Privacy Notice

The Financial Intelligence Analysis Unit (“FIAU”) is a government agency set up under the Prevention of Money Laundering Act (Cap. 373) (“PMLA”), and is responsible for the collection, collation, processing, analysis and dissemination of information to combat money laundering and the financing of terrorism through the generation and dissemination of useful intelligence, and the application of effective and proportionate preventative measures, in collaboration with its private and public sector partners.

The General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Data Protection Act (Cap 586) and subsidiary legislation issued thereunder (collectively referred to as the “Data Protection Legislation”) regulate the processing of personal data, whether held electronically or in manual form. The FIAU is set to fully comply with the principles enshrined in the Data Protection Legislation.

By using the FIAU’s website, including the Compliance and Supervision Platform for Assessing Risk (“CASPAR”), the goAML system to submit reports to the FIAU, as well as the Central Bank Account Registry System (“CBAR System”), you indicate that you have understood and accept the content of this Privacy Notice.

1. KEY TERMS

For the purposes of this Privacy Notice, the key terms shall be defined as follows in accordance with the Data Protection Legislation:

Data Controller

means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Subject (“You”)

means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Data

means any information relating to an identified or identifiable natural person.

Special Categories of Personal Data

means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Processing

means any operation which is performed on personal data, whether or not by automated means, such as collection, recording, storage, use and erasure.

2. DATA CONTROLLER

For the purposes of the Data Protection Legislation, the FIAU shall be considered the Data Controller that is processing personal data.

The FIAU is committed to protect the privacy of those individuals who use its website and those who submit personal data to the FIAU in any manner or form. This Privacy Notice explains what personal data the FIAU may collect and how the FIAU protects it.

3. PURPOSE FOR COLLECTING PERSONAL DATA

The FIAU collects and processes personal data and special categories of personal data to carry out its obligations in accordance with legislation aimed at combatting money laundering and funding of terrorism, particularly the PMLA and any subsidiary legislation thereunder, including the Prevention of Money Laundering and Funding of Terrorism Regulations (“PMLFTR”), the Centralised Bank Account Register Regulations (“CBAR Regulations”), and the Use of Cash (Restriction) Regulations. All data is collected and processed in accordance with Data Protection Legislation, the PMLA, the PMLFTR, the CBAR Regulations, Use of Cash (Restriction) Regulations and any binding procedures issued thereunder.

Therefore, it is the duty and responsibility of the FIAU to process all the data and information as may be required to effectively safeguard Malta’s financial system, particularly the financial sector and other relevant sectors, from being misused for money laundering and the funding of terrorism from or within Malta, as well as to safeguard their integrity.

4. DATA THE FIAU COLLECTS

The FIAU collects personal data in order to perform the functions conferred on it by the PMLA and subsidiary legislation thereunder, and/or responding to your communications with us, whether collected online or through offline interactions. The FIAU is committed to ensuring privacy and security of personal data and strives to use it solely for the purposes stated in this privacy notice and in compliance with Data Protection Legislation.

The FIAU collects personal data from a range of sources in the exercise of its functions. For example, it may collect data for its intelligence analysis and supervisory functions from subject persons, via direct reporting from the public as well as from information that is publicly available. In order to effectively perform its functions, the FIAU may also collect data from local and international authorities. It may also collect personal data through your interactions with the FIAU such as via online portals, by telephone and/or telephone communications.

The FIAU also processes personal data that is collected in the course of its administrative functions. For example, staff administration, recruitment, procurement, property management, advertising and media.

The FIAU’s Website and Log Information

The FIAU is the owner of this website (accessible at www.fiaumalta.org) (“FIAU’s website”).

The FIAU’s website does not automatically retrieve, capture or store information on the person who is browsing it, other than session information, like the type of browser used, the date and time of the visit, the duration of the visit, the request for webpage and download, and whether requests were successful or not. This information is collected and stored as a server log. Any such data is not personal data since no person is/can be identified. The Internet Protocol (IP) address of users of the FIAU’s website is not recorded as part of the session information.

The above-mentioned information, which is documented as a server log, may be accessed by the service provider for system administration purposes and to provide the FIAU with statistics on the use of the website, including visitor numbers, traffic sources and content access information.

Cookies

Cookies are small text files placed on your computer or other device when you visit a website. They are commonly used to ensure the proper functioning of websites or enhance their efficiency, while also supplying information to the site owners.

These would expire on logout or twenty-four (24) hours after the last request was made. The cookies are not retained. The only exception relates to CASPAR, where a return user cookie is dropped to identify users of the website.

The FIAU’s website, including CASPAR, goAML and the CBAR Portal, does not have or make use of any third-party cookies.

Collection and processing of personal data

The following table outlines the types of personal data that the FIAU may process, what it may use it for and the corresponding legal bases:

Activity and why the information may be used

Personal Data the FIAU may process

Corresponding Legal Bases

1. Use of FIAU Website and/or Newsletter Subscriptions

  1. To respond to your communications with the FIAU.
  2. To fulfil the FIAU’s functions in terms of law.
  3. To provide you with updates and news.

Your personal details such as:

  • Name
  • Surname
  • E-mail Address
  • Contact Number
  • Device Information
  • Any other information you may provide to the FIAU through the ‘Contact’ Form

For the FIAU’s legitimate interests: Responding to your communications with the FIAU, including complaints or claims made by you.
In fulfilment of a legal obligation: In satisfaction of any obligation imposed on the FIAU by law.
Consent: On the basis of the consent that you have provided to the FIAU, where this is required, such as subscribing to its newsletter. Such consent may be withdrawn by you at any time.

2. Use of CASPAR – User registration, submission of Risk Evaluation Questionnaires (‘REQ’) and creation of ‘SP Profile’

  1. To set up and run your account on CASPAR.
  2. To communicate with you.
  3. To carry out a risk assessment.
  4. To process payment fees received for the submission of the REQ.

These include personal data relating to you whether as a sole practitioner, MLRO, Designated Employee and/or information relating to the shareholders and directors of legal entities, being:

  • First name and surname
  • Designation
  • Date of Birth
  • Country of Residence
  • Nationality
  • Identification Document details
  • Contact number
  • Email address
  • Any other data you provide.

For the FIAU’s legitimate interests: To be able to communicate with you.
In fulfilment of a legal obligation: In satisfaction of any obligation imposed on the FIAU by law.

3. Reporting suspected breach of Use of Cash (Restriction) Regulations on FIAU Website or through goAML

To ensure compliance with the Use of Cash (Restriction) Regulations.

Any personal details provided by the person making the report, including:

  • Full name of reporter
  • Email address of reporter
  • Contact number of reporter
  • Organisation of reporter
  • Information on a person allegedly breaching the Use of Cash (Restriction) Regulations, including identification details.
  • Any other data provided by the reporter.

In fulfilment of a legal obligation: In terms of the Use of Cash (Restriction) Regulations, the FIAU has the function to monitor and ensure compliance with the applicable restriction on the use of cash for the purchase or sale of certain high value goods.

4. Examination Visits or Requests for Information by Cash Restriction Section

To ensure compliance with the Use of Cash (Restriction) Regulations.

Any personal details pertaining to the trader or notary, including:

  • Full name
  • Contact details
  • Email address
  • Residential Address
  • Transaction Data
  • Personal details of third parties forming part of a transaction

In fulfilment of a legal obligation: In terms of the Use of Cash (Restriction) Regulations, the FIAU has the function to monitor and ensure compliance with the applicable restriction on the use of cash for the purchase or sale of certain high value goods, through the carrying out of onsite examinations on any trader and notary subject to the Regulations.

5. Registration and Use of the CBAR Application

  1. To maintain the register as required by the CBAR Regulations.
  2. To enable the timely identification of persons holding or controlling payment accounts and bank accounts identified by IBAN, and safe custody services.

Details of the reporting entity, including:

  • Company information
  • User full name
  • User date of birth
  • User identification number
  • User email address

When reporting, the reporting entity shall disclose information relating to its customers, including:

  • Full name of customer
  • Full name of beneficial owner (where applicable)
  • Date of Birth of customer/beneficial owner
  • Residential address of customer/beneficial owner
  • Country where the individual was born
  • Known nationalities of the individual
  • Identification document details
  • Full name of agent (if applicable)
  • The IBAN associated with the customer account
  • Code used to identify safe deposit box of customer
  • Details of business relationship

In fulfilment of a legal obligation: In terms of the CBAR Regulations, the FIAU is required to establish, manage and administer the Centralised Bank Account Register consisting of data made available by credit and financial institutions.

6. Compliance examinations by the Supervision Section (onsite and off-site visits)

To ensure subject persons’ compliance with legal obligations relating to AML/CFT.

When conducting a compliance examination, the FIAU collects information and documents pertaining to a select sample of the subject person’s customers and their beneficial owner/s in order to assess compliance with the PMLFTR. Such details include:

  • Publicly available information, such as shareholder details obtained through the Registry of Companies (“ROC”)
  • First name and surname
  • Date of Birth
  • Residential Address
  • Nationality
  • Identification Document details
  • Contact details
  • Source of wealth information and documentation
  • Client list of the subject person.

Other details collected by subject persons and examined by the FIAU include:

  • Transactional data of the subject person’s clients which may include corporate or individual details of third parties involved in the transaction
  • Source of the origin of funds, such as full names and details of banks and other institutions
  • Credit card details of the subject person’s clients and other third parties linked with clients’ transactions
    – IP address
    – Email address
    – Transaction information
  • Any other data requested by the subject person for the fulfilment of their AML/CFT obligations

In fulfilment of a legal obligation: In terms of the PMLA, the FIAU is vested with the function to monitor compliance by subject persons with their AML/CFT obligations and to co-operate and liaise with supervisory or regulatory authorities.

For the FIAU’s legitimate interests: To safeguard Malta’s and the EU’s financial system from money laundering and terrorist financing.

7. Financial Intelligence Analysis whether through submission of reports by subject persons on goAML or through the receipt of information from local or foreign authorities and FIUs

  1. To carry out a financial intelligence analysis.
  2. To disseminate analytical reports where required in terms of law.

Personal data collected and processed by the FIAU from reports submitted by subject persons regarding their customers and/or information received from other authorities, whether local or foreign, as well as FIU counterparts. Such details include:

  • Full name
  • Gender
  • Date of birth
  • Nationality
  • Identification document details
  • Residential address
  • Bank account and transactional details
  • Known occupation and employment history
  • Whether politically exposed
  • Whether a known terrorist or a suspect
  • Details on the business relationship or occasional transaction between the reporting person and the subject of the report
  • Any other details submitted to the FIAU.

In fulfilment of a legal obligation: In terms of the PMLA, the FIAU is vested with the function to receive, supplement, and analyse reports of suspicious activities/transactions (SARs/STRs) and draw up analytical reports on the results of such analysis, and disseminate same as necessary.

8. Registration on the Courses Portal and applying for training, seminars or webinars through the FIAU’s website

  1. To provide you with the service.
  2. For statistical purposes.
  3. To process payment for the event in question.
  4. To issue Continuing Professional Education (CPE) certifications.

These include details required for the processing of the booking, including:

  • Name and surname
  • Email Address
  • Contact numbers
  • Profession
  • Organisation Name
  • ID Card Number
  • Address

Due to a contractual necessity: To fulfil a contractual obligation.
For the FIAU’s legitimate interests: For the organisation of the event and for statistical purposes.
Performance of training is carried out in the public interest.
In fulfilment of a legal obligation: In satisfaction of obligations imposed on the FIAU by law.

9. Registration for Public-Private Partnerships

To communicate with you regarding any upcoming events and initiatives.

These include details relating to the attendees of the Public-Private Partnership Initiatives as applicable, being:

  • Full name
  • Email address
  • Contact number
  • Organisation/Authority and designation (where applicable)

In fulfilment of a legal obligation: In adherence to any obligation imposed on the FIAU by law.
For the FIAU’s legitimate interests: To be able to communicate with you.
To foster its relationships with the private sector in the collective fight against money laundering and funding of terrorism.

10. Email Correspondence or Letters

To respond to your communications and queries.

Your personal details such as:

  • Email address
  • Postal Address
  • Name and surname
  • Other personal details you may provide.

For the FIAU’s legitimate interests: To provide information, support and services to the public. Responding to your communications with the FIAU, including complaints or claims made by you.

11. Telephone Calls

  1. To respond to your communications and queries.
  2. For quality and assurance purposes.

Any call made to or received from the FIAU telephone line may be recorded.

Data processed in this regard include:

  • Telephone number
  • Other personal details you may provide during the conversation.

For the FIAU’s legitimate interests: To provide information, support and services to the public.
Responding to your communications with the FIAU, including complaints or claims made by you.

12. Communication through Social Media Platforms such as LinkedIn and Facebook

  1. To respond to your communications and queries.
  2. For quality and assurance purposes.

Your personal details such as:

  • Email address
  • Name and surname
  • Other personal details you may provide via chat.

For the FIAU’s legitimate interests: To provide information, support and services to the public.
Responding to your communications with the FIAU, including complaints or claims made by you.

13. Processing of job applications submitted with the FIAU, whether directly or through recruitment agencies

  1. To assess whether applicants possess the necessary qualifications, skills, experience, and education to be considered for the job position applied for.
  2. To conduct screening of potential employees.
  3. To communicate with you.
  4. To obtain security clearance.  

Personal details for the processing of your job application, including:

  • Curriculum Vitae
  • Details contained in the covering letter
  • Name and surname
  • Contact details
  • Job history
  • Academic background
  • Copy of identification document
  • Police Conduct
  • Drug Test Results
  • Any other information that you may provide.

For the FIAU’s legitimate interests: To respond to your communications with the FIAU.
To ensure safety and integrity at the workplace.
Consent: On the basis of the consent that you have provided to the FIAU, where this is required.

14. CCTV

To monitor the premises in order to ensure the safety and security of the FIAU’s employees and visitors.

Images captured through the use of CCTV cameras located inside and outside the FIAU’s premises, including parking areas.

For the FIAU’s legitimate interests: Ensuring the security and safety of the FIAU’s employees and visitors by preventing crime, misconduct and potential hazards.

15. Visiting FIAU premises

Data submitted to the visitors log upon visiting the FIAU’s premises, including:

  • Full name
  • Organisation
  • Contact Number

Consent: On the basis of the consent that you have provided to the FIAU, where this is required.
Legitimate Interest – To ensure controlled access and risk mitigation.
To ensure swift response and emergency preparedness.

Once the FIAU’s retention periods lapse, data will be disposed of in an efficient manner ensuring that such information is no longer available within the FIAU. Requests for the FIAU’s envisaged periods of data retention may be forwarded to the FIAU’s Data Protection Officer, and in cases where disclosure is not possible, the criteria used to determine this period will be communicated.

5. WHO THE FIAU SHARES YOUR DATA WITH

Your personal data may be disclosed to those authorities which the PMLFTR considers to be supervisory authorities or any other body or authority having supervisory or regulatory functions, as well as to those authorities which the PMLFTR considers to be competent authorities, as the case may be, when the FIAU is of the view that this disclosure or exchange of information would assist the FIAU in ensuring that the financial sector and other relevant sectors are not used for criminal purposes or to safeguard their integrity.

Disclosure by the FIAU can also be made to the Commissioner of Police or other third parties, including any foreign body, authority or agency, including counterpart financial intelligence units, in pursuance of its functions at law. In terms of the PMLA, the FIAU is required to forward the analytical reports to the Commissioner of Police for further investigation if the FIAU has reasonable grounds to suspect that the transaction or activity is suspicious and could involve money laundering or funding of terrorism or property that may have been derived from, or constitutes the proceeds of, criminal activity. Furthermore, the FIAU is also empowered to disseminate the information to other local or foreign authorities or counterpart FIUs.

When the FIAU shares or discloses your personal data to the aforementioned bodies or authorities, these authorities or bodies are consequently rendered Data Controllers of your personal data.

Some of the bodies or individuals to whom the FIAU may disclose personal data are situated outside of the European Union. In the event that the FIAU transfers personal data outside of the EU, it will ensure that the conditions laid down in Data Protection Legislation are complied with.

The FIAU may also share personal data with third-party service providers, including cloud storage providers, website hosting providers, consultants and legal service providers situated in or outside Malta. Personal data is shared with third-party service providers only to the extent that such data is required for the provision of the services requested by the FIAU and that the service provider is compliant with Data Protection Legislation.

6. YOUR RIGHTS

In terms of the Data Protection Legislation, under certain circumstances, you have the following rights (“Data Subject Rights”) in relation to your personal data processed by the FIAU:

Right to access: The right to access and be provided with a copy of your personal data.
Right to data portability: The right to receive your personal data which you provided to us, in a structured, commonly used and machine-readable format and the right to transmit that data to another data controller in certain circumstances.
Right to erasure: The right to require the FIAU to delete your personal data in certain circumstances.
Right to object to processing: The right to object to the processing of your personal data in certain circumstances.
Right to rectification: The right to require the FIAU to correct any inaccurate personal data about you.
Right to restriction of processing: The right to require the FIAU to restrict processing your personal data in certain circumstances.

In accordance with Data Protection Legislation, the FIAU has the right to restrict the aforementioned rights where necessary and proportionate so as not to disturb or jeopardise the prevention, detection, analysis and/or investigation of money laundering and the funding of terrorism. Thus, the FIAU reserves the right to restrict data subject rights and not to disclose the information it holds and processes about you, including the reasons why this information is being held.

To exercise any of these rights, a request must be made in writing and sent to the FIAU’s Data Protection Officer at [email protected]. Your identification details, such as ID number, name and surname, have to be submitted with the request. A copy of your identification document is also to be submitted. The FIAU may request further documentation or information to verify the identity of the person making the request, such as requesting a photo to be taken of the subject person holding a photo identification document clearly showing the name, identification number and facial photo on the document. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

When the FIAU is in a position to adhere to data subject requests, the FIAU aims to comply as quickly as possible and will ensure that your request is fulfilled within a reasonable timeframe, and this by not later than one (1) month from receipt of the request. This notwithstanding, the FIAU reserves the right to extend such period where necessary and justified. In such a scenario, the FIAU will inform you of the extension and the reasons for the delay within one (1) month of receipt of the request.

7. HOW LONG DOES THE FIAU KEEP YOUR PERSONAL DATA?

The FIAU will retain your personal data in line with the requirements of Data Protection Legislation, and will therefore not retain data for longer than is necessary. Once retention periods lapse, data will be securely disposed of in an efficient manner, ensuring that such information is no longer available within the FIAU.

8. HOW DOES THE FIAU KEEP YOUR DATA SECURE?

The FIAU takes all necessary technical and organisational measures to safeguard all its data, and to prevent unauthorised access. Personal data will be processed securely, having measures in place to prevent your data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. For example, during registration and log-in, the FIAU’s website uses Secure Sockets Layer (SSL) technology to ensure the secure transmission of your personal data. In addition, the FIAU limits access to your personal data to those employees, contractors and other third parties on a strict need-to-know basis. They will only process your personal information on the FIAU’s instructions.

9. LINKS

Any links within the FIAU’s website to other sites not operated by the FIAU are not covered by this Privacy Notice. The FIAU has no control over how your data is collected, stored, or used by other websites. You are therefore advised to check the privacy notices of such third-party websites before providing any data thereon.

10. CHANGES TO THIS PRIVACY NOTICE

The FIAU may update this Privacy Notice from time to time as deemed necessary to match its practices or meet new legal requirements. You are advised to review this Privacy Notice periodically for any changes. If there are any changes to this Privacy Notice, the FIAU will replace this webpage with an updated version.

You will find an update notice on the website when substantive changes are made, and a notice date will be indicated at the end of each Privacy Notice.

Changes to this Privacy Notice are effective when they are posted on this webpage.

11. DATA PROTECTION OFFICER

Any queries in relation to your rights under Data Protection Legislation, this Privacy Notice and the usage of your personal data by the FIAU may be forwarded to the FIAU’s Data Protection Officer.

The FIAU’s Data Protection Officer may be contacted at:

Trident Park, No. 5,
Triq l-Mdina,
Central Business District, Birkirkara,
CBD 2010

Telephone: 21231333
Email Address: [email protected]
Contact Form: Contact Us

Notwithstanding the above, it is important to note that the rights of data subjects are tied to certain conditions and limitations that are stipulated within the Data Protection Legislation.

12. THE INFORMATION AND DATA PROTECTION COMMISSIONER

The FIAU endeavours to protect your personal data and to assist you in the exercise of your rights. The FIAU is therefore open to resolve any concern that you may have about the processing of your personal data directly with you. However, you have the right to lodge a complaint with the Office of the Information and Data Protection Commissioner which may be contacted at:

Level 2 Airways House
High Street
Sliema SLM 1549

Telephone: 23287100

Last updated on 1st March 2024