MFSA Privacy Notice


This Privacy Notice provides information on the processing of personal data by the Malta Financial Services Authority (the “Authority” or “MFSA”) in the exercise of its statutory functions, in the fulfilment of its employment obligations and in the administration of its procurement processes, as outlined below.

Data Controller

The MFSA is the controller of personal data in terms of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – “the GDPR”), and the Data Protection Act (Chapter 586 of the Laws of Malta – “DPA”).

The MFSA processes personal data in accordance with the GDPR, the DPA and any other relevant European Union (“EU”) and national legislation. The MFSA ensures inter alia the confidentiality, integrity and security of this personal data.

The MFSA is located at Triq l-Imdina, Zone 1, Central Business District, Birkirkara, CBD 1010, Malta.

Legal Basis for Processing

Unless otherwise specified, the MFSA processes personal data on the following legal bases under Article 6 GDPR:

  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the MFSA is subject;
  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the MFSA;
  • Article 6(1)(b) – processing is necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract (e.g. recruitment, procurement);
  • Article 6(1)(f) – processing is necessary for legitimate interests pursued by the MFSA (where applicable and provided such interests are not overridden by the interests or fundamental rights and freedoms of the data subject);
  • Article 6(1)(a) – consent, in accordance with Article 7 GDPR.

Where special categories of personal data are processed, the MFSA relies on Article 9(2)(g) GDPR (substantial public interest), Article 9(2)(b) (employment law obligations) or Article 9(2)(f) (processing is necessary for the establishment, exercise or defence of legal claims), or other applicable provisions under EU or national law.

Purpose for Collecting Personal Data

Processing of Personal Data in the Exercise of Statutory Functions

The MFSA processes personal data as necessary for the performance of its statutory functions and the exercise of its official authority as established under applicable financial services legislation. These functions include, inter alia:

  • Authorisation and licensing of regulated entities and individuals;
  • Ongoing supervision and regulatory oversight;
  • Enforcement and compliance investigations;
  • Resolution, recovery and crisis management functions;
  • Market monitoring and maintenance of statutory registers;
  • Promotion of consumer protection by safeguarding consumers’ rights and interests in the financial sector; and
  • Cooperation and information exchange with national, European and international competent authorities and/or organisations.

Categories of Data Subjects

The MFSA may process personal data relating to the following categories of individuals, in the exercise of its statutory functions:

  • Applicants for authorisation, licensing, or approval, including individuals subject to fitness and properness assessments;
  • Shareholders, beneficial owners, directors, key function holders, and employees of regulated entities;
  • Individuals subject to supervisory reviews, inspections, or enforcement investigations;
  • Individuals whose personal data is processed in connection with the supervision of licensed entities;
  • Persons discharging managerial responsibilities (PDMRs) and persons closely associated with them;
  • Individuals connected to resolution, recovery, and crisis management processes;
  • Beneficial owners of trusts and other legal arrangements required to be registered under applicable law;
  • Individuals applying under specific statutory schemes administered by the MFSA (including tax-related eligibility determinations);
  • Members of committees, working groups, and regulatory cooperation structures;
  • Complainants, whistleblowers, and other individuals engaging with the MFSA; and
  • Other individuals whose personal data is provided to the MFSA pursuant to applicable financial services legislation.

Categories of Personal Data Processed

The MFSA may process the following categories of personal data depending on the statutory function exercised:

  • Identification data including name, ID/passport details, date of birth;
  • Contact details including business and/or residential address, email address, telephone number;
  • Professional and employment information;
  • Financial information;
  • Shareholding and/or ownership information;
  • Regulatory and compliance-related information;
  • Information relating to suitability, reputation, and fitness and properness assessments;
  • Information collected during on-site or off-site supervisory inspections, audits, or monitoring visits, including observations, records, and documents reviewed as part of regulatory oversight;
  • Information relevant to investigations and enforcement proceedings;
  • Information submitted through statutory registers and reporting obligations; and
  • Where strictly necessary and authorised by law, special categories of personal data.

The processing of personal data by the MFSA arises from statutory requirements under applicable Maltese and European Union financial services legislation. Where the provision of personal data is mandatory, failure to provide such data may prevent the MFSA from processing an application, granting approval, or otherwise performing its statutory functions.

Whilst most personal data is obtained directly from the data subject, certain data may be collected from regulated entities, competent authorities, public registers, or other lawful sources. Where personal data are not obtained directly from the individual concerned, the MFSA will provide the information required under Article 14 GDPR, unless an exemption under Article 14(5) or Article 23 GDPR applies.

Processing of Personal Data through the Licence Holder (LH) Portal

The MFSA operates the LH Portal, an online platform used to facilitate communication and regulatory interactions between the MFSA and applicants, licence holders, authorised persons, service providers, and other stakeholders.

The LH Portal enables users to submit and manage regulatory applications and reporting, complete due diligence requirements, communicate and exchange documents with the MFSA, maintain corporate and user profile information, track regulatory submissions, and meet applicable legal and regulatory obligations. Users of the LH Portal are responsible for ensuring that any personal data submitted through the portal is accurate, updated and relevant.

Personal data submitted through the LH Portal may be shared with competent authorities, regulatory bodies, law enforcement authorities, external advisors, service providers, or other third parties where permitted or required by law and in accordance with the MFSA’s statutory functions.

Processing of Personal Data when Calling the MFSA

The MFSA may record calls made to its Reception and Communications functions. Call recordings are processed for quality, training, and security purposes. Any personal data included in recordings will be anonymised before use for statistical or training purposes.

Processing of Personal Data when interacting with the MFSA Website

When you visit the MFSA website (www.mfsa.mt) (“MFSA’s website”), the MFSA’s servers automatically record information transmitted by your browser. This information may include:

  • The requested web page or downloaded content;
  • Whether the request was successful;
  • The date and time of your visit;
  • The Internet Protocol (“IP”) address or domain name of the device used to access the website;
  • The operating system of the device, browser type and version, browser language and browser screen size;
  • One or more cookies that identify the browser.

The MFSA collects and processes this information solely for statistical and analytical purposes on an aggregated basis to assess website usage and improve its functionality.

Use of Cookies

Cookies are small text files stored on a user’s device when visiting a website. The MFSA’s website uses cookies to enhance user experience, store preferences, and analyse website traffic on an aggregated basis.

The MFSA’s website also utilises third-party tools to generate aggregated statistical reports on website usage.

Where required, consent for non-essential cookies shall be obtained through the website’s cookie management tool and may be withdrawn at any time.

Processing of Personal Data via Contact Forms and Tools

Any personal data collected through the ‘Get in Touch’ section of our website shall be processed to provide you with the necessary information relating to your request and to respond to your inquiries.

Any personal data collected through the ‘Payment Accounts Fees Comparison Tool’ page of our website shall be processed to provide consumers with information regarding the fees being charged by payment account providers in relation to the products and services featured on the ‘Payment Accounts Fees Comparison Tool’, in accordance with the Credit Institutions and Financial Institutions (Payment Accounts) Regulations (S.L. 371.18).

Processing of Personal Data in Email Correspondence and Letters

The MFSA processes personal data contained in email communications, letters, and other written correspondence sent to the MFSA through official email addresses or postal mail. This processing is carried out to respond to enquiries, fulfil requests, provide services, manage complaints, and comply with statutory and administrative obligations.

Personal data in such communications may include name, contact details, account references, case references, attachments, and any other information contained in the message.

Processing of Personal Data via Social Media and Online Platforms

The MFSA may process personal data provided through its official social media channels or other online platforms including LinkedIn, Facebook, X, Instagram and YouTube. This may include personal data contained in direct messages, public comments, submissions, or profile information provided by individuals when interacting with the MFSA’s official accounts or pages.

Such personal data is processed for the purpose of responding to enquiries, engaging with stakeholders, sharing information, or complying with regulatory and statutory obligations. The MFSA does not routinely use personal data obtained via social media for purposes beyond those expressly communicated unless there is a legal basis under the GDPR.

Processing of Personal Data in connection with Whistleblower Reports

Any information, including personal data, received from a whistleblower by the MFSA Whistleblowing Reporting Unit may be used by the MFSA for the purpose of fulfilling its statutory functions. The MFSA is legally obliged to protect the identity of an individual who makes a report and not to disclose any information that might identify that individual, as provided by the Protection of the Whistleblower Act, 2013 (Chapter 527 of the Laws of Malta).

Processing of Personal Data for Recruitment Purposes

The MFSA collects and processes personal data from candidates to manage the recruitment process, assess suitability for employment, ensure compliance with legal obligations, and, if necessary, respond to legal claims or disputes.

Personal data may be collected directly from candidates or obtained from third parties. These third parties may include recruitment agencies, professional and/or student networks, or other lawful sources that have identified individuals as potential candidates for roles within the MFSA.

In assessing suitability, the MFSA may verify information provided by the candidate and, where necessary, obtain additional information from third parties for reference or background checks, in line with applicable data protection safeguards and employment legislation.

Where personal data is obtained from sources other than the candidate, the MFSA may rely on any consent previously provided by the candidate to that entity. The MFSA will provide the information required under Article 14 GDPR, including the categories of personal data collected and the source of such data, unless an exemption under Articles 14(5) or 23 GDPR applies.

Personal data will only be shared with third parties where necessary for the recruitment process or, where applicable, following an offer of employment and subject to appropriate safeguards.

Processing of Personal Data in Connection with Events

The MFSA may take photographs and/or record video footage during conferences, seminars, public events, stakeholder meetings, outreach activities and other official engagements organised or attended by the MFSA.

Personal data processed in this context may include images, audio-visual recordings, and, where applicable, names or professional affiliations of participants. Such material may be used for communication, transparency, public interest, archival and promotional purposes, including publication on the MFSA’s website, social media channels, press releases, annual reports or other official publications.

Where required, the MFSA will rely on an appropriate legal basis under Article 6 GDPR, including legitimate interests or consent, as applicable. Individuals are directed to the MFSA Event Photography, Video and Image Release Policy for detailed information on this processing and the applicable safeguards.

The MFSA may pass on to the Malta Accountancy Board or other similar institutions personal data for the purposes of Continued Professional Education or Continued Professional Development, as per the consent acquired from attendees upon registration.

Processing of Personal Data by the MFSA Financial Supervisors Academy (FSA)

The MFSA processes personal data in relation to training courses, enrolments, complaints and related administrative matters carried out by the MFSA’s Financial Supervisors Academy (FSA). The MFSA uses a third-party communication platform to collect information for enrolment purposes. By clicking to subscribe, you acknowledge that your information will be transferred to the third-party communication platform for further processing. Any personal data provided by you shall be processed for the purpose of sending you updates on the MFSA’s training events. You may unsubscribe at any time by clicking the link provided in the footer of the MFSA’s emails.

For the purposes of Continued Professional Education or Continued Professional Development, personal data may be passed on to the Malta Accountancy Board or other similar institutions, as per the consent acquired from attendees upon registration.

The processing carried out by the MFSA FSA is governed by a separate privacy notice specifically addressing the FSA context, including the purposes, legal basis, retention periods and rights of individuals in that context. Individuals participating in MFSA training courses or otherwise interacting with the FSA should consult the FSA Privacy Notice for detailed information on how personal data is processed in connection with training services and related activities.

Processing of Personal Data by the Journal of Financial Supervisors Academy (JFSA)

The MFSA processes personal data for the purpose of collecting academic material, including manuscripts and proposals, submitted by interested parties for publication in the JFSA.

Processing of Personal Data for the Tendering and Supply of Goods or Services

The MFSA processes personal data submitted by tenderers to manage procurement processes and contracts. This includes data of tenderers, their staff, or sub-contractors. In assessing the suitability of the tenderers, their staff and any sub-contractors for the role, the MFSA undertakes a due diligence assessment to ascertain that the entities and/or individuals chosen are of good conduct and character. This process may also involve contacting third parties in order to determine suitability. Once a contract is awarded, the MFSA processes the data to fulfil its contractual obligations.

Processing of Personal Data in Connection with MFSA Premises and Security

For security, safety, and operational purposes, the MFSA may collect and process personal data when individuals visit or access its physical premises. This may include:

  • CCTV and video surveillance recordings
  • Visitor registration details
  • Access control data including visitor tags, visitor sign-in logs

Such processing is carried out on the basis of legitimate interests of the MFSA in ensuring the safety and security of its facilities, personnel, visitors, and property, and in compliance with applicable laws. CCTV recordings and access records are retained only for as long as necessary for security purposes.

Disclosure of Personal Data

The MFSA will disclose personal data to third parties where such disclosure is:

(i) required or authorised by applicable law;
(ii) necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the MFSA; or
(iii) necessary for the establishment, exercise or defence of legal claims.

Any such disclosure shall be limited to what is necessary and proportionate and shall be carried out in accordance with applicable data protection legislation.

Third parties may include local or foreign regulators, public authorities and law enforcement agencies located within the European Economic Area (“EEA”) or in jurisdictions outside the EEA.

Where personal data is transferred outside the EEA, the MFSA will ensure that such transfers are carried out in compliance with Chapter V (Articles 44–49) of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

Transfers to non-EEA supervisory or securities regulators may take place on the basis of appropriate safeguards, including administrative arrangements concluded between competent authorities, such as the IOSCO-ESMA Administrative Arrangement, or on the basis of an adequacy decision adopted by the European Commission, or other lawful transfer mechanisms provided under the GDPR.

Disclosure of Data Relating to Beneficial Ownership Information Reported in the Beneficial Ownership Register of Trusts

The MFSA processes and discloses personal data of beneficial owners of trusts as required by law under the Trusts and Trustees Act (Chapter 331 of the Laws of Malta), the Trusts and Trustees Act (Register of Beneficial Owners) Regulations (S.L. 331.10) and the applicable EU legislation for the purpose of establishing and maintaining the Register of Beneficial Owners of Trusts, ensuring transparency of ownership structures, and fulfilling its supervisory and regulatory functions.

In this context, and insofar as the processing activities relating to Trusts Ultimate Beneficial Ownership Register (“TUBOR”) are concerned, the MFSA acts as the data controller. For the specific purpose of determining access privileges and allocation of rights to the Beneficial Ownership Registers Interconnection System (“BORIS”), the MFSA acts as joint controller together with the Malta Business Registry, insofar as both entities jointly determine the purposes and means of such access-related processing.

Disclosure of Information for the Purposes of Protecting Consumers of Financial Services

Personal data of individuals approved by the MFSA to provide investment advice or discretionary portfolio management may be disclosed to consumers of financial services or their representatives upon written request.

Disclosure shall be limited to what is necessary and proportionate for consumer protection purposes and shall be applicable only to investment advisors and/or portfolio managers approved by the MFSA at the time the formal request is received and acknowledged by the MFSA.

Retention Periods of Personal Data

The MFSA retains personal data only for as long as necessary to fulfil the purposes for which it was collected, in compliance with the GDPR and applicable legal obligations.

Automated Decision-Making

The MFSA does not take decisions concerning individuals based solely on automated processing, including profiling, which produce legal effects concerning them or similarly significantly affect them, without human involvement.

Where elements of automated processing are used to support supervisory, analytical or risk-based assessments, such processing forms part of a broader decision-making process subject to appropriate human review and oversight.

Individuals’ Rights

The MFSA is committed to safeguarding your personal data and supporting you in the exercise of your rights. In accordance with the GDPR and the Data Protection Act, individuals have the following rights, subject to any applicable legal restrictions:

  • The right to be informed;
  • The right of access to their personal data;
  • The right of rectification of inaccurate or incomplete personal data;
  • The right to erasure of personal data;
  • The right to restriction of the processing;
  • The right to object to the processing of the personal data;
  • The right to data portability;
  • The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Requests to exercise these rights must be submitted in writing to the MFSA’s Data Controller on [email protected]. Furthermore, individuals have the right to lodge a complaint with the Office of the Information and Data Protection Commissioner (www.idpc.gov.mt).

Contact Details of the Data Protection Officer

Any queries in relation to your rights under Data Protection Legislation, this Privacy Notice, or the processing of your personal data by the MFSA may be forwarded to the MFSA’s Data Protection Officer.

The Data Protection Officer may be contacted by:

  • E-mail at [email protected];
  • Postal mail at Malta Financial Services Authority, Triq l-Imdina, Zone 1, Central Business District, Birkirkara, CBD 1010, Malta.

Links

The MFSA’s website may contain links to external sites or third-party services that are not owned or operated by the MFSA. Such websites and/or services are not governed by this Privacy Notice.

The MFSA does not exercise control over, and is not responsible for, the privacy practices, content or data processing activities of such third-party websites. Users are encouraged to review the applicable privacy notices of any external websites they visit before providing personal data.

Changes to this Privacy Notice

The MFSA may update this Privacy Notice to reflect changes in its practices or to comply with new legal requirements. It is therefore advisable to periodically review the ‘Privacy Notice’ page to remain informed of any modifications.