General Data Protection Regulation (GDPR)
GDPR Privacy Statement for MeDirect Website, Products and Services
This privacy statement explains what information we gather about you, what we use that information for and who we give that information to. It also sets out your rights concerning your information and who you can contact for more information or queries.
Who does this Privacy Statement Apply to and What does it Cover?
This privacy notice explains how MDB Group Limited and its subsidiaries, whether direct or indirect (including MeDirect Bank (Malta) plc, but excluding MeDirect Bank SA/NV), hereinafter referred to as the MeDirect Group, intend to look after your personal information. Personal information includes what you tell us about yourself, what we learn about you by having you as a customer, and your preferences with respect to the marketing material you would like us to send you. This notice explains how we do this and tells you about your privacy rights and how the law protects you. We are committed to protecting your privacy and handling your information in an open and transparent manner.
This privacy statement sets out how we will collect, handle, store and protect information about you when:
- we provide services to you,
- you use “our Website” or
- we perform any other activities that form part of the operation of our business.
When we refer to “our Website” or “this Website” in this policy we mean the specific webpages of MeDirect Bank (Malta) plc – www.medirect.com.mt
When we refer to “we” or “us” this means MeDirect Group.
This privacy statement also contains information about when we share your personal data with other third parties (for example, our service providers).
In this privacy statement, your information is sometimes referred to as “personal data” or “personal information”. We may sometimes also collectively refer to handling, collecting, protecting and storing your personal information as “processing” such personal information.
We collect and use different types of personal information and group them as follows.
Type of Personal Information | Description |
---|---|
Financial | Your financial position, status and history. The products you hold with us, your risk appetite, your investment objectives, your investment horizon and your net worth. |
Contact | Where you live, your telephone number, email address and how to contact you. |
Socio-Demographic | This includes details about your work or profession, nationality, education and where you fit in general social or income groupings. |
Transactional | Details about payments to and from your accounts with us as well as details relating to any investments held with us. |
Contractual | Details about the products or services we provide to you. |
Behavioural | Details about how and when you use our products and services, and the channels of communication used in the course of our relationship. |
Communications | What we learn about you from letters, emails and conversations (including by way of telephone) between us. We may record phone calls to confirm details of our conversations, to confirm and record transactions, for your protection, to train our staff and to maintain the quality of our service. |
Social Relationships | Your family, business partners, persons associated with you and other relationships. |
Open Data and Public Records | Details about you that are in public records and information about you that is openly available on the Internet. |
Usage Data | Other data about how you use our products and services. |
Documentary Data | Details about you that are stored in documents in different formats, or copies of them. This could include your passport, driver’s licence or birth certificate. |
Special types of data | The law and other regulations treat some types of personal information as special. We will only collect and use these types of data if the law allows us to do so, such as when there is:
|
Consents | Any permissions, consents or preferences that you give us. This includes things like how you want us to contact you, whether you prefer receiving paper statements or e-statements, and whether you allow us to send you marketing and other promotional material. |
National Identifier | A number or code given to you by a government to identify who you are, such as your national identity number. |
Photo Verification | Photos provided by you which we use for verification purposes during on-boarding. |
Technical | Details on the devices and technology you use. |
Information relating to the deceased customer’s succession and the relative heirs | Wills, court decrees and other deeds relating to deceased customers’ succession and the personal details of legatees, heirs and testamentary executors as nominated by the deceased. This also includes the contact details, personal relationship details and other information communicated by the notary or other legal representative duly authorised to represent the heirs/legatees/testamentary executors. |
What information do we collect?
We may collect or obtain such data because you give it to us (for example through a form on our Website), because other people give that data to us (for example a person acting on your behalf) or because it is publicly available.
The General Data Protection Regulation states that we are permitted to use personal information only if we have a proper reason to do so. This includes sharing it outside MeDirect Group. The regulation states that we must have one or more of these reasons:
- To fulfil a contractual obligation we have with you;
- When it is our legal duty;
- When it is in our legitimate interest;
- When you consent to it.
A legitimate interest is when we have a business or commercial reason to use your information. But even then, it must not unfairly go against what is right and best for you. If we rely on our legitimate interest, we will tell you what that is.
Here is a list of how we may use your personal information, and when relying on a legitimate interest, a description of the legitimate interest which we are pursuing.
What we use your personal information for | Our Reasons | Our Legitimate Interests |
---|---|---|
Where do we Collect Data from?
In the course of providing products and services to you and performing Know your Client (KYC) checks in connection with our products and services (or discussing possible products and services we might provide), we will collect or obtain personal data about you. We may also collect personal data from you when you use this Website.
We may collect personal information about you (or your business) from other companies within the MeDirect Group and the following sources.
Data you give to us:
- When you apply for our products and services (including when providing us with collateral in relation to such product/services);
- When you talk to us on the phone or meet us in person at our offices/branches;
- When you use our websites;
- Through secured messages (via e-banking), emails and letters including complaints;
- During financial reviews and interviews;
- During customer assessments;
- During customer surveys;
- When subscribing to our newsletters;
- When you participate in our promotions or attend an event organised by us.
Data we collect when you use our products and services. This includes the amount, frequency, type, location, origin and recipients:
- Payment and transaction data (including investment transactions);
- Profile and usage data. This includes the profile you create to identify yourself when you connect to our internet, mobile and telephone services. It also includes other data about how you use those services. We gather this data from devices you use to connect to those services, such as computers and mobile phones, using cookies and other internet tracking software.
Data from third parties we work with or use:
- Entities that introduce you to us;
- Your legal and/or financial advisers, consultants and notaries;
- Card associations;
- Credit reference agencies;
- Insurers;
- Social networks and social media channels including Facebook, LinkedIn and YouTube;
- Fraud prevention agencies;
- Public information sources;
- Agents, brokers or other distributors working on our behalf;
- Market researchers;
- Central Credit Register;
- Government and law enforcement agencies.
How do we Use Information about You?
We will use your personal data to provide you with products and services. In this context, we may use your personal data in the course of correspondence relating to the products or services. Such correspondence may be with you, our client, or your legal and/or financial advisers or duly appointed attorneys, other members of the MeDirect Group, our service providers or competent authorities. We may also use your personal data to conduct due diligence checks relating to the products or services we provide.
How we Use your Information in the course of Automated Processing?
We sometimes use automated systems and processes to evaluate certain personal information we have about you or your business. This is known as profiling. This helps us to make sure decisions are quick, fair, efficient, correct and lawful, based on what we know. No decision is solely based on such profiling.
Tailoring products and services | We may place you in groups with similar customers. These are called customer segments. We use these to study and learn about our customers’ needs and to make decisions based on what we learn. This helps us to design products and services for different customer segments and manage our relationships and communications with them (including marketing). |
Providing investment services | In order to comply with applicable regulation, we may (if and as required) compile information about you and use this information to build an investor profile and ensure the suitability of the investment services being provided to you. |
Preventing financial crime | As required by our legal and regulatory obligations and in line with our internal policies and procedures, we undertake a risk assessment on you and categorise you accordingly. |
Credit Reference Agencies
We carry out credit and identity checks when you apply for products or services for you or your business. The Bank may access information from the Central Credit Register (in terms of Directive No. 14 “Central Credit Register” issued on the 15th February 2016 by the Central Bank of Malta) in order to verify information on your present credit records for the assessment of credit risk upon signing the “Information Request Notification Form”.
As a licensed credit institution, we are also bound to provide information on our existing customers (in terms of Directive No. 14 “Central Credit Register” issued on the 15th February 2016 by the Central Bank of Malta) by reporting to the Central Bank of Malta the end-of-month balances of exposures exceeding €5000 of each customer, which information will include personal data such as ID card or passport numbers.
We may also use other Credit Reference Agencies (CRAs) such as Credit Info to help us with this. If you use our services, from time to time, we may also search information that the CRAs have, to help us manage those accounts.
We will share your personal information with CRAs, and they will give us information about you. The data we exchange can include:
- Name, address and date of birth;
- Credit application;
- Details of any shared credit;
- Financial situation and history;
- Public information, from sources such as the electoral register and company registrars.
We will use this data to:
- Assess whether you or your business can afford to make repayments;
- Identify any court order and/or judgments or other claims against you and your business;
- Make sure that what you’ve told us is true and correct;
- Help detect and prevent financial crime;
- Manage accounts with us;
- Trace and recover debts;
- Make sure that we tell you about relevant offers.
We will go on sharing your personal information with CRAs for as long as you are our customer. This will include details about your settled accounts and any debts not fully repaid on time. It will also include details of funds going into the account, and the account balance. If you borrow, it will also include details of your repayments and whether you repay in full and on time. The CRAs may give this information to other organisations that want to check credit status. We will also tell the CRAs when you settle your accounts with us.
When we ask CRAs about you or your business, they will note it on your credit file. This is called a credit search. Other lenders may see this, and we may see credit searches from other lenders.
If you apply for a product with another entity, we will link your records with theirs. We will do the same if you tell us you have a spouse, partner or civil partner – or that you are in business with other partners or directors. You should tell them about this before you apply for a product or service. It is important that they know that your records will be linked together, and that credit searches may be made on them.
CRAs will also link your records together. These links will stay on your files unless one of you asks the CRAs to break the link. You will normally need to give proof that you no longer have a financial link with each other.
For more information about CRAs please visit the websites of the main credit agencies:
Use of Personal Information Collected via our Website
In addition to the purposes connected to the operation of our business, as outlined above, we may also use your personal data collected via our Website:
- to manage and improve our Website;
- to tailor the content of our Website to provide you with a more personalised experience and draw your attention to information about our products and services that may be of interest to you;
- to manage and respond to any request you submit through our Website.
Who do we disclose your information to?
We may share your personal information with companies within the MeDirect Group and the following organisations:
- Credit reference agencies;
- Financial intelligence agencies;
- Law enforcement agencies;
- Tax authorities;
- Other competent authorities (including competent courts and tribunals and other authorities regulating us such as the Malta Financial Services Authority and the European Central Bank);
- Deposit Compensation Scheme;
- Any party linked with you or your business’s product or service;
- Individuals who are legally entitled to receive such information;
- Companies with which we have a joint venture or agreement of co-operation;
- Entities that introduce you to us;
- Entities that we introduce you to;
- Market researchers;
- Our independent Financial and Legal Advisors;
- Companies and other persons you ask us to share your data with;
- Third parties that provide services to MeDirect Group;
- Any other company being part of the MeDirect Group.
We may need to share your personal information with other organisations to provide you with the product(s) or service(s) you have chosen:
- If you require transactions effected via SWIFT (Society for Worldwide Interbank Financial Telecommunication), SEPA (Single Euro Payments Area) or via any other payment method, we will share transaction details with the relevant payment institutions.
- If you require use of a debit card, we may be required to share your personal information to ensure compliance with all applicable terms and conditions issued by the Card Provider in relation to the use of such card.
- If you have a secured loan or mortgage with us, we may share information with other lenders who also hold a charge on the property.
Aggregated / Anonymised information:
We may share non-personal, de-identified and aggregated information with third parties for several purposes, including data analytics, research, submissions, thought leadership and promotional purposes.
We may also share your personal information if the structure of MeDirect Group changes in the future:
- We may choose to sell, transfer, or merge parts of our business, or our assets. Or we may seek to acquire other businesses or merge with them.
- During any such process, we may share your data with other parties. We will only do this if they agree to keep your data safe and private.
- If the change to our Group happens, then other parties may use your data in the same way as set out in this notice.
Sending Data Outside of the European Economic Area (‘EEA’)
Please note that some of the recipients of your personal data referenced above may be based in countries outside of the EEA whose laws may not provide the same level of data protection. In such cases, we will ensure that there are adequate safeguards in place to protect your personal data that comply with our legal obligations.
Where the recipient is not a member of the MeDirect Group, the adequate safeguard might be a data transfer agreement with the recipient based on standard contractual clauses approved by the European Commission for transfers of personal data to third countries. You are welcome to contact us for more information regarding the adequate safeguards we have in place in relation to such data transfers.
Marketing
We may use your personal information to tell you about relevant products and offers. This is what we mean when we talk about ‘marketing’.
The personal information we have for you is made up of what you tell us, and data we collect when you use our products and services, or from third parties we work with.
We study this to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant to you.
We can only use your personal information to send you marketing material if we have either your consent or a legitimate interest. That is when we have a business or commercial reason to use your information. It must not unfairly go against what is right and best for you.
You can ask us to stop sending you marketing messages by contacting us at any time.
Whatever you choose, you’ll still receive statements and other important information such as changes and/or updates to your existing products and services.
We may ask you to confirm or update your choices if you take out any new products or services with us in the future. We will also ask you to do this if there are changes in the law, regulation, or the structure of our business.
If you change your mind, you can update your choices at any time by contacting us.
What if you Choose Not to give Personal Information?
We may need to collect personal information by law, or under the terms of a contract we have with you.
If you choose not to give us this personal information, it may delay or prevent us from meeting our obligations. It may also mean that we cannot perform services needed to run your accounts or policies. It could mean that we cancel a product or service you have with us.
Any data collection that is optional would be made clear at the point of collection.
Protection of your Personal Information?
We use a range of physical, electronic and managerial measures to ensure that we keep your personal data secure, accurate and up to date. These measures include the following:
- education and training to relevant staff to ensure they are aware of our privacy obligations when handling personal data;
- administrative and technical controls to restrict access to personal data on a ‘need to know’ basis;
- technological security measures, including firewalls, encryption and anti-virus software;
- physical security measures, such as staff security passes to access our premises;
- in line with our information security policy various security measures are in place to protect the group’s data from unauthorised disclosure, unauthorised modification and unauthorised loss;
- in line with our incident management procedure employees are guided on the steps which need to be followed in the event of a security and/or a data privacy breach;
- where data is processed by a third-party organisation as outlined in this privacy statement, we ensure that such third parties provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that any processing by them meets the GDPR requirements including the protection of your rights. Furthermore, we also ensure that processing by third parties is governed by an agreement between us and the third party which includes the necessary contractual clauses required to meet the relevant GDPR requirements.
Although we use appropriate security measures once we have received your personal data, the transmission of data over the internet (including by e-mail) is never completely secure. We endeavour to protect personal data, but we cannot guarantee the security of data transmitted to us or by us.
How long do we keep your Information for?
We will hold your personal data on our systems for the longest of the following periods:
- as long as you are a customer of MeDirect Group;
- any retention period that is required by law;
- the end of the period in which litigation or investigations might arise in respect of the product and services.
After you stop being a customer, we may keep your data for up to 10 years for one of these reasons:
- To respond to any questions or complaints;
- To show that we treated you fairly;
- To maintain records according to rules that apply to us.
We may keep your data for longer than ten years if we cannot delete it for legal, regulatory or technical reasons. We may also keep it for research or statistical purposes. If we do, we will make sure that your privacy is protected and only use it for those purposes.
Your Rights
You have various rights in relation to your personal data. You have a right to:
- obtain confirmation that we are processing your personal data and request a copy of the personal data we hold about you;
- ask that we update the personal data we hold about you, or correct such personal data that you think is incorrect or incomplete;
- ask that we delete personal data that we hold about you, or restrict the way in which we use such personal data;
- withdraw consent to our processing of your personal data (to the extent such processing is based on consent);
- receive a copy of the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit such personal data to another party (to the extent the processing is based on consent or a contract);
- object to our processing of your personal data.
You may also use these contact details if you wish to make a complaint to us relating to your privacy.
Should your requests in exercising the abovementioned rights be clearly unfounded or excessive, in particular because of their repetitive nature, we reserve the right to charge you a reasonable fee which shall be determined at our sole discretion, taking into account the administrative costs incurred by us to provide the information or communication or taking the action requested by you. We shall communicate to you in advance the fee amount that will be charged in the given circumstances.
How can you Avail of your Right to Complain?
Changes to this Privacy Statement
From time to time, we may modify or amend this privacy statement.
To let you know that we made changes to this privacy statement, we will amend the revision date at the top of each page. The new modified or amended privacy statement will apply from this revision date.
New versions will be posted to our website and changes will be effective after the date of posting. We therefore encourage you to periodically review this statement to be informed about how we are protecting your information. If we make any material changes, we will notify you of such changes.