GDPR stands for General Data Protection Regulation and is the European Union Regulation set to replace the Data Protection Directive (DPD). GDPR was approved by the EU Parliament on April 14th 2016 and involves the protection of personal data and the rights of individuals. Its aim is to ease the flow of personal data across the 28 EU member states. GDPR came into effect on the 25th May 2018.

GDPR introduces 8 fundamental rights under GDPR. These are: The right to be informed – Organisations must be completely transparent with regards to how they use personal data. The right of access – Data subjects (identifiable people) have the right to access their personal data and supplementary information. This means that you are aware of and able to verify the lawfulness of the processing of your data.  The right to erasure (or right to be forgotten) – You are entitled to have your personal data erased or removed without the need for a specific reason as to why you wish to discontinue. The right to object – You have the right to object to the processing of your data based on legitimate interests and/or direct marketing and/or processing for scientific, historical research or statistical purposes. The right to rectification – You have the right to rectify or complete any personal information that an organisation holds about you. The right to data portability – You have the right to obtain and reuse your personal data for your own purposes, across different services. You are also entitled to move, copy or transfer your data from one organisation to another. The right to restriction of processing – You have the right to restrict or suppress access to your personal data. The right of automated decision-making and profiling – GDPR has introduced controls to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example you can choose not to be the subject of a decision where the consequence has a legal bearing on you or is based on automated processing.

MeDirect has worked on a GDPR compliance programme. Different initiatives have been carried out with both customers and employees in mind, including: Updating our Data Protection Policy Providing Data Privacy awareness training to all our employees Delivering training to employees on how to deal with GDPR requests Revising our Privacy Notices, Terms and Conditions and Cookie policy Revising our Marketing Consent statements Updating our internal policies to ensure that they are in line with GDPR legislation

MeDirect ensures that your data is stored securely. Therefore, we have implemented and constantly updated our technologies to ensure that your personal data is protected from unauthorised access, unauthorised modification or loss. In instances where a third-party provides a service to MeDirect we ensure that they are contractually bound to implement adequate information security controls to safeguard access to your data including encryption. Data provided to those third-parties shall only be utilised for the sole purposes stipulated in the contractual agreement.

We have updated our Privacy Notice to reflect GDPR requirements. The Notice provides an explanation of what information we gather about you, what we use the information for and who we give the information to. The Privacy statement also sets out your rights as a Data subject and provides the MeDirect point of contacts to clarify any questions you might have on Data Privacy.

GDPR requires that at least one of the following six ‘lawful basis’ apply, in order for us to process your data: Consent – As a Data subject you must provide clear consent to process personal data for a specific purpose. For the purposes of documentation, your declaration of consent must be obtained in writing, electronically or through a recorded oral statement. Contract – Processing your data is necessary to fulfil the obligations of a contract. Legal obligation – Processing your data is necessary to comply with a legal obligation. Vital interests – Processing your data is necessary to protect someone’s life. Public task – Processing your data is necessary to perform a task in the public interest or for official functions. In this scenario the task or function must have a clear basis in law. Legitimate interests – Processing your data is necessary for the legitimate interests of an individual or the legitimate interests of a third-party, unless there is good reason to protect the individual’s personal data which overrides those legitimate interests.

MeDirect uses a number of channels to inform its customers on new products, services and promotions including post, telephone, email and SMS. We give an option to our clients to specify whether they would like to receive marketing communications together with the channels they would like to receive communication on. Following submission of your marketing consent preferences these may still be updated in the future through one of the following ways: Calling our Customer Service Centre on (+356) 2557 4400 Emailing our Data Protection Officer (DPO) on dataprotection@medirect.com.mt Visiting any one of our investment centres Updating your profile on our secure online banking platform