We at Izola Bank are committed to safeguarding your privacy at all times.
This policy applies where we are acting as a data controller with respect to your personal data; in other words, where we determine the purposes for and means of processing of your personal data.
In this policy, “we”, “us” and “our” refer to “the Bank, Izola Bank”.
Izola Bank is licensed as a credit institution in terms of the Banking Act (Cap. 371 of the Laws of Malta).
We may update this policy from time to time by publishing a new version on our websites. You should check this page occasionally to ensure that you are happy with any changes to this policy.
We may notify you of changes to this policy by email or other means.
We (the Bank, Izola Bank plc, the data controller) are registered in Malta under registration number C-16343, and our registered office is at 53-58, East Street, Valletta, VLT1251.
You can contact us:
General categories of personal data that we may process include:
Depending on the purpose of our processing activity, the processing of your personal data is:
We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose. In particular, we process personal data to:
Personal data will not be used for any decision solely taken on the basis of automated decision-making processes, including profiling, without human intervention. Prior to the provision of the Bank’s services, we may collect information from you in order to, amongst others, comply with our obligations at law, determine your risk profile and/or for any other purpose connected with the agreement of service. We may process your personal data on the basis of and/or pursuant to the performance of such agreement and/or the performance of our obligations at law. As stated, no automated decision will result from our use of such systems.
We may disclose your personal data to any member of our group of companies, which means our ultimate holding company and all its subsidiaries, insofar as reasonably necessary for the purposes as set out in this policy.
In respect of home loan services, personal data may be exchanged between ourselves and authorised credit intermediaries of the Bank.
We may also disclose your personal data to third parties where lawful to do so. Such third parties may be:
In this section, we provide information about the circumstances in which your personal data may be transferred to countries outside the European Economic Area (“EEA”).
Your personal data may be transferred to other controllers or processors, and/or stored in locations outside the European Economic Area (EEA), including countries that may not have the same level of protection for personal information. When we do this, we’ll ensure that the transferee has an appropriate level of protection and that the transfer is lawful. We may need to transfer your information in this way to carry out our contract with you, to fulfil a legal obligation, to protect the public interest and/or for our legitimate interests e.g. for tax authorities or anti-money laundering.
We have ensured the lawful processing of your personal data by putting in place the appropriate safeguards in accordance with the applicable privacy laws. With our data processors we have included EU Model Clauses in their service agreements and/or considered the applicability of the Privacy Shield protection for US-based processors.
Even in these cases, we will only share your information with people who have the right to see it.
You can obtain more details of the protection given to your information when it is transferred outside the EEA by contacting us using the details provided in the controller’s details section.
This section sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of your personal data.
Your personal data that we process for any purpose shall not be kept for longer than is necessary for that purpose, unless other overriding regulations oblige the Bank to hold such data for longer.
As a general overview and also as set out in the GDPR banking industry guidelines issued by the Malta Banking Association (MBA), the Bank’s retention policy for banking operations is as follows:
Documentation to be kept in terms of Article 163 of the Companies Act / Article 19 of the Income Tax Management Act.
10 years, starting from the end of the relative financial year.
10 years from the date of the transaction.
10 years from the date of closure of the account.
10 years from the date of recording if this is the only proof of a debit authority or of a contract.
Otherwise, maximum 30 days, but
If recordings are used for training purposes, retention period is at bank’s discretion, provided recordings are suitably edited.
Maximum 30 days for customer-facing footage (unless footage is required in connection with an ongoing investigation).
Maximum 90 days for back-office operations footage.
Periodically reviewed records (e.g. attendance, vacation leave, sick leave)
Records kept for the entire duration of the employment relationship:
Payroll and other financial records
Other employment records
1 year is deemed sufficient, unless specific disputes arise.
10 years following termination of employment.
Maximum 5 years following termination of employment.
At bank’s discretion, provided no personal data which is not public is contained therein.
Deceased Customers’ Files
10 years from when the account balance was fully distributed to the heirs.
6 years from date of transaction.
6 years from the date when the account is closed.
Obsolete Collateral (Security) Item
6 years from the date when the item was discharged.
Advances Files (Including “Classified Debt” files)
6 years from the date when the facility has been closed (unless legal proceedings are in train).
Note: “Old” advances files, other than files relating to home loans, need not be retained for more than 30 years, even if facilities to the customer concerned have been ongoing.
Fact finds, KYC records or similar investment-related reviews, portfolio management instructions, statements of compliance, etc.
Other documentation related to the sale of investment products
6 years after the end of the investment relationship.
6 years from the date when the sale was concluded.
Documentation related to Home Loan products
To be retained for the duration of the service plus a period of six years thereafter.
Documentation related to all other contracts (e.g. safe deposit lockers, guarantees issued by the banks, letters of credit, etc.)
6 years from the date when the contract is terminated, paid off or expired.
Where we process your personal data and that processing is based solely on consent, your personal data shall be deleted upon your withdrawal of such consent, or, at the point where the purpose for holding your personal data is no longer valid.
These cookies enable the user to have the best possible service when browsing the websites.
Performance and tracking cookies are used to further improve the websites. These cookies collect information about how the websites are being used (for example, which pages are most visited). All information gathered is anonymous and no personal data is obtained which might identify you as an individual.
These cookies are used to memorize options that you choose (such as user name, language or the region). The information these cookies collect is anonymous and they cannot track your browsing activity on other websites.
These expire when you close the browser, after a period of inactivity, or when you log off from online banking.
To ensure that we can provide suitable content to meet your needs, all cookies must be enabled. You will not be able to utilize our online internet banking if you opt out of all cookies from the portal.
For more information about cookies please refer to www.allaboutcookies.org.
We shall implement and maintain appropriate and sufficient technical and organizational security measures, taking into account the nature, scope, context and purposes of the processing, to protect your personal data against any unauthorized, accidental or unlawful destruction or loss, damage, alteration, disclosure or access to personal data transmitted, stored or otherwise processed and shall be solely responsible to implement such measures.
We shall ensure that our staff who process your data are aware of such technical and organizational security measures and we shall ensure that such staff are bound by a duty to keep your personal data confidential.
The technical and organizational security measures in this clause shall mean the particular security measures intended to protect your personal data in accordance with any privacy and data protection laws.
If you are a trader, a company, an intermediary or other corporate entity, and you supply us with personal data of third party data subjects such as your employees, affiliates, service providers, customers or any other individuals connected to your business, you shall be solely responsible to ensure that:
You hereby fully indemnify us and shall render us completely harmless against all costs, damages or liability of whatsoever nature resulting from any claims or litigation (instituted or threatened) against us as a result of your provision of said personal data to us.
In this section, we have summarized the rights that you have under the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”). Due to the complexities of some of the rights, not all of the details found at law have been included in this policy with respect to your rights. Should you require any clarification please contact our DPO (Data Protection Officer). We also refer you to the relevant privacy laws and guidance from the regulatory authorities for a full explanation of these rights, including but not limited to the GDPR and the Data Protection Act, Chapter 440 of the Laws of Malta, as may be amended from time to time (the “Applicable Privacy Laws”).
For as long as we retain your personal data, you have certain rights under the applicable privacy laws, including:
Please note that your rights in relation to your personal data are not absolute and we may not be able to entertain such a request; for instance, if we are prevented from doing so in terms of a statutory obligation imposed on us by law.
You may exercise any of your rights in relation to your personal data, where applicable, through the online portal facility, or, if such facility is not applicable or available, by sending an email directly to the Bank’s DPO (Data Protection Officer). The details of the Bank’s designated DPO are given below.
Our data protection officer will be available to respond to any data protection related requests and queries you may have. If you wish to contact the DPO, please do so by sending an email to [email protected].