Privacy Policy
Data Protection Policy
The Financial Intelligence Analysis Unit (FIAU) is a government agency set up under the Prevention of Money Laundering Act (PMLA), and is responsible for the collection, collation, processing, analysis and dissemination of information to combat money laundering and the financing of terrorism.
The General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act (Cap 586) (Data Protection Legislation) regulate the processing of personal data, whether held electronically or in manual form. The FIAU is set to fully comply with the Data Protection Principles as set out in this Data Protection Legislation.
By using the FIAU’s website, including the Compliance and Supervision Platform for Assessing Risk (CASPAR), you indicate that you have understood and accept the content of this Data Protection Policy.
Purpose for Collecting Data
The FIAU collects and processes information to carry out its obligations in accordance with present legislation, particularly the PMLA and the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR). All data is collected and processed in accordance with Data Protection Legislation, the PMLA, the PMLFTR and any binding procedures issued thereunder.
Therefore, it is the duty and responsibility of the FIAU to process all the data and information as may be required to effectively safeguard the financial sector and other relevant sectors from being misused for money laundering and the funding of terrorism from or within Malta, as well as to safeguard their integrity.
Data Controller and Recipients of Data
The FIAU is the data controller of this website (www.fiaumalta.org) (FIAU’s website), which is to be understood as including CASPAR (https://caspar.fiaumalta.org).
When determining the purposes and means of the processing of this personal data, the FIAU acts as the Data Controller for the purposes of Data Protection Legislation.
The FIAU is committed to protecting the privacy of those individuals who use its website and those who submit personal data to the FIAU in any manner or form.
Personal Information is accessed by the employees who are assigned to carry out the functions of the FIAU.
Your data, with the inclusion of personal data, may be disclosed to those authorities which the PMLFTR considers to be supervisory authorities or any other body or authority having supervisory or regulatory functions, as well as to those authorities which the PMLFTR considers to be competent authorities, as the case may be, when the FIAU is of the view that this disclosure or exchange of information would assist the FIAU in ensuring that the financial sector and other relevant sectors are not used for criminal purposes or to safeguard their integrity.
Disclosure by the FIAU can also be made to the Commissioner of Police or other third parties, including any foreign body, authority or agency, including counterpart financial intelligence units, but only as authorised by law.
The FIAU discloses your data to other bodies or authorities where it is legally required or permitted to do so in terms of Article 34 of the PMLA. These disclosures or exchanges of information are necessary for the FIAU to carry out its functions as described in Article 16 of the PMLA, and are specifically regulated by Articles 27, 27A, 27B and 31 of the PMLA.
When the FIAU shares or discloses your data to the aforementioned bodies or authorities, these authorities or bodies are consequently rendered Data Controllers of your data.
Your Rights
Restriction by the FIAU of Data Subject Rights
Where necessary and proportionate so as not to disturb or jeopardise the prevention, detection and investigation of money laundering and the funding of terrorism, the FIAU reserves the right to restrict data subject rights and not to disclose the information it holds and processes about you, including the reasons why this information is being held.
Adherence by the FIAU to Data Subject Rights
In the remainder of cases or scenarios where the FIAU does not consider it necessary to restrict data subject requests, you have the right to access any personal information held about you by the FIAU. Furthermore, in the cases or scenarios mentioned, you are entitled to know what type of information the FIAU holds and processes about you and why, who has access to it, how it is held and kept up to date, for how long it is kept and what the FIAU is doing to comply with Data Protection Legislation.
Data subject requests are to be made in writing and sent to the FIAU’s Data Protection Officer at [email protected]. Your identification details, such as ID number, name and surname, have to be submitted with the request. A copy of your identification document is also to be submitted. The FIAU may request further documentation or information to verify the identity of the person making the request, such as a photo of the subject person holding a photo identification document that clearly shows the name, identification number and facial photo on the document. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
The first copy of data being processed by the FIAU shall be provided free of charge. The FIAU reserves the right to charge a reasonable fee to provide additional copies or to reply to repetitive or excessive requests to cover administrative costs it incurs.
When the FIAU is in a position to adhere to data subject requests, the FIAU aims to comply as quickly as possible and will ensure that your request is fulfilled within a reasonable timeframe. In any case, the FIAU will comply with data subject requests not later than one month from receipt of the request, unless there is good reason for delay. When data subject requests cannot be met within a reasonable time, the reason will be explained in writing to the data subject making the request. Should there be any data breaches, the data subject will be informed accordingly.
Where the FIAU is in a position to adhere to data subject requests, data subjects have the right to request that their information be amended, erased or not used in the event that the data proves to be incorrect.
In case you are not satisfied with the outcome of your request, you may refer a complaint to the Information and Data Protection Commissioner, whose contact details are provided below.
Data Collected by the FIAU
The FIAU’s website and Log Information
The FIAU’s website does not automatically retrieve, capture or store information on the person who is browsing it, other than session information, like the type of browser used, the date and time of the visit, the duration of the visit, the request for webpage and download, and whether requests were successful or not. This information is collected and stored as a server log. Any such data is not linked to Personal Identifiable Information (PII). The Internet Protocol (IP) address of users of the FIAU’s website is not recorded as part of the session information.
The above-mentioned information, which is documented as a server log, may be accessed by the service provider for system administration purposes and to provide the FIAU with statistics on the use of the website, including visitor numbers, traffic sources and content access information.
Cookies
The FIAU’s website uses cookies solely to track the user session. These would expire on logout or twenty-four (24) hours after the last request was made. The cookies are not retained. The only exception relates to CASPAR, where a returnuser cookie is dropped to identify users of the website.
The FIAU’s website, including CASPAR, does not have or make use of any third-party cookies.
Personal Data
Your personal data is collected through:
- Registration on the FIAU's website;
- Registration of Applicants on CASPAR;
- The creation of Subject Persons on CASPAR;
- Onsite and off-site visits carried out by the Compliance section of the FIAU;
- The submission of Suspicious Transaction Reports ("STRs");
- Payment transactions made on CASPAR;
- Payment transactions made on the FIAU Training Portal;
- Newsletter subscriptions through the FIAU's website.
The following schedule outlines the Personal Data and Personal Identifiable Information ("PII") which may be collected by the FIAU.
PII collected
Justification
1. Registrations on the FIAU Website
Data collected by the FIAU:
Name
Surname
ID/Passport Number
E-mail Address
Telephone Number
Username
Personal information submitted to the FIAU upon registration is only processed to authorise and allow you to fulfil your obligations and submit specific documentation to the FIAU as required under Regulation 19 of the PMLFTR.
2. Registration of Applicants on CASPAR
Data collected by the FIAU:
Title, first name, last name
Designation
Date of Birth
Country of Residence
Nationality
Identification Document number, expiry date, and country of its issue
Contact number
Email address
Regulation 19 of the PMLFTR vests in the FIAU the authority to require subject persons to submit periodical reports on the measures and procedures they maintain and to provide any other information or documents as the FIAU may deem necessary.
3. Registration of Subject Persons on CASPAR
Data collected by the FIAU:
Name of MLRO/Designated Employee Appointment Date
Email
Phone number
Designation of contact
Regulation 19 of the PMLFTR vests in the FIAU the authority to require subject persons to submit periodical reports on the measures and procedures they maintain and to provide any other information or documents as the FIAU may deem necessary.
4. Data collected by the Compliance section of the FIAU through onsite and off-site visits
Data collected by the FIAU and data which may be passed on by relevant supervisory authorities where these conduct an onsite or off-site AML/CFT examination on behalf of or jointly with the FIAU:
- Publicly available information, such as shareholder details obtained through the Registry of Companies ("ROC")
- Information and documents pertaining to a select sample of the subject person's customers, which may include the following personal data:
  1. Where these are natural persons:
     - Title, first name, last name
     - Designation
     - Date of Birth
     - Country of Residence
     - Nationality
     - Identification Document number, expiry date, and country of its issue
     - Contact number
     - Email address
  2. Where these are legal persons:
     - Email
     - Phone number
     - Designation of contact
- Transactional data which may include:
  - Corporate or individual details of third parties involved in the transaction
  - Source of the origin of funds, such as full names and details of banks and other institutions
  - Credit card details of clients and other third parties linked with clients' transactions, which may include card number, card holder full name, card expiry date
  - IP address
  - Email address
  - Transaction information
- Wealth information and documentation which may contain PII on third parties.
Article 16(1)(c) of the PMLA vests in the FIAU the function to monitor compliance by subject persons and to co-operate and liaise with supervisory or regulatory authorities.
Article 27(3) of the PMLA enables the FIAU to request a supervisory authority, having supervisory powers over certain categories of subject persons (such as the MFSA and the MGA) to carry out onsite or off-site AML/CFT examinations on behalf of or jointly with the FIAU. In all cases where onsite and off-site examinations are conducted by those authorities which the PMLFTR considers to be Supervisory Authorities, the findings of the examination are reported to the FIAU and the FIAU determines whether any subsequent administrative action is necessary.
5. Financial Analysis
Personal data processed and collected by the FIAU on reporting persons and the subjects of a financial analysis:
- Title, first name, middle name and last name
- Gender
- Date of birth
- Nationality
- Identification document, number and its expiry date
- Residential address, including country of residence
- Bank account and transactional details
- Known occupation and employment history
- Whether politically exposed
- Whether a known terrorist or a suspect
- Details on the business relationship between the reporting person and the subject of the STR, including the service(s) offered, the status of business, the date of establishment of the business relationship and where applicable, its date of termination
- First name and last name of UBOs (where applicable)
- The reporting person’s reference number
- Any other details held by the reporting entity on subjects of STRs.
Article 16(1)(a) of the PMLA grants the FIAU the function to receive, supplement, and analyse STRs and draw up analytical reports on the results of such analysis.
On the basis of its functions under Article 16 of the PMLA, particularly Article 16(1)(b), and in accordance with the provisions of Article 31 of the PMLA, the FIAU is required to forward the analytical reports mentioned above to the Commissioner of Police for further investigation if the FIAU has reasonable grounds to suspect that the transaction or activity is suspicious and could involve money laundering or funding of terrorism or property that may have been derived from, or constitutes the proceeds of, criminal activity.
PII collected by Payment Transactions
Retention Period
Justification
1. Payment transactions made on CASPAR
Collected by the FIAU:
First five (5) and last four (4) digits of the card number provided
Card expiry date
Card holder full name
Registration country
Email address
Collected by the Service Provider:
Credit card number
Card expiry date
Card holder full name
Registration country
Email address
Service Provider shall store and retain transactional information for eighteen (18) months as from the date of the transaction.
The FIAU may charge fees in respect of its supervisory functions as laid out in Article 35(a) of the PMLA.
2. Payment transactions made on the FIAU Training Portal
Collected by the FIAU:
First six (6) and last four (4) digits of the card number provided
Card expiry date
Card holder full name
Email address
IP address
Collected by the Service Provider:
Card number provided
Card expiry date
Card holder full name
Email address
IP address
Service Provider shall store and retain card numbers for one hundred and twenty (120) days from last transaction. The remaining transactional information shall be stored and retained by the Service Provider for twelve (12) months as from the date of the transaction.
Attendees are under no obligation to attend training provided by the FIAU. The FIAU collects the mentioned information so as to be able to determine if attendees have effected payment.
3. Newsletter subscriptions through the FIAU's website
Collected by the FIAU:
Email address provided by subscriber
The email address used to subscribe to the newsletter shall be retained until the subscriber opts to unsubscribe.
The email address provided when subscribing, which is submitted entirely voluntarily and based on consent, is necessary in order for the FIAU to be able to transmit the contents of the newsletter. Subscribers may unsubscribe at any time by clicking on a link in any email received through the newsletter.
Once the FIAU's retention periods lapse, data will be disposed of in an efficient manner ensuring that such information is no longer available within the FIAU. Requests for the FIAU's envisaged periods of data retention may be forwarded to the FIAU's Data Protection Officer, and in cases where disclosure is not possible, the criteria used to determine this period will be communicated.
Security Measures taken by the FIAU
The FIAU takes all necessary technical and organisational measures to safeguard all its data, including personal data and PII, and to prevent unauthorised access.
During registration and log-in, the FIAU’s website uses Secure Sockets Layer (SSL) technology to ensure the secure transmission of your personal data.
Links
This Data Protection Policy covers and is limited to the FIAU’s website and CASPAR, and their users. Any links within the FIAU’s website to other sites not operated by the FIAU are not covered by this Data Protection Policy.
Changes to this Data Protection Policy
The FIAU may update this Data Protection Policy from time to time.
You are advised to review this Data Protection Policy periodically for any changes. If there are any changes to this Data Protection Policy, the FIAU will replace this webpage with an updated version.
Changes to this Data Protection Policy are effective when they are posted on this webpage.
Data Protection Officer
Any queries in relation to your rights under Data Protection Legislation, the FIAU’s Data Protection Policy and the usage of your personal data by the FIAU may be forwarded to the FIAU’s Data Protection Officer. It is important to note that the rights of data subjects are tied to certain conditions and limitations that are stipulated within the Data Protection Legislation itself and are further limited under other legislation, as noted above.
The FIAU’s Data Protection Officer may be contacted at:
Trident Park, No. 5,
Triq l-Mdina,
Central Business District Birkirkara,
CBD 2010
Telephone: 21231333 or by using the contact form here.
The FIAU endeavours to protect your personal data and to assist you in the exercise of your rights. If you are not satisfied with the FIAU’s response or action, you have a right to lodge a complaint with the Information and Data Protection Commission in terms of the GDPR.
The Information and Data Protection Commissioner
The Information and Data Protection Commissioner may be contacted at:
Level 2 Airways House
High Street
Sliema SLM 1549
Telephone: 23287100