Privacy Policy

Your trust is important to us. Timberland Invest Ltd. (C 60291) having its registered office at CF Business Centre, Gort Street, St Julians STJ 9023 (hereinafter also referred to as the “Company”, “we” “us” or “our”) respects your privacy and is committed to protecting your personal data.

The Company collects information from you in order to be able to receive, process and give effect to your instructions relative to the provision of investment services by the Company. Where the applicant, is an institutional client, then we will process personal data about the directors, representatives, officers, authorised signatories, shareholders and ultimate beneficial owners (UBOs) of that institutional client. This Notice also explains how we process personal data about those individuals and should therefore be circulated accordingly. In this Notice, “you” is used to refer to any of the above individuals, i.e. the client (if a natural person) and in the case of institutional clients, their directors, representatives, officers, authorised signatories, shareholders and UBOs.

We take the protection of your personal data very seriously. The purpose of this Notice is to set out the basis on which we will process your personal data when you enter into a relationship with us, to inform you about how we will generally handle and look after your aforementioned personal data, and to tell you about (i) our obligations to process your personal data responsibly, (ii) your data protection rights as a data subject and also (iii) how the law protects you. For sake of clarity, please note that submission of subscription orders creates a contractual relationship between you and the Company.

We process your data in an appropriate and lawful manner, in accordance with the Data Protection Act (Chapter 586 of the Laws of Malta) (the “Act”) and the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), subsidiary legislation and regulations promulgated thereunder, as they may be updated from time to time.

Therefore, this Policy strictly provides an overview and outline of our processing activities and cannot be exhaustive due to the fluidity of your business relationship and the services you may request from us.

It is therefore important that you read this Policy carefully, together with any other Privacy Policy or fair processing notice that we may issue on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your data (namely, in the context of a service provision). This Policy supplements the other notices and is not intended to override them.

When accessing our website, we may automatically collect certain information, in particular your IP Address. Please refer to our IP and Cookie Policy available here: https://www.timberland-malta.com/cookie-policy for more information about how the website https://www.timberland-malta.com uses cookies.

Moreover, certain processing activities which we wish to carry to out require your express consent, as indicated below in this Policy. Your consent is kindly requested to enable these activities (as described in detail below). We shall request your consent for specific activities by means of separate Consent Forms which will explain the purposes for processing for which we are requesting consent should this be necessary.

1. Name and address of the data controller

The Company (as previously defined) is the controller and responsible for your personal data.

Timberland Invest Ltd. (C 60291)

with its registered office at

CF Business Centre, Gort Street, St Julians STJ 9023

You can contact our data protection contact point at any time about any data protection issues at the above‐mentioned business address or email us on the following email address:

E-Mail:      [email protected]

2. Collection and storage of personal data

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). In the interest of clarity, personal data does not include information relating to a legal person (for example, a company or other legal entity). In that regard, information such as a company name, its company number, registered address and VAT number does not amount to personal data in terms of both the Act and the GDPR. Therefore, the collection and use of information strictly pertaining to a legal person does not give rise to data controller obligations at law. Naturally, we will still treat any and all such information in a confidential and secure manner.

During the course of our relationship with you we may collect and process the following personal data: which we have grouped as follows:

Where the applicant, or investor, is an institutional investor, then we will process personal data about the directors, representatives, officers, authorised signatories, shareholders and ultimate beneficial owners (UBOs) of that institutional investor. This Notice also explains how we process personal data about those individuals and should therefore be circulated accordingly.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregate may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

As indicated, we do collect Special Categories of Personal Data about you, specifically as a result of the information that we collect and process in terms of Compliance Data. The collection and processing of this information is necessary in order to for us to (i) conduct and carry out our internal Know-Your-Customer (“KYC”) due diligence, (ii) comply with our various legal and regulatory obligations as a licensed financial institution, including in particular our Anti-Money Laundering (“AML”) obligations, (iii) fulfil any mandated external regulated reporting, such as the Financial Intelligence Analysis Unit (“FIAU”) and (iv) abide by Court orders.

3. Obligation to Provide Data

Within the scope of our business relationship, you must provide personal data which is necessary for the initiation and execution of the business relationship. As a rule, we would not be able to enter into a business relationship, execute an order or continue an existing relationship without the data that we are mandated at law to collect and process. Specifically, provisions on anti-money laundering require that we verify the identity of a prospective customer before entering into a business relationship, for example by means of an identity card, utility bill and even references.

Accordingly, where we need to collect personal data by law, or under the terms of the contract we have with you (pursuant to your entry into a business relationship with us), or as otherwise part of our defined legitimate interests, and you fail to provide that data when requested, we may not be able to perform the contract that we have or which we are otherwise trying to enter into with you.

In most cases, by failing to provide us with the necessary information and documents, we will not be allowed to enter into or otherwise continue your requested business relationship. In the case of an existing relationship, we would have to exercise our prerogative to terminate the contract and relationship. We will notify you if this is the case at the time.

4. How is your personal data collected?

We use different methods to collect data from and about you including through:

5. Purposes for Processing

We process your personal data in accordance with the General Data Protection Regulation (GDPR).

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances.Where we need to perform the contract we are about to enter into or have entered into with you in respect of your business relationship with us.

Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

Where we need to comply with a legal or regulatory obligation.

Generally we do not rely on consent as a legal basis for processing your personal data, other than in relation to sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to such marketing at any time by contacting us at [email protected]

Purposes for which we will use your personal data

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Kindly note that we may process your personal data for more than one lawful ground, depending on the specific purpose for which we are using your data.

Accordingly, please contact us at [email protected] if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

Purpose/ActivityType of DataLawful basis for processing including basis of legitimate interest
To decide whether to accept your subscription and your relationship with us and, if positive, to enter into a business relationship with you.(a) Identity
(b) Contact
(c) Compliance
(d) General Due Diligence
(a) Performance of a contract with you or take steps at your request prior to entering into a contract with you.
(b) Necessary for our legitimate interests (to verify your identity and suitability for our business, and your ability to meet financial commitments).
(a) To process and perform transactions and financial services requested by the customer, including the following:
– deposits;
– transfer instructions; 
– fund withdrawals and releases;
– processing and production of statements;
– Asset management
(b) Manage transactions;
(c) Collect and recover money which is owed to us (debt recovery).
(a) Identity
(b) Contact
(c) Compliance
(d) Regulatory,
(e) Transaction;
(f) Tax; and
(g) Recording
(a) Performance of a contract with you or take steps at your request prior to entering into a contract with you.
(b) Necessary for our legitimate interests (to recover debts due to us).
(a) To fulfil our:
– internal AML compliance policies and requirements;
– obligations under the PMLA and PMLFTR; and
– external regulated reporting and obligations to the MFSA and FIAU (amongst others).
(b) For legal, tax, insurance, accounting and other general compliance purposes,
(c) To abide by Court orders,
(d) Consult and exchange data with credit agencies.
(a) Compliance
(b)Additional Compliance
(c) Court Data
(d) Regulatory
(e) Transaction
(f) Recording
(a) Necessary to comply with a legal obligation (both statutory requirements, financial supervisory requirements and in respect of Court orders).
(b) Necessary for our legitimate interests:
– detection and prevention of fraud, money laundering and any other criminal activity,
– identity and age verification,
– satisfaction of tax law control,
– asserting legal claims and mounting a defence in the event of litigation,
– credit checks,
– credit or default risks,
– risk assessment and management,
– to ensure that we carry out your instructions accurately
To manage our relationship with you which will include:
(a) Notifying you about changes to our terms or privacy notices;
(b) Responding to complaints, queries and/or reported issues;
(c) Dealing with requests;
(d) Asking you to participate in a survey; and
(e) Requesting feedback from you.
(a) Identity
(b) Contact
(c) Usage
(d) Marketing and Communications
(e) Contact
(f) Recording
(a) Performance of a contract with you
(b) Necessary for our legitimate interests (for customer service matters, to study how customers use our services, to enable a review, assessment or rating of our operations, to develop them and grow our business, market and opinion research, to the extent you have not objected to having your data processed for direct marketing purposes).
(c) Necessary for our legitimate interests (for the purpose of the resolution of complaints).
To administer and protect our business and our website, (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) (a) Identity
(b) Contact
(c) Technical
(d) Contact
(e) Recording
(a) Necessary for our legitimate interests –
– for running, administering and protecting our business,
– network security and IT operations,
– measures to ensure against trespassing and server or network hacks ,
– to prevent fraud and to maintain the confidentiality of transactions, and
– in the context of a business reorganisation or group restructuring exercise)
(b) Performance of a contract with you (ensuring that your transactions remain secure and confidential).
To deliver advertisements to you and measure or understand the effectiveness of the advertising we serve to you(a) Identity
(b) Contact
(c) Usage
(d)Marketing and Communications
(e) Technical
Necessary for our legitimate interests (to study how existing customers use our services, to develop them, to grow our business and to inform our marketing strategy).
To make suggestions and/or recommendations to you, as an existing customer, about our other services that we feel may be of interest to you.(a) Identity
(b) Contact
(c) Technical
(d) Customer Contact
Necessary for our legitimate interests (to develop our services and grow our business)

Marketing

We strive to provide you with choices regarding certain personal data uses, particularly around advertising and marketing communications. Through your Identity, Contact, Technical and Usage Data, we would be able form a view on what we think you may want or need and what may be of interest to you. This would then enable us to determine which of our particular services may be most relevant for you (we call this marketing).

In that regard, will only send you advertising and marketing communications:

Opting out

You can ask us to stop sending you advertising and marketing communications at any time by:

Where you opt out of receiving such communications, this will not apply to personal data collected by us as a result of your entry into a business relationship with us and our service provision, or which we otherwise process to ensure compliance with our legal obligations or to fulfil our defined legitimate interests.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us at [email protected].

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

6. Transfers of personal data to third persons

Your personal data will not be forwarded to third parties for purposes other than those listed below. Those employees of our Company who come into contact with your data are subject to a strict duty of confidentiality, and we constantly monitor its compliance. We have also bound and will continue to bind to confidentiality in writing any other persons with whom we cooperate and who come or might come into contact with your data.

We may only forward information about you to third parties if required to do so by law, if you have given your consent or if we are authorised to provide information and the processors commissioned by us guarantee confidentiality and compliance with the requirements of the GDPR.

The recipients of personal data may be:

We may only forward information about you to third parties if required to do so by law, if you have given your consent or if we are authorised to provide infromation and the processors commissioned by us guarantee confidentiality and compliance with the requirements of GDPR. We require all third parties to respect the security and secrecy of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Additionally, in the case of transactions effected via SWIFT, we may be required to disclose your personal data to the United States authorities or any other authorities as required, in order to comply with legal requirements applicable in the United States or in any other country for the prevention of crime.

Data is only transmitted to countries outside the EU or the European Economic Area (EEA), referred to as third countries, if this is required to execute your orders (e.g. payment and securities orders), if required by law (e.g. tax reporting obligations or if you have given us your consent.

Whenever we transfer your personal data to third countries, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

As indicated, we may also be required to share your information with overseas government authorities and regulatory agencies, for the detection and prevention of crime.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

7. Duration of storage and erasure of personal data

The personal data you provide will only be stored and processed as long and to the extent necessary to fulfill our contractual and statutory obligations. In this regard, it should be noted that our business relationship may last several years and your personal data shall be retained for the duration of such relationship.

To determine the retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable contractual and statutory obligations.

If the data is no longer required for the performance of our contractual and statutory obligations, then it shall be deleted unless the Company needs to process it further (for a limited time) for the following purposes:

By and large, in the latter case, our retention of your data shall not exceed the period of six (6) years from the date of the termination of your business relationship with us. This period of retention enables us to use the data in question for the defence of possible future legal claims (taking into account the timeframe of the applicable prescriptive period at law).

Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by contacting us [email protected]

8. Your rights as a data subject

When your personal data is processed, you are a data subject as defined by the GDPR and you have rights in relation to us as the data controller as described in this section.

a) Right of confirmation and access, Art. 15 GDPR

You have the right to obtain confirmation from us at any time as to whether any personal data concerning you is processed by us.

Where that is the case, you have the right to access to the data and the following information:

Furthermore, you have the right to be informed if personal data is transferred to a country which is not a member state of the EU (“third country”) or to an international organisation. In this context, you can demand to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.

b) Right to rectification, Art. 16 GDPR

You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Furthermore, you have the right – taking into account the purposes of the processing – to have incomplete personal data completed, including by means of providing a supplementary statement:

c) Right to erasure (‘right to be forgotten’), Art. 17 GDPR

You have the right to demand the erasure of personal data concerning you without delay where one of the following grounds applies:

If the Company or the Portfolio in question has made the affected personal data public and is obliged pursuant to the above provisions to erase the personal data, then we are also obliged to inform other controllers who process the data that you, as data subject, have requested the erasure of any links to, or copies or replications of, that personal data.

In this regard, taking into account the available technology and the implementation costs, we take appropriate measures, including technical measures, to comply with these obligations, at least to the extent that processing is no longer necessary, i.e. that no legal provisions prescribe this and that no legitimate interests prevent deletion.

There are certain exceptions where we may refuse a requested erasure, e.g. if the personal data is required to comply with a legal obligation or for the assertion, exercise or defence of legal claims.

d) Right to restriction of processing, Art. 18 GDPR

You have the right to demand that we restrict the processing of your personal data where at least one of the following applies:

Where processing of your personal data has been restricted, such personal data shall – with the exception of storage – only be processed with your consent or for the enforcement, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. In such a case you shall be informed by us before the restriction is lifted.

e) Notification obligation, Art. 19 GDPR

If you have asserted your right to rectification or erasure of personal data or restriction of processing, we shall be obliged to notify each recipient to whom your personal data has been disclosed of such rectification or erasure of personal data or restriction of processing, unless this proves impossible or involves disproportionate effort. You can therefore demand that we inform you about those recipients.

f) Right to data portability, Art. 20 GDPR

You have the right to receive your personal data which you have supplied to us in a structured, commonly used and machine-readable format. Furthermore, you have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR and the processing is carried out by automated means, as long as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Moreover, when exercising your right to data portability according to Art. 20(1) GDPR you can demand that the personal data be transferred directly from one controller to another controller to the extent that this is technically feasible and that this does not adversely affect any rights and freedoms of others.

g) Right to object, Art. 21 GDPR

1) Objection in individual cases

For reasons relating to your particular situation, you have the right to object any time to the processing of your personal data pursuant to Art. 6(1)(e) GDPR (data processing in the public interest) and Art. 6(1)(f) GDPR (data processing for the purposes of legitimate interests).

If an objection is lodged, your personal data will no longer be processed unless there are demonstrably compelling reasons outweighing your interests, rights and freedoms. Continued processing is also possible if the processing serves to assert, exercise or defend legal claims.

2) Objection to direct marketing

Under certain circumstances, your personal data may be processed for direct marketing purposes. You have the right to object to such processing at any time. This also applies to profiling, as far as it is connected to direct marketing. You can object to direct marketing at any time by sending an email to [email protected] or else following the relevant links in any direct marketing messages sent.

You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data which is based on Art. 6(1)(e) or (f) GDPR. This also includes profiling based on those provisions.

We shall no longer process the personal data in the event of objection unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves the enforcement, exercise or defence of legal claims.

Where your personal data is processed for direct marketing purposes, you shall have the right to object at any time to the processing of your personal data for such marketing; this also includes profiling, to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.

h) Right to withdraw consent, Art 7(3) GDPR

If you have given your consent to data processing, you have the right to withdraw2 this consent at any time with effect for the future. Any processing of personal data which took place before such withdrawal shall not be affected.

Should you wish to exercise your right to withdraw consent, please sent an e-mail addressed to [email protected].

i) Right to lodge a compliance with a supervisory authority

You have the right to lodge a complaint at any time to a competent supervisory authority on data protection matters, such as in particular the supervisory authority in the place of your habitual residence or your place of work. In the case of Malta, this is the Office of the Information and Data Protection Commissioner (the “IDPC”) (https://idpc.org.mt). We would, however, appreciate the opportunity to deal with your concerns before you approach the supervisory authority, so please contact us in the first instance.

9. Changes to this Privacy Policy

We may amend this Privacy Policy from time to time. Please check this page frequently in order become familiar with the latest version of our Privacy Policy.

Subscribe To Our Newsletter

Be one step ahead with our latest news updates.

Timberland Invest Ltd.,
CF Business Centre,
Gort Street,
St Julians STJ 9023
Malta

Translate »