Privacy Policy

BNF Bank p.l.c. takes the confidentiality and security of Your personal data very seriously.

This Master Privacy Policy (“Privacy Policy”) relates to the website https://www.bnf.bank/ and/or any sub-website and/or associated domains (and/or sub-domains) of https://www.bnf.bank/ (hereinafter referred to as the “Site”) the services (which may include sale of goods if applicable) provided by BNF Bank p.l.c. (C 41030) and BNF Bank PLC (London Branch) (FC036636) , the owners of the Site, ("We", "Us", "Our", “Ourselves” and/or “BNF”) and any related software applications, where Personal Data is processed by the same (via the Site, any of Our ‘apps’ or otherwise) relating to You. In this Master Privacy Policy, "You" and "Your" and “User” refer to an identified or identifiable natural person being the User of the Site and/or client (or prospective client) of any of Our services.

Our full details, including contact details, can be read below.

You may be reading this Privacy Policy as a User or visitor of the Site or You may have been directed here by one (or more) of Our condensed privacy policies or Our other notices.

Although this Privacy Policy provides detailed, layered information on how and why We generally process Personal Data (via the Site, inclusive of Internet Banking, any of Our ‘apps’, or otherwise) as well as detailed information about Your various rights, the specific and tailor-made content of such condensed policies or other notices will, in most cases, provide You with more focused and detailed information on specific processing operations (for example, the specific legal basis for processing certain categories of Personal Data and the specific purpose for doing so depending on the matter at hand).

Although Our goal is to always be as clear and transparent as possible, We appreciate that legal documents can sometimes be difficult to read. However, We h1ly encourage You to read this Privacy Policy (which is divided into sections for Your convenience) with care. Please do not hold back from contacting Us for any clarification You may need. For example, if You need clarification on a specific legal basis We are relying on to process Your Personal Data for a specific processing operation, We would be happy to provide You with any such information You may need.

We collect Personal Data in various ways both digitally on www.bnf.bank, (either when You choose to provide Us with certain data or in some cases, automatically, or via our Facebook chat or from third parties) as well as non-digitally (for example when You fill in a physical form to benefit from one or more of Our services).
‍

There are various categories of Personal Data that We collect about You, namely:
‍

CONTACT DETAILS - Such as Your name, surname, country, residential and corresponding address, telephone and mobile number.
REGISTRATION DATA - Such as the Bank’s Internet Banking portal username, password, country of residence, gender.
IDENTIFICATION DATA - Such as an official photo identification document, passport information, National Insurance Number, Tax Identification Number, Social Security Number, Date of Birth, nationality and citizenship.
FINANCIAL DATA - Such as invoices, pay slips, the value of Your property or other assets, Your credit history, credit capacity, financial products You have with BNF Bank, payment arrears and information on Your income.
TRANSACTION DATA - Such as information we use to identify and authenticate You (e.g. Your signature), Your bank account number, deposits, withdrawals and transfers related to Your account.
SOCIO-DEMOGRAPHIC DATA - Such as Your marital status and whether have any dependents.
OTHER DATA YOU MAY PROVIDE TO US DURING OUR INTERACTIONS WITH YOU - Such as other information about You that You give us by filling-in forms or communicating with us, whether face-to-face, by phone, email, online, or otherwise.
MARKETING DATA - Such as proof of opt-in consent (where needed), objections to marketing, mailing address and data obtained when participating in market research.
GEOGRAPHIC INFORMATION - Such as information about which branches or ATMs You use, information included in customer documentation, marketing and sales information, as well as online identifiers such as cookies and IP address which we use to recognize You when accessing our services online.
RISK RATING INFORMATION - Such as credit risk rating and transactional behavior,
INVESTIGATION DATA - Such as due diligence checks, sanctions and anti-money laundering checks, external intelligence reports, content and other data related to relevant exchanges of information between and among individuals/organisations, including emails, voicemail and live chat.
RECORDS OF CORRESPONDENCE - Such as communication between us, including snail mail, telephone calls, emails, live chat, instant messages and social media communications.
ESIS QUOTE INFORMATION - Such as information we collect about You in order to provide You with a quote for a credit agreement secured by a residential immovable property
‍

In some cases, (for example, if You are a client, or prospective client of Our services, via the Bank’s Site, telephone, app or otherwise) We may request additional Personal Data as a means of securely identifying You or for another similar lawful purpose. The additional information We may request from You to be able to provide You with Our services includes:
‍

More secure identification methods
Credentials/references

Many of the categories of Personal Data above are collected directly from You (for example, Your Contact Details and Your Registration Data).
‍

WE MAY ALSO COLLECT PERSONAL DATA FROM OTHER SOURCES, including data companies, publicly accessible databases (e.g. Malta Business Registry and/or the UK Companies House), joint marketing partners, social media platforms, Credit Reference Agencies, the Central Credit Register maintained by the Central Bank of Malta, the UK Bankruptcy and Insolvency Register and Disqualified Directors Register, and other publicly available sources of information and other third parties.

We may also receive Personal Data about You from third parties when We need to confirm Your Contact Details or even certain Financial Information. Should this be the case, We will take all measures as required by law to further inform You about the source of such Personal Data as well as the categories of Personal Data We collect and process. There are certain instances at law where We are specifically forbidden from disclosing to You such activity (for example, when carrying out due diligence for anti-money laundering purposes).

For a detailed description of the reasons why We process the categories of personal data above (and any other specific personal data We process) as well as the corresponding legal ground(s) for doing so please see the ‘What We Use Your Personal Data For (Purpose of Processing)’ below.

For information/Personal Data that We may collect automatically via the Bank’s Site, please see the Cookies section below.

Communications
All data exchanged in Our Internet Banking environment is processed in a secure session (SSL – Secure Socket Layer) and encrypted using 256 bit technology, DigiCert certified), protecting You against any attempted access by third parties. This technology does not require You to possess any additional software.

Encryption
This is a process whereby the information sent by You or Our Internet Banking is transformed, so that it cannot be read or deciphered by anyone, except the intended recipient. The data is encrypted through the use of private keys/public keys method.

SSL (Secure Socket Layer)
Standard protocol ensuring security and privacy in internet communications. The protocol supports client and server authentication. The SSL negotiates the opening of a secure session and the exchange of public keys before the exchange of data between the parties involved.

Approved browsers
Access to Internet Banking is limited to browsers that meet the minimum security standards (as may be relevant from time to time) and support data encryption at 256 bits. Internet Banking must therefore be accessed through Microsoft Internet Explorer 11.0 or higher. Your latest browser must be able to handle at least TLS1.2

Contract number and individual secret code
In order to authenticate access to Internet Banking You will need to enter a contract number (username) and a password using the randomised virtual keyboard or if You prefer Your normal keyboard. This will identify the client. The contract number and the password are encrypted when sent over the internet. The access keys are assigned on registration.

Two Factor Authentication
At login stage the first two level authentication system is activated, whereby You will be required to insert Your username and password, together with a 6 digit code. You shall receive from us, a one- time password (also known as “OTP Code”), on Your approved mobile phone number for accessing bank account details and opening term deposits. After login stage at payment initiation, the BNF Internet Banking system will also require You to authorise the payment via two factor authentication, by inserting Your password and an OTP Code sent on Your approved mobile phone number.

Automatic suspension of access
If the customer enters the Internet Banking access codes incorrectly on consecutive occasions, access will be automatically suspended.

Automatic cancellation of access
If the customer fails to log out of Internet Banking after using the service, BNF has developed an automatic cancellation device, which takes effect after a given period of time.

Note also that customers must also accept an important part of the responsibility for the security of the service, keeping their access codes and contract numbers secret and logging out of Internet Banking (through the "Logout" option) whenever they end a session, or need to move away from the computer where they have opened the Internet Banking session. You are also advised to logout of an active Internet Banking Session while using Your browser for another non-secure internet browsing.

By maintaining our commitment to these principles, we at BNF will ensure that we respect the inherent trust that You place in us.

‍

Before addressing any request You make with Us, We may first need to verify Your identity. In all cases We will try to act on Your requests as soon as reasonably possible.

As explained in the Retention Periods section above, We may need to keep certain Personal Data for compliance with Our legal retention obligations but also to complete transactions that You requested prior to the change or deletion that You requested.

In certain circumstances, the following rights may be available to You and You can exercise these rights by making a request to us. Where these rights are not available to You and we cannot fulfil Your request, we will inform You of this and provide our reasons for such refusal.

Your Right of Access

You may, at any time request Us to confirm whether or not We are processing Personal Data that concerns You and, if We are, You shall have the right to access that Personal Data and to the following information:

What Personal Data We have,
Why We process them,
Who We disclose them to,
How long We intend on keeping them for (where possible),
Whether We transfer them abroad and the safeguards We take to protect them,
What Your rights are,
How You can make a complaint,
Where We got Your Personal Data from and
Whether We have carried out any automated decision-making (including profiling) as well as related information.

Upon request, We shall (without adversely affecting the rights and freedoms of others including Our own) provide You with a copy of the Personal Data undergoing processing within one month of receipt of the request, which period may be extended by two months where necessary, taking into account the complexity and number of the requests. We shall inform You of any such extension within one month of receipt of the request, together with the reasons for the delay.

Your Right to Rectification

You have the right to ask Us to rectify inaccurate Personal Data and to complete incomplete Personal Data concerning You. We may seek to verify the accuracy of the data before rectifying it.

Your Right to Erasure (The Right to be Forgotten)

You have the right to ask Us to delete Your Personal Data and We shall comply without undue delay but only where:

The Personal Data are no longer necessary for the purposes for which they were collected; or
You have withdrawn Your consent (in those instances where We process on the basis of Your consent) and We have no other legal ground to process Your Personal Data; or
You shall have successfully exercised Your right to object (as explained below); or
Your Personal Data shall have been processed unlawfully; or
There exists a legal obligation to which We are subject; or
Special circumstances exist in connection with certain children’s rights.

In any case, We shall not be legally bound to comply with Your erasure request if the processing of Your Personal Data is necessary:

for compliance with a legal obligation to which We are subject (including but not limited to Our data retention obligations); or
for the establishment, exercise or defence of legal claims.

There are other legal grounds entitling Us to refuse erasure requests although the two instances above are the most likely grounds that may be invoked by Us to deny such requests.

Your Right to Data Restriction

You have the right to ask Us to restrict (that is, store but not further process) Your Personal Data but only where:

The accuracy of Your Personal Data is contested (see the right to data rectification above), for a period enabling Us to verify the accuracy of the Personal Data; or
The processing is unlawful and You oppose the erasure of Your Personal Data; or
We no longer need the Personal Data for the purposes for which they were collected but You need the Personal Data for the establishment, exercise or defence of legal claims; or
You exercised Your right to object and verification of Our legitimate grounds to override Your objection is pending.

Following Your request for restriction, except for storing Your Personal Data, We may only process Your Personal Data:

Where We have Your consent; or
For the establishment, exercise or defence of legal claims; or
For the protection of the rights of another natural or legal person; or
For reasons of important public interest.

Your Right to Data Portability

You have the right to ask Us to provide Your Personal Data (that You shall have provided to Us) to You in a structured, commonly used, machine-readable format, or (where technically feasible) to have it 'ported' directly to another data controller, provided this does not adversely affect the rights and freedoms of others. This right shall only apply where:

The processing is based on Your consent or on the performance of a contract with You; and
The processing is carried out by automated means.

Your Right to Withdraw Consent (when We rely on consent)

See Our Special Note on Consent for detailed information on this right (which You may exercise at any time).

Your Right to Object to Certain Processing

In those cases where We only process Your Personal Data when this is 1.) necessary for the performance of a task carried out in the public interest or 2.) when processing is necessary for the purposes of the legitimate interests pursued by Us or by a third party, You shall have the right to object to processing of Your Personal Data by Us. Where an objection is entered, the processing of data shall cease, unless We as data controller provide compelling and legitimate grounds requiring the continuation of the data processing which outweigh the objections You may have raised.

When your data is processed for direct marketing purposes, You have the right to object at any time to the processing of Your Personal Data, which includes profiling to the extent that it is related to such direct marketing.

For the avoidance of all doubt, when We process Your Personal Data when this is necessary for the performance of a contract, when necessary for compliance with a legal obligation to which We are subject or when processing is necessary to protect Your vital interests or those of another natural person, this general right to object shall not subsist.

Your Right to lodge a Complaint

You also have the right to lodge complaints with the appropriate Data Protection Supervisory Authority. The competent authority in Malta is the Office of the Information and Data Protection Commissioner (OIDPC).

We kindly ask that You please attempt to resolve any issues You may have with Us first (even though, as stated above, You have a right to contact the competent authority at any time).

WHAT WE MAY REQIURE FROM YOU

As one of the security measures We implement, before being in the position to help You exercise Your rights as described above We may need to verify Your identity to ensure that We do not disclose to or share any Personal Data with any unauthorised individuals.

TIME LIMIT FOR A RESPONSE

We try to reply to all legitimate requests within one month from receiving them. In some particular cases (for example, if the matter is particularly complex or if You send Us multiple requests), it may take Us longer than a month. In such cases, we will notify You accordingly and keep You updated.

Introduction

Applicable Laws

What is Personal Data?

Personal Data We Collect About You

How And Why We Collect Personal Data

What We Use Your Personal Data For (Purpose Of Processing)

Special Note on Consent

Personal Data Relating To Third Parties

Accuracy Of Personal Data

Direct Marketing

Transfer To Third Countries

Internet Communications

Authorised Disclosures

Sharing Of Personal Data With Other Categories Of Recipients

Security Measures

Additional Security Measures In Internet Banking

Payment Services Directives II

Retention Periods

Processing For Research And Statistical Reasons

Links To Third Party Sources

Cookies, Web Beacons & Spotlight Tags

Minors

Automated Decision-Making

Your Rights Under The Data Protection Law

Company Details

Updates