Finco Treasury Management Limited

Privacy Policy

01 Data Privacy Policy for

Finco Treasury Management Limited


1.1 Background

The Finco Treasury Management Limited (“Finco”, “we”, “our”, “us”) takes the protection of your privacy very seriously and recognises its obligations as a Data Controller in terms of applicable data protection law, including the General Data Protection Regulation EU 2016/679 (“GDPR”) as supplemented by the Data Protection Act (Chapter 440 Laws of Malta).

This data privacy notice (the “Notice”) sets out the basis on which we will process your personal data when (i) you approach and engage Finco to provide us with our services (the “Services”), and (ii) you visit and use our website (the “Website”) regardless of the manner in which you access the Website.

In this Notice, Finco informs you about (i) the items of personal data we may collect about you and how we handle it, (ii) our obligation to inform you how and when your personal data is processed and how we process it responsibly, (iii) your rights as a Data Subject, and (iv) how the law protects you.

1.2 Principles

In complying with our data protection obligations, Finco is committed to the principles of (i) lawfulness, fairness and transparency – to process personal data lawfully, fairly and in a transparent manner, (ii) purpose limitation – to process personal data for specified legitimate and compatible purposes, (iii) data minimisation – to process personal data only as adequate, relevant and limited to its purpose, (iv) accuracy – to process personal information which is accurate and up to date, (v) storage limitation – to process personal data for no longer than necessary, for the legitimate purposes for which it was processed and in accordance with our legal obligations, (vi) integrity and confidentiality – to process personal data in a manner that ensures appropriate security of personal data.

1.3 Who We Are

1.3.1 Data Controller

Finco is the Data Controller responsible for this website. As the Data Controller, Finco is responsible for any personal data which we collect or process in relation to (i) the provision of any Services, and/or (ii) the Website. Other companies within the Finco Group of Companies will be data controllers of your personal data in their own right, whether jointly or as entirely separate data controllers. For example, Finco Trust Services Limited (“FTS”) may provide services to Finco’s clients who initially engaged Finco, which may give rise to certain autonomous data processing activities by FTS. Finco Group Companies have their own separate data protection and privacy policies which will be made available to you if and when other Finco Group Companies process your data.

1.3.2 Contact

If you have any questions about how Finco protects your privacy, have any questions on this Notice, would like information on the personal data we hold or would like to exercise your legal rights, please contact our Data Privacy team at the address below.

Name:          Finco Treasury Management Limited
Attn:             Data Privacy Officer
Address:      The Bastions Office No. 2, Emvin Cremona Street, Floriana FRN 1281 Malta

You have a right to file a complaint at any time to a competent supervisory authority on data protection matters, such as the supervisory authority in your place of habitual residence or your place of work. In Malta, the competent supervisory authority is the Office of the Information and Data Protection Commissioner (“IDPC”).

Name:          Office of the Information and Data Protection Commissioner (IDPC)
Address:      Level 2, Airways House, High Street, Sliema SLM 1549 – Malta

We would however appreciate the opportunity to address your concerns and queries before you approach the competent supervisory authority and kindly ask you to contact us in the first instance.

1.4 Minors

If you are aged 18 or under, please get your parent/guardian’s permission before you provide any personal information to us. We may need to process personal data relating to parents or guardians in that case – and we may also need to request for verification documentation to ensure that consent is given or authorised by the holder of parental responsibility.


2.1 Information We Collect

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity of the person has been removed. In the course of Finco’s relationship with you, we will need to collect, use and sometimes disclose, various items of personal data about you for various purposes in connection with the Services we provide, as instructed by you (or by your organisation). It is impractical and impossible to exhaustively list all the items of personal data we may need to collect, use or disclose about you during our relationship.

The data we collect from you is set out below. As explained above, these categories are intended to be indicative and cannot be construed as an exhaustive list of information or data we may collect:

(a) Identity Data this would include your name and surname, title, maiden name, identity card, passport, driving licence or national insurance number, gender, nationality, employment status, organisation and occupation;

(b) Contact Data this would include your residential address, billing and mailing address, email address, telephone and mobile numbers;

(c) Compliance Data this would include information provided to Finco as part of our KYC, due diligence and AML procedures, such as information from passports, identity cards, utility bills, bank or professional references, KYC database checks, police conduct certificates, curriculum vitae, as well as any other documentation which you may provide us or which may be requested by us or mandated by any competent authority from time to time;

(d) Services Data this includes the information which you provide to us or which may be requested from you as part of our provision of the Services, and may include details of employers, counterparties, related parties, parties in interest, business partners, investors, assets, shareholders, buyers, sellers, your customers (as may be strictly relevant for the provision of our Services). This may also require the collection, processing, retention of contracts, agreements, public deeds and other such documents (all as may be applicable or necessary for the Services);

(e) Financial Data would include bank account details, details of payment methods, as well as the financial status and creditworthiness of our clients;

(f) Transaction Data would include details about (i) invoices issued (including date and means of settlement), (ii) payments made, and (iii) any outstanding invoices.

It should be noted that where our Services are provided to legal persons, we may collect Identity Data, Contact Data and Compliance Data on related persons such as directors, legal and judicial representatives, company secretaries and other officers (such as MLROs, DPOs, compliance officers or risk officers), other key persons, shareholders and ultimate beneficial owners (in the case of companies), founders and administrators (in the case of foundations), settlors, beneficiaries, protectors and trustees (in the case of trusts) as well as auditors and legal or tax advisors.

It should be further noted that where our Services provided to legal persons consist in payroll services, we may need to collect information as to the number of days of sick leave or vacation leave taken by employees, as well as their marital or parental status, national insurance and tax details, which we collect and process as Services Data.

Finco will also collect, use and process any other personal information that you voluntarily provide us with or disclose to us. Any such information we voluntarily receive from you will be classified by us as Services Data.

2.2 Failure to Provide Personal Data

Where personal data is required by Finco whether in terms of law or in Finco’s sole opinion to enable us to carry out a Service, and you do not provide us with such data when requested, Finco may not be able to assist you or provide you with your requested Services. In certain cases, such as collection of Compliance Data, we may terminate our professional relationship forthwith or decline to enter into a professional relationship, as the case may be.

2.3 Special Categories of Personal Data

We may occasionally need to collect and process certain categories of personal data including information on criminal convictions or offences (as for example we may require under Compliance Data for our AML purposes). By engaging Finco you will be giving us your unambiguous consent to collect and process such information on you in order for us to provide you with the requested Services. We may also collect and process third party special categories of data when required to do so at law.

2.4 How We Collect Personal Data

The principal methods we use to collect personal data include:

2.4.1 Collection Directly From You

We principally collect information directly from you. This would include where we request you to provide us with information in order for us to commence our relationship and the provide Services, information as part of our on-going obligations at law, information to enable us to effectively carry out of our Services from time to time.

In addition, if you attend a meeting at our office, we may hold images or videos captured by our CCTV cameras as part of our security procedures.

2.2.1 Data We Collect from Third Parties

There may be instances where we it may be necessary for us to collect information about you from third party sources including: (a) publicly accessible sources such as information from the Register of Companies, Shipping Register, Public Registry, Lands Registry, Government Gazette (including Electoral Register) or court services on the Ministry of Justice website; (b) banks or credit reference agencies; (c) KYC data from KYC searchable databases, (d) Government agencies, (e) third party organisations that you have had dealings with; (f) documents which may include reference to you provided to us in carrying out the Services, whether by our client or in data rooms; (g) information from instructing firms, third parties on whom we can place reliance or other clients; (h) online search tools, anti-fraud or other databases, sanctions lists and searches carried out from online search engines such as Google; (g) information which you have instructed third parties to provide to us.

Such processing is (a) either to carry out the Services, to carry out our business and pursue our legitimate interests and/or to protect your legitimate purposes or that of others and/or (b) to fulfil a contractual obligation, or take steps linked to a contract, with you or your organisation. There are instances when the law will also require us to carry out such processing (e.g. the need to carry out know your client procedures).

2.3 Purposes for Which We Collect Personal Data

We use your information in accordance with the purpose for which we collected it. We use our best efforts to ensure this is done on the basis of necessity and proportionality. Under data protection law, we can only use your personal data if we have a proper reason for doing so. The principal purposes for using your personal data are:

(a) The performance our professional engagement to implement a contracted Service (such as discretionary or advisory portfolio management, foreign exchange transactions, money remittance) or to execute a client’s instruction;

(b) To manage and administer your (or your organisation’s) relationship with Finco, including use for the purposes of viewing of statements and valuations (manually or electronically), processing payments, accounting, auditing, billing and collection and other support services;

(c) To conduct checks to identify our clients (KYC), verify and/or authenticate and/or those of other persons involved with the client (e.g. company shareholders). This may include automated checks of personal data you provide about your identity against relevant databases and contacting you to confirm your identity, establishing whether you are a “politically exposed person” or recording our communications with you for compliance purposes;

(d) To conduct certain checks on you, such as background, credit checks and anti-fraud checks, we and other organisations may access and use your personal information (including from other countries) to conduct background checks, credit checks and checks to prevent fraud and money laundering.  If fraud is identified or suspected, we may pass details to the relevant authorities including credit reference agencies, law enforcement agencies and fraud prevention agencies.

(e) To monitor, screen for and action financial and other sanctions or embargoes;

(f) To comply with professional, legal and regulatory obligations as well as rules of conduct that apply to us;

(g) Where necessary to gather, provide or confirm information required by or relating to audits, enquiries or investigations by enforcement authorities, regulatory bodies, courts, tribunals and government agencies;

(h) To log, deal and track any complaints received;

(i) To update and enhance client records;

(j) For marketing our services;

(k) For the purposes of external audits and quality checks, e.g. for an audit of our accounts or obtaining an external valuation of our business or undergoing vendor or purchaser due diligence disclosures;

(l) For insurance purposes;

(m) For our legitimate interests or those of a third party;  A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests;

(n) For the establishment, exercise or defence of legal claims or proceedings;

(o) Where you have given consent. Where we apply your consent as a basis to process personal data we acknowledge that you may withdraw such consent at any time – in which case, unless there is another lawful ground which permits us to continue to process the personal data, we shall cease to process that personal data. Before giving us your consent please be sure that you understood what we are asking your consent for;

(p) For credit control purposes and to make sure clients can pay for the services we provide;

(q) Risk Management – For the purposes of risk management and to maintain our accreditations so we can demonstrate we operate to the highest standards;

(r) Security of our Systems – ensuring that our IT and communications systems, including networks and servers, are secure – also to protect your sensitive commercial and personal data;

In relation to several of the above-mentioned instances where we process your personal data, we are processing such personal data on the ground that it is necessary, in our legitimate interest or that of a third party (including, possibly, your own) for us to do so.


We will hold on to your personal data for no longer than is necessary keeping in mind the purpose/s (or compatible purposes) for which we first collected the data and the purposes set out in this Notice. We may also keep hold of some of your information if it becomes necessary or required to meet legal or regulatory requirements, resolve disputes, prevent fraud and abuse, or enforce our terms and conditions.

Different retention periods apply for different types of data and different criteria will apply for the determination of retention periods. The retention periods we apply take account of:

(a) Legal and regulatory requirements and guidance;

(b) Minimum retention periods provided by law;

(c) Prescriptive Limitation periods that apply in respect of taking legal action;

(d) Our ability to defend ourselves against legal claims and complaints;

(e) The operational requirements and the nature of our business;

(f) The set of circumstances relevant to a client, the services rendered, degree of risk, type of data and others risk factors.


4.1 General

We do not, and will not, sell any of your personal data to any third party – including your name, address, email address or credit card information. In the course of our business it may be necessary for us share your data with the following categories of persons/companies/entities as an essential part of being able to provide our Services:

(a) Officers and employees of our organisation, on a needs basis;

(b) Other professional advisors who we instruct on your behalf or refer you to (e.g. tax advisors, accountants etc.);

(c) Legal advisors whose expertise may be required;

(d) Other companies or institutions that are involved in the process of facilitating our services to you (e.g. banks);

(e) Professional service providers, who service us in turn to operate our business. This includes our internet service providers through whom data may be passed as part of our online services to our clients.

(f) Credit reference agencies, law enforcement and fraud prevention agencies, so we can help tackle fraud.

(g) Our insurers, brokers.

(h) Our auditors;

(i) Other Finco Group Companies or entities with whom we are closely associated, as sometimes we offer internal services and/or have the need in our legitimate interests to share data on a confidential basis.

There are a number of instances where we are legally obliged to share your personal data without your consent, such as by court order, to comply with legal requirements and satisfy a legal request, to investigate or report actual or suspected fraudulent or criminal activities, for the proper administration of justice, to protect your vital interests, to fulfil your requests, to safeguard the integrity of the relevant websites operated by us or by such related entities or subsidiaries, or in the event of a corporate sale, merger, reorganisation, dissolution or similar event involving us and/or our subsidiaries and related entities;

4.2 Third Countries

We do not generally transfer your personal data to entities outside the EEA. If we ever have to share data with entities that are outside of the EEA, we will be sure to do so in a manner that complies with the requirements established by the GDPR by implementing appropriate safeguards, including for example based on your consent, or to fulfil a legal obligation or to protect the public interest and/or for our or your legitimate purposes and/or to full our legal or contractual obligations to you.

4.3 Sharing data on your instruction

When you instruct us to transfer or share your personal data with any person (whether in the EEA or based in a third country), we will perform any processing activity required to fulfil such instructions as your mandatories and not as an autonomous controller. As your mandatories, Finco will not be required to enter into a contractual mechanism, joint controller agreement or otherwise, with the recipient to whom you have instructed us to share or transfer your personal data.


We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed (safeguard its integrity and confidentiality). We also regularly review and, where practicable, improve upon these security measures.

In addition, we limit access to your personal data to those employees, agents, contractors and other professional third parties who strictly need to know this information. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.


Under certain circumstances, you have rights under data protection laws in relation to your personal data such as:

6.1 Request access to your personal data

This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. You may send an email to requesting information as the personal data which we process. You shall receive one copy free of charge via email of the personal data which is undergoing processing.

6.2 Request correction (rectification) of your personal data

This enables you to have any incomplete or inaccurate data we hold about you corrected and/or updated, though we may need to verify the accuracy of the new data you provide to us.  It is in your interest to keep us informed of any changes or updates to your personal data which may occur during the course of your relationship with us, since this may otherwise impair our ability to provide you with your requested Services or the quality thereof.

6.3 Request erasure of your personal data

This enables you to ask us to delete or remove personal data where: (a) there is no good reason for us continuing to process it; (b) you have successfully exercised your right to object to processing (see below); (c) we may have processed your information unlawfully; or (d) we are required to erase your personal data to comply with local law.

Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. These may include instances where the retention of your personal data is necessary to: (a) comply with a legal or regulatory obligation to which we are subject; or (b) establish, exercise or defend a legal claim.

6.4 Object to processing of your personal data

This may happen where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your personal information that override your rights and freedoms.

6.5 Request restriction of processing your personal data

This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your personal data, but we need to verify whether we have overriding legitimate grounds to use it.

6.6 Request transfer of your personal data

We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

6.7 Right to withdraw consent

Withdraw your consent at any time where we are relying on consent to process your personal data (which will generally not be the case). This will not however affect the lawfulness of any processing which we carried out before you withdrew your consent. Any processing activities that are not based on your consent will remain unaffected.

6.8 What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

6.9 Time limit to respond

We try to respond to all legitimate requests within a period of one month from the date of receiving your request. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Kindly note that none of these data subject rights are absolute, and must generally be weighed against our own legal obligations and legitimate interests. If a decision is taken to override your data subject request, you will be informed of this by our data protection team along with the reasons for our decision.


We reserve the right to make changes to this Notice in the future, which will be duly notified to you. If you have any questions regarding this Notice, or if you would like to send us your comments, please contact us today or alternatively write to our Data Privacy Officer using the details above.