The long-overdue legal Bill that will consolidate the EU’s General Data Protection Regulation (GDPR) into Maltese Law and repeal Chapter 440 of the Laws of Malta, which is based on the EU’s Data Protection Directive (Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data), has finally been published.

As an EU Regulation (in contradistinction to a Directive), the GDPR has direct effect in all EU Member States, except in those instances where the GDPR itself allows some leeway that resulted from the lengthy negotiations that characterised the run-up to the adoption of the Regulation. Accordingly, in any EU Member State including Malta, the primary reference point will be the GDPR text itself, as this constitutes the source of the law. However, where the leeway referred to above is allowed, the new, significantly shorter Data Protection Act will govern how the GDPR legal framework will operate in Malta. This will also have treaty status under Article 16 of the Treaty on the Functioning of the EU (TFEU).

The salient points of the Bill are as follows.


The Act does not apply to the processing of personal data:

  • which falls outside the scope of Union law;
  • by the Government of Malta when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union;
  • by a natural person in the course of a purely personal or household activity; or
  • by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

The Act, on the other hand, applies to the processing of personal data:

  • in activities of an establishment of a controller or a processor in Malta or in a Maltese Embassy or High Commission abroad, regardless of where the processing takes place;
  • of data subjects who are in Malta by a controller or processor not established in the European Union, where the processing activities are related to the sale of goods or services (even those offered for free) to data subjects in Malta or the monitoring of data subjects’ behaviour insofar as their behaviour takes place in Malta;
  • by a controller not established in the European Union but in a place where the laws of Malta apply by virtue of public international law.


Data processing activities falling within the scope of the GDPR need to be subject to appropriate safeguards for the rights and freedoms of the data subject. Such safeguards include pseudonymisation and other technical and organisational measures to ensure respect for the principle of data minimisation.

A data controller is now obliged to consult with, and obtain prior authorisation from, the Data Protection Commissioner where the data controller intends to process in the public interest:

  • genetic data, biometric data or data concerning health for statistical or research purposes; or
  • special categories of data in relation to the management of social care services and systems. This includes processing for the purposes of quality control, management information and the general national supervision and monitoring of such services and systems.

Where genetic data, biometric data or data concerning health need to be processed for research purposes, the Data Protection Commissioner is obliged to consult a research ethics committee or institution.

Processing of an Identity Document

The Act directs data processors to process identity documents only when such processing is clearly justified having regard to the purpose of the processing, the importance of a secure identification or any other valid reason as may be provided by law, and then only when appropriate safeguards are in place for the data subject’s rights and freedoms under the GDPR.

Freedom of Expression and Information

Personal data processed for the purpose of exercising the right to freedom of expression and information, including processing for journalistic purposes or for the purposes of academic, artistic or literary expression, are exempt from compliance with the GDPR. However, when reconciling the right to the protection of personal data with the right to freedom of expression and information, the data controller still has an obligation to ensure that the processing is proportionate, necessary and justified for reasons of substantial public interest.

Adequacy Decisions

Where adequacy decisions pursuant to Article 45(3) of the GDPR have not yet been made, the Minister may, following consultation with the Data Protection Commissioner, set limits to the transfer of specific categories of personal data to a third country or an international organisation on the basis of public interest.

The Data Protection Commissioner

In carrying out his functions at law, the Data Protection Commissioner may request the assistance of the police to enter and search any premises. In the event of joint operations with the supervisory authorities of one or more other Member States, the Data Protection Commissioner may confer powers, including investigative powers, on the seconding supervisory authority’s members or staff. In such a case, the powers of the seconding supervisory authority’s members or staff are to be exercised under the guidance, and in the presence, of the Data Protection Commissioner.

Restriction of Fines for Public Authorities or Bodies

In the event that the Data Protection Commissioner decides to impose an administrative fine on a public authority or body, such fine will not exceed €25,000 for each violation of Article 83(4) of the GDPR and a daily fine of €25 for each day during which such violation persists. For infringements of Articles 83(5) or 83(6) of the GDPR, the fines will go up to a maximum of €50,000 for each violation and €50 for each day during which such violation persists.


In addition to the offences set out in Articles 22 and 83 of the GDPR, any person who:

  • intentionally provides false information to the Data Protection Commissioner when requested to provide information under Article 58 of the GDPR, or any other law; or
  • fails to comply with any lawful request following an investigation by the Commissioner,

is guilty of an offence against this Act and shall, on conviction, be liable to a fine of not less than €1,250 and not more than €50,000 or to imprisonment for six months or to both the fine and imprisonment.

This introduces an element of personal liability to the GDPR and is intended to align the incentives of an individual working for an organisation with those of the Data Protection Office. The GDPR fines stipulated in the Regulation itself only apply to organisations, rather than to individuals.

The Bill also clarifies the procedure by which proceedings shall be instituted for any offence under the Act. In order for proceedings to take place, the Data Protection Commissioner needs to provide information to any Police Officer and ask for prosecution.

Information and Data Protection Appeals Tribunal Appeals

Any person who has been served a legally-binding decision by the Data Protection Commissioner and wants to seek redress has the right to appeal in writing to the Information and Data Protection Appeals Tribunal within twenty days from being served the said decision.

An appeal to the Tribunal is possible on any of the following bases:

  1. a material error as to the facts of the decision;
  2. a material procedural error;
  3. an error of law;
  4. the existence of some material illegality, including unreasonableness or lack of proportionality.
