Privacy Policy


Your trust is important to us. Timberland Invest Ltd. (C 60291) having its registered office at 171 Old Bakery Street Valletta, VLT 1455 (hereinafter also referred to as the “Company”, “we”, “us” or “our”) respects your privacy and is committed to protecting your personal data. The Company collects information from you in order to be able to receive, process and give effect to your subscription to bonds issued by Timberland Securities Investment plc (C 68856).

We take the protection of your personal data very seriously. The purpose of this Notice is to set out the basis on which we will process your personal data when you enter into a relationship with us, to inform you about how we will generally handle and look after your aforementioned personal data, and to tell you about (i) our obligations to process your personal data responsibly, (ii) your data protection rights as a data subject and also (iii) how the law protects you. For the sake of clarity, please note that submission of this subscription order creates a contractual relationship between you and the Company.

We process your data in an appropriate and lawful manner, in accordance with the Data Protection Act (Chapter 586 of the Laws of Malta) (the “Act”) and the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), subsidiary legislation and regulations promulgated thereunder, as they may be updated from time to time.

Therefore, this Policy strictly provides an overview and outline of our processing activities and cannot be exhaustive due to the fluidity of your business relationship and the services you may request from us.

It is therefore important that you read this Policy carefully, together with any other privacy Policy or fair processing notice that we may issue on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your data (namely, in the context of a service provision). This Policy supplements the other notices and is not intended to override them.

When accessing our website, we may automatically collect certain information, in particular your IP Address. Please refer to our IP and Cookie Policy available here: for more information about how the website uses cookies.

Moreover, certain processing activities which we wish to carry out require your express consent, as indicated below in this Policy. Your consent is kindly requested to enable these activities (as described in detail below). We shall request your consent for specific activities by means of separate Consent Forms which will explain the purposes for processing for which we are requesting consent, should this be necessary.

1. Name and address of the data controller

The Company (as previously defined) is the controller and responsible for your personal data.

Timberland Invest Ltd. (C 60291)
with its registered office at
Old Bakery Street 171
Valletta, VLT 1455,

You can contact our data protection contact point at any time about any data protection issues at the above‐mentioned business address or email us on the following email address:


2. Collection and storage of personal data

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). In the interest of clarity, personal data does not include information relating to a legal person (for example, a company or other legal entity). In that regard, information such as a company name, its company number, registered address and VAT number does not amount to personal data in terms of both the Act and the GDPR. Therefore, the collection and use of information strictly pertaining to a legal person does not give rise to data controller obligations at law. Naturally, we will still treat any and all such information in a confidential and secure manner.

During the course of our relationship with you we may collect and process the following personal data, which we have grouped as follows:

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

As indicated, we do collect Special Categories of Personal Data about you, specifically as a result of the information that we collect and process in terms of Compliance Data. The collection and processing of this information is necessary in order for us to (i) conduct and carry out our internal Know-Your-Customer (“KYC”) due diligence, (ii) comply with our various legal and regulatory obligations as a licensed financial institution, including in particular our Anti-Money Laundering (“AML”) obligations, (iii) fulfil any mandated external regulated reporting, such as the Financial Intelligence Analysis Unit (“FIAU”) and (iv) abide by Court orders.

3. Obligation to Provide Data

Within the scope of our business relationship, you must provide personal data which is necessary for the initiation and execution of the business relationship. As a rule, we would not be able to enter into a business relationship, execute an order or continue an existing relationship without the data that we are mandated at law to collect and process. Specifically, provisions on anti-money laundering require that we verify the identity of a prospective customer before entering into a business relationship, for example by means of an identity card, utility bill and even references.

Accordingly, where we need to collect personal data by law, or under the terms of the contract we have with you (pursuant to your entry into a business relationship with us), or as otherwise part of our defined legitimate interests, and you fail to provide that data when requested, we may not be able to perform the contract that we have or which we are otherwise trying to enter into with you.
In most cases, by failing to provide us with the necessary information and documents, we will not be allowed to enter into or otherwise continue your requested business relationship. In the case of an existing relationship, we would have to exercise our prerogative to terminate the contract and relationship. We will notify you if this is the case at the time.

4. How is your personal data collected?

We use different methods to collect data from and about you including through:

5. Purposes for Processing

We process your personal data in accordance with the General Data Protection Regulation (GDPR).

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances.

Generally we do not rely on consent as a legal basis for processing your personal data, other than in relation to sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to such marketing at any time by contacting us at

Purposes for which we will use your personal data

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Kindly note that we may process your personal data for more than one lawful ground, depending on the specific purpose for which we are using your data.

Accordingly, please contact us at if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

Each entry below gives the Purpose/Activity, the Type of data, and the Lawful basis for processing including basis of legitimate interest.

Purpose/Activity: To decide whether to accept your subscription and your relationship with us and, if positive, to enter into a business relationship with you.

Type of data:

  • Identity
  • Contact
  • Compliance
  • General Due Diligence

Lawful basis for processing:

  • Performance of a contract with you or take steps at your request prior to entering into a contract with you.
  • Necessary for our legitimate interests (to verify your identity and suitability for our business, and your ability to meet financial commitments).

Purpose/Activity:

  • To process and perform transactions and financial services requested by the customer, including the following:
    • deposits;
    • transfer instructions;
    • fund withdrawals and releases;
    • processing and production of statements;
    • Asset management
  • Manage transactions;
  • Collect and recover money which is owed to us (debt recovery).

Type of data:

  • Identity
  • Contact
  • Compliance
  • Regulatory,
  • Transaction;
  • Tax; and
  • Recording

Lawful basis for processing:

  • Performance of a contract with you or take steps at your request prior to entering into a contract with you.
  • Necessary for our legitimate interests (to recover debts due to us).

Purpose/Activity:

  • To fulfil our:
    • internal AML compliance policies and requirements;
    • obligations under the PMLA and PMLFTR; and
    • external regulated reporting and obligations to the MFSA and FIAU (amongst others).
  • For legal, tax, insurance, accounting and other general compliance purposes,
  • To abide by Court orders,
  • Consult and exchange data with credit agencies.

Type of data:

  • Compliance
  • Additional Compliance
  • Court Data
  • Regulatory
  • Transaction
  • Recording

Lawful basis for processing:

  • Necessary to comply with a legal obligation (both statutory requirements, financial supervisory requirements and in respect of Court orders).
  • Necessary for our legitimate interests:
    • detection and prevention of fraud, money laundering and any other criminal activity,
    • identity and age verification,
    • satisfaction of tax law control,
    • asserting legal claims and mounting a defence in the event of litigation,
    • credit checks,
    • credit or default risks,
    • risk assessment and management,
    • to ensure that we carry out your instructions accurately

Purpose/Activity: To manage our relationship with you which will include:

  • Notifying you about changes to our terms or privacy notices;
  • Responding to complaints, queries and/or reported issues;
  • Dealing with requests;
  • Asking you to participate in a survey; and
  • Requesting feedback from you.

Type of data:

  • Identity
  • Contact
  • Usage
  • Marketing and Communications
  • Recording

Lawful basis for processing:

  • Performance of a contract with you
  • Necessary for our legitimate interests (for customer service matters, to study how customers use our services, to enable a review, assessment or rating of our operations, to develop them and grow our business, market and opinion research, to the extent you have not objected to having your data processed for direct marketing purposes).
  • Necessary for our legitimate interests (for the purpose of the resolution of complaints).

Purpose/Activity: To administer and protect our business and our website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)

Type of data:

  • Identity
  • Contact Technical
  • Contact
  • Recording

Lawful basis for processing:

  • Necessary for our legitimate interests –
    • for running, administering and protecting our business,
    • network security and IT operations,
    • measures to ensure against trespassing and server or network hacks,
    • to prevent fraud and to maintain the confidentiality of transactions, and
    • in the context of a business reorganisation or group restructuring exercise
  • Performance of a contract with you (ensuring that your transactions remain secure and confidential).

Purpose/Activity: To deliver advertisements to you and measure or understand the effectiveness of the advertising we serve to you

Type of data:

  • Identity
  • Contact
  • Usage
  • Marketing and Communications
  • Technical

Lawful basis for processing:

  • Necessary for our legitimate interests (to study how existing customers use our services, to develop them, to grow our business and to inform our marketing strategy).

Purpose/Activity: To make suggestions and/or recommendations to you, as an existing customer, about our other services that we feel may be of interest to you.

Type of data:

  • Identity
  • Contact
  • Technical
  • Customer Contact

Lawful basis for processing:

  • Necessary for our legitimate interests (to develop our services and grow our business)


We strive to provide you with choices regarding certain personal data uses, particularly around advertising and marketing communications. Through your Identity, Contact, Technical and Usage Data, we would be able to form a view on what we think you may want or need and what may be of interest to you. This would then enable us to determine which of our particular services may be most relevant for you (we call this marketing).

In that regard, we will only send you advertising and marketing communications:

Opting out

You can ask us to stop sending you advertising and marketing communications at any time by:

Where you opt out of receiving such communications, this will not apply to personal data collected by us as a result of your entry into a business relationship with us and our service provision, or which we otherwise process to ensure compliance with our legal obligations or to fulfil our defined legitimate interests.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us at

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

6. Transfers of personal data to third persons

Your personal data will not be forwarded to third parties for purposes other than those listed below. Those employees of our Company who come into contact with your data are subject to a strict duty of confidentiality, and we constantly monitor its compliance. We have also bound and will continue to bind to confidentiality in writing any other persons with whom we cooperate and who come or might come into contact with your data.

We may only forward information about you to third parties if required to do so by law, if you have given your consent or if we are authorised to provide information and the processors commissioned by us guarantee confidentiality and compliance with the requirements of the GDPR.

The recipients of personal data may be:

We require all third parties to respect the security and secrecy of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Additionally, in the case of transactions effected via SWIFT, we may be required to disclose your personal data to the United States authorities or any other authorities as required, in order to comply with legal requirements applicable in the United States or in any other country for the prevention of crime.

Data is only transmitted to countries outside the EU or the European Economic Area (EEA), referred to as third countries, if this is required to execute your orders (e.g. payment and securities orders), if required by law (e.g. tax reporting obligations) or if you have given us your consent.

Whenever we transfer your personal data to third countries, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

As indicated, we may also be required to share your information with overseas government authorities and regulatory agencies, for the detection and prevention of crime.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

7. Duration of storage and erasure of personal data

The personal data you provide will only be stored and processed as long and to the extent necessary to fulfil our contractual and statutory obligations. In this regard, it should be noted that our business relationship may last several years and your personal data shall be retained for the duration of such relationship.

To determine the retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable contractual and statutory obligations.

If the data is no longer required for the performance of our contractual and statutory obligations, then it shall be deleted unless the Company needs to process it further (for a limited time) for the following purposes:

By and large, in the latter case, our retention of your data shall not exceed the period of six (6) years from the date of the termination of your business relationship with us. This period of retention enables us to use the data in question for the defence of possible future legal claims (taking into account the timeframe of the applicable prescriptive period at law).

Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by contacting us

8. Your rights as a data subject

When your personal data is processed, you are a data subject as defined by the GDPR and you have rights in relation to us as the data controller as described in this section.

9. Changes to this Privacy Policy

We may amend this Privacy Policy from time to time. Please check this page frequently in order to become familiar with the latest version of our Privacy Policy.

Get in touch


General Telephone:
+356 2090 8100
Timberland Securities Investment plc,
Aragon House Business Centre,
Dragonara Road,
St Julian’s, STJ 3140,