MFSA Privacy Notice
This Privacy Notice provides information on the processing of personal data by the Malta Financial Services Authority (“MFSA”) in connection with its statutory functions, employment obligations and procurement procedures as explained hereunder.
The MFSA is the controller of personal data in terms of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – “the GDPR”) and the Data Protection Act (Chapter 586 of the Laws of Malta – “the DPA”).
The MFSA ensures that personal data are processed in accordance with the GDPR, the DPA and any other relevant European Union (“EU”) and national law. The MFSA ensures inter alia the confidentiality and security of such personal data.
The MFSA is situated at Notabile Road, Attard BKR 3000.
Processing of Personal Data for Regulatory, Supervisory and Related Purposes
The MFSA processes personal data to perform its functions under the Malta Financial Services Authority Act (Chapter 330 of the Laws of Malta), and any other relevant EU and national law.
These functions include:
– Regulating, monitoring and supervising financial services in Malta;
– Promoting the general interests and legitimate expectations of consumers of financial services, and promoting fair competition practices and consumer choice in financial services;
– Monitoring and keeping under review trading and business practices relating to the supply of financial services to private and other persons, and providing relevant information and guidance to the public;
– Monitoring the working and enforcement of laws that directly or indirectly affect consumers of financial services in Malta;
– Investigating allegations of practices and activities detrimental to consumers of financial services, generally keeping under review trading practices relating to the provision of financial services, and identifying and taking measures to suppress and prevent any practices which may be unfair, harmful or otherwise detrimental to consumers of financial services;
– Processing applications of individuals for the exercise of Article 56(21) of the Income Tax Act (Chapter 123 of the Laws of Malta) and, consequently, for a formal determination relating to eligibility under the Highly Qualified Persons Rules.
The MFSA also processes personal data for the purposes of regulation and surveillance of financial markets and investigation of the activities of unauthorised providers of financial services. To this end, the MFSA may process personal data of individuals, who may or may not be connected with financial services providers, for the purposes of identification of possible risks or threats to financial markets or to the stability of the financial system, and to take the appropriate policy or other action as may be required in this regard.
The MFSA processes personal data of:
– “Fitness and properness” applicants, that is, individuals applying to the MFSA for approval to perform a role or be a qualified shareholder or be a controller within a regulated financial services provider. Such individuals are required to submit a Personal Questionnaire (“PQ”). The personal data the MFSA collects are used for the purposes of the application process, which includes a due diligence process and the “fitness and properness” test to assess the suitability of the applicant to perform the respective role;
– The European Central Bank (“ECB”) is responsible for assessing the fitness and properness of the Management Board of all credit institutions applying for authorisation and also key function holders of significant credit institutions. The MFSA transmits such applications to the ECB for assessment in accordance with Council Regulation (EU) No 1024/2013 (the SSM Regulation);
– Individuals connected to financial services providers including shareholders, directors, employees and clients of financial services providers, and any related third parties, in connection with its regulation of financial services providers and markets. The MFSA processes such personal data for various reasons including the authorisation and ongoing supervision of regulated financial services providers;
– The MFSA uploads personal data as necessary in its Financial Services Register and Licence Holder Portal following approval of the entity’s / individual’s application. Regulated financial services providers may also provide personal data to the MFSA in connection with the submission of regulatory returns or other information required by the MFSA;
– Applicants for the exercise of Article 56(21) of the Income Tax Act and, consequently, for a formal determination relating to eligibility under the Highly Qualified Persons Rules. The personal data the MFSA gathers is used for the purposes of the application process, which includes a due diligence process, or the “fitness and properness” test, and to make a formal determination in regard to eligibility under the Highly Qualified Persons Rules;
– If the individual’s application for the exercise of Article 56(21) of the Income Tax Act is successful and he or she will be eligible under the Highly Qualified Persons Rules, his or her personal data will be transferred to the Inland Revenue Department;
– Individuals investigated by the MFSA where a concern arises that a breach of financial services law has been, or is being, committed. The purpose of such investigations is to allow the gathering of sufficient information to enable the MFSA to determine inter alia whether any breach of financial services law has occurred and whether the imposition of sanctions may be appropriate.
The provision of personal data arises from statutory requirements. Where applicable, failure to provide such data will prevent the MFSA from considering the individual’s and / or the entity’s application.
Most of the personal data the MFSA will hold will have been provided by the individual concerned but some personal data may be obtained from a third party. In those instances where personal data are not obtained from the individual in question, the latter will be informed of the categories of personal data collected and the source from which the personal data originate, unless the provisions of Article 14(5) and Article 23 of the GDPR are applicable.
Processing of Personal Data when Calling the MFSA
The MFSA may collect personal data through the recording of calls made by data subjects to the Communications function on the following numbers: Freephone 80074924 or +356 2548 5700 (foreign calls). When calling these numbers the data subjects’ call will be automatically recorded for quality, training and security purposes. Should any personal data be disclosed in such calls, the personal data shall be anonymised and such anonymised data may, in certain circumstances, be used for statistical purposes. The MFSA shall ensure that any personal data contained in any call recordings shall be removed prior to being used for quality and training purposes by its employees.
Processing of Personal Data in connection with Protected Disclosure Reports
Any information including personal data received from a whistleblower by the MFSA, which information is considered as a protected disclosure, may be used by the MFSA for the purpose of performing its statutory functions. The MFSA is legally obliged to protect the identity of an individual who makes a protected disclosure and not to disclose any information that might identify that individual as provided by the Protection of the Whistleblower Act, 2013 (Chapter 527 of the Laws of Malta).
Processing of Personal Data for Recruitment Purposes
The MFSA collects personal data from candidates for recruitment purposes. The MFSA needs to process personal data in order to decide whether to enter into a contract of employment with a particular candidate and may also process certain data to ensure that it is complying with its legal obligations. The MFSA has a legitimate interest in processing personal data during the recruitment process and in keeping records of the process in order to manage the recruitment process, assess and confirm a candidate’s suitability for employment, and decide to whom to offer a particular role. The MFSA may also need to process candidates’ data to respond to and defend itself against legal disputes.
In assessing the candidate’s suitability for the role, the MFSA may contact third parties for information, however, this shall only be done once consent has been obtained from the candidate prior to contact. In all other cases, the MFSA will not share a candidate’s data with third parties, unless his or her application for employment is successful and an offer of employment is made to him or her. In those instances where the MFSA processes personal data which have not been obtained from the candidate in question, he or she will be informed of the categories of personal data collected and the source from which the personal data originate unless the provisions of Article 14(5) and Article 23 of the GDPR are applicable.
Processing of Personal Data for the Tendering and Supply of Goods or Services
The MFSA may process personal data submitted by tenderers to manage procurement award procedures and decide whether to enter into a contract with a particular tenderer. Personal data collected for this purpose may relate to the tenderer, its staff or its sub-contractors. Following finalisation of the procurement procedure in question and the entry into a contract with the chosen supplier(s), the MFSA may process the personal data in order to perform its contractual obligations.
Processing of Personal Data included in the Contact Form
Any information collected in the ‘Get in Touch’ section of our website shall be processed solely by the MFSA and its staff as may be necessary to provide you with the necessary information relating to your request and to answer any of your queries.
Disclosure of Information for the purposes of protecting consumers of Financial Services
Persons approved by the Malta Financial Services Authority (“MFSA”) to provide investment advice and/or discretionary portfolio management under the Investment Services Act or any Regulations or Rules issued thereunder are advised that the following information may be disclosed to consumers of financial services and/or their representatives following a written request received therefrom, this being in line with the MFSA’s objectives set out at law in relation to investor protection. The information disclosed shall be limited to (a) name and surname of the individual approved by the MFSA as investment advisor and/or portfolio manager, (b) his/her Identity Card/Passport Number, (c) the financial instrument(s) in relation to which he/she is authorised to provide services of investment advice and/or portfolio management and (d) the date of approval by the Authority. This shall be applicable only to investment advisors and/or portfolio managers approved by the MFSA at the time the formal request is received and acknowledged by the MFSA. No other information shall be disclosed to third parties unless allowed by law.
Retention Periods of Personal Data
The MFSA retains personal data obtained in relation to its supervisory function for at least ten years from date of receipt of such data.
In the case of fitness and properness-related information, the MFSA holds personal data for a period of twenty-five years after the individual’s relationship with the MFSA has been terminated and the individual no longer occupies a role within a financial services provider authorised by the MFSA.
The MFSA retains all information obtained in connection with an investigation, including a market abuse investigation, for a period of fifteen years after the case is closed.
In addition, the MFSA retains information provided by whistleblowers for a period of fifteen years after any related case is closed.
In cases of recruitment, if a candidate’s application is unsuccessful, the MFSA may keep his or her personal data for a period of five years following the conclusion of the recruitment exercise.
In the case of call recordings, data shall be retained for a period of 15 days from the date on which the call was made.
Furthermore, the MFSA retains files relating to procurement procedures for a period of six years following the closure thereof. The MFSA may retain procurement contracts signed with individuals or containing personal contact details related to the execution of a contract for a period that is longer than six years depending on the nature of the contract.
Disclosure of Personal Data
Other than as aforementioned, the MFSA will only disclose personal data to third parties if it is legally obliged to do so or where it is necessary in view of the application, due diligence, investigation, recruitment and procurement processes.
Third parties are generally regulators, public authorities and law enforcement agencies situated in other European Economic Area (“EEA”) Member States or in countries outside of the EEA. The MFSA will only transfer personal data outside the EEA if permitted by the GDPR, DPA or any other relevant EU or national law.
In cases where the transfer of personal data is between EEA and non-EEA securities regulators, the MFSA is a signatory to the IOSCO-ESMA Administrative Arrangement (“the Administrative Arrangement”) which acts as an appropriate safeguard for such transfers, without prejudice to any other legal basis for international transfers of personal data such as an adequacy decision by the European Commission.
In particular, when the MFSA collects and processes personal data transferred under the administrative arrangement, it guarantees the following:
- The Authority will only transfer personal data that are relevant, adequate and limited to what is necessary for the purposes for which they are transferred and further processed;
- The Authority will have in place appropriate technical and organisational measures to protect personal data that are transferred to it against accidental or unlawful access, destruction, loss, alteration, or unauthorised disclosure;
- The Authority will retain personal data for no longer than is necessary and appropriate for the purpose for which the data are processed;
- No decision will be taken by the Authority concerning a natural person based solely on automated processing of personal data, including profiling, without human involvement;
- The Authority will not divulge your personal data for other purposes, such as for marketing or commercial purposes.
As regards the personal data shared under the administrative arrangement, you can make a request to the Authority to receive information about the processing of your personal data, to access the personal data and to correct any inaccurate or incomplete personal data, as well as to request the erasure or restriction of processing of your personal data or to object to such processing, by written request addressed to [email protected]. Given the often sensitive nature of our work, and the risk of prejudice to the discharge of our public functions, in some cases your safeguards might be restricted in view of the MFSA’s obligation not to disclose confidential information pursuant to professional secrecy or other legal obligations, or to prevent prejudice or harm to its supervisory or enforcement functions or to the supervisory or enforcement functions of a transferring or receiving Authority under the Administrative Arrangement acting in the exercise of the official authority vested in it. This may include functions relating to the monitoring or assessment of compliance with applicable laws, prevention or investigation of suspected infringement; for important objectives of general public interest, or for the supervision of regulated individuals and entities. In each case, the MFSA will assess whether the restriction is appropriate. The restriction should be necessary and provided by law, and will continue only for as long as the reason for the restriction continues to exist.
If you believe that your personal data have not been handled consistently with these safeguards, you can lodge a complaint or claim at the transferring Authority, the receiving Authority or both Authorities; for doing so, you can contact [email protected]. In such event, the Authority or the Authorities will use best efforts to settle the dispute or claim amicably in a timely fashion.
In the event that the matter is not resolved, other methods can be used by which the dispute could be resolved, unless the request is manifestly unfounded or excessive. Such methods include participation in non-binding mediation or other non-binding dispute resolution proceedings initiated by the natural person or by the Authority concerned. If the matter is not resolved through cooperation by the Authorities, nor through non-binding mediation or other non-binding dispute resolution proceedings, in situations where you raise a concern and a transferring Authority is of the view that a receiving Authority has not acted consistently with the safeguards set out in the administrative arrangement, the transferring Authority will suspend the transfer of personal data under this Arrangement to the receiving Authority until the transferring Authority is of the view that the issue is satisfactorily addressed by the receiving Authority, and will inform you thereof.
If you have questions or concerns, please contact [email protected].
In terms of the GDPR and the DPA, an individual may request from the MFSA access to and rectification of personal data, and, in certain circumstances, has:
– The right for erasure of personal data;
– The right for restriction of the processing;
– The right to object to the processing of the personal data;
– The right to data portability.
Such requests may be made in writing to the MFSA’s Data Protection Officer on any of the details indicated hereunder. In addition, an individual has a right to lodge a complaint with the Office of the Information and Data Protection Commissioner in Malta (www.idpc.gov.mt).
Contact Details of the Data Protection Officer
The Data Protection Officer may be contacted by:
– E-mail at [email protected];
– Phone on (356) 21441155;
– Postal mail at Malta Financial Services Authority, Notabile Road, Attard BKR 3000.
Changes to this Privacy Notice
If there are any changes to this Privacy Notice, the MFSA will replace this page with an updated version. Therefore, it is in one’s own interest to check the “Privacy Notice” page in order to be aware of any changes which may occur from time to time.