Malta Data Privacy Laws: Cap. 586 and GDPR Guide (2026)

Overview of Malta's Data Protection Framework
Malta's data protection regime is built on two pillars: the directly applicable EU General Data Protection Regulation (GDPR) and the national Data Protection Act, Chapter 586 of the Laws of Malta. The Act came into force on 28 May 2018, replacing the earlier Data Protection Act of 2001 (Cap. 440) to align Maltese law with the GDPR's requirements.

As an EU Member State, Malta is bound by the GDPR in its entirety. Cap. 586 does not replicate GDPR provisions but instead supplements them by addressing areas where the GDPR permits or requires national implementation. These areas include the establishment of the supervisory authority, specific exemptions for journalistic and academic purposes, the processing of national identification numbers, and the age of consent for children's data.
The combination of the GDPR and Cap. 586 means that any organization processing personal data of individuals in Malta must comply with both the regulation and the national law. This applies to data controllers and processors established in Malta, as well as those outside Malta who offer goods or services to individuals in the country or monitor their behavior.
The Data Protection Act (Cap. 586)
Structure and Scope
Cap. 586 is organized into several parts covering the establishment and powers of the supervisory authority, provisions supplementing the GDPR, rules on processing for law enforcement purposes (transposing the EU Law Enforcement Directive), and rules on processing by intelligence and security services.
The Act applies to the processing of personal data by automated means, as well as to the processing of personal data that forms part of a filing system or is intended to form part of a filing system. It covers both the private and public sectors, with certain modifications for law enforcement and national security processing.
Legal Bases for Processing
Malta follows the six legal bases for processing established by Article 6 of the GDPR. These include consent of the data subject, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task carried out in the public interest, and legitimate interests pursued by the controller or a third party.
For special categories of data (such as health data, biometric data, and data revealing racial or ethnic origin), processing is only permitted under the conditions set out in Article 9 of the GDPR. Cap. 586 adds national provisions specifying how these conditions apply in Malta, particularly in the context of employment law, social security, and public health.
Children's Data
Malta has set the age of digital consent at 16, consistent with the default under Article 8 of the GDPR. This means that the processing of a child's personal data based on consent requires the authorization of the holder of parental responsibility if the child is below 16 years of age. Organizations offering information society services to children must make reasonable efforts to verify parental consent.
The Information and Data Protection Commissioner (IDPC)
Role and Independence
The IDPC is Malta's independent supervisory authority for data protection. Established under Cap. 586, the Commissioner is endowed with a distinct legal personality and operates with complete independence. Article 12(1) of Cap. 586 explicitly provides that the IDPC must remain free from any direct or indirect external influence and is prohibited from seeking or accepting instructions from any person or entity.
The Commissioner is appointed by the President of Malta on the advice of the Prime Minister, following a resolution of the House of Representatives supported by at least two-thirds of its members. This appointment procedure is designed to safeguard the independence of the office.
Powers and Functions
The IDPC exercises the full range of investigative, corrective, and advisory powers granted to supervisory authorities under Articles 57 and 58 of the GDPR. These include the power to order controllers and processors to comply with data subject requests, to impose temporary or permanent bans on processing, and to order the rectification, restriction, or erasure of data.
The Commissioner may also institute civil judicial proceedings when there are violations or imminent violations of Cap. 586 or the GDPR, and may request assistance from the executive police to enter and search premises under the investigative powers granted by Article 58 of the GDPR.
Enforcement Record
Malta's IDPC has taken a measured approach to enforcement. The majority of decisions published by the IDPC have concerned infringements of data subjects' rights to access their personal data under Article 15 of the GDPR and the right to erasure under Article 17. A significant number of decisions have also addressed complaints about CCTV cameras capturing public spaces or third-party properties, with the IDPC ordering controllers to cease processing and remove cameras in several cases.
The highest administrative fine issued by the IDPC to date was a EUR 65,000 penalty imposed on C-Planet IT Solutions Limited in 2022 for infringements of data security principles regarding personal and special categories of data. In 2024, the IDPC issued a EUR 15,000 fine for unsolicited marketing phone calls made after repeated complaints to stop processing.
The IDPC has increased its enforcement activity over time, issuing more decisions in 2024 than in 2023, indicating a trend toward more active supervision.
Data Subject Rights Under Maltese Law
Individuals in Malta benefit from the full suite of data subject rights provided by the GDPR. These rights are directly enforceable and cannot be diminished by national legislation.
Right of Access
Under Article 15 of the GDPR, data subjects have the right to obtain confirmation of whether their personal data is being processed and, if so, to access that data along with information about the purposes of processing, the categories of data involved, the recipients, and the retention period. This right has been the subject of the largest number of IDPC decisions.
Right to Rectification and Erasure
Data subjects may request the correction of inaccurate personal data and the completion of incomplete data under Article 16. The right to erasure (the "right to be forgotten") under Article 17 allows individuals to request the deletion of their data in specified circumstances, including when the data is no longer necessary for the purpose it was collected.
Right to Data Portability
Article 20 of the GDPR grants data subjects the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller. This right applies where processing is based on consent or a contract and is carried out by automated means.
Right to Object
Data subjects may object to the processing of their personal data for direct marketing purposes at any time under Article 21 of the GDPR. They may also object to processing based on public interest or legitimate interest grounds, in which case the controller must demonstrate compelling legitimate grounds to override the objection.
Cross-Border Data Transfers
General Framework
As an EU Member State, Malta follows the GDPR's rules on international data transfers. Personal data may only be transferred to a country outside the European Economic Area (EEA) if one of the transfer mechanisms recognized by Chapter V of the GDPR is in place.
These mechanisms include adequacy decisions adopted by the European Commission (Article 45), appropriate safeguards such as standard contractual clauses or binding corporate rules (Article 46), and derogations for specific situations under Article 49.
Malta's Unique Subsidiary Legislation
Malta has distinguished itself among EU Member States by enacting specific subsidiary legislation on cross-border transfers. Subsidiary Legislation 586.12, the Enforcement of the Rights of Data Subjects in Relation to Transfers of Personal Data to a Third Country or an International Organisation Regulations, establishes enforceable rights in Maltese law for data subjects whose data is transferred internationally.
This legislation provides a clear legal mechanism for individuals to enforce their GDPR rights when their personal data is transferred to a third country. It addresses a gap that exists in some other EU jurisdictions where the enforceability of transfer safeguards by individual data subjects may be less clear.
Additionally, the minister responsible for data protection may, following consultation with the IDPC, set limits on the transfer of specific categories of personal data to a third country or international organization for significant reasons of public interest.
Penalties and Sanctions
Administrative Fines
The GDPR's two-tier penalty structure applies directly in Malta. For less serious infringements (such as failures to maintain records of processing activities or to conduct data protection impact assessments), fines of up to EUR 10 million or 2% of annual worldwide turnover may be imposed.
For more serious violations (such as processing data without a legal basis, failing to obtain valid consent, or transferring data internationally without appropriate safeguards), fines of up to EUR 20 million or 4% of annual worldwide turnover may be imposed.
While Cap. 586 does not establish additional administrative fine amounts beyond those in the GDPR, the GDPR's provisions on fines are directly applicable and enforceable by the IDPC.
Criminal Offenses
Cap. 586 creates several criminal offenses related to data protection. These include obstructing the Commissioner in the exercise of their functions, processing personal data in a manner that constitutes a criminal offense under the Act, and unauthorized disclosure of personal data obtained during the course of processing.
Penalties for criminal offenses under Cap. 586 can include fines and, in serious cases, imprisonment.
Special Processing Situations
Employment Context
Malta has enacted specific provisions governing the processing of personal data in the employment context. Employers must have a lawful basis for processing employee data and must inform employees about the nature and extent of monitoring activities. The IDPC has issued guidance on workplace monitoring, including the use of CCTV in the workplace, email monitoring, and GPS tracking of company vehicles.
Health Data
The processing of health data is subject to the special category provisions of Article 9 of the GDPR, as supplemented by Maltese law. Health care providers must implement appropriate safeguards and may only process health data when it is necessary for medical treatment, public health purposes, or other grounds specified in the GDPR.
Journalism and Academic Expression
Cap. 586 includes exemptions for the processing of personal data for journalistic purposes and the purposes of academic, artistic, or literary expression. These exemptions balance the right to data protection with the rights to freedom of expression and information, as required by Article 85 of the GDPR.
AI Regulation and the Expanding Role of the IDPC
In 2025, Malta designated the IDPC as the national supervisory authority responsible for overseeing high-risk AI systems under the EU's AI Act. Malta's Artificial Intelligence Regulations, Legal Notice 226 of 2025, grant the IDPC enforcement powers over biometric, law enforcement, border management, and justice-related high-risk AI systems.
Under these regulations, the IDPC may impose fines of up to EUR 50,000 per infringement and daily penalties for continued breaches. This designation reflects Malta's approach of consolidating data-related oversight within a single independent authority rather than creating a separate AI regulator.
Compliance Requirements for Organizations
Organizations processing personal data in Malta must meet several key obligations under the GDPR and Cap. 586.
Data Protection Officer
Organizations that are public authorities, that carry out large-scale systematic monitoring of individuals, or that process special categories of data on a large scale must appoint a Data Protection Officer (DPO). The DPO must be given the resources necessary to carry out their tasks and must report to the highest management level.
Record Keeping
Controllers and processors must maintain records of their processing activities and make them available to the IDPC on request. There is no obligation to notify the IDPC of processing activities prior to commencing them, unlike the notification regime that existed under the previous Data Protection Act.
Data Protection Impact Assessments
Where processing is likely to result in a high risk to the rights and freedoms of individuals, controllers must carry out a Data Protection Impact Assessment (DPIA) before commencing the processing. If the DPIA identifies a high risk that cannot be mitigated, the controller must consult the IDPC prior to processing.
Breach Notification
Data controllers must notify the IDPC of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where a breach is likely to result in a high risk, the controller must also notify the affected data subjects without undue delay.
Practical Considerations for Businesses
Malta's status as an EU Member State and its well-developed regulatory infrastructure make compliance relatively straightforward for organizations already familiar with the GDPR. The IDPC's website provides guidance documents, template forms for breach notifications and data subject requests, and information about upcoming regulatory developments.
For businesses establishing operations in Malta, the country's position as a growing technology and gaming hub means that the IDPC has developed particular expertise in areas such as online processing, gaming data, and financial services data. Organizations in these sectors may benefit from engaging with the IDPC early to understand expectations.
Malta's small size also means that the IDPC is relatively accessible to organizations seeking guidance, though this should not be mistaken for a lenient enforcement posture. The trend toward increased enforcement activity and the expansion of the IDPC's mandate to include AI oversight suggest a supervisory authority that is becoming more active over time.
This article is for informational purposes only and does not constitute legal advice. Data protection laws are subject to change, and organizations should consult with a qualified attorney for advice specific to their situation.
Sources and References
- Data Protection Act, Cap. 586 (legislation.mt)
- IDPC Legislation Page (idpc.org.mt)
- IDPC Decisions (idpc.org.mt)
- GDPR via Government of Malta (les.gov.mt)
- White & Case GDPR Malta Guide (whitecase.com)
- Chambers Data Protection Malta 2025 (chambers.com)
- DLA Piper Data Protection Malta (dlapiperdataprotection.com)