
MALTA - Data Protection and GDPR Review

Data protection in Malta has evolved considerably over the years, influenced by both local and international factors. As a member of the European Union, Malta has been particularly influenced by EU data protection directives and regulations, including the latest General Data Protection Regulation (GDPR). This article outlines key milestones in the history of data protection in Malta.

Early Days: National Legislation

Before Malta's accession to the European Union in 2004, data protection was largely unregulated. In the run-up to membership, Malta enacted its first Data Protection Act in 2001 to align itself with the EU Data Protection Directive 95/46/EC. This early piece of legislation laid the groundwork for the protection of personal data and privacy.

Creation of the IDPC

The Information and Data Protection Commissioner (IDPC) was established as part of Malta's early efforts to comply with EU standards. The IDPC serves as the national supervisory authority for data protection, responsible for monitoring and enforcing data protection law.

EU Influence and GDPR

On 25 May 2018, the EU General Data Protection Regulation (GDPR) became applicable, replacing the Data Protection Directive. The GDPR introduced stricter rules and larger fines for breaches. It also extended the territorial scope of EU data protection law: organisations established outside the EU are covered when they offer goods or services to, or monitor the behaviour of, data subjects in the EU. Although a regulation applies directly in every member state, Malta, like the others, had to update its national legislation to give effect to the GDPR's opening clauses and enforcement provisions.

Updates to National Legislation

In light of the GDPR, Malta replaced its Data Protection Act with a new Act in 2018 to bring national law in line with the regulation. The new Act also empowered the IDPC with additional resources and authority to enforce the GDPR, including the ability to impose significant administrative fines.

Public Awareness and Education

Since the implementation of GDPR, there has been a noticeable increase in public awareness and education about data protection in Malta. Organizations, both public and private, have had to take data protection more seriously, often appointing Data Protection Officers (DPOs) and conducting Data Protection Impact Assessments (DPIAs).

Ongoing Challenges and Future Directions

While considerable progress has been made, Malta faces challenges in data protection, including adapting to new technologies like artificial intelligence and blockchain, and dealing with cross-border data transfers. The IDPC continues to evolve to meet these challenges, regularly publishing guidelines and taking enforcement actions where necessary.


The history of data protection in Malta is marked by a deepening understanding of the importance of personal data protection, significantly influenced by EU legislation. The implementation of GDPR and the subsequent national legislation changes have substantially strengthened the data protection landscape in the country. With ongoing developments in technology and international data issues, data protection will undoubtedly remain a critical area of focus for Malta.

# Comprehensive Guide on Data Protection in Malta in Relation to GDPR

Data protection in Malta is primarily governed by the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, across all European Union (EU) member states. This comprehensive guide aims to outline key aspects of data protection under the GDPR in Malta. Please note that this guide is for informational purposes and not a substitute for legal advice.

Regulatory Bodies

European Union

GDPR (General Data Protection Regulation): Regulation (EU) 2016/679, which applies directly in all EU member states and standardizes data protection law across them.

Malta

Information and Data Protection Commissioner (IDPC): The national supervisory authority responsible for enforcing data protection law in Malta.

Key Concepts

Personal Data

Any information relating to an identified or identifiable natural person, including identifiers such as a name, an identification number, location data or an online identifier.

Data Controller

The entity that determines the purposes and means of the processing of personal data.

Data Processor

A separate entity that processes personal data on behalf of, and on the documented instructions of, the data controller.

Data Subject

The individual whose personal data is being processed.

Consent

A freely given, specific, informed and unambiguous indication of the data subject's wishes, by a statement or a clear affirmative action, agreeing to the processing of their data. Explicit consent is required in specific cases, such as the processing of special categories of data.

Obligations for Data Controllers and Processors

Privacy Policy

Organizations must have a transparent and accessible privacy policy outlining how they collect, use, and store personal data.

Data Protection Impact Assessment (DPIA)

A DPIA is required before processing that is likely to result in a high risk to the rights and freedoms of individuals, for example large-scale profiling or systematic monitoring of publicly accessible areas.

Data Protection Officer (DPO)

A DPO is mandatory for public authorities and bodies, and for organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale or large-scale processing of special categories of data or data relating to criminal convictions.

Records of Processing Activities

Maintaining records of data processing activities is obligatory under GDPR to demonstrate compliance. Organizations with fewer than 250 employees are exempt only if their processing is occasional, poses no risk to individuals and involves no special categories of data.

Security Measures

Adequate technical and organizational security measures must be implemented to protect personal data.

Data Breach Notification

Personal data breaches must be reported to the IDPC without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. Affected data subjects must be informed without undue delay only when the breach is likely to result in a high risk to their rights and freedoms.

Rights of Data Subjects

Right to Access

Individuals have the right to access their personal data and know how it's being processed.

Right to Rectification

The right to correct inaccurate or incomplete personal data.

Right to Erasure ("Right to be Forgotten")

Individuals can ask for their personal data to be deleted under certain conditions.

Right to Object

The right to object to data processing for specific reasons, including direct marketing.

Right to Data Portability

Individuals can request a copy of their data in a machine-readable format for transfer to another service.

Enforcement and Penalties

Non-compliance with GDPR can result in fines from the IDPC of up to €20 million or 4% of the organization's total worldwide annual turnover of the preceding financial year, whichever is higher. A lower tier of up to €10 million or 2% applies to breaches of obligations such as record-keeping, security and breach notification.

Additional Considerations

Local Laws: Malta has its own Data Protection Act, updated in 2018 to align with GDPR, that further details data protection regulations within the country.

International Data Transfers: Transferring personal data outside the EU must comply with GDPR, which requires an adequacy decision for the destination country or appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules.

Special Categories: Processing of sensitive data such as health information, biometric data used to identify a person, or data revealing racial origin, political opinions or religious beliefs is prohibited unless one of the specific conditions in the GDPR, such as explicit consent, applies.


Data protection in Malta is in line with stringent European standards as set by the GDPR. Organizations must be proactive in ensuring compliance, which includes understanding the rights of data subjects and the obligations of data controllers and processors. Given the evolving nature of data protection laws and the growing digital landscape, it is advisable for organizations to seek legal consultation to ensure they remain compliant.

