Privacy Notice and Cookie Notice

Privacy Notice

Version: June 2021

Sparkasse Bank Malta public limited company (the “Bank”, “we” or “us”) has prepared this Privacy Notice in order to provide information on the personal data we collect and process when visiting our website, in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679; “GDPR”) and the Maltese Data Protection Act (Chapter 586 of the Laws of Malta).

Sparkasse Bank Malta public limited company, whose registered address is 101, Townsquare, Ix-Xatt ta' Qui-si-Sana, Sliema SLM3112, Malta, is the data controller of your personal data in terms of the GDPR, which means that it determines the purpose (why) and means (how) of the processing of personal data.

We have appointed a Data Protection Officer, who can be contacted at dpo@sparkasse-bank-malta.com

A specific privacy notice applies to the Spar Key App (the “App”) and the Online Services to which the App gives access (the Spar Key Privacy Notice, available on our website). Other notices and information are available to customers and individuals connected to them and may be given separately for particular products or services or for specific purposes, e.g. the use of cookies on our website or CCTV monitoring at the Bank’s offices.

When we refer to “personal data”, this means any information in relation to an identified or identifiable individual (natural person), who is referred to as the “data subject”. The term “processing” includes various types of operations such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of personal data.

What personal data do we process?

We collect the personal data you provide us voluntarily via the data collection points on our website, e.g. e-mail, online login, contact-us forms and newsletter subscription, if applicable. The personal data collected may include name, surname, telephone or mobile number, e-mail address and login details for Online Services. Information on the processing of personal data related to customers and other users of the Online Services is given in the General Data Protection Notice to Customers and the Spar Key Privacy Notice, available on our website.

We also collect details of your visits to the site, such as traffic data, site information, weblogs, and other communication data.

Failure to provide certain personal data will prevent you from using certain features of the website.

When you use links provided on our website in relation to organisations of which we are a member or sponsor or to social media websites, you are being redirected to third party websites, over which we have no control. We encourage you to read and refer to their respective privacy notices.

Why do we process personal data?

We process your personal data to respond to your enquiries and to allow you to use our website. We may also use your personal data to improve user experience.

We may need to share data with our service providers, with whom we would have established safeguards to protect your data. Further information can be requested by sending us an e-mail at dataprotection@sparkasse-bank-malta.com

The legal basis for processing your personal data collected through our website will be one or more of the following:

to enter into or perform a contract, including the Bank’s Terms of Use of the website and other specific agreements which may be entered into for the provision of services or products by the Bank, including the use of the App and the Online Services;
compliance with a legal or regulatory obligations to which the Bank is subject;
legitimate interests to protect our website or services from abuse, prevent fraud and manage cyber security risks. This also allows us to ensure the security, integrity, accessibility and availability of our website and services;
consent to the processing of personal data for one or more specific purposes (e.g. marketing), if applicable

If you wish to receive more information on the Bank’s processing of personal data for the provision of its services, please refer to our General Data Protection Notice to Customers available on our website.

Cookies and Widgets

We use cookies on our website and for our Online Services. A cookie is a small file stored on the browser of the person who accesses the website or the Online Services. For information about the use of cookies, please refer to our Cookie Notice.

For information about processing of personal data in connection with the App and the Online Services, please refer to the Spar Key Privacy Notice.

For security purposes, we have integrated Google reCaptcha on our website: this tool will collect some personal data related to your browser window, in order to confirm that you are a human and not a bot. For further information, please refer to Google’s Privacy Policy and Terms of Service.

Our website may feature links to social media websites or social media widgets, such as the LinkedIn “connect with us” button. These social media features are either hosted by a third party or directly on our website. When using these links or widgets, or our respective pages on these providers' platforms, we encourage you to read and make reference to the service provider’s privacy notice.

Sharing of personal data

We will keep information related to visitors and users of the website confidential but may share personal data with third-party service providers which help us in operating the website.

A list of such service providers is available upon request.

International transfer of personal data

In certain cases, personal data may be transferred to a third country (that is, a country which is not an EEA State) or an international organisation.

Personal data may also be transferred to third countries by third parties and authorities.

The Bank may transfer data to a third country or international organisation, where the European Commission has decided that the third country or the international organisation in question ensures an adequate level of protection, or in the absence of such decision, adequate safeguards are provided for (for example, by means of standard data protection clauses approved by the European Commission, and additional measures if required). In the absence of an adequacy decision by the European Commission or appropriate safeguards, the transfer may only take place in specific situations, for example, where the data subject explicitly consents to the proposed transfer or the transfer is necessary for the performance of a contract.

Marketing Communications

We may offer marketing communications via a newsletter subscription, to provide you with information about our services and products. If we do so, we will require your explicit consent. The information collected through marketing activities enables the Bank to improve its services and provide subscribers with information on its products and services. As a rule, the Bank we will not send any unsolicited communications by means of an automatic calling machine, fax, or electronic mail (including via the Online Services) for third parties or other direct marketing purposes, unless prior consent in writing is given. You will be able to withdraw your consent to receiving marketing communications any time and at no cost by sending us an email at dataprotection@sparkasse-bank-malta.com

Data storage

Personal data related to the use of the website will be stored on servers located within the EU. These servers may in turn be accessed through encrypted connections over the internet. In order to ensure the security of the information we keep, we have adopted security measures and use service providers which ensure an adequate level of security.

The period for which the Bank stores personal data will depend on the type of information held, the purpose and legal basis for processing and the legal or regulatory requirements that may apply to the retention of information and record keeping.

The Bank determines the time for which data are stored (retention periods) primarily on the basis of the legal and regulatory obligations to which it is subject. Data may be held for a longer period if the Bank is requested to do so by a competent authority, court or law enforcement agency or to pursue or defend legal claims.

Information on retention periods for cookies is given in our Cookie Notice.

Data subjects’ rights

An individual has certain rights regarding his or her personal data, subject to applicable law. Data subjects’ rights under the GDPR include:

1. Right of access

Individuals have the right to request the Bank to confirm whether or not personal data concerning him or her are being processed. If it is confirmed that the Bank processes his or her personal data, the data subject has the right to request access to the personal data and the following information:

(i) the purposes of processing;
(ii) the categories of personal data concerned;
(iii) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(iv) where possible, the envisaged period for which the personal data will be stored, or if not possible, the criteria used to determine that period;
(v) the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(vi) the right to lodge a complaint with a supervisory authority;
(vii) where the personal data are not collected from the data subject, any available information as to their source.

Where personal data are transferred to a third country or to an international organisation, the data subject also has the right to be informed of the appropriate safeguards relating to the transfer.

2. Right to request rectification

Data subjects have the right to request the Bank to rectify inaccurate personal data concerning him or her without undue delay. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

3. Right to request erasure (“right to be forgotten”)

Data subjects have the right to request the Bank to erase personal data concerning him or her without undue delay. However, the Bank is only required to erase personal data upon request, on one of the following grounds:

(i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(ii) the data subject withdraws consent on which the processing is based (see below), and where there is no other legal ground for the processing;
(iii) the data subject objects to the processing (see below) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes;
(iv) the personal data have been unlawfully processed;
(v) the personal data have to be erased for compliance with a legal obligation in EU or national law to which the Bank is subject;
(vi) the personal data have been collected in relation to the offer of information society services to a child.

The right to erasure does not apply, and the Bank is not required to erase personal data, to the extent that processing is necessary for exercising the right of freedom of expression and information, compliance with a legal obligation which requires processing by EU or national law to which the Bank is subject or the establishment, exercise or defence of legal claims.

4. Right to restriction of processing

Data subjects have the right to request the Bank to restrict processing where one of the following applies:

(i) the accuracy of the personal data is contested by the data subject, for a period enabling the Bank to verify the accuracy of the personal data;
(ii) the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(iii) the Bank no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(iv) the data subject has objected to processing (see below) pending the verification whether the legitimate grounds of the Bank override those of the data subject.

Where processing has been restricted, the personal data will (with the exception of storage) be processed only: (a) with the data subject's consent, (b) for the establishment, exercise or defence of legal claims, (c) for the protection of the rights of another natural or legal person, or (d) for reasons of important public interest of the EU or of a Member State.

5. Right to data portability

Data subjects have the right to receive the personal data concerning him or her, which he or she has provided to the Bank, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the Bank, if the following conditions are met:

(i) the processing is based on consent or on a contract; and
(ii) the processing is carried out by automated means.

In exercising his or her right to data portability, the data subject has the right to have the personal data transmitted directly from the Bank to another controller, where technically feasible.

6. Right to object to processing

A data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on legitimate interests pursued by the Bank or a third party, including profiling based on such ground. The Bank is required to no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing.

7. Rights in relation to automated decision-making, including profiling

The Bank has certain systems in place that may result in decisions being taken based on automated processing, including profiling, that could significantly affect the data subject concerned. Such systems may be used in relation to Customers and users of the Spar Key App; further information in this regard is given in the General Data Protection Notice to Customers and Spar Key Privacy Notice, available on our website.

If automated decision-making is necessary for the performance of a contract or based on consent, the data subject has the right to obtain human intervention, to express his or her point of view and to contest the decision.

8. Right to withdraw consent

In cases where personal data are processed based on consent, the data subject has the right to withdraw his or her consent at any time and at no cost. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

9. Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a supervisory authority. In Malta, this is the Office of the Information and Data Protection Commissioner; its contact details are available from, and complaints can be submitted via, the IDPC website.

For a list and contact details of national supervisory authorities within the EEA (Data Protection Authorities or DPAs), please visit https://edpb.europa.eu/about-edpb/board/members_en

Any request regarding the exercise of data subjects’ rights must be made by the data subject or a person duly authorised by him or her, in writing, by mail or e-mail, using the contact details set out below. The Bank facilitates the exercise of data subjects’ rights by making available a request form on its website or upon request. We will do our best to comply with your request within a month from confirmation of your identity; such period may be extended to two months, in the event of complex, repetitive or excessive requests. We will notify you if such case occurs, explaining the reason for the delay. We may also charge you a reasonable fee in the case of repetitive requests.

Updates to this Notice

This Notice may be amended from time to time, for example, if there are changes in the processing activities of the Bank, due to legal and regulatory developments or guidance issued by a competent authority or to clarify information given.

A copy of the latest version of this Notice will be available from our website and will be provided upon request (our contact details are given below). If changes to this Notice have a significant impact on the nature of processing or data subjects concerned, we will give advance notice.

Contact information

Individuals who have any questions about this Notice or would like more information about their rights or wish to exercise them, may submit a request by e-mail to: dataprotection@sparkasse-bank-malta.com; or by mail to: Attn: Compliance Department; Sparkasse Bank Malta p.l.c.; 101 Townsquare, Ix-Xatt ta' Qui-si-Sana; Sliema SLM3112; Malta

The contact details of the Bank’s Data Protection Officer (DPO) are:

E-mail: dpo@sparkasse-bank-malta.com

Mail: The Data Protection Officer; Sparkasse Bank Malta plc.; 101 Townsquare, Ix-Xatt ta' Qui-si-Sana; Sliema SLM3112; Malta.

Sparkasse Bank Malta public limited company is a public limited liability company registered under the laws of Malta, with registration number C27152 and with registered office and head office at 101 Townsquare, Ix-Xatt Ta’ Qui-Si-Sana, Sliema SLM 3112, Malta.

Sparkasse Bank Malta public limited company is licensed by the Malta Financial Services Authority to carry out the business of banking as a credit institution in terms of the Banking Act (Chapter 371 of the Laws of Malta), and to provide certain investment services in terms of the Investment Services Act (Chapter 370 of the Laws of Malta). The MFSA maintains a register of licence holders on its website: www.mfsa.com.mt

Cookie Notice

Version: April 2021

The purpose of this notice is to inform you about the cookies that we use on our website, and their purpose.
We are required to obtain your consent for certain cookies.

What are cookies?

Cookies are small files which are stored by your browser on your computer, tablet or smart phone. Each cookie is designed to hold different types of data specific to a particular user (yourself) and the website (us).

Cookies can be categorised as essential or non-essential.

Essential cookies are required for the proper operation of the website and collect very little data about you. We are not required to obtain your consent to the use of these cookies. If you prevent these cookies, you may not be able to use the website or certain functions and we cannot be certain that our website security controls will function properly during your visit.

Essential cookies can be sub-divided as follows:

Strictly necessary
These cookies let you move around the website and use its essential features. These cookies do not collect data that can be used for marketing or remembering where you have been on the internet.
These are used, for example, to:

Make sure you connect to the right service on our website when we make any changes to the way the website works.
To route you to the specific areas you have requested when navigating through the site.

Functionality
These cookies are used to remember your settings, to improve your visit and for the provision of our online services.
These are used, for example, to:

Remember if we have already asked you if you have read and understood the information about the cookies used on the website.
Remember your preference or settings (if any).
Allow us to ensure that the session is authenticated when logging in to our Online Services.

Non-essential cookies collect more targeted data and are used either for statistics and analytics and targeted advertising and marketing. Since these cookies do not contribute to the operation of the website, we are required to obtain your consent (if we use any through the website).

Non-essential cookies can be sub-divided as follows:

Performance
These cookies collect information about how you use a website. These cookies do not collect data that could identify you and are only used to help in improving the website and how it works. They also help in understanding visitors’ interests and measure effectiveness.
These are used, for example, for:

Analytics, to provide statistical data on how the website is used.
Affiliates, to let partners know if a visitor visited their website or vice versa.
Error and content management, to help monitor errors and content usage to solve any issues and help optimise content.
Maintaining and testing designs, to let web developers maintain the current site and possibly test for new designs.

Targeting
These cookies are linked to services by third parties and are placed through the website for advertising service providers. They work by uniquely identifying your browser and device. These cookies are not necessary for the functioning of the website and you can choose not to allow them (if any).
These are used, for example, to:

Link to social media pages.
Provide advertisers (directly or indirectly) with information on your visit.
Provide data for audience research and segments.

The list of cookies that we presently use on our website is given below.

What cookies do we use?

The cookies currently used for visitors of our website are the following:

Cookie Name	Cookie Classification	Cookie Lifespan	Domain	Cookie Purpose
rc::a	Functional	Persistent	Google	This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.
rc::c	Functional	Session	Google	This cookie is used to distinguish between humans and bots.
__RequestVerificationToken	Functional	Session	sparkasse-bank-malta.com (first party)	This is an anti-forgery cookie set by web applications built using ASP.NET MVC technologies. It is designed to stop unauthorized posting of content to a website, known as Cross-Site Request Forgery. It holds no information about the user and is destroyed on closing the browser.
ASP.NET_SessionId	Functional	Session	sparkasse-bank-malta.com (first party)	Keeps the user session ID for security reasons.
CookieConsent	Functional	1 year	Cookiebot	Stores the user's cookie consent state for the current domain

For visitors using the Online Services, through the login page accessible via our website, we use the following cookies:

Cookie Name	Cookie Classification	Cookie Lifespan	Domain	Cookie Purpose
JSESSIONID	Functional	Session	sbm.services (first party)	Online Banking Session Cookie
NODEGROUP_FE	Functional	Session	sbm.services (first party)	Nodegroup Assignment of the Load Balancer
BNIS_STCookie	Functional	Session	sbm.services (first party)	Inserted by WAF to sign/hash the former two cookies to avoid “Cookie Hijacking”
BNES_ JSESSIONID	Functional	Session	sbm.services (first party)	Helper Cookied for BNIS_STCookie
BNES_ NODEGROUP_FE	Functional	Session	sbm.services (first party)	BNIS_STCookie

Some of these cookies are managed for us by third parties. Where this is the case, we do not permit the third party to use the cookies for any purpose other than those listed above.

Consent and withdrawal

When you first visit our website, you are presented with a cookie banner; by law we are required to inform you of the cookies we use and to obtain your consent where required.

If you choose to accept and consent to certain cookies, your browser will remember this for the next time. All cookies will expire periodically (depending on the cookie and type of data collected).

You may choose to withdraw consent at any time. You will need to do this by changing some of your browser settings.

To understand how to better do this, please visit www.cookiepedia.co.uk/how-to-manage-cookies or www.aboutcookies.org/how-to-delete-cookies/ .