This website is here to provide more information regarding Data Protection.

GDPR (EU 2016/679) and Data Protection Act, Cap 586

The General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act, Cap 586 protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

General Data Protection Regulation Provisions

The provisions of the General Data Protection Regulation, GDPR (EU) 2016/679, are directly applicable in each Member State. The GDPR provides for the protection of natural persons with regard to the processing of personal data and sets out rules relating to the free movement of personal data. It presents a set of rules that apply in a uniform manner across the European Union. The GDPR gives enhanced protection of personal data, easier access to data and stronger enforcement of the rules. The Data Protection Act, Cap 586 of the Laws of Malta implements and further specifies the relevant provisions of the GDPR on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Please consult the FAQ section regarding data protection, so that you are aware of your rights in the context of this legislation.

Useful Links

LN 263 of 2019

Processing of Personal Data (Secondary Processing) (Health Sector) Regulations, 2019

GDPR stands for General Data Protection Regulation. The Regulation came into force on the 25th of May 2018. The main aim of this Regulation is to ease the flow of personal data and increase data protection rights for EU residents across all member states.

Any organisation which processes and holds the personal data of EU citizens is obliged to abide by the GDPR. It also applies to organisations outside the EU that offer services and goods to individuals in the EU.

The GDPR does not apply to processing carried out by individuals purely for personal or household activities (for example, writing a list of the people you are going to invite to your birthday party). The GDPR also does not apply to processing covered by the Law Enforcement Directive.

The GDPR strengthens the rights of everyone involved in data processing and sets out the roles and responsibilities of both controllers and processors in one streamlined European legislation. It is also important to be compliant, as significant fines apply in the case of breaches.

Any information relating to an identified or identifiable natural person.

The data controller determines the purpose of the data processing (determines the “why” and “how” of a data processing activity) while the data processor is a person or entity which processes the data on behalf of the controller.

Not necessarily. Consent is only one of a number of lawful bases on which personal information may be processed. Consent will not always be the easiest or most appropriate basis. You should always choose the lawful basis stated in Article 6 of the GDPR that most closely reflects the true nature of the relationship with the individual and the purpose of the processing.

Legitimate interest does not apply for public authorities when they are performing their official tasks.

The purpose of the Processing Operations Form is to provide a description of the categories of data subjects and categories of personal data. These points are specified in Article 30 of the GDPR. A template of this form can be accessed from the intranet.

The GDPR requires the appointment of a DPO if:
  • You are a public authority – a government entity, authority, or body
  • Your core activities consist of regular and systematic monitoring of personal data on a large scale
  • Your core activities consist of processing of special categories of data (sensitive personal data) on a large scale (including criminal offences).

It depends. Under Article 17 of the GDPR data subjects have the right to be forgotten. This right is not absolute, as there are instances where it does not apply. The right to erasure does not apply if processing is necessary for one of the following reasons:
  • To exercise the right of freedom of expression and information;
  • To comply with a legal obligation;
  • For the performance of a task carried out in the public interest or in the exercise of official authority;
  • For archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
  • For the establishment, exercise or defence of legal claims.

Suitable policies, such as Data Protection and Retention policies, should be created. These policies set out how personal data is processed.
If the site has CCTV cameras on location, then a CCTV policy should be created.
Records of processing activities should be kept. These must include significant information about data processing, including data categories, the group of data subjects, the purpose of the processing and the data recipients.
Other compliance measures include staff training, data protection auditing, and allocating responsibility for compliance. Technical measures include pseudonymisation, minimising the processing of personal data and applying suitable security measures.

This is to be defined according to the type of processing. In Article 5 of the GDPR, it is specified that personal data “must be kept for no longer than is necessary for the purposes for which they are processed”. It is therefore up to the controller to determine and justify the duration of the data retention period.

The Information and Data Protection Commissioner (IDPC) (referred to as the “supervisory authority” in the GDPR) needs to be informed within 72 hours.

CCTV surveillance on properties is legitimate as long as footage only captures areas on the owner’s property. If you are unsure and you have sought a remedy by discussing the matter with your neighbour to no avail, you can refer the matter as a complaint to the national supervisory authority (IDPC).

  • The right to be informed – Individuals have a right to be told what personal data our organisation collects about them, the lawful basis that applies, how their data will be used, and who else it will be shared with. Public Authorities must be completely transparent in how they are using personal data.
  • The right of access – Individuals have the right to obtain a copy of personal information that is held about them. This lets them check how their data is being processed and whether it is lawful.
  • The right of rectification – Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
  • The right to erasure – Also known as ‘the right to be forgotten’, this refers to an individual’s right to have their personal data deleted or removed in certain circumstances. 
  • The right to restrict processing – This refers to an individual’s right to block or suppress processing of their personal data (e.g. if there is an appeal pending).
  • The right to data portability – Individuals are entitled to move, copy or transfer their personal data from one IT environment to another, should they choose to do so.
  • The right to object – In certain circumstances, individuals are entitled to object to their personal data being processed. This includes if a company uses personal data for direct marketing, for its legitimate interests, for scientific and historical research, or for the performance of a task in the public interest.
  • Rights related to automated decision making and profiling – The GDPR has put in place safeguards to protect individuals against the risk of a potentially damaging decision being made without human intervention. Individuals are entitled to request human intervention or challenge decisions where automated decisions are made and where the consequence has a legal or significant effect on them.

There are no provisions that determine dashcams as being against data protection legislation, but they must be used responsibly. In this case, the GDPR may not apply if the equipment is used for personal and household activities. Obviously this changes if personal data is placed or shared online or otherwise made available in a public manner. If the processing relates to a Data Controller, any data subjects included in the footage need to be aware of the processing and their rights. As per the Malta Drone Regulations, drones may not be flown over populated areas such as towns, cities and villages, people or crowds, vehicles or vessels, or private property without the permission of the property owner.
According to Regulation (EU) 2019/947, drones are to fly 120 m away from the closest point of the surface of the earth unless covered by specific legislation or the data subjects’ consent.

Though one cannot refer to this activity as illegal, it is generally regarded as excessive. There are less invasive methods that can be used to monitor employee behaviour, such as supervision by other members of staff, inspections, etc. CCTV surveillance is usually used in common areas of premises and should not be pointed at the activity of employees at all hours. Though there may be justifiable exemptions to this situation, it is generally considered excessive to capture constant footage of employees at work. Also, footage should be overwritten after a period of time, ideally not exceeding 7 days.

This would fall under processing as a personal and household activity, especially if you have controlled your audience through appropriate privacy features on your social media account. However, it may not be as clear cut, because photos can still find their way outside your circle of friends or followers. Therefore you should exercise caution, especially if the image does not only concern your family members. Nowadays social media accounts also provide “stickers” so that faces and identities can be concealed.

It is recommended that you consult your organisation’s policy on this matter. Employees in Customer Care or similar services are usually duty bound to identify themselves because they are acting in an official capacity. The guidance they provide to clients is factual and based on policies and they do not act on personal opinions or recommendations. This query is often asked during GDPR training but it does not relate directly to the processing of personal data in accordance with this Regulation. It is more a matter of organisational policies and procedures.

Candidates may process personal data during an electoral campaign with a view to informing voters of their policies and related issues. Candidates may process personal data such as your mobile number if it is published in a directory or on your social media account. If this is not the case, it may be that you had provided your details to the candidate and his/her affiliated political party through a membership or house visit. If this is still not the case, the candidate may have obtained your mobile phone number illegitimately and you may file a complaint with the national supervisory authority (the IDPC). Electoral candidates are entitled to make use of the electoral register in order to send leaflets and information during an election campaign or for purposes relating to an election campaign. They may also establish contact with data subjects who follow their social media accounts by processing personal data that is public.

Candidates and political parties have to request your written consent for such processing, including consent for providing your date of birth and mobile number. You may withdraw this consent at any time at no cost. This may be a case of illegitimate processing that may be referred as a complaint to the national supervisory authority (IDPC).

It is possible that the store was utilising the Electoral Register which used to be made available for purchase. This activity has been discontinued and the Electoral Commission makes it very clear that the Register is to be used for election purposes only. You are within your rights to decline providing such details, and also to request erasure from the store’s database if this is being processed without your consent.

Survey companies may select random telephone numbers and if you receive such a call it is very possible that they have no details about the persons within the household. You are within your rights to decline to participate, unless the survey is being done through the National Statistics Office as an official survey. In that case households are informed beforehand, through a leaflet or information campaign, which will also indicate the legal obligation to participate.

Installing CCTV surveillance requires an impact assessment on the fundamental rights and freedoms of data subjects. It is not desirable for such surveillance to operate around the whole locality, especially if there are areas that are not usually connected with criminal or illegitimate activity. If the Local Councils can produce enough justification, by referring to multiple incidents that had to be reported to the Police, then this could be the basis for installing such equipment. The Law Enforcement Directive and the GDPR make it clear that the principle of proportionality has to apply. One cannot assume that all citizens are criminals; therefore constant surveillance in areas that do not require it would be too invasive on the privacy of many law-abiding individuals.

Public Service entities, as well as private companies, usually ask for personal details to verify the validity of your visit, as well as to keep records of your visit for security reasons. The categories of personal data collected should not go beyond verifying your identity and entity, and are to be regulated by a Data Protection Policy and a Retention Policy as per GDPR principles.

Article 15 of the GDPR states that data subjects have the right to access any information held about them. This means that you have the right to request and access any personal data processed about you, including the interview notes and results. You do not, however, have the right to access any information pertaining to the other candidates. Restrictions may apply in certain circumstances as indicated in Subsidiary Legislation 586.09.

Contact Details

Data Protection and Information Coordination Directorate

280, Level 3, Republic Street, Valletta