Legislative Framework
The main data protection legislative text in Malta is the Data Protection Act, Chapter 586 of the Laws of Malta (“CAP 586”), which repealed and superseded the previous Data Protection Act, Chapter 440 of the Laws of Malta. CAP 586 implements Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation, or GDPR), as a consequence of Malta’s membership of the European Union.
Another legislative text relevant to the area is the Processing of Personal Data (Electronic Communications Sector) Regulations, Subsidiary Legislation 586.01, which implements Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (the “ePrivacy Directive”).
EU Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services and Regulation (EC) No 2006/2004 of the European Parliament and of the Council of 27 October 2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws have also been transposed into national law.
Other noteworthy subsidiary legislation (SL) under Chapter 586 of the Laws of Malta includes the following:
Maltese law in other areas contains the following additional data protection and privacy-related laws:
The Constitution of Malta enshrines the right to privacy of one's home and property and the right to freedom of expression as fundamental human rights. The European Convention Act (Chapter 319 of the Laws of Malta) incorporates the European Convention on Human Rights into Maltese law, making it directly enforceable in Maltese courts. This includes the right to privacy (Article 8).
Moreover, the EU Charter of Fundamental Rights, which acknowledges the right to privacy and data protection, is applicable to national authorities when implementing EU law.
Maltese legislation also aligns with the Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No 108), ratified by Malta in February 2003.
Multilateral Legislative Implementation
Further to the enactment of CAP 586 and SL 586.01 to implement the GDPR and the ePrivacy Directive, respectively, the following Maltese laws have been enacted in order to implement the applicable EU legislation.
In relation to the implementation of applicable multinational obligations in general, any applicable Regulations or guidance issued by the European Data Protection Board (EDPB) would also be applicable to Malta, as Malta is an EU country.
From a Brexit point of view, whilst Malta is home to a number of persons from the UK, the Information and Data Protection Commissioner (IDPC) has not issued Brexit data protection-specific guidance but has reiterated the statements issued by the EDPB pertaining to Brexit.
Data Protection Authority
Under the domestic data protection regime in Malta, the key regulators are:
As the national supervisory authority, the IDPC is tasked with monitoring and enforcing the provisions of CAP 586 and its subsidiary legislation, as well as the GDPR. This role is crucial for safeguarding the fundamental rights and freedoms of individuals concerning the processing of personal data and ensuring the free flow of such data between Malta and other EU member states (Part V of CAP 586).
The Commissioner is endowed with a distinct legal personality for executing these tasks and powers, and operates with complete independence. According to Article 12(1) of CAP 586, the IDPC must remain free from any direct or indirect external influence, and is prohibited from seeking or accepting instructions from any person or entity. This independence is essential for fulfilling the duties and exercising the powers outlined in Article 58 of the GDPR.
Scope, Duties and Powers of the National Supervisory Authority
The role of the IDPC, also known as the “Commissioner”, includes enforcing the GDPR to safeguard the fundamental rights and freedoms of individuals regarding the processing of personal data and to promote the free flow of personal data between Malta and other EU member states (Part V of CAP 586). The Commissioner is granted a distinct legal personality to perform these tasks and exercise these powers.
The IDPC is empowered to:
Decisions made by the Commissioner can be appealed before the Information and Data Protection Appeals Tribunal. Decisions of the Tribunal are subject to review by the Court of Appeal.
Co-operation With Other Data Protection Authorities
Article 15 of CAP 586 allows the Commissioner to seek advice from and consult with any other competent authority while performing functions under CAP 586 and the GDPR. The Commissioner may also delegate powers, including investigative powers, to the seconding supervisory authority during joint operations with supervisory authorities from other EU member states, provided these powers are exercised under the guidance and in the presence of the IDPC.
The GDPR mandates the IDPC to co-operate on cases with a cross-border component to ensure consistent application of the GDPR, known as the one-stop shop mechanism.
In the context of processing personal data in the electronic communications sector, the IDPC is authorised to seek advice from and, where appropriate, consult with the MCA while performing its functions.
Article 7 of CAP 586 requires the IDPC to consult an ethics committee or an institution recognised by the IDPC when genetic data, biometric data or health data need to be processed for research purposes.
Regarding the scope of investigations and audits by the key local regulator, local implementation legislation does not provide significantly more than what is outlined under the GDPR (complaint basis, Article 57, and ex officio, Article 58), similar to other EEA jurisdictions.
Scope of Data Protection Authority Investigations and Audits
CAP 586 mandates that the Commissioner, as the national supervisory authority, performs the duties assigned under the GDPR (Article 15 of the GDPR). From a domestic law perspective, the Commissioner's role includes handling complaints from third parties with locus standi and exercising the power and duty to investigate ex officio and implement corrective measures. This scope does not extend significantly beyond the provisions of Articles 57 and 58 of the GDPR (Article 15(2) of the GDPR).
Artificial Intelligence (AI)
The pertinent regulator for AI matters would be the Malta Digital Innovation Authority (MDIA), established by the Malta Digital Innovation Authority Act, Chapter 591 of the Laws of Malta (MDIAA). The MDIAA stipulates that the MDIA shall endeavour to assist the competent data protection authorities as required by law (Article 4(2)(h)).
Domestic Administrative and Enforcement Process
Aside from the relevant GDPR articles, Maltese law does not provide extensive detail on the administrative procedures the IDPC must follow or the legal standards and criteria for evaluating the merits of an investigation; these aspects are largely left to the Commissioner's discretion. Consequently, the primary reference is the “duties assigned to him” under Article 15 of CAP 586.
Moreover, when making decisions, the Commissioner “...may seek the advice of, and may consult with, any other competent authority in the exercise of his functions under this Act and the Regulation” (Article 15(3) of CAP 586).
Regarding the legal standards and criteria that empower the Commissioner to take action, Article 15(2) of CAP 586 specifies that the “Commissioner shall have the power to institute civil judicial proceedings in cases where the provisions of this Act or the Regulation have been or are about to be violated”. The applicable law thus establishes an objective statutory standard, rather than a subjective one that turns on the Commissioner’s discretion or on the level of likelihood of a violation.
Judicial Review of Data Protection Authority Orders
Under Maltese law, the parties are heard or asked to make submissions at the investigation stage, before the Commissioner imposes a decision. If the respondent disagrees with the decision reached by the Commissioner, they may file an appeal with the Data Protection Appeals Tribunal within 20 days of service of such decision, insofar as it is made on the following substantive grounds (Article 26 of CAP 586):
The appeal procedure before the Data Protection Appeals Tribunal is undertaken in accordance with Article 26 of CAP 586, which sets out the various formalities to be observed by the appellant, the tribunal and its registry, such as time limits and the serving/submission of pertinent legal documents.
If the parties (including the IDPC) are aggrieved with an appeal decision by the Data Protection Appeals Tribunal, they may resort to the Court of Appeal, on a question of law, as constituted by Article 41(9) of the Code of Organisation and Civil Procedure, Chapter 12 of the Laws of Malta, as per Article 29 of CAP 586.
Fines and Penalties
Under the GDPR, the maximum penalty for non-compliance is either EUR20 million or 4% of worldwide turnover, whichever is higher (Article 83 of the GDPR). Although the Malta Data Protection Act does not specify the administrative fines that the IDPC may impose for GDPR violations, the GDPR's provisions are directly applicable. Therefore, the IDPC can enforce the fines outlined in Article 83 of the GDPR.
In addition, and without prejudice to the above, the Data Protection Act stipulates that any individual found guilty of certain offences will face penalties. These offences include knowingly providing false information to the IDPC during an investigation, and failing to comply with any lawful request from the IDPC. Conviction for these offences can result in a fine ranging from EUR1,250 to EUR50,000, imprisonment for up to six months, or both.
Furthermore, violations of SL 586.01 (the Processing of Personal Data (Electronic Communications Sector) Regulations, which implement the ePrivacy Directive) are subject to administrative fines. These fines can be up to EUR23,293.73 for each violation and EUR2,329.37 for each day the infringement continues. The IDPC is responsible for determining and imposing these fines.
There is currently no Maltese law that defines “artificial intelligence” but, as Malta is an EU member state, the anticipated and proposed EU AI Act will cover this domain. Malta is set to implement the EU Artificial Intelligence Act (AI Act), which entered into force on 1 August 2024 and represents a significant step towards regulating AI. The Act takes a risk-based approach and aims to implement transparency and accountability, human oversight and data governance over AI systems.
The EU AI Act and the GDPR are designed to work together. While the AI Act focuses on the safe development and use of AI systems, the GDPR ensures the protection of personal data. This dual approach ensures that AI innovations do not compromise individual privacy rights.
It is also pertinent to note that the MDIA issued the following White Paper consultations in respect of AI in 2019:
Apart from the interplay between the EU AI Act and the GDPR, there are currently no local laws or guidance on the interplay between applicable laws in Malta.
Locally, there has been a notable increase in the number of enforcement actions and decisions issued by the IDPC concerning infringements of data protection law. The IDPC issued more decisions in 2024 than in 2023, indicating a significant upward trend in enforcement measures. The majority of the decisions published by the IDPC pertain primarily to infringements of data subjects’ rights to access their personal data under Article 15 of the GDPR, and to the right to erasure under Article 17. Many decisions address the unlawful processing of personal data in violation of Article 6 of the GDPR (specific local case law and IDPC decisions are explored in 2.2 Recent Case Law and in the Malta Trends and Developments chapter in this guide).
As a member state of the European Union, Malta's legal landscape is significantly influenced by supranational and international developments in data protection law. Recent trends in privacy litigation in the EU underscore the growing importance of data protection laws, with the Court of Justice of the European Union (CJEU) delivering several landmark judgments that have direct implications for Malta. In 2024, the CJEU addressed several fundamental issues, including:
These decisions will undoubtedly shape the legal privacy landscape in Malta, guiding domestic litigation and enforcement actions by the IDPC.
Locally, the C-Planet decision of 2022 remains the highest fine (EUR65,000) issued by the IDPC. It was imposed on C-Planet It Solutions Limited, which infringed principles of security regarding personal and special categories of data of a substantial number of data subjects. A civil case is currently also being heard in front of the Civil Courts of Malta as a collective action regarding the illegal processing of personal data that included voter preferences.
The IDPC undertook various decisions during 2024, with a large majority pertaining to complaints over CCTV cameras capturing public spaces or third-party properties, whereby the authority ordered the controller to stop processing operations and remove the camera. The only administrative fine issued in 2024 by the IDPC was a EUR15,000 fine in relation to a data protection complaint concerning two unsolicited direct marketing phone calls (two years apart), made after the data subject had complained several times to the controller asking it to stop processing their personal data. In that case, the authority found that the controller had infringed Articles 21(2) and 5(2) of the GDPR. The IDPC noted that the length and repeated nature of the infringement increased the gravity of the breach and further warranted the application of an administrative fine (Article 82). The authority also noted that the way in which the infringement occurred revealed a certain amount of negligence on the controller’s part: the controller’s system had failed to erase the complainant’s telephone number after several requests to erase the complainant’s personal data, and despite reassurance that such measures had been taken, and the controller had thus infringed Article 21(2) of the GDPR.
Another interesting decision taken in 2024 by the IDPC involved a balancing test between one’s right to privacy and the right to freedom of expression, particularly journalistic expression. In this decision, the alleged breach concerned the publication of 200 pages of WhatsApp chat conversations between the complainant and a third party, which were subsequently published in a blog post on a blogger’s website. The IDPC needed to take into consideration the right to one’s private life and reconcile an eventual court ban on the publication of such chats with the right to freedom of expression and the public interest in relation to persons and information deemed to be in the public eye and published by virtue of maintaining a democratic society. In its final decision, the IDPC decided that, although the right to journalistic expression is a fundamental right, the controller of such information should have conducted a fundamental assessment and carefully removed the parts containing intimate personal data (for example, the sexual relations of the complainant). It decided that the controller had failed to demonstrate proportionate, necessary and justified reasons of substantial public interest for publishing, and thus deemed the processing unlawful. As a consequence, the IDPC ordered the controller to erase the blog post.
Class actions do exist in Malta, under the Collective Proceedings Act (Chapter 520 of the Laws of Malta, as it stood before the 2023 amendments), but this legislation has faced challenges in its application before the Maltese courts since data protection claims, for example, do not fall under such statute. However, a collective claim is possible in respect of data protection matters in light of Maltese Civil Procedure, which has been termed by court jurisprudence as azzjoni kollettiva or a “cumulative action”. This was in fact the basis for the collective claim of C-Planet in 2022; the case concerned the data leak of sensitive personal data pertaining to citizens’ political leanings and association, which, in the jurisdiction in question, is an immensely delicate issue.
Nevertheless, the Representative Actions Act (Directive (EU) 2020/1828 of 25 November 2020) is designed to provide a more robust legal framework, and is expected to enhance the effectiveness of collective actions by qualified entities in court. Essentially, the Representative Actions Directive requires member states to implement a harmonised procedural framework to permit consumer class actions where a party is in breach of laws, which amongst others now includes data protection claims.
This Directive aims to establish a model for representative actions on behalf of European consumers when their collective interests are harmed. Malta enacted the transposing Maltese law on 5 June 2023 by way of Act No XVII of 2023, entitled “An Act to provide for representative actions for the protection of the collective interests of consumers, and to carry out other consequential amendments” (the Representative Actions Act).
There is no Maltese law specifically regulating the IoT. The concept has previously raised the same legal difficulties as big data in terms of data repurposing, but it is anticipated that the forthcoming EU Data Act will reconcile certain matters concerning the IoT, just as it intends to better address the closely linked big data industry. Full application of this law is set for 12 September 2025.
There is no Maltese law specifically dealing with data regulation, apart from the interplay between the EU Data Act and the GDPR. The EU Data Act is set to become applicable in Malta in September 2025.
As referred to in 3.1 Objectives and Scope of Data Regulation and 3.2 Interaction of Data Regulation and Data Protection, there is no Maltese law regulating the use of IoT services and data processing services; these are to be governed by the upcoming EU Data Act.
The MDIA is the designated authority to enforce the EU Data Act in Malta. Established under the MDIAA, this authority exercises regulatory functions regarding innovative technology and related services, and promotes consistent principles for the development of visions, skills and other qualities relating to innovative technology. The MDIA is tasked with assisting competent data protection authorities to safeguard data protection rights, in the context of innovative technologies, although it was not primarily set up to oversee privacy and data protection compliance. In this respect, the MDIA is entrusted with the “Strategy and Vision for Artificial Intelligence in Malta 2030”.
Maltese law does not provide regulations regarding “do not track” technologies or behavioural/targeted advertising, but it does regulate cookies and may naturally be interpreted to apply also to similar identifier applications.
In this respect, it is noteworthy that, whilst the conditions for the placing of cookies or similar identifiers entail the “right to refuse” such placement (apart from the provision of information) under the ePrivacy Directive, the requirement under Maltese law is for the giving of “consent”.
The applicable Maltese subsidiary legislation regarding online marketing (SL 586.01) is in line with the ePrivacy Directive.
In relation to workplace or employment law considerations, Maltese law does not provide any specific regulatory framework further to EU data protection law.
In this respect, therefore, from an employment relationship point of view, as there is a disparity in power dynamics between the employer and the employee, consent cannot be relied upon as a lawful basis for processing, so performance of a contract is relied upon instead.
The employer may also qualify the ground of legitimate interest within a contract of employment, in relation to certain matters. Nevertheless, as an EU member state, Malta is subject to EU jurisprudence and is a contracting party to the ECHR. In this respect, the 2017 judgment of the European Court of Human Rights in Bărbulescu v Romania, which related to the monitoring of an employee’s personal data, established that such monitoring of employees may be carried out in compliance with applicable legislation if it is done in a transparent manner as provided by law.
Under Maltese employment law, it may be inferred that the employer has a legitimate reason to ascertain whether the agreed “hours of work” are duly undertaken. Accordingly, further to the above judgment, a degree of proportionality and due informed notice and explanation must be undertaken, with the adoption of the least intrusive monitoring and adequate safeguards and, last but not least, the qualification of legitimacy in justifying such monitoring.
Previous provisions addressing certain time/record-keeping matters in relation to employment-related data have now been repealed.
In Malta, the Whistleblower Act, Chapter 527 of the Laws of Malta, was enacted in 2013 with the intention of encouraging employees to flag workplace malpractice or illegality encountered or observed. Data protection wrongdoing is included in such legislation, given the wide scope of “improper practice” defined therein. Therefore, employees may raise the issue of privacy and data protection infringements occurring within the organisation discreetly.
Malta does not have specific laws in relation to data protection in due diligence exercises for asset deals, but it is subject to the GDPR, which stipulates indirect obligations in this respect.
In corporate and M&A transactions, the acquiring entity is typically interested in carrying out a due diligence exercise to understand the entity with which they are planning to do business (ie, whether it is and has been compliant with laws such as data protection) and to understand the inherent risk of the seller’s data assets. Whilst this may be desirable for an acquiring entity before it inherits unlawfully obtained or processed data, Article 28(1) of the GDPR mandates an obligation for controllers to ensure that the processors being engaged provide sufficient guarantees that their processing meets the GDPR standards and requirements, in addition to guaranteeing the protection of data subjects’ rights.
Typical issues encountered include the absence of written policies governing data protection and non-reported data breaches.
Parties may opt to enter into an indemnification agreement whereby the vendor would need to reimburse any fine(s) suffered by the purchaser for data protection non-compliance following acquisition. However, this does not account for an increase in insurance premiums in cases where the data protection due diligence reveals existing insufficiencies and a high risk of fines.
Further to EU data protection law, personal data that is attributable to a person within the EU or that is processed within the EU may be transferred freely within the EU territory. Transfers may also be made to third countries and international organisations if the processing to take place in such countries or organisations is able to comply with the GDPR’s requirements, ensuring adequate safeguards in terms of Chapter 5 of the GDPR.
Furthermore, the “appropriate safeguards” requirement may be met by virtue of a number of legitimising instruments delineated in the GDPR, notably a Commission adequacy decision, standard contractual clauses (SCCs), binding corporate rules (BCRs) or other legally binding instruments (Article 46 of the GDPR).
Mechanisms or Derogations That Apply to International Data Transfers
Multilateral agreements in place by virtue of the EU may be applicable for the benefit of Malta and therefore may facilitate cross-border transfers of data to third countries in satisfying the GDPR’s appropriate safeguards element.
In this respect, the EU-US adequacy decision issued in July 2023 effectively acts to fill in the gap for the EU-US Privacy Shield that was invalidated by the CJEU in 2016, and hence facilitates the unhindered flow of data across the Atlantic.
In the EU data protection law sphere, notifications to one’s authority are not currently required in terms of third-country transfers. Appropriate safeguards in terms of the GDPR must be in place vis-à-vis the recipient third country where no adequacy decision for such exists.
In terms of Maltese company law, certain prescribed company-related records must be kept at the company’s registered office in Malta. However, this requirement pertains to the originals in question, so the data may be transferred overseas insofar as the transfer complies with the applicable legislation (for example, by being carried out in accordance with the appropriate safeguards legitimising transfers to third countries) and does not breach any other law or legal agreement, such as client privilege or a non-disclosure or confidentiality agreement, with the original copy remaining at the registered office.
As a member state of the EU, Malta is subject to Council Regulation 2271/96 of 22 November 1996, which protects against the effects of the potential extraterritorial application of legislation adopted by a third country, and actions based thereon or resulting therefrom. This consequently protects EU operators from the reach of a third country’s extraterritorial jurisdiction, which may possibly jeopardise EU data subjects’ privacy rights in light of the third country’s differing standard of data protection to the GDPR.
There have been no recent developments or guidance from a local perspective in relation to the international transfer of personal data. Reference to such developments can be found from the European Commission, including its recent public consultation on additional SCCs for international transfers of personal data to non-EU controllers and processors subject to the GDPR extraterritorially, issued in September 2024.
info@fenechlaw.com www.fenechlaw.com

Data Protection and Privacy in Malta: an Overview
Data protection authority decisions in Malta
Over the past few years, there has been an increase in the number of enforcements and decisions passed by the Information and Data Protection Commissioner (IDPC or “Commissioner”) in connection with infringements of data protection law. The IDPC issued more decisions in 2024 than in 2023, reflecting the exponential trajectory for enforcement measures by the IDPC. 2024 also saw the first decision that was instituted ex officio rather than by virtue of a public complaint – ie, by the IDPC’s own volition and within its regulatory scope.
The majority of the decisions published by the IDPC relate mainly to an infringement of the data subjects’ rights to their personal data in terms of Article 15 (and Article 17) of the EU General Data Protection Regulation (GDPR), and to the unlawful processing of personal data pursuant to Article 6 of the GDPR.
Right of access
Over recent months, several claims and complaints have been lodged with the IDPC concerning infringements of data subjects’ right of access. The vast majority of these have centred on the right of access to personal data, as per Article 15 of the GDPR. Interestingly, however, several claims made in 2024 pertained to access requests that were denied by the controller on the belief that the request for data was predominantly aimed at facilitating litigation, as provided for under regulation 4(e) of the Restriction of the Data Protection (Obligation and Rights) Regulations, Subsidiary Legislation 586.09.
In its examination of such cases, the Commissioner noted that the controller cannot apply such derogation based on an “assumption” that the complainant may be requesting such information in order to institute a legal action. In fact, in its decisions the Commissioner emphasised that said derogation and the right of data subjects can only be restricted “for… defence of a legal claim and for legal proceedings” (Article 4(e) of SL 586.09). Therefore, the restriction shall only apply if it is necessary for the controller to defend an actual legal claim and legal proceedings that may subsequently be instituted under any law.
In such cases, the Commissioner noted that the controllers had failed to provide evidence during the IDPC’s investigation effectively demonstrating that the complainant had brought a legal claim against them and that the derogation was therefore applicable. Thus, the Commissioner ordered the controller to comply with the request and provide the complainant with the information requested, as underpinned in Article 15 of the GDPR.
The IDPC has already issued its first decision for 2025, regarding a data subject’s right to access their personal data from a bank acting as the data controller. Once again, the fundamental right of the data subject, as underpinned in Article 15(1)(a) to (h) of the GDPR and, where applicable, Article 15(2), together with access to a copy of the personal data undergoing processing in accordance with Article 15(3) of the GDPR, formed the legal basis for the request. However, after the complainant was informed that he had received “all” data in relation to himself, the complainant further requested that he also be provided with any internal correspondence at the bank that included his personal data. The controller denied this request on the basis of Article 15(4) of the GDPR. The Commissioner noted that the bank continued to provide contradictory statements: on the one hand it had reassured the complainant that it had provided him with all the personal data it held, while on the other hand it was unable to divulge internal communications that contained his personal data.
In its decision the Commissioner noted the following: in its response to the complainant, the controller failed to mention that it was only providing partial access and therefore such response lacked the necessary elements of transparency and fairness, and only after further questioning did the controller reveal that this was a partial access. The Commissioner concluded that the manner in which the controller handled the request by the complainant went against the principles of fairness and transparency as set forth in Article 5(1)(a) of the GDPR.
Furthermore, upon investigation into the controller’s reasons for not sharing internal communications that held personal data of the complainant, namely to protect its employees, who are bound by professional secrecy laws, the Commissioner correctly pointed out that this internal correspondence pertained to the complainant in the context of a case before the Office of the Arbiter for Financial Services, and that professional secrecy laws should not hinder the complainant from accessing his own personal data relating to a case that was res judicata at the time of receipt of the complainant’s access request.
In its final decision, the Commissioner concluded that the controller had failed to inform the complainant of the limitation invoked pursuant to Article 15(4) of the GDPR, and that the necessary elements of transparency and fairness set out under Article 5(1) of the GDPR had also been breached. As a compromise, the Commissioner stated that, in order to protect the bank’s employees’ internal communications, it could have shared such communications with any contact details (such as names, email addresses, etc) redacted before sharing. The Commissioner ordered that such personal data be shared with the complainant as requested.
Right to erasure (the right to be forgotten)
The right to erasure as established under Article 17 of the GDPR was another basis of data protection complaints to the IDPC. In one decision regarding this, the complainant requested the erasure of his personal data from an insurance company (the controller). The complainant had shared his personal data when requesting a quote for car insurance. However, having not received a quote, the complainant requested that the insurance company delete the personal data he had previously shared when requesting the quote. The controller refused to erase such data, claiming it was obliged by insurance law to retain such data for a specific period of time.
When investigating the case, the IDPC asked the controller which law obliged it to retain such data, to which the controller responded that there was no specific law except for that found under the GDPR, where a controller can retain personal data for up to five years. The Commissioner noted that, on the contrary, the GDPR does not impose such a legal obligation and in fact advocates for data minimisation (Article 5(1)(c)); therefore, the controller could not rely on this derogation from erasure found under Article 17(3)(b).
The controller also stated that it was not obliged to erase such personal data because of its need to exercise or defend legal claims, as underpinned by Article 17(3)(e). The Commissioner established that such a defence cannot be hypothetical – it must be proved that retaining the information is necessary to defend an actual legal claim instituted against the controller. The IDPC decided that the controller had failed to provide a legal justification for retaining the personal data and refusing erasure, and had therefore breached Article 17(1); the controller was ordered to erase the personal data of the complainant.
Unlawful processing
In 2024, similar to 2023, the IDPC continued to receive complaints of infringements regarding the unlawful processing of personal data under Article 6(1) of the GDPR, particularly concerning CCTV surveillance systems. Many complaints involved data subjects claiming that CCTV installations, intended to protect tenants' safety, were not lawful under the GDPR. Defendants often argued that their CCTV processing was exempt under the household exemption of the GDPR, claiming it was for property protection. However, the IDPC frequently determined that this exemption did not apply, especially when the CCTV captured public spaces, referencing the CJEU’s Rynes judgment (Case C-212/13).
In cases where the household exemption was deemed inapplicable, the IDPC examined whether the CCTV processing had a lawful basis under Article 6 of the GDPR. The IDPC often found no such lawful basis, thus ruling the processing as contravening the GDPR. The IDPC emphasised that CCTV capturing public spaces could only be lawful in exceptional cases where a compelling legitimate interest was proven or where legislative provisions permitted such processing. Even in cases of prior vandalism or serious incidents, the IDPC often found the evidence insufficient to justify limiting data protection rights. The IDPC's corrective measures typically included reprimands and orders to recalibrate CCTV systems to limit their scope and protect public areas.
Recent case law: illegal processing of electoral data and voter preferences
The Civil Courts of Malta are currently hearing a collective action (similar in scope to a class action) regarding the illegal processing of personal data (including voter preferences). The case was instituted after a Maltese service provider (C-Planet) that provided technology services to a number of entities in Malta suffered a massive data breach. The impacted data, released on the internet, included a database containing the details of all Maltese citizens who are eligible to vote as well as their voting preferences, thereby including special category data.
When called to testify by the plaintiffs, the Malta Electoral Commission confirmed that part of this database comprised the electoral register. However, the affected database also contained various other data fields, such as telephone numbers, but also voting preferences, which are not typically part of the electoral database. It appears therefore that there had been an amalgamation of various data sources.
Whilst the case is still ongoing, there have been several local reports that this database has been in use extensively by the Labour party (the party currently in government) to award government jobs and to check the political orientation of prospective government employees.
The case has been instituted by more than 500 Maltese citizens, who are being assisted by the NGOs Daphne Caruana Galizia Foundation and Repubblika. The current civil case is seeking damages against the service provider that suffered the data breach and also against the third parties who actually created the database itself.
Through its investigations and eventual decision, the IDPC has already found the service provider to be in breach of the GDPR and imposed a fine of EUR 65,000. The civil case is ongoing.
Concluding remarks
Within the Maltese context, recent trends reveal a heightened focus and awareness on data protection by public authorities, as evidenced by the increase in decisions and enforcement actions. There is also a growing recognition among data subjects of the value of their personal data, reflected in the rising number of complaints filed with the IDPC. This trend is encouraging, as it indicates that the fundamental objectives of data protection legislation are being effectively realised.
Within the European context, and therefore equally the local Maltese context, emerging technologies and new digital realities have become the biggest challenges to privacy and data protection. It will be interesting to see how the various new EU digital laws will interact with privacy and data protection regulation in the coming years, and whether they will be enough to safeguard such rights as technology continues to advance at such a rapid rate.
198 Old Bakery Street, Valletta, VLT 1455, Malta
+356 2124 1232
info@fenechlaw.com
www.fenechlaw.com