Privacy Notice

This notice is issued by Riesant Bank plc ("Riesant", "the Bank", "we", "us"), a credit and investment-services institution licensed by the Malta Financial Services Authority under the Banking Act (Cap. 371) and the Investment Services Act (Cap. 370). Our registered office is at 48 Merchants Street, Valletta, Malta, and our Legal Entity Identifier (LEI) is 213800ERZEB16772WR39. Our principal client centre is in Sliema.

For the purposes of the General Data Protection Regulation (Regulation (EU) 2016/679) and the Maltese Data Protection Act (Cap. 586), Riesant Bank plc is the controller of the personal data described in this notice. This means we determine the purposes for which, and the manner in which, your personal data are processed.

This notice explains what personal data we collect when you enquire about, open or hold a relationship with us, the lawful bases on which we rely, how long we keep your data, with whom we share them, and the rights available to you. It applies to clients, prospective clients, beneficial owners, authorised signatories, guarantors, and others connected to a relationship with the Bank.

Identity and verification data, including your full name, date and place of birth, nationality, residential address, identity-document numbers, photographs taken for identification, and tax-residence and identification numbers required under the Common Reporting Standard and FATCA.

Contact data, including your postal address, email address and telephone numbers, together with records of our correspondence and communications with you. Telephone and electronic communications relating to transactions and investment services are recorded as required under MiFID II.

Financial and transactional data, including your source of wealth and source of funds, account balances, payment and card transactions, deposits, lending arrangements, investment holdings, instructions and dealing history.

Know-your-customer and anti-money-laundering data, including the results of identity verification, screening against sanctions and politically-exposed-person lists, adverse-media checks, risk assessments and the supporting documentation we are required to obtain and retain.

Usage and technical data generated when you use our digital banking and website, including log-in records, device and browser information, IP address and cookie identifiers. Where we obtain special categories of data, or data relating to criminal matters, we do so only where the law permits and as necessary to meet our regulatory and legal obligations.

Performance of a contract. We process your data to assess applications, open and operate accounts, execute payments and investment instructions, administer lending and deposits, and provide the day-to-day services set out in your agreements with us. Fees applicable to these services are published on our rates page.

Compliance with legal obligations. We process your data to discharge duties imposed on us as a regulated bank, including customer due diligence and ongoing monitoring under the Prevention of Money Laundering Act and applicable EU anti-money-laundering law, sanctions screening, transaction reporting, suitability and appropriateness assessments under MiFID II, tax reporting under the Common Reporting Standard and FATCA, and responses to lawful requests from regulators, courts and tax authorities.

Legitimate interests. We process your data to manage credit, market, operational and fraud risk, to maintain the security of our systems, to recover sums owed, to keep proper business records, and to develop and improve our services. We rely on this basis only where your interests and fundamental rights do not override those legitimate interests, and you may object as described below.

Consent. Where we rely on your consent, for example for certain marketing communications or the use of non-essential cookies, you may withdraw that consent at any time without affecting the lawfulness of processing carried out beforehand.

We treat your information as confidential and disclose it only where necessary and lawful. We share personal data with regulators and public authorities, including the Malta Financial Services Authority, the Financial Intelligence Analysis Unit, tax authorities and courts, where we are required or permitted to do so.

We engage carefully selected service providers who process data on our behalf and under written contract, including providers of technology and cloud hosting, identity verification and screening, payment and card processing, archiving and secure destruction, and professional advisers. These processors act only on our documented instructions and are bound to appropriate confidentiality and security obligations.

Where your relationship involves estate planning, trusts or family-office arrangements, we may share data with fiduciary partners, custodians, correspondent banks and counterparties to the extent necessary to deliver the relevant service. We do not sell your personal data, and we do not share it for third-party marketing without your consent.

Riesant is based in Malta and serves clients across 23 EU and EEA countries, and your data are ordinarily processed within the European Economic Area. Where a payment, investment or service necessarily involves a country outside the EEA, or where a service provider operates outside it, your data may be transferred internationally.

Where we transfer personal data outside the EEA, we do so only where an adequacy decision of the European Commission applies, or subject to appropriate safeguards such as the European Commission's Standard Contractual Clauses, together with any supplementary measures required to ensure an equivalent level of protection. You may request information about the safeguards in place by contacting our Data Protection Officer.

We keep your personal data only for as long as necessary for the purposes for which they were collected, including to meet our legal, regulatory, accounting and reporting obligations and to defend or pursue legal claims.

As a general rule, records relating to your identity, transactions and the operation of your accounts are retained for the duration of your relationship with us and for a minimum of ten years from the end of that relationship or the completion of the relevant transaction, in line with anti-money-laundering and other applicable requirements. Where a longer period is required by law or is necessary in connection with actual or anticipated legal proceedings, we retain the data for that longer period. When data are no longer required, they are securely deleted or anonymised.

Subject to the conditions and exemptions in data-protection law, you have the right to be informed about how we use your data and to request access to the personal data we hold about you. You have the right to rectification of inaccurate or incomplete data, and the right to erasure where there is no lawful ground for us to continue processing.

You have the right to restrict or to object to certain processing, including processing based on our legitimate interests and any processing for direct marketing, and the right to data portability in respect of data you have provided to us where processing is carried out by automated means on the basis of consent or contract. Where we rely on consent, you may withdraw it at any time.

Some of these rights are qualified. We may be unable to erase or stop processing data that we are required by law to retain, such as records held for anti-money-laundering or regulatory purposes. To exercise any right, please contact our Data Protection Officer using the details below; we will respond within the timeframes set by law and may need to verify your identity before acting on a request.

Certain processes, such as transaction monitoring, sanctions and fraud screening, and elements of credit assessment, involve automated checks against rules and reference data. These tools help us detect risk and meet our regulatory obligations, and their results are reviewed by our staff before any decision that significantly affects you is taken.

We do not make decisions producing legal or similarly significant effects based solely on automated processing, without human involvement, except where permitted by law, necessary for entering into or performing a contract with you, or based on your explicit consent. Where such processing applies, you may request human intervention, express your point of view and contest the decision.

You can reach our Data Protection Officer in writing at the Data Protection Officer, Riesant Bank plc, 48 Merchants Street, Valletta VLT 1170, Malta, or by email at contact@riesant.com. Please use these details for any question about this notice or to exercise your rights.

If you are not satisfied with how we have handled your personal data, you may lodge a complaint with the Information and Data Protection Commissioner, the supervisory authority in Malta, at the Office of the Information and Data Protection Commissioner, Floor 2, Airways House, High Street, Sliema SLM 1549, Malta, by telephone, or via idpc.org.mt. We would, however, welcome the opportunity to address your concerns directly before you do so.

We may update this notice from time to time to reflect changes in our services or in the law. The date of the latest version is shown above, and we will tell you about material changes through our usual channels.