Privacy Laws

Malta's data protection in comparison to the GDPR


General overview

In Malta, the overarching legal framework for data protection is established by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), seamlessly integrated into the national legislation through the Data Protection Act (Chapter 586 of the Laws of Malta) ('the Act'). This comprehensive structure ensures a robust defence for personal data, addressing various sectors with specific subsidiary legislation and guidelines.

GDPR opening clauses

The Act, which came into force on 28 May 2018, serves as the primary legislative instrument, embodying the GDPR's principles while providing specific national derogations. It replaced the previous Data Protection Act (Chapter 440 of the Laws of Malta), signifying Malta's enhanced commitment to data protection in line with EU standards.

Key differences and national specifics

The Act is complemented by a series of regulations that address specific aspects of data processing in different sectors. These include:

  1. Processing of personal data (Electronic communications sector) regulations: Governs data protection within the realm of electronic communications.
  2. Processing of personal data (Protection of minors) regulations: Specific rules for the processing of minors' data, emphasizing their heightened vulnerability.
  3. Data protection (Processing of personal data by competent authorities for criminal offences) regulation: Outlines data processing parameters for authorities handling criminal data.
  4. Processing of data concerning health for insurance purposes regulations: Regulates the sensitive area of individuals' health data within the insurance industry.
  5. Processing of child's personal data in relation to Information Society Services Regulations: Addresses the consent age and conditions for children's data processing in digital services.

Distinct from the Act, certain laws govern privacy matters related to specific databases and data communication in compliance with EU legislation.


The Information and Data Protection Commissioner ('IDPC') plays a pivotal role in shaping data protection practices in Malta. As the authoritative body, the IDPC has issued various guidelines, providing clarity and direction in areas such as:

  • Banking sector: Detailed guidance for data protection compliance within banking institutions.
  • Gaming industry: Tailored guidelines reflecting the unique data processing activities of the gaming sector.
  • Political campaigning: Establishing clear rules for data processing during political campaigns.
  • Health data disclosure: Guidance on the permissible boundaries for disclosing health data, particularly in employment contexts.
  • Social media practices: Educating the public on responsible social media use, especially concerning pictures and videos.


Malta’s data protection framework, characterized by its comprehensive Act and detailed subsidiary regulations, demonstrates a strong commitment to safeguarding personal data. The active role of the IDPC, through its issuance of sector-specific guidelines, further strengthens this commitment, ensuring that entities and individuals are well-informed about their rights and responsibilities concerning data protection.