April 2024

1. Governing Texts

Data protection in Malta is primarily governed by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') which has been implemented into Maltese law by virtue of the Data Protection Act (Chapter 586 of the Laws of Malta) ('the Act').

1.1. Key acts, regulations, directives, bills

The Act implementing the GDPR came into effect on May 28, 2018, and replaced the former Data Protection Act (Chapter 440 of the Laws of Malta).

Additionally, the Act is currently accompanied by various pieces of subsidiary legislation ('the Regulations') which take advantage of various national derogations, allowing, for instance, the processing of health information for insurance purposes, and lowering the age of consent of children in relation to information services. These regulations include the following:

• Processing of Personal Data (Electronic Communications Sector) 2003 (Subsidiary Legislation 586.01) ('the Electronic Communications Sector Regulations');
• Processing of Personal Data (Protection of Minors) Regulations 2004 (Subsidiary Legislation 586.04) ('the Protection of Minors Regulations');
• Transfer of Personal Data to Third Countries Order 2012;
• Processing of Personal Data for the Purposes of the General Elections Act Regulations and the Local Government Act Regulations 2013 (Subsidiary Legislation 586.06);
• Processing of Personal Data (Education Sector) Regulations 2015 (Subsidiary Legislation 586.07);
• Data Protection (Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties) Regulation 2018 (Subsidiary Legislation 586.08) ('the Criminal Data Processing Regulations');
• Restriction of the Data Protection (Obligations and Rights) Regulations 2018 (Subsidiary Legislation 586.09) ('Restriction of the Data Protection (Obligations and Rights) Regulations 2018');
• Processing of Data concerning Health for Insurance Purposes Regulations 2018 (Subsidiary Legislation 586.10) ('the Processing Health Data for Insurance Purposes Regulations'); and
• Processing of Child's Personal Data in relation to the Offer of Information Society Services 2018 (Subsidiary Legislation 586.11) ('the Processing of Children's Data Regulations').

Additionally, a few other laws, separate from the Act, regulate specific privacy matters, for example, the access to the vehicle registration database or the obligation of sea or air carriers to communicate passenger data in accordance with the respective EU legislation.

Two pieces of subsidiary legislation particular to Malta are:

• Processing of Personal Data (Secondary Processing) (Health Sector) Regulations ('Subsidiary Legislation 528.10') which regulates the further processing of personal data in the health sector in specific circumstances; and
• Retention of Data (Malta Gaming Authority) Regulations (Subsidiary Legislation 583.12) ('Retention of Data by Malta Gaming Authority Regulations') which regulates the retention by the Malta Gaming Authority of personal data collected or otherwise processed in the pursuit of its regulatory functions.

1.2. Guidelines

Malta's data protection authority, the Information and Data Protection Commission ('IDPC') is the national supervisory authority and has published guidelines on its website, some of which include the following:

• Guidelines on the data protection aspects related to the collection of employees’ COVID-19 vaccination status;
• Guidelines for Banking;
• Guidelines for the Maltese Gaming Industry;
• Processing of Personal Data for Political Campaigning Purposes;
• Guidelines for the promotion of good practice in the processing of personal data by credit referencing institutions;
• Guidelines for the drafting of information clauses;
• Guidelines on street photography;
• Guidelines on cookies consent requirements;
• Securing personal data;
• International transfer of personal data;
• Codes of conduct;
• Guidelines on consent;
• Rights for individuals;
• CCTV for individuals;
• Disclosure of health data in the context of occupational medicine and assessment of working capacity;
• Guidelines on DPIA template;
• Guidelines on the processing of personal data for political campaigning purposes; and
• Guide about posting pictures and video on social media.

1.3. Case law

Pursuant to Article 26 of the Act, any person who feels aggrieved by a decision of the IDPC regarding data breaches shall have the right to appeal in writing to the Information and Data Protection Appeals Tribunal ('the Tribunal') within 20 days from notification of the decision. If the parties feel aggrieved by the appeal decision, the parties may resort to the Court of Appeal as constituted by Article 41(6) of Chapter 12 on the Code of Organization and Civil Procedure ('the Code of Organization and Civil Procedure') of the Laws of Malta.

Following the entry into force of the GDPR and the Act, there have been several data breaches and fines levied by the IDPC. Decisions by the IDPC can be found here, whilst appeals decided by the Tribunal can be found here.

2. Scope of Application

2.1. Personal scope

The Malta Data Protection Act aligns closely with the GDPR, focusing on protecting the personal data of natural persons without introducing significant variations from GDPR standards. It applies both to data processing activities within Malta and to the processing of data subjects in Malta by entities outside the EU, ensuring comprehensive data protection coverage.

2.2. Territorial scope

The Act does not incorporate any variations to that stipulated under the GDPR in terms of the territorial/extraterritorial scope as it has been adopted into the Maltese jurisdiction. In particular, inter alia, the Act specifies that it shall apply 'to establishments of controllers and processors in Malta, in a Maltese Embassy or a High Commission abroad. This is regardless of whether the processing takes place in Malta or not. Additionally, the Act also applies to data subjects who are in Malta by a controller or processor not established in the European Union. This Act applies where the laws of Malta apply by virtue of public international law' (Article 4(2) of the Act).

2.3. Material scope

The Act does not incorporate any variations to that stipulated under the GDPR and is replicated under Article 4(1) of the Act.

However, the Restriction of the Data Protection (Obligations and Rights) Regulations 2018 provides for limitations to the general principles in line with Article 23 of the GDPR. These restrictions only apply where such restrictions are a necessary measure. Furthermore, such restrictions must respect the essence of the fundamental rights and freedoms of the data subject and shall be a necessary and proportionate measure. The data controller must inform the data subject about any restriction provided for under these regulations (provided that such a disclosure will not be prejudicial to the purposes of the restriction). The restrictions may apply in the following cases:

• for the safeguarding and maintaining of national security, public security, defense, and the international relations of Malta;
• for the prevention, detection, investigation, and prosecution of criminal offences, including measures to combat any money laundering activity, and the execution of criminal penalties;
• for the administration of any tax, duty, fines, fees, or other money due or owing to the State, under any law allowing for generating revenue in any manner for the Government of Malta;
• for the administration of social security benefits in accordance with law and where such data has been obtained in confidence when carrying out an investigation against fraud;
• for the establishment, exercise, or defense of a legal claim and for legal proceedings which may be instituted under any law;
• for the performance of the functions of the IDPC;
• for the delivery of professional services in relation to the carrying out of social work or social assistance by a public authority, public body, voluntary organization, or any other body delivering such services, and provided that such data shall have been obtained in confidence specifically for the purposes of delivering these services to the beneficiary;
• for health data that is processed and where it would be likely that the application of the principles would cause serious harm to the vital interests of the patient; or
• for matters relating to Maltese citizenship where the Minister responsible for citizenship or any person authorized to act on their behalf, refuses an application for the acquisition of Maltese citizenship under Maltese law.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The IDPC is the national supervisory authority and is appointed in accordance with Article 11 of the Act.

3.2. Main powers, duties and responsibilities

The IDPC is responsible for monitoring and enforcing the application of the provisions of the Act and any subsidiary legislation, as well as the Freedom of Information Act (Chapter 496 of the Laws of Malta) and the GDPR in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of personal data, and to facilitate the free flow of personal data between Malta and other Member States (Part V of the Act).

4. Key Definitions

Data controller: There is no national variation to this definition.

Data processor: There is no national variation to this definition.

Personal data: There is no national variation to this definition.

Sensitive data: There is no national variation to this definition.

Health data: There is no national variation to this definition.

Biometric data: There is no national variation to this definition.

Pseudonymization: There is no national variation to this definition.

5. Legal Bases

5.1. Consent

The Act does not incorporate any variations to that stipulated under the GDPR in terms of consent, except to provide in Article 9 of the Act, that there may be an exemption or derogation from the requirements of Article 7 of the GDPR for personal data processed for the purpose of exercising the right to freedom of expression and information, including processing for journalistic purposes or for the purposes of academic, artistic, or literary expression. This is the case where, having regard to the importance of the right of freedom of expression and information in a democratic society, compliance with such provisions would be incompatible with such processing purposes. This is also subject to the provision that, when reconciling the right to the protection of personal data with the right to freedom of expression and information, the controller must ensure that the processing is proportionate, necessary, and justified for reasons of substantial public interest (Article 9(1) of the Act).

5.2. Contract with the data subject

The Act does not implement variations of the GDPR on contracts with data subjects nor does it specifically refer to this legal basis.

5.3. Legal obligations

The Act does not implement variations of the GDPR on legal obligations as a legal basis.

5.4. Interests of the data subject

The Act does not implement variations to the GDPR on the protection of the interests of the data subject.

5.5. Public interest

The Act establishes under Article 6(2) that controllers and processors may derogate from the provisions of Articles 15, 16, 18, 19, 20, and 21 of the GDPR for the processing of personal data for archiving purposes in the public interest. This is so, in so far as the exercise of the rights set out in those articles is likely to render impossible or seriously impair the achievement of those purposes, or the controller reasonably believes that such derogations are necessary for the fulfillment of those purposes. Further to this, however, Article 7 of the Act stipulates that the controller must consult with and obtain authorization from the Commissioner where the controller intends to process data in the interest of the public. This authorization is required when the data is related to genetic data, biometric data, data concerning health for statistical or research purposes, and special categories of data related to the management of social care services and systems.

Additionally, as mentioned above, Article 9 of the Act provides that there is to be a fair balance in relation to the right to protection of personal data with the right to freedom of expression and information. Therefore, it is vital that the controller ensures that the processing is proportionate, necessary, and justified for reasons of substantial public interest.

Article 10 of the Act stipulates that the Minister may, after consulting with the Commissioner, through regulations set limits to the transfer of specific categories of personal data to a third country or international organizations for important reasons of public interest.

Please also see the section on legal bases in other instances below for public interest processing in relation to health data.

5.6. Legitimate interests of the data controller

The Act does not implement variations to the GDPR on the legitimate interests of the data controller nor does it specifically refer to this legal basis.

5.7. Legal bases in other instances

Scientific, historical, or statistical research purposes

Where the data processing referred to in the case of scientific, historical, and/or statistical purposes, as well as data processed in the public interest serves another purpose at the same time, the derogations shall apply only to the processing for the former. Such processing is subject to appropriate safeguards for the rights and freedoms of the data subject, including pseudonymization and other technical and organizational measures to ensure respect for the principle of data minimization.

Secondary processing of health data

Subsidiary Legislation 528.10 provides for the processing of personal data in the health sector hereinafter referred to as 'secondary processing' which is not linked to the primary purpose for which the data was originally collected. The provisions of these regulations are to apply in conformity with the provisions of the GDPR. Secondary processing of personal data in the health sector is permitted where such secondary processing is related to:

• the processing and analysis of records kept by all entities falling within the ambit of the health sector, and the administration of the systems and services by entities, that are licensed to deliver any kind of service to patients or individuals, for the purpose of managing and enhancing the health service;
• the analysis of health records supplied to the Ministry of Health in accordance with licensing legislation, contractual obligations, and compliance with EU regulations on public health statistics, and to safeguard other public health interests, to produce the indicators required for monitoring, to ensure the quality and cost-effectiveness of the health services at national level;
• the monitoring of contractual obligations, including the purposes of quality control, management information, and monitoring of such services and systems, arising from the public-private partnerships and partnerships with non-governmental organizations that the Ministry for Health has entered into with third parties, to ensure that the aforementioned partners are adhering to their contractual obligations to deliver a safe and accessible service;
• the fulfillment of the obligations related to the provision of statistical information, whether to international organizations or local clients; this may involve the linkage of existing administrative databases and disease registers;
• the compilation of evidence in medico-legal cases and in cases referred by public bodies, in the course of exercising their duties as provided by law;
• the investigation and monitoring of health threats, which typically requires the processing of health record data for the protection of public health; and
• access to health records, for the purpose of research activities.

Furthermore, personal data may be processed where the research activities are in the public interest. Where such processing cannot be conducted using anonymized data, it is only permissible subject to the following conditions:

• following approval by the Health Ethics Committee within the Ministry of Health, where the research activity is conducted within the Ministry for Health or its partners, and after obtaining prior authorization from the Commissioner for Data Protection in terms of Article 7 of the Act; and
• following approval by any other Ethics Committee recognized by the IDPC where the research activity is conducted by academics or students, or any other NGO or public body having the remit to assist patients in need of health services, and after obtaining prior authorization from the Commissioner for Data Protection in terms of Article 7 of the Act.

This is subject to the proviso that processing of such data is conducted using pseudonymized data, and where this is not possible appropriate measures are taken to safeguard the rights and fundamental freedoms of the data subject by providing that data should be anonymized as soon as the research or the statistical study no longer requires identifiable data.

6. Principles

The principles that must be complied with in the processing of personal data are six in total and are the same as those found in the GDPR. Personal data of natural persons must be processed:

• fairly, lawfully, and transparently;
• collected for specific and legitimate reasons (data minimization);
• adequately, must be relevant and not excessive;
• accurately and updated when necessary;
• stored in an identifiable format until necessary (storage limitation); and
• stored securely.

It should be noted that Article 8 of the Act requires that an identity document can only be processed 'when such processing is clearly justified having regard to the purpose of the processing and (a) the importance of a secure identification or (b) any other valid reason as may be provided by law: Provided that the national identity number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to the GDPR. An 'identity document' is a legally valid identity document as provided in the Identity Card and other Identity Documents Act (Chapter 258 of the Laws of Malta),' which in turn provides the following definition of an 'identity document,' namely: 'an identity card, a residence document and an identification document issued under this Act.' The IDPC normally interprets this requirement as meaning that as much as possible, copies of identity documents should not be kept; however, this principle would be overridden when other laws require such copies to be retained, such as laws regulating anti-money laundering.

7. Controller and Processor Obligations

7.1. Data processing notification

There are no notification or registration requirements or fees with the IDPC before processing data. However, consultation with the IDPC is required in the instances outlined in the section on Data Protection Impact Assessments ('DPIA').

7.2. Data transfers

The Act does not implement variations from the GDPR on the transfer of data except to provide in Article 10 that 'in the absence of an adequacy decision pursuant to Article 45(3) of the GDPR, the Minister may, following consultation with the Commissioner, by regulations set limits to the transfer of specific categories of personal data to a third country or an international organization for important reasons of public interest.'

7.3. Data processing records

The Act does not implement variations of the GDPR in relation to maintaining data processing records.

7.4. Data protection impact assessment

Where a type of processing uses new technologies and is likely to result in a high risk to the rights and freedoms of natural persons, the controller must, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the processing of personal data.

The IDPC established a number of processing activities where a DPIA must be carried out by controllers prior to the processing. The list has been compiled after considering the Guidelines on Data Protection Impact Assessment that were adopted by the Article 29 Working Party, and subsequently endorsed by the European Data Protection Board ('EDPB'). The list is non-exhaustive and is as follows:

• Systematic monitoring: personal data that involves:
  • observing, monitoring, or controlling data subjects' behavior, in particular, within the online environment;
  • specific circumstances where the controller is legally required to process personal data about data subjects without their knowledge;
  • operations concerning the use of geolocation data, including but not limited to, the purpose of direct marketing; or
  • monitoring on a large scale of public spaces or private areas accessible by the public;
• Automated decisions: fully or partially by means of processing, including profiling, which produces legal effects concerning the data subjects or similarly significantly affects them;
• Use of innovative technologies: any processing of special categories of personal data and of data concerning vulnerable data subjects, using innovative technologies or the implementation of new methods in existing technology;
• Special categories of data: processing on a large scale of special categories of data, including, personal data relating to criminal convictions and offenses;
• Biometric data: any processing activity involving biometric data for the purposes of uniquely identifying data subjects:
  • when the data subjects are in a public space or in a private area accessible to the public;
  • when the biometric data are processed in conjunction with personal data related to criminal convictions and offences; or
  • when the biometrics are related to individuals who need high protection such as minors, employees, patients, mentally ill persons, and asylum seekers;
• Genetic data: any processing of genetic data, other than that processed by an individual health care professional when providing a related service directly to the data subjects, for the purpose of matching or combining data sets in a way that would exceed the reasonable expectation of the data subject;
• Data concerning vulnerable persons: processing of personal data of vulnerable natural persons, in particular, concerning children, employees, and individuals receiving any form of social assistance;
• Employee monitoring: processing of personal data for the purpose of the evaluation or scoring of aspects concerning the employee's performance at work, or when the processing increases the power imbalance between the data subjects and the controller, particularly, when the employees may be unable to easily consent to, or oppose, the processing of their data, or exercise their rights; and
• DPIAs not subject to the authorization of the IDPC: The controller shall only consult the IDPC prior to processing when, notwithstanding reasonable mitigating measures taken in terms of available technologies to address the high risks following the carrying out of the DPIA, residual risks would still be present in the processing operation. The controller must also consult and obtain prior authorization from the IDPC where the controller intends to process the following data in the public interest:
  • genetic data, biometric data, or data concerning health for statistical purposes (the IDPC will consult a research ethics committee or an institution recognized by the IDPC); or
  • special categories of data in relation to the management of social care services and systems, including for the purposes of quality control, management information, and the general national supervision and monitoring of such services and systems.

Furthermore, The IDPC has published a checklist for Minimum requirements based on which the controller may develop their own template on conducting DPIAs.

Finally, the European Commission has issued the Better Regulation Toolbox (November 2021) which provides guidance on how to carry out a DPIA, which includes guidance on, among other things, the steps to be followed for a DPIA, the format of the DPIA report, and how to apply proportionality to assessments.

7.5. Data protection officer appointment

Apart from the requirements that are listed under Article 37 of the GDPR, the IDPC has made it a specific requirement for the following two types of businesses to appoint a data protection officer ('DPO'):

• Banks: The Malta Bankers' Association and the IDPC issued the Data Protection Guidelines for Banks of May 2018, which states that the DPO is responsible for monitoring compliance with the GDPR, providing information and advice, and liaising with the IDPC. The DPO must report to the highest level of management, operate independently, not be dismissed or penalized for performing their tasks, and be able to have other roles so long as they do not give rise to a conflict of interest.
• Business-to-consumer ('B2C') gaming operators and affiliates: The Malta Gaming Authority together with the IDPC issued Guidelines for the Maltese Gaming Industry. B2C's must designate a DPO since a B2C operator's core activity is to monitor individuals systematically and on a large scale. Business-to-business ('B2B') operators are not required to appoint a DPO, but they are recommended to do so on a voluntary basis. The role of the DPO may be held either by an in-house employee or may also be outsourced, as long as the appointed person has expert knowledge of the data protection law and practices and is able to fulfill their role under Article 39 of the GDPR. A group of companies which is in possession of a corporate group license may appoint a single DPO provided that the said DPO is easily accessible from each establishment.

7.6. Data breach notification

In addition to the GDPR, Maltese law contains the following 'sectoral' obligations as detailed in two of the regulations mentioned in the section on key acts, regulations, directives, and bills above, namely the Electronic Communications Regulations and the Criminal Data Processing Regulations:

Processing of Personal Data (Electronic Communications Regulations Sector) Regulations

In­ relation to the Electronic Communications Regulations, Article 3A reiterates the procedure outlined by the GDPR and the Act in the case of a personal data breach, however, this is limited to a personal data breach where the controller is the provider of the publicly available electronic communications service (such as an Internet Service Provider). This states that in the case of a personal data breach, the provider of the publicly available electronic communications service shall, without undue delay, notify the IDPC of the personal data breach. When this data breach is likely to adversely affect the personal data or privacy of a subscriber or individual using such a service, the provider must notify the subscriber/individual of the data breach without undue delay and can even be required by the IDPC to do so. Such notification must include:

• the nature of the breach
• the contact points where more information can be contained; and 
• recommend measures to mitigate the possible adverse effects of the data breach.

Service providers must maintain an inventory of personal data breaches comprising the facts surrounding the data breach, its effects, and the remedial action taken. This information is used to enable the IDPC to verify compliance with the above.

Criminal Data Processing Regulations

Article 30 of the Criminal Data Processing Regulations deals with the notification of personal data breaches to the IDPC, in relation to breaches of personal data being processed by competent authorities for the purposes of the prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties.

The regulations establish a 72-hour timeframe within which the controller is to notify in writing a personal data breach to the IDPC unless such breach is unlikely to result in a risk to the rights and freedoms of any individual. The processor is also obliged to notify the controller after becoming aware of any personal data breach. Such regulations actually transpose the Data Protection Directive with respect to Law Enforcement (Directive (EU) 2016/680), rather than the GDPR per se.

In view of the above, the IDPC has also specified other sectoral obligations through the guidelines it has issued, namely for the following:

• Banking: Banks must consider setting up a central data breach management unit to collate, review, and notify data breaches, where appropriate. They must also review and update their security measures considering the increased security obligations in the GDPR.
• Gaming: Players can file direct claims for data breaches of their privacy rights against both operators and their gaming affiliates if the data breach is the result of the conduct of the latter. When acting as processors, affiliates are obliged to notify any data breach to the operator without undue delay after becoming aware of a personal data breach. In those cases where an affiliate suffers a data breach in relation to its own records (e.g. marketing database), for which it is responsible as a controller, such affiliate shall notify the data breach to the IDPC within 72 hours of becoming aware of the data breach. Depending on the affiliate model, the operator, the affiliate, or both will have the burden of proof to demonstrate compliance with the Act. Gaming affiliates are responsible for the conduct of their sub-affiliates.

Notably, it would be prudent to have a data breach policy in place, the scope of which is to ensure that all data breach events are detected, reported, categorized, and monitored consistently and that incidents are assessed and adhered to appropriately in accordance with the GDPR. In this way, mitigation improvements may be put in place to prevent a recurrence, and the noteworthy points from the experience may be communicated to all individuals within the organization in order to prevent future incidents.

7.7. Data retention

The Act does not implement variations and exemptions of the GDPR related to data retention; however, Article 3 of the Retention of Data by Malta Gaming Authority Regulations stipulates that the Malta Gaming Authority may retain all data, including any personal data, collected or otherwise processed in the pursuit of its regulatory functions under the relevant laws, for a period of ten years from the date when the data is no longer necessary in relation to the purposes for which it is collected or otherwise processed. This is subject to the proviso that the retention of data, including any personal data, is ipso jure considered to be necessary in relation to the purposes for which it is collected or otherwise processed, throughout the duration of the validity of any authorization issued by the Authority. The retention of the data, including any personal data, by the Malta Gaming Authority for further periods must also be lawful when it is necessary:

• for compliance with a legal and/or regulatory obligation imposed on the same authority;
• for archiving purposes in the public interest, scientific, and/or historical research purposes and/or statistical purposes; and/or
• for the establishment, exercise, and/or defense of legal claims by the said authority.

7.8. Children's data

Article 2 of the Protection of Minors Regulations states that where any information is derived in relation to a minor by any teacher, member of a school administration, or any other person acting instead of the parents of the child, or in a professional capacity, such information may be processed as follows, as long as the processing is in the best interest of the minor:

• where personal data is being processed as aforementioned, consent by parents or other legal guardians of the minor shall not be required if it may be prejudicial to the best interest of the minor; and
• with respect to the above, no parent or legal guardian of the minor shall have access to any personal data held in relation to such minor.

Article 8 of the GDPR as well as Article 4 of The Processing of Children's Data Regulations states that processing of the personal data of a child in relation to information society services shall be lawful where the child is 13 years of age.

7.9. Special categories of personal data

Article 7 of the Act requires that where a controller processes special category data in the public interest, the controller must consult with and obtain prior authorization from the IDPC, where the data processed is:

• genetic data, biometric data, or data concerning health for statistical or research purposes; or
• special categories of data in relation to the management of social care services and systems, including for the purpose of quality control, management information, and the general national supervision and monitoring of such services and systems.

Where genetic data, biometric data, or data concerning health is required to be processed for research purposes, the IDPC shall consult an ethics committee, or an institution recognized by the IDPC.

Furthermore, please note special provisions in relation to the secondary processing of health data as detailed in the section on legal bases in other instances above.

With reference to the processing of criminal conviction data, the Malta Police Force keeps a register of criminal convictions. Police conduct certificates are issued solely by the Commissioner of Police, at the request of the data subject or upon a relevant court order given ex-officio, or at the request of an interested party. Data on criminal convictions may also be disclosed to other national competent authorities as required by law or with the explicit consent of the data subject. Judgments of the criminal courts of Malta are available to the general public.

The IDPC normally requires that if one needs to view a criminal conduct certificate (such as in the course of interviews for employment), this can be viewed but not kept on file. This requirement may be overridden by specific laws that require the retention of a criminal conduct certificate, for example for anti-money laundering investigations or in the context of an application for a license (e.g. gaming license/financial institution) or in relation to the Ultimate Beneficial Owners of a company to be registered in Malta.

7.10. Controller and processor contracts

The Act does not implement variations of the GDPR in relation to the contract which must be in place between a controller and processor.

8. Data Subject Rights

Scientific, historical, or statistical research purposes

Controllers and processors may derogate from the following data subject rights where personal data is processed for scientific, historical, or statistical research purposes:

• the right of access by the data subject;
• the right to rectification;
• the right to restriction of processing; and
• the right to object.

In so far as the exercise of the above-mentioned rights:

• is likely to render impossible or seriously impair the achievement of those purposes; and
• the controller reasonably believes that such derogation is necessary for the fulfillment of those purposes.

Personal data processed in the public interest

Controllers and processors may derogate from the following data subject rights where personal data is processed in the public interest:

• the right of access;
• the right to rectification;
• the right to restriction of processing;
• the notification obligation regarding rectification, erasure, or restricting of the processing;
• the right to data portability; and
• the right to object.

In so far as the exercise of the above-mentioned rights:

• is likely to render impossible or seriously impair the achievement of those purposes; and
• the controller reasonably believes that such derogation is necessary for the fulfillment of those purposes.

8.1. Right to be informed

Article 6(1) of the Act provides that controllers and processors may derogate from the right of information to be provided in relation to the processing of personal data for scientific and historical research purposes, official statistics, and archiving purposes in the public interest, in so far as the exercise of the rights set out in the right of information to be provided:

• is likely to render impossible or seriously impair the achievement of those purposes; and
• the controller reasonably believes that such derogations are necessary for the fulfillment of those purposes.

Article 6(4) of the Act outlines that the processing for the aforementioned purpose shall be subject to safeguards for the rights and freedoms of the data subject, including pseudonymization and other technical and organizational measures to ensure respect for the principle of data minimization. Where these purposes can be fulfilled by processing that does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

8.2. Right to access

The Act does not implement variations to the GDPR on the right to access.

8.3. Right to rectification

The Act does not implement variations to the GDPR on the right to rectification.

8.4. Right to erasure

The Act does not implement variations of the GDPR on the right to erasure.

8.5. Right to object/opt-out

The Act does not implement variations to the GDPR on the right to object/opt-out.

8.6. Right to data portability

Controllers and processors may derogate from the right to data portability for the processing of personal data only for archiving purposes in the public interest, in so far as the exercise of this right (Article 6 of the Act):

• is likely to render impossible or seriously impair the achievement of those purposes; and
• the controller reasonably believes that such derogations are necessary for the fulfillment of those purposes.

Processing for the aforementioned purpose shall be subject to safeguards for the rights and freedoms of the data subject, including pseudonymization and other technical and organizational measures to ensure respect for the principle of data minimization. Where these purposes can be fulfilled by processing that does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

8.7. Right not to be subject to automated decision-making

The Act does not implement variations of the GDPR on automated individual decision-making.

8.8. Other rights

Controllers and processors may derogate from the right to restriction of processing to be provided in relation to the processing of personal data for scientific and historical research purposes, official statistics, and archiving purposes in the public interest, in so far as the exercise of this right:

• is likely to render impossible or seriously impair the achievement of those purposes; and
• the controller reasonably believes that such derogations are necessary for the fulfillment of those purposes.

Processing for the aforementioned purpose shall be subject to safeguards for the rights and freedoms of the data subject, including pseudonymization and other technical and organizational measures to ensure respect for the principle of data minimization. Where these purposes can be fulfilled by processing that does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

Furthermore, the Restriction of the Data Protection (Obligations and Rights) Regulations 2018 provides for limitations to the general rights of the data subject in line with Article 23 of the GDPR and in the same manner in which the general GDPR principles are restricted. Please see the section on material scope above for more details.

9. Penalties

Where the IDPC imposes an administrative fine in accordance with the GDPR, it shall by order in writing, require the controller or processor to pay such administrative fine, which shall be due to the IDPC as a civil debt. It is possible for the controller or processor, as the case may be, to appeal such a fine within such time as an appeal may be entered under Article 26 of the Chapter 12 Code of Organization and Civil Procedure, however failure to do so would render the decision of the IDPC as final and would constitute an executive title under the Laws of Malta.

The IDPC may impose an administrative fine on a public authority or body:

• which shall not exceed €25,000 for each violation and, additionally, the Commissioner may impose a daily fine payment of €25 for each day during which such violation persists, for an infringement of Article 83(4) of the GDPR; and/or
• which shall not exceed €50,000 for each violation and, additionally, the Commissioner may impose a daily fine payment of €50 for each day during which such violation persists for an infringement of Articles 83(5) or 83(6) of the GDPR.

Any person who knowingly provides false information to the IDPC and does not comply with any lawful request pursuant to an investigation by the IDPC shall be guilty of an offense, and upon conviction be liable to a fine of not less than €1,250 and not more than €50,000 or to imprisonment for six months, or to both. In this regard, the IDPC would refer proceedings to the Executive Police.

Data subjects also have the right to compensation in respect of material and non-material damage.

9.1 Enforcement decisions

All decisions by the IDPC can be found here, whilst appeals decided by the Tribunal can be found here.