efficient and proper way. This includes managing our financial position, business capability, planning, communications, corporate governance, and audit.
Our Reasons:
  • Our legitimate interests.
  • Our legal duty.
Our Legitimate Interests:
  • Complying with regulations that apply to us.
  • Being efficient about how we fulfil our legal and contractual duties.

What we use your personal information for:
  • To exercise our rights set out in agreements or contracts.
Our Reasons:
  • Fulfilling contracts.

What we use your personal information for:
  • In the context of the provision of discretionary management services, to ensure suitability of our products and services with your investment objectives, risk appetite and investment horizon.
Our Reasons:
  • Fulfilling contracts.
  • Our legitimate interests.
  • Our legal duty.
Our Legitimate Interests:
  • Complying with regulations that apply to us.
  • Being efficient about how we fulfil our legal and contractual duties.

Where do we Collect Data from?

In the course of providing products and services to you and performing Know your Client (KYC) checks in connection with our products and services (or discussing possible products and services we might provide), we will collect or obtain personal data about you. We may also collect personal data from you when you use this Website.

We may collect personal information about you (or your business) from other companies within the MeDirect Group and the following sources.

Data you give to us:

Data we collect when you use our products and services. This includes the amount, frequency, type, location, origin and recipients:

Data from third parties we work with or use:

How do we Use Information about You?

We will use your personal data to provide you with products and services. In this context, we may use your personal data in the course of correspondence relating to the products or services. Such correspondence may be with you, our client, or your legal and/or financial advisers or duly appointed attorneys, other members of the MeDirect Group, our service providers or competent authorities. We may also use your personal data to conduct due diligence checks relating to the products or services we provide.

How do we Use your Information in the course of Automated Processing?

We sometimes use automated systems and processes to evaluate certain personal information we have about you or your business. This is known as profiling. This helps us to make sure decisions are quick, fair, efficient, correct and lawful, based on what we know. No decision is solely based on such profiling.

Tailoring products and services: We may place you in groups with similar customers. These are called customer segments. We use these to study and learn about our customers’ needs and to make decisions based on what we learn. This helps us to design products and services for different customer segments and manage our relationships and communications with them (including marketing).
Providing investment services: In order to comply with applicable regulation, we may (if and as required) compile information about you and use this information to build an investor profile and ensure the suitability of the investment services being provided to you.
Preventing financial crime: As required by our legal and regulatory obligations and in line with our internal policies and procedures, we undertake a risk assessment on you and categorise you accordingly.

Credit Reference Agencies

We carry out credit and identity checks when you apply for products or services for you or your business. The Bank may access information from the Central Credit Register (in terms of Directive No. 14 “Central Credit Register” issued on the 15th February 2016 by the Central Bank of Malta) in order to verify information on your present credit records for the assessment of credit risk upon signing the “Information Request Notification Form”.

As a licensed credit institution, we are also bound to provide information on our existing customers (in terms of Directive No. 14 “Central Credit Register” issued on the 15th February 2016 by the Central Bank of Malta) by reporting to the Central Bank of Malta the end-of-month balances of exposures exceeding €5000 of each customer, which information will include personal data such as ID card or passport numbers.

We may also use other Credit Reference Agencies (CRAs) such as Credit Info to help us with this. If you use our services, from time to time, we may also search information that the CRAs have, to help us manage those accounts.

We will share your personal information with CRAs, and they will give us information about you. The data we exchange can include:

We will use this data to:

We will go on sharing your personal information with CRAs for as long as you are our customer. This will include details about your settled accounts and any debts not fully repaid on time. It will also include details of funds going into the account, and the account balance. If you borrow, it will also include details of your repayments and whether you repay in full and on time. The CRAs may give this information to other organisations that want to check credit status. We will also tell the CRAs when you settle your accounts with us.

When we ask CRAs about you or your business, they will note it on your credit file. This is called a credit search. Other lenders may see this, and we may see credit searches from other lenders.

If you apply for a product with another entity, we will link your records with theirs. We will do the same if you tell us you have a spouse, partner or civil partner – or that you are in business with other partners or directors. You should tell them about this before you apply for a product or service. It is important that they know that your records will be linked together, and that credit searches may be made on them.

CRAs will also link your records together. These links will stay on your files unless one of you asks the CRAs to break the link. You will normally need to give proof that you no longer have a financial link with each other.

For more information about CRAs please visit the websites of the main credit agencies:

Use of Personal Information Collected via our Website

In addition to the purposes connected to the operation of our business, as outlined above, we may also use your personal data collected via our Website:

Who do we disclose your information to?

We may share your personal information with companies within the MeDirect Group and the following organisations:

We may need to share your personal information with other organisations to provide you with the product(s) or service(s) you have chosen:

Aggregated / Anonymised information:

We may share non-personal, de-identified and aggregated information with third parties for several purposes, including data analytics, research, submissions, thought leadership and promotional purposes.

We may also share your personal information if the structure of MeDirect Group changes in the future:

Sending Data Outside of the European Economic Area (‘EEA’)

Please note that some of the recipients of your personal data referenced above may be based in countries outside of the EEA whose laws may not provide the same level of data protection. In such cases, we will ensure that there are adequate safeguards in place to protect your personal data that comply with our legal obligations.

Where the recipient is not a member of the MeDirect Group, the adequate safeguard might be a data transfer agreement with the recipient based on standard contractual clauses approved by the European Commission for transfers of personal data to third countries. You are welcome to contact us for more information regarding the adequate safeguards we have in place in relation to such data transfers.

Read more on the EU Data Protection site.


We may use your personal information to tell you about relevant products and offers. This is what we mean when we talk about ‘marketing’.

The personal information we have for you is made up of what you tell us, and data we collect when you use our products and services, or from third parties we work with.

We study this to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant to you.

We can only use your personal information to send you marketing material if we have either your consent or a legitimate interest. That is when we have a business or commercial reason to use your information. It must not unfairly go against what is right and best for you.

You can ask us to stop sending you marketing messages by contacting us at any time.

Whatever you choose, you’ll still receive statements and other important information such as changes and/or updates to your existing products and services.

We may ask you to confirm or update your choices if you take out any new products or services with us in the future. We will also ask you to do this if there are changes in the law, regulation, or the structure of our business.

If you change your mind, you can update your choices at any time by contacting us.

What if you Choose Not to give Personal Information?

We may need to collect personal information by law, or under the terms of a contract we have with you.

If you choose not to give us this personal information, it may delay or prevent us from meeting our obligations. It may also mean that we cannot perform services needed to run your accounts or policies. It could mean that we cancel a product or service you have with us.

Any data collection that is optional would be made clear at the point of collection.

Protection of your Personal Information?

We use a range of physical, electronic and managerial measures to ensure that we keep your personal data secure, accurate and up to date. These measures include the following:

Although we use appropriate security measures once we have received your personal data, the transmission of data over the internet (including by e-mail) is never completely secure. We endeavour to protect personal data, but we cannot guarantee the security of data transmitted to us or by us.

How long do we keep your Information for?

We will hold your personal data on our systems for the longest of the following periods:

After you stop being a customer, we may keep your data for up to 10 years for one of these reasons:

We may keep your data for longer than ten years if we cannot delete it for legal, regulatory or technical reasons. We may also keep it for research or statistical purposes. If we do, we will make sure that your privacy is protected and only use it for those purposes.

Your Rights

You have various rights in relation to your personal data. You have a right to:

To exercise any of your rights, or if you have any other questions about our use of your personal data, please email or write to us at the following address: Data Protection Officer, Level 2, The Centre, Tigne Point, Sliema TPO 0001, Malta.

You may also use these contact details if you wish to make a complaint to us relating to your privacy.

Should your requests in exercising the abovementioned rights be clearly unfounded or excessive, in particular because of their repetitive nature, we reserve the right to charge you a reasonable fee which shall be determined at our sole discretion, taking into account the administrative costs incurred by us to provide the information or communication or taking the action requested by you. We shall communicate to you in advance the fee amount that will be charged in the given circumstances.

How can you Avail of your Right to Complain?

If you are unhappy with the way we have handled your personal data or any privacy query or request that you have raised with us, you have a right to complain to the Office of the Information and Data Protection Commissioner. Find out on the IDPC website how to send a complaint.

Changes to this Privacy Statement

From time to time, we may modify or amend this privacy statement.

To let you know that we made changes to this privacy statement, we will amend the revision date at the top of each page. The new modified or amended privacy statement will apply from this revision date.

New versions will be posted to our website and changes will be effective after the date of posting. We therefore encourage you to periodically review this statement to be informed about how we are protecting your information. If we make any material changes, we will notify you of such changes.


To find out more about how we use cookies, please read our cookie policy.

