Privacy Notice

Malta Development Bank (MDB) is a government-owned bank set up under the Malta Development Bank Act (Cap. 574) having its official address at Triq il-Papa Piju V, Valletta VLT 1040, Malta.
This Privacy Notice provides information on the processing of personal data by MDB in connection with its statutory mandate, employment obligations, procurement procedures and use of its website.  MDB is committed to handling personal data, whether held electronically or in manual form, in accordance with the provisions of the General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Act (Cap. 586) and subsidiary legislation related thereto.

Processing of Personal Data

MDB processes personal data to perform its mandate under the Malta Development Bank Act.  The mandate of MDB is to support entrepreneurship and socio-economic development in Malta by providing promotional investment, financing and advisory services, and by issuing securities or otherwise raising funds or capital.  In carrying out its activities, MDB gives particular attention to the needs of small and medium-sized enterprises and large infrastructural projects that contribute to important regional or national development.
As data controller MDB typically processes the following personal data:
  • Financing Activities: In carrying out its statutory mandate under the Malta Development Bank Act, MDB may hold personal data in relation to the evaluation of offers pursuant to a call for expression for local banks to participate in its financing projects.  Following the project selection process, MDB may hold personal data under contractual documentation signed with the selected banks, including client data.
  • Reporting Requirements:  MDB is required by statute to report business data for regulatory or statistical purposes.  Occasionally such reporting may relate to personal data.
  • Recruitment & Employment:  MDB will process personal data when conducting recruitment exercises to fill vacancies.  Following recruitment, employee data is held by MDB for the purposes of concluding employment contracts, provision of employment benefits, performance reviews, management of attendance including sick leave, payroll, training, travel and disciplinary proceedings.
  • Procurement and Contractual Relationships:  Personal data may be processed as a result of procurement processes for the purchase of products or equipment or the provision of services.  Personal data will also be processed in the conclusion of contractual relationships with suppliers, contractors, advisors, consultants and agents.
  • Use of Website:  MDB’s website makes use of third-party tools such as Google Analytics, which is an external web analytic service provided by Google Inc. (“Google”) to obtain statistics about the usage of the website. Log information collected by the servers hosting MDB’s website is also sent to servers operated by Google. This information is used to provide aggregated statistics about the number of browser visits, usage patterns and searches performed on this website.  Google itself uses this information for the purpose of evaluating use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law or where such third parties process the information on Google’s behalf.  Google does not associate IP addresses with any other data held by Google. By using this website, you consent to the processing of your data by Google in the manner and for the purposes set out above.  You may refuse the use of Google Analytics cookies by downloading and installing the Google Analytics Opt-out Browser Add-on.

MDB does not use personal data to take decisions based solely on automated processing which could produce legal effects or which could significantly affect the data subject, without human intervention.  Profiling may be used exclusively to comply with legal obligations relating to compliance with anti-money laundering and combating the funding of terrorism legislation.

Personal data will be processed in a manner that provides the necessary security, as well as safeguards against accidental destruction, loss or damage.

Disclosure to Third Parties

MDB may share personal data with third party recipients who are service providers in order to render a support service to MDB such as IT service providers as well as third parties who may offer consultancy or contractual services.  Data may also be disclosed to local authorities when required as a result of statutory obligations imposed on MDB.
Data may also be transferred abroad to third party business partners in order for MDB to carry out activities under its statutory mandate.  These third party business partners are situated in the European Economic Area (EEA).  MDB will only transfer personal data outside the EEA as permitted by the GDPR.

Data Retention

MDB is committed to keeping data for the minimum time necessary to fulfil its purpose.  In those instances where client data is made available to it directly or indirectly, such data shall be retained for a period of ten years after the termination of the business relationship in order to meet data needs for any financial, regulatory or statistical reporting requirements. 
Data related to suppliers or contractors/advisors shall be retained by MDB for a period of ten years from termination of the contractual relationship in order to meet data needs for any financial accounting requirements or taxation reporting, if necessary.
Data processed during recruitment procedures may be retained for a period of twelve months following the recruitment selection process for the purposes of filling future vacancies within MDB. 
Other personal data, excluding staff data, that may be retained by MDB shall be kept for a period of ten years following the closure of the relationship with the individuals concerned or the entities they represent.
These retention periods may need to be exceeded in case of imminent or pending court cases or where a longer time period is imposed by law.

Data Subject Rights

Data subjects are entitled to know, free of charge, what type of information MDB holds and processes about a data subject, who has access to it, how it is held and kept up to date, for how long it is kept, and what MDB is doing to comply with data protection legislation.


The GDPR establishes a formal procedure for dealing with data subject access requests.  All data subjects have the right to access any personal information kept about them by MDB either on computer or in manual files. Requests for access to personal information by data subjects are to be made in writing and sent to the Data Protection Officer of MDB.  Identification details such as ID number, name and surname have to be submitted with the request for access.  The data subject may also be required to present an identification document.
MDB aims to comply as quickly as possible with requests for access to personal information and will ensure that it is provided within a reasonable timeframe and in any case not later than one month from receipt of request, unless there is good reason for delay. When a request for access cannot be met within a reasonable time, the reason will be explained in writing to the data subject making the request.  Should there be any data breaches, the data subject will be informed accordingly.
All data subjects have the right to request that their information is not used or is amended if it is found to be incorrect.  Data subjects may also request that their data is erased.
These rights may be restricted, if applicable, in terms of the GDPR. 
If a data subject is not satisfied with the outcome of an access request, the data subject may lodge a complaint with the Information and Data Protection Commissioner, whose contact details are provided below.

Contact Details

The Data Protection Officer of MDB can be contacted by email at, by telephone on +356 2226 1711 or in writing at the following address:
Data Protection Officer
Malta Development Bank,
Triq il-Papa Piju V,
Valletta VLT 1041
The Information and Data Protection Commissioner may be contacted as follows:
Telephone:         (+356) 2328 7100

The European Data Protection Legislation

For further information on the GDPR please refer to the following link: GDPR Regulation.