MFSA Privacy Notice


This Privacy Notice provides information on the processing of personal data by the Malta Financial Services Authority (“MFSA”) in connection with its statutory functions, employment obligations and procurement procedures as explained hereunder.

Data Controller

The MFSA is the controller of personal data in terms of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – “the GDPR”) and the Data Protection Act (Chapter 586 of the Laws of Malta – “the DPA”).

The MFSA ensures that personal data are processed in accordance with the GDPR, the DPA and any other relevant European Union (“EU”) and national law. The MFSA ensures inter alia the confidentiality and security of such personal data.

The MFSA is situated at Notabile Road, Attard BKR 3000.

Processing of Personal Data for Regulatory, Supervisory and Related Purposes

The MFSA processes personal data to perform its functions under the Malta Financial Services Authority Act (Chapter 330 of the Laws of Malta), and any other relevant EU and national law.

These functions include:

– Regulating, monitoring and supervising financial services in Malta;

– Promoting the general interests and legitimate expectations of consumers of financial services, and promoting fair competition practices and consumer choice in financial services;

– Monitoring and keeping under review trading and business practices relating to the supply of financial services to private and other persons, and providing relevant information and guidance to the public;

– Monitoring the working and enforcement of laws that directly or indirectly affect consumers of financial services in Malta;

– Investigating allegations of practices and activities detrimental to consumers of financial services, generally keeping under review trading practices relating to the provision of financial services, and identifying and taking measures to suppress and prevent any practices which may be unfair, harmful or otherwise detrimental to consumers of financial services;

– Processing applications of individuals for the exercise of Article 56(21) of the Income Tax Act (Chapter 123 of the Laws of Malta) and, consequently, for a formal determination relating to eligibility under the Highly Qualified Persons Rules.

The MFSA also processes personal data for the purposes of regulation and surveillance of financial markets and investigation of the activities of unauthorised providers of financial services. To this end, the MFSA may process personal data of individuals, who may or may not be connected with financial services providers, for the purposes of identification of possible risks or threats to financial markets or to the stability of the financial system, and to take the appropriate policy or other action as may be required in this regard.

The MFSA processes personal data of:

– “Fitness and properness” applicants, that is, individuals applying to the MFSA for approval to perform a role or be a qualified shareholder or be a controller within a regulated financial services provider. Such individuals are required to submit a Personal Questionnaire (“PQ”). The personal data the MFSA collects are used for the purposes of the application process, which includes a due diligence process and the “fitness and properness” test to assess the suitability of the applicant to perform the respective role;

– The European Central Bank (“ECB”) is responsible for assessing the fitness and properness of the Management Board of all credit institutions applying for authorisation and also key function holders of significant credit institutions. The MFSA transmits such applications to the ECB for assessment in accordance with Council Regulation (EU) No 1024/2013 (the SSM Regulation);

– Individuals connected to financial services providers including shareholders, directors, employees and clients of financial services providers, and any related third parties, in connection with its regulation of financial services providers and markets. The MFSA processes such personal data for various reasons including the authorisation and ongoing supervision of regulated financial services providers;

– The MFSA uploads personal data as necessary in its Financial Services Register and Licence Holder Portal following approval of the entity’s / individual’s application. Regulated financial services providers may also provide personal data to the MFSA in connection with the submission of regulatory returns or other information required by the MFSA;

– Applicants for the exercise of Article 56(21) of the Income Tax Act and, consequently, for a formal determination relating to eligibility under the Highly Qualified Persons Rules. The personal data the MFSA gathers are used for the purposes of the application process, which includes a due diligence process, or the “fitness and properness” test, and to make a formal determination in regard to eligibility under the Highly Qualified Persons Rules;

– If the individual’s application for the exercise of Article 56(21) of the Income Tax Act is successful and he or she will be eligible under the Highly Qualified Persons Rules, his or her personal data will be transferred to the Inland Revenue Department;

– Individuals investigated by the MFSA where a concern arises that a breach of financial services law has been, or is being, committed. The purpose of such investigations is to allow the gathering of sufficient information to enable the MFSA to determine inter alia whether any breach of financial services law has occurred and whether the imposition of sanctions may be appropriate.

The provision of personal data arises from statutory requirements. Where applicable, failure to provide such data will prevent the MFSA from considering the individual’s and / or the entity’s application.

Most of the personal data the MFSA will hold will have been provided by the individual concerned but some personal data may be obtained from a third party. In those instances where personal data are not obtained from the individual in question, the latter will be informed of the categories of personal data collected and the source from which the personal data originate, unless the provisions of Article 14(5) and Article 23 of the GDPR are applicable.

Processing of Personal Data in connection with Protected Disclosure Reports

Any information including personal data received from a whistleblower by the MFSA, which information is considered as a protected disclosure, may be used by the MFSA for the purpose of performing its statutory functions. The MFSA is legally obliged to protect the identity of an individual who makes a protected disclosure and not to disclose any information that might identify that individual as provided by the Protection of the Whistleblower Act, 2013 (Chapter 527 of the Laws of Malta).

Processing of Personal Data for Recruitment Purposes

The MFSA collects personal data from candidates for recruitment purposes. The MFSA needs to process personal data in order to decide whether to enter into a contract of employment with a particular candidate and may also process certain data to ensure that it is complying with its legal obligations. The MFSA has a legitimate interest in processing personal data during the recruitment process and in keeping records of the process in order to manage the recruitment process, assess and confirm a candidate’s suitability for employment, and decide to whom to offer a particular role. The MFSA may also need to process candidates’ data to respond to and defend itself against legal disputes.

In assessing the candidate’s suitability for the role, the MFSA may contact third parties for information; however, this shall only be done once consent has been obtained from the candidate prior to contact. In all other cases, the MFSA will not share a candidate’s data with third parties, unless his or her application for employment is successful and an offer of employment is made to him or her. In those instances where the MFSA processes personal data which have not been obtained from the candidate in question, he or she will be informed of the categories of personal data collected and the source from which the personal data originate unless the provisions of Article 14(5) and Article 23 of the GDPR are applicable.

Processing of Personal Data for the Tendering and Supply of Goods or Services

The MFSA may process personal data submitted by tenderers to manage procurement award procedures and decide whether to enter into a contract with a particular tenderer. Personal data collected for this purpose may relate to the tenderer, its staff or its sub-contractors. Following finalisation of the procurement procedure in question and the entry into a contract with the chosen supplier(s), the MFSA may process the personal data in order to perform its contractual obligations.

Processing of Personal Data included in the Contact Form

Any information collected in the ‘Get in Touch’ section of our website shall be processed solely by the MFSA and its staff as may be necessary to provide you with the necessary information relating to your request and to answer any of your queries.

Retention Periods of Personal Data

The MFSA retains personal data obtained in relation to its supervisory function for at least ten years from the date of receipt of such data.

In the case of fitness and properness-related information, the MFSA holds personal data for a period of twenty-five years after the individual’s relationship with the MFSA has been terminated and the individual no longer occupies a role within a financial services provider authorised by the MFSA.

The MFSA retains all information obtained in connection with an investigation, including a market abuse investigation, for a period of fifteen years after the case is closed.

In addition, the MFSA retains information provided by whistleblowers for a period of fifteen years after any related case is closed.

In cases of recruitment, if a candidate’s application is unsuccessful, the MFSA may keep his or her personal data for a period of five years following the conclusion of the recruitment exercise.

Furthermore, the MFSA retains files relating to procurement procedures for a period of six years following the closure thereof. The MFSA may retain procurement contracts signed with individuals or containing personal contact details related to the execution of a contract for a period that is longer than six years depending on the nature of the contract.

Disclosure of Personal Data

Other than as aforementioned, the MFSA will only disclose personal data to third parties if it is legally obliged to do so or where it is necessary in view of the application, due diligence, investigation, recruitment and procurement processes.

Third parties are generally regulators, public authorities and law enforcement agencies situated in other European Economic Area (“EEA”) Member States or in countries outside of the EEA. The MFSA will only transfer personal data outside the EEA if permitted by the GDPR, DPA or any other relevant EU or national law.

Individuals’ Rights

In terms of the GDPR and the DPA, an individual may request from the MFSA access to and rectification of personal data, and, in certain circumstances, has:

– The right to erasure of personal data;

– The right to restriction of the processing;

– The right to object to the processing of the personal data;

– The right to data portability.

Such requests may be made in writing to the MFSA’s Data Protection Officer on any of the details indicated hereunder. In addition, an individual has a right to lodge a complaint with the Office of the Information and Data Protection Commissioner in Malta (www.idpc.gov.mt).

Contact Details of the Data Protection Officer

The Data Protection Officer may be contacted by:

– E-mail at dpo@mfsa.com.mt;

– Phone on (356) 21441155;

– Postal mail at Malta Financial Services Authority, Notabile Road, Attard BKR 3000.

Changes to this Privacy Notice

If there are any changes to this Privacy Notice, the MFSA will replace this page with an updated version. Therefore, it is in one’s own interest to check the “Privacy Notice” page in order to be aware of any changes which may occur from time to time.