1. INTRODUCTION
MedservRegis p.l.c. (C 28847) is committed to protecting the privacy of individuals whose Personal Data it processes. This Privacy Notice applies to natural persons who are Bondholders or representatives thereof, providing information regarding the manner in which the Company processes Personal Data in accordance with Applicable Laws.
2. DEFINITIONS
“Applicable Laws” means the GDPR and the DP Act.
“Bondholder” means any natural or legal person investing or seeking to invest in the Company through the purchasing of Bonds.
“Consent” means any freely given, specific, informed and unambiguous indication of wishes by which a person (by a statement or by a clear affirmative action) signifies agreement to the Processing of Personal Data.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Subject” means any identified or identifiable natural person to whom Personal Data relates.
“DP Act” means the Data Protection Act (Chapter 586 of the Laws of Malta) and the subsidiary legislation thereunder, as may be amended from time to time.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Issuance T&Cs” means any Securities Note and/or Registration Documents that may be issued in respect of an issue of Bonds by the Company.
“Representative” means the natural person representing a Bondholder, particularly where such Bondholder is a legal entity.
“Personal Data” means any information relating to an identified or identifiable natural person.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
Any capitalised terms not defined in this Privacy Notice shall bear the same meaning as set out in the relevant Issuance T&Cs.
3. WHO WE ARE (CONTROLLER INFORMATION)
The Controller of Personal Data is MedservRegis p.l.c., a public limited liability company registered under the laws of Malta with company registration number C 28847 and with registered office at Port of Marsaxlokk, Birzebbugia, BBG 3011, Malta.
Contact Details:
- Email: investors@medservregis.com
- Telephone: (00356) 2220 2000
- Address: Port of Marsaxlokk, Birzebbugia, BBG 3011, Malta
- Website: https://www.medservregis.com
The Company has appointed a Data Protection Officer who may be contacted through the following means:
- Email: dpo@medservregis.com
- Telephone: (00356) 2220 2000
- Address: Port of Marsaxlokk, Birzebbugia, BBG 3011, Malta
4. PERSONAL DATA COLLECTED
The Company may process the following Personal Data:
Identity Data – first name and last name, date of birth, identity card number and MSE account numbers of the Bondholders.
Contact Data – email address, telephone number and mobile number as well as addresses of the Bondholders.
Financial Data – bank account details, such as bank account number.
5. PURPOSES AND LAWFUL BASES FOR PROCESSING
The following sets out the purposes for which Personal Data is processed, as well as the lawful basis (in terms of the Applicable Laws) on which such data is processed:
| Purpose | Categories of Personal Data | Lawful Basis |
|---|---|---|
| Registration – To register bondholders or their Representatives as holders of bonds in the Company, or to register Representatives where the Bondholder is a legal entity, or to register usufructuaries, guardians or pledgees of the Bondholder with respect to the bonds held in the Company. The electronic register is maintained on behalf of the Issuer at the CSD and contains the names, addresses, identity card numbers (in the case of natural persons) and MSE account numbers of the Bondholders. For this purpose, the Company may share the electronic register with its appointed functionaries on an as-needed basis. One such instance in which the register shall be shared is with respect to existing Bondholders in order for them to be contacted by the Company to enquire as to whether they would like to subscribe for additional or new bonds. | Identity Data | (1) Necessity in order to take steps at the data subject’s request prior to entering into a contract, namely the Issuance T&Cs; (2) Necessity for the purposes of legitimate interests to remain organised internally by maintaining adequate records regarding the bonds held in the Company as well as to streamline processes, including the issuance of new or additional bonds to existing Bondholders; (3) Necessity for compliance with a legal obligation to which the Company is subject, such as obligations emanating from the Companies Act (Chapter 386 of the Laws of Malta) and the Capital Markets Rules published by the Malta Financial Services Authority (MFSA). |
| Communication – To contact data subjects with respect to the bonds held in the Company by the Bondholder (whether personally the Bondholder, a Representative, a usufructuary, guardian or pledgee of the Bondholder). | Identity Data and Contact Data | (1) Necessity for the performance of a contract between the Bondholder and the Company, such as the Issuance T&Cs, where the data subject is personally the Bondholder; (2) Necessity for the purposes of legitimate interests to remain organised internally and communicate with Bondholders as may be required; (3) Necessity for compliance with a legal obligation to which the Company is subject, such as obligations emanating from the Companies Act (Chapter 386 of the Laws of Malta) and the Capital Markets Rules published by the Malta Financial Services Authority (MFSA). |
| Interest Payment Distribution – To distribute interest payments to data subjects: where personally the Bondholder or a usufructuary, guardian or pledgee of the Bondholder with respect to the bonds held in the Company by the Bondholder. Payment is made by direct credit transfer into such bank account as the Bondholder may designate. | Financial Data | (1) Necessity for the performance of a contract between the Bondholder and the Company, namely the Issuance T&Cs; (2) Necessity for compliance with a legal obligation to which the Company is subject, such as obligations emanating from the Companies Act (Chapter 386 of the Laws of Malta) and the Capital Markets Rules published by the Malta Financial Services Authority (MFSA); (3) Necessity for the purposes of legitimate interests to manage the Company efficiently, particularly to distribute interest payments accordingly to Bondholders or other persons who are entitled to receive such interest payments. |
| Legal Claims – To establish, exercise or defend any legal claims in relation to the bonds held in the Company by the Bondholder. | Identity Data, Contact Data, and Financial Data | Necessity for the purposes of legitimate interests for the Company to defend itself from any legal claims and to institute any legal claims it may deem necessary. |
| Tax Compliance and Reporting – To render an account to the Maltese Commissioner for Tax and Customs of all amounts of interest paid and tax deducted, including the identity of the recipient. To advise the Maltese Commissioner for Tax and Customs on an annual basis in respect of all interest paid gross and of the identity of all such recipients. To collect and forward certain information (including information regarding payments made to certain Bondholders) to the Commissioner for Tax and Customs. | Identity Data, Contact Data, and Financial Data | Necessity for compliance with a legal obligation to which the Company is subject, including obligations under the Income Tax Act (Cap. 123 of the laws of Malta), the Prevention of Money Laundering and Funding of Terrorism Regulations (Subsidiary Legislation 373.01), FATCA Legislation, and CRS Legislation. |
| Anti-Money Laundering and Know Your Customer (KYC) – Verification of identity as required by the Prevention of Money Laundering Act (Chapter 373 of the laws of Malta) and regulations made thereunder. For the purposes of the Prevention of Money Laundering and Funding of Terrorism Regulations (Subsidiary Legislation 373.01). | Identity Data, Contact Data, and Financial Data | Necessity for compliance with a legal obligation to which the Company is subject under the Prevention of Money Laundering Act (Chapter 373 of the laws of Malta) and the Prevention of Money Laundering and Funding of Terrorism Regulations (Subsidiary Legislation 373.01). |
| FATCA and CRS Compliance – To identify and report financial accounts held by Specified U.S. persons and certain non-U.S. entities to the Maltese tax authorities under FATCA Legislation. To identify and report to the Maltese tax authorities financial accounts held by a Reportable Person and certain entities with one or more Controlling Persons under CRS Legislation. | Identity Data, Contact Data, and Financial Data | Necessity for compliance with a legal obligation to which the Company is subject under the FATCA Legislation (Legal Notice 78 of 2014) and CRS Legislation (Legal Notice 384 of 2015). |
Statutory Requirement Statement
The Processing of Personal Data is not a statutory requirement but is a requirement for the performance of the Issuance T&Cs or the agreement which the entity represented has entered into with the Company, including all obligations therein for the purposes listed in the table above.
If the Company does not Process the Personal Data set out in this privacy notice, the Company will be prevented from performing its obligations under the Issuance T&Cs and Bondholders will be unable to purchase the bonds and the Company may be prevented from performing its obligations under the agreement which the entity represented has entered into with the Company.
6. AUTOMATED DECISION-MAKING AND PROFILING
The Company does not use Personal Data in order to carry out any automated decision-making or profiling. In the event that it decides to carry out any such automated decision-making or profiling in the future, it shall inform data subjects prior to making any such use of Personal Data.
7. DATA RECIPIENTS
In the course of business and as part of any Bond issuance, the Company works with third parties, typically service providers or subcontractors, who may also be Processors, and may have to share Personal Data with the following third parties:
- Third-Party Consultants and Professional Advisors
- Sponsor, Manager & Registrar
- Central Securities Depository (CSD)
- Authorised Intermediaries
- Regulators, Courts, Law Enforcement and Other Authorities
- Malta Financial Services Authority (MFSA)
- Malta Stock Exchange (MSE)
- Security Trustee
Other than as set out above, the Company will typically not disclose Personal Data to third parties. However, there may be times where it may need to disclose Personal Data to third parties and the Company shall only do so in accordance with the Applicable Laws.
The Company requires all third parties with whom it shares Personal Data to respect the security of such Personal Data and to treat it in accordance with relevant law, including the Applicable Laws.
The Company does not allow Processors to use Personal Data for their own purposes and only permits them to Process Personal Data for specified purposes and in accordance with the Company’s instructions.
8. INTERNATIONAL TRANSFERS OF PERSONAL DATA
The Company generally does not transfer Personal Data to persons or entities outside the EU and the European Economic Area (the “EEA”).
However, under the FATCA Legislation, the Maltese Government and the Government of the U.S. shall annually exchange information obtained pursuant to the FATCA Legislation on an automatic basis. Financial account information in respect of Bondholders could fall within the scope of FATCA and may therefore be subject to reporting obligations.
Under CRS Legislation, Malta-based financial institutions are obliged to report to the Maltese tax authorities financial accounts held by Reportable Persons, and the Maltese tax authorities exchange information with tax authorities in participating jurisdictions.
In the event of any such transfer of Personal Data to countries which are outside the EU/EEA, the Company shall ensure that a lawful basis for this exists and that appropriate safeguards are implemented for the protection of Personal Data, in accordance with the Applicable Laws. Data subjects may obtain a copy of the appropriate safeguards implemented by contacting the Company at the details indicated in Section 3 above.
9. RETENTION OF PERSONAL DATA
The Company retains Personal Data only for as long as it has a valid reason to do so. To determine the appropriate retention period for Personal Data, it considers the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of Personal Data, the purposes for which it Processes Personal Data and whether it can achieve those purposes through other means, and the applicable legal requirements.
Standard practice is to determine whether there are any specific laws permitting or obliging the Company to keep certain Personal Data for a certain period of time, in which case it will typically keep the Personal Data for the maximum period indicated by any such law.
The Company would also determine whether there are any actions under any laws and/or contracts that may be invoked against it by data subjects and/or third parties and if so, what the prescriptive periods for such actions are (usually of two or five years), and in such cases, will keep any relevant Personal Data that it may need to defend itself against any claims, challenges or other such actions by data subjects and/or third parties for such time as is necessary.
In terms of article 2156 of the Civil Code (Cap. 16 of the laws of Malta), the right of Bondholders to bring claims for payment of interest and repayment of the principal on the Bonds is barred by the lapse of five (5) years.
If a data subject is personally a Bondholder in the Company or an individual who is entitled to receive interest payments on the bonds held by the Bondholder in the Company, the Company generally retains Financial Data for a period of ten (10) years from the date on which the person ceases to hold bonds in the Company, which retention period is in line with obligations in terms of the Companies Act (Chapter 386 of the Laws of Malta).
In any case, the Company generally retains Identity Data and Contact Data for a period of five (5) years from the end of the relationship with the data subject and/or the Bondholder in order to be able to defend itself from any legal claims, challenges or actions by data subjects and/or third parties which may arise in relation to the relationship with the data subject and/or the Bondholder.
10. DATA SUBJECT RIGHTS
In terms of the Applicable Laws, as a Data Subject and for as long as the Company retains Personal Data, data subjects have the following rights in relation to such Personal Data:
- Access – The right to request access to Personal Data and information related to the Processing thereof, as well as obtain a copy thereof. Bondholders shall have, at all reasonable times during business hours, access to the register of Bondholders held at the CSD for the purpose of inspecting information held on their respective account.
- Rectification – The right to request the rectification of any inaccuracies or any missing Personal Data.
- Erasure – The right to request the erasure of Personal Data.
- Restriction – The right to request the restriction of the Processing of Personal Data in cases explicitly provided for by law, including if the data subject believes that the Company is unlawfully Processing Personal Data or that the Personal Data that the Company holds is inaccurate.
- Portability – The right to request that the Company provide Personal Data which it holds in a structured, commonly used and machine-readable format (except where such Personal Data was provided in handwritten format, in which case, upon request, such Personal Data will be provided in such handwritten format), and where technically feasible, the data subject may also request that the Company transmit such Personal Data to a third-party Controller indicated by the data subject.
- Objection – The right to object to the Processing of Personal Data where the Company is relying on its legitimate interests (or those of a third party) for such Processing.
- Automated decision-making and profiling – The right to object to a decision taken solely on the basis of automated Processing, including profiling, which has an impact on or significantly affects the data subject.
- Withdrawal of consent – If Consent has been provided for the Processing of Personal Data, the right to withdraw that Consent at any time, which will not affect the lawfulness of the Processing carried out prior to such withdrawal.
- Information about the source – Where the Personal Data held was not provided directly by the data subject, the right to receive any available information as to the source of such Personal Data.
Any of the above requests should be addressed in writing to the Data Protection Officer who may be contacted at the contact details set out in section 3 above.
Data subjects will not have to pay the Company to exercise any of the above-listed rights. However, the Company may charge a reasonable fee if the request is clearly unfounded, repetitive or excessive.
None of the above-listed rights are absolute and such rights must generally be weighed against the Company’s own legal obligations and legitimate interests. If the Company is permitted, and if a decision is taken to override a Data Subject request, it shall inform the data subject accordingly.
11. COMPLAINTS
The Company strives to be receptive to concerns and would appreciate it if data subjects would contact it in the first instance should they have any complaints or believe that the Company has breached any privacy rules.
Should a data subject feel wronged by the Company’s data protection practices, they may file a complaint with the data protection supervisory authority of their country of residence. In Malta, this would be the Office for the Information and Data Protection Commissioner.
Contact Details for the Office of the Information and Data Protection Commissioner Malta:
- Email: info@idpc.org.mt
- Phone: +356 2328 7100
- Address: Floor 2, Airways House, Triq il-Kbira, Tas-Sliema SLM 1549, Malta
12. COLLECTION OF PERSONAL DATA FROM THIRD PARTIES
If a data subject is a Bondholder, the Company may not always collect Personal Data directly from them. In the event that they have invested in the Company through the services of a financial intermediary, the Company may also collect Personal Data from the financial intermediary, and shall only do so if a lawful basis exists for the collection and Processing of Personal Data, as set out in section 5 of this Privacy Notice.
The Company or the CSD may also collect Personal Data from persons becoming entitled to a Bond in consequence of the death or bankruptcy of a Bondholder, upon such evidence being produced as may be required.
13. DATA SUBJECT OBLIGATIONS
Data subjects acknowledge that, when providing Personal Data to the Company, they are required to provide actual, accurate and complete data, and must inform the Company of any changes to the Personal Data it holds about them, so as to ensure that it is kept up-to-date and accurate.
In the event that data subjects supply the Company with Personal Data pertaining to third-party Data Subjects (such as a Bondholder, in the case that the data subject is a Representative of the Bondholder), they shall be solely responsible to ensure the following obligations:
- (a) Data subjects must immediately bring this Privacy Notice to the attention of such third-party Data Subject.
- (b) The collection, transfer, provision and any Processing of such Personal Data by the data subject must fully comply with any applicable laws, particularly the Applicable Laws.
- (c) Data subjects must provide and/or collect, as may be applicable, any information notices, approval, Consent or other requirements as may be necessary from such Data Subjects prior to supplying the Company with their Personal Data.
- (d) Data subjects remain responsible for ensuring that such Personal Data supplied to the Company is accurate and up-to-date and shall promptly inform the Company of any changes thereto.
Data subjects hereby fully indemnify the Company and shall render it completely harmless on first written demand against all costs, damages or liability of whatsoever nature resulting from any claims or litigation (whether instituted or threatened) against the Company as a result of their provision of Personal Data relating to third-party Data Subjects in breach of provisions (a) to (d) of this section 13.
This section 13 shall supersede and extinguish all previous agreements, promises, assurances, warranties, representations and understandings between the Company and the non-natural person, as applicable, whether written or oral, relating to this subject-matter.
14. PERSONAL DATA OF MINORS
The Company does not generally Process any Personal Data pertaining to minors. In the event that it needs to Process Personal Data pertaining to minors, it shall ensure that any such Processing is carried out in accordance with all applicable laws including collecting any necessary Consent for such Processing from the minors’ parents or guardians and ensuring that the minors receive this Privacy Notice and understand the Processing activities being undertaken by the Company with respect to their Personal Data.
Applications in the name and for the benefit of minors shall be allowed provided that the Applicant already holds an account with the MSE. Any Bonds allocated pursuant to such an Application shall be registered in the name of the minor as Bondholder, with interest and redemption monies payable to the parents/legal guardian/s signing the Application Form until such time as the minor attains the age of 18 years.
15. GOVERNING LAW
This Privacy Notice is governed by and construed in accordance with the laws of Malta.