Privacy Notice
ECCM Bank plc (ECCM or the Bank) is a public limited company registered in Malta, having its official address at 230/231, The Adelaide, Tower Road, Sliema, Malta. The Bank’s principal activities consist of banking services to international corporate customers. The Bank is covered by a banking licence granted by the Malta Financial Services Authority on 01 July 2014, as the Regulator or Authority, in terms of the Banking Act 1994 (Chapter 371 of the Laws of Malta).
ECCM is committed to protecting the privacy and security of personal data it processes and to handling personal data, whether held electronically or in manual form, in accordance with the provisions of the General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Act (Cap. 586 of the Laws of Malta) and subsidiary legislation related thereto.
This Privacy Notice applies to personal data held by ECCM as a data controller. The Board of Directors is responsible for compliance with data protection legislation and all ECCM Bank plc employees are bound by an internal Data Protection Policy and current data protection legislation when processing personal data in order to implement ECCM’s statutory remit.
Capitalised terms herein shall have the meaning ascribed to them in the GDPR.
When ECCM Collects Personal Data
In the regular course of business, the Bank collects personal data from representatives of its corporate customers in connection with the provision of banking or other financial services, as well as from suppliers of goods or services, employees or other relevant counterparties. This data is required for the Bank to assess applications, administer financing arrangements, and comply with its statutory and regulatory obligations, including employment obligations.
Customers: Prior to the establishment of a business relationship with its customers, the Bank processes personal data in relation to personnel or representatives of its customers on the basis of their consent or other applicable lawful grounds. Once a business relationship is formed, the Bank processes and receives personal data on the basis of the contractual documentation entered into between the Bank and the beneficiary, as well as the Bank’s legitimate interests and its legal obligations under applicable financial services legislation.
Supply: Personal data may be processed as a result of supply processes for the purchase of products or equipment or the provision of services. Personal data will also be processed in the conclusion of contractual relationships with suppliers, contractors, advisors, consultants and agents.
Recruitment & Employment: ECCM will process personal data when conducting recruitment exercises to fill vacancies which may include due diligence screening of shortlisted applicants and results and ranking of any written assessments and interviews held. Following recruitment, employee data is held by ECCM for the purposes of concluding employment contracts, provision of employment benefits, performance reviews, management of attendance including sick leave, payroll, training, travel and disciplinary proceedings.
Reporting Obligations: ECCM is also required by statute to report business data for regulatory or statistical purposes. Occasionally such reporting may relate to personal data.
CCTV system: ECCM’s CCTV system comprises a number of cameras situated in strategically located areas in the Bank as well as outside the Bank’s premises, which have been put in place for security surveillance purposes.
How ECCM Uses Personal Data
ECCM shall only process the personal data necessary to fulfil its specified purposes, in terms of and in compliance with this Privacy Notice and in compliance with the GDPR. ECCM shall not use personal data unless ECCM has a lawful reason to use it or with the data subject’s specific written consent to do so. ECCM may use personal data for the following reasons:
Performance of a Contract: when entering into a contract for the provision of products or services, ECCM shall collect and process personal data, in order to perform and fulfil its obligations under the contract.
Legal Obligation: ECCM shall collect, process or hold personal data in order to comply with a legal obligation arising from relevant laws and regulations by which ECCM is bound, for example for the purpose of identifying and preventing fraud, the funding of terrorism and financial crime, tax evasion or other illicit activities. ECCM may be required to disclose personal data to regulators and other authorities. Sharing of personal data in this regard shall be carried out in compliance with the Bank’s legal duties and obligations.
Legitimate Interest: ECCM may process personal data in order to protect the legitimate interests of the Bank or a third party, provided that these legitimate interests do not threaten in any way or unduly infringe on a data subject’s legal rights and freedoms, in particular, the right of privacy. For example, video surveillance (CCTV) monitoring may be used at the premises of the Bank for crime and fraud prevention purposes. In such instances ECCM will inform data subjects when CCTV monitoring is being used.
Consent: ECCM may lawfully process personal data where a data subject has provided ECCM with specific, informed and unambiguous consent to do so for a particular purpose/s.
Data Subject Rights
Data subjects have various rights in connection with the processing of their personal information, as explained below.
Right to be Informed: A data subject is entitled to know, free of charge, what type of information ECCM holds and processes about the data subject, who has access to it, how it is held and kept up-to-date, for how long it is kept, and what ECCM is doing to comply with data protection legislation.
Right of Access: A data subject is entitled to obtain confirmation on how the data subject’s personal data is being processed by ECCM and request a copy of that data as well as all the available information concerning its processing.
Right to Rectification: A data subject is entitled to request the rectification of the data subject’s personal data held by ECCM in instances where personal data held is inaccurate or incomplete.
Right to Erasure (the Right to be Forgotten): A data subject is entitled to request the erasure of personal data held by ECCM, where there is no compelling reason for its continued processing. ECCM is not obliged to accede to this request if such data needs to be retained by ECCM in order to comply with a legal obligation or to establish, exercise or defend legal claims.
Right to Restriction of Processing: A data subject is entitled to block or suppress the processing of personal data, provided that certain conditions are satisfied. As with erasure, restrictions of processing may result in ECCM’s inability to serve the data subject with a specific service or product.
Right to Data Portability: A data subject is entitled to obtain the data subject’s personal data and reuse it for the data subject’s own purposes across different services. This information however only relates to that data provided to ECCM by means of a contract or when providing the Bank with consent.
Right to Object: A data subject is entitled to object to the processing of the data subject’s personal data which is collected by ECCM. This right does not apply in all circumstances, for example, it does not apply where ECCM is processing information because it is necessary for the performance of a contract.
Right to Withdraw Consent: When a data subject has provided ECCM with consent for the processing of the data subject’s personal data, such consent may be withdrawn at any time thereby terminating any associated processing. ECCM may continue to process personal data if it has another legitimate reason for doing so such as to observe statutory requirements or for the performance of a contract.
Right to Lodge a Complaint: A data subject is also at liberty to complain to the data protection regulator, i.e. the Information and Data Protection Commissioner, whose contact details are provided below, or by visiting . Alternatively, the data subject may raise the complaint with the data protection regulator in the country where the data subject lives or works.
To exercise any of the abovementioned rights, a data subject is requested to contact ECCM’s Data Protection Office (DPO) using the details set out in the ‘Contact Details’ section below. Identification details such as ID number, name and surname have to be submitted with the request for access. The data subject may also be required to present an identification document.
ECCM aims to comply as quickly as possible with requests and will ensure that a reply is provided within a reasonable timeframe and in any event within a period of 30 days from receipt of the request, proof of identity and the fulfilment of any requirement deemed necessary to verify the authentication of the request, unless there is good reason for delay. This delay may be extended by a further 60 days where necessary. When the request cannot be met within a reasonable time, the DPO shall inform the data subject of the delay within 30 days from receipt of the request, proof of identity and the fulfilment of any requirement deemed necessary to verify the authentication of the request. The reason for the delay will be explained in writing.
As explained above, these rights may be restricted, if applicable, in terms of the GDPR.
Contact Details
The DPO of ECCM can be contacted by email at dpo@eccm.com.mt, by telephone on +356 202902575 or in writing at the following address:
Legal & Compliance Department
ECCM Bank plc
230/231, The Adelaide,
Tower Road,
Sliema
SLM1601
Malta
The Information and Data Protection Commissioner may be contacted as follows:
Telephone: (+356) 2328 7100
Email: idpc.info@idpc.org.mt
Website: https://idpc.org.mt