Legislative Framework

The main data protection legislative text in Malta is the Data Protection Act, Chapter 586 of the Laws of Malta (“CAP 586”), which repealed and superseded the previous Data Protection Act, Chapter 440 of the Laws of Malta. CAP 586 implements Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation, or GDPR), subsequent to Malta being a member state of the European Union.

Another legislative text relevant to the area is the Processing of Personal Data (Electronic Communications Sector) Regulations, Subsidiary Legislation 586.01, which implements Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (the “ePrivacy Directive”).

EU Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services and Regulation (EC) No 2006/2004 of the European Parliament and of the Council of 27 October 2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws have also been transposed into national law.

Other noteworthy subsidiary legislation (SL) under Chapter 586 of the Laws of Malta includes the following:

• the Processing of Personal Data (Protection of Minors) Regulations (SL 586.04);
• the Processing of Personal Data for the purposes of the General Elections Act and the Local Councils Act Regulations (SL 586.06);
• the Processing of Personal Data (Education Sector) Regulations (SL 586.07);
• the Data Protection (Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties) Regulations (SL 586.08);
• the Restriction of the Data Protection (Obligations and Rights) Regulations (SL 586.09);
• the Processing of Data concerning Health for Insurance Purposes Regulations (SL 586.10);
• the Processing of Child’s Personal Data in relation to the Offer of Information Society Services Regulations (SL 586.11); and
• the Enforcement of Rights of Data Subjects in relation to Transfers of Personal Data to a Third Country or an International Organisation Regulations (SL 586.12).

Maltese law in other areas contains the following additional data protection and privacy-related laws:

• the Criminal Code, Chapter 9 of the Laws of Malta, Title IX, Cooperation between the National Authorities and the Office of the European Public Prosecutor;
• the Identity Card and other Identity Documents Act, Chapter 258 of the Laws of Malta, on the limitations of the use of biometric data stored on an electronic identity card;
• the Accountancy Profession Act, Chapter 281 of the Laws of Malta, on the remit and limitations of the Accountancy Board;
• the Income Tax Management Act, Chapter 372 of the Laws of Malta, on the partial or complete restriction of data subject rights, particularly the right of access, and on the limitations of the Commissioner of Inland Revenue to request special category data;
• the Credit Agreements for Consumers relating to Residential Immovable Property Regulations (SL 378.10), on the limitations of processing personal data obtained from a consumer or any other person in connection with the conclusion and management of any credit agreement, insofar as this may only be processed for the purpose of assessing the creditworthiness of the consumer or of any such other person and their ability to repay in accordance with these regulations;
• Part VIII of the Electronic Communications Networks And Services (General) Regulations (SL 399.48), on the protection of privacy, which regulate calling-line identification, among other matters;
• the Work Place (Minimum Health and Safety Requirements for the Protection of Workers from Risks resulting from Exposure to Electromagnetic Fields) Regulations (SL 424.34), on the limitations on the right of access in the context of safety risk assessments;
• the Olive Oil (Marketing Standards) (Implementing) Regulations (SL 427.101), establishing a public interest ground for the sharing of data and information by persons, natural or legal, for the purposes of the Director General’s functions;
• the Telework National Standard Order (SL 452.104), on measures, particularly concerning software, that employers of teleworkers must implement to ensure the protection of data used and processed by the teleworker in the carrying out of duties;
• the Clinical Trials Regulations (SL 458.43), pertaining to rules regulating clinical trials, including assurances on the rights of the subject to physical and mental integrity, and to the provision and protection of data concerning him or her;
• the Communication of Passenger Data by Air or Sea Carriers Order (SL 460.18), on the rules regulating the processing of personal data by the Principal Immigration Officer, including on retention periods;
• the Securitisation Act, Chapter 484 of the Laws of Malta, on the transfer of personal data, including to third countries without adequate levels of protection, within the context of securitisation transactions;
• the Voluntary Organisations Act, Chapter 492 of the Laws of Malta, on disclosures of personal data processed by the Commissioner for Voluntary Organisations;
• the Deployment and Use of Intelligent Transport Systems Regulations (SL 499.61), pertaining to the processing of personal data in the context of intelligent transport systems (ITS) and the preference for anonymous data in the performance of ITS applications and services;
• the Motor Vehicles (Exchange of Data) Regulations (SL 499.62), on, inter alia, retention periods of personal data processed by competent authorities;
• the Health Act, Chapter 528 of the Laws of Malta, on, inter alia, the limitation of the right to access by a patient;
• the Processing of Personal Data (Secondary Processing) (Health Sector) Regulations (SL 528.10), on, inter alia, the secondary processing of personal data and health records for research activities;
• the Business Register and Information Sharing Regulations (SL 546.02), on the establishment of a business registry and, inter alia, the rule that all undertakings listed thereon (including self-employed persons) are considered as business undertakings;
• the Co-ordination of Government Inspections Act, Chapter 568 of the Laws of Malta, which provides, inter alia, that the sharing of data and the maintenance of common databases and repositories of information, as provided for by this Act to facilitate reductions in the burden of inspections on entities and individuals, shall be regarded as activities that are carried out in the public interest for the purposes of the Data Protection Act;
• the Gaming Commercial Communications Regulations (SL 583.09), on the limitation of the processing of personal data, unsolicited commercial communications and commercial communications to self-excluded players by authorised persons offering licensable games or service providers collaborating with authorised persons; and
• the Passenger Name Record (Data) Act, Chapter 584 of the Laws of Malta, which transposes Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

The Constitution of Malta enshrines the right to privacy of one's home and property and the right to freedom of expression as fundamental human rights. The European Convention Act (Chapter 319 of the Laws of Malta) incorporates the European Convention on Human Rights into Maltese law, making it directly enforceable in Maltese courts. This includes the right to privacy (Article 8).

Moreover, the EU Charter of Fundamental Rights, which acknowledges the right to privacy and data protection, is applicable to national authorities when implementing EU law.

Maltese legislation also aligns with the Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No 108), ratified by Malta in February 2003.

Multilateral Legislative Implementation

Further to the enactment of CAP 586 and SL 586.01 to implement the GDPR and the ePrivacy Directive, respectively, Maltese law has enacted the following in order to implement the applicable EU legislation.

• SL 586.08 (enacted in 2018) is the domestic legislation in Malta that implements Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.
• SL 586.12 implements Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR.

In relation to the implementation of applicable multinational obligations in general, any applicable Regulations or guidance issued by the European Data Protection Board (EDPB) would also be applicable to Malta, as Malta is an EU country.

From a Brexit point of view, whilst Malta is home to a number of persons from the UK, the Information and Data Protection Commissioner (IDPC) has not issued Brexit data protection-specific guidance but has reiterated the statements issued by the EDPB pertaining to Brexit.

Data Protection Authority

Under the domestic data protection regime in Malta, the key regulators are:

• the IDPC, which is effectively the national supervisory authority in Malta in terms of the GDPR; and
• to a secondary extent, in terms of SL 586.01, the Malta Communications Authority (MCA).

As the national supervisory authority, the IDPC is tasked with monitoring and enforcing the provisions of CAP 586 and its subsidiary legislation, as well as the GDPR. This role is crucial for safeguarding the fundamental rights and freedoms of individuals concerning the processing of personal data and ensuring the free flow of such data between Malta and other EU member states (Part V of CAP 586).

The Commissioner is endowed with a distinct legal personality for executing these tasks and powers, and operates with complete independence. According to Article 12(1) of CAP 586, the IDPC must remain free from any direct or indirect external influence, and is prohibited from seeking or accepting instructions from any person or entity. This independence is essential for fulfilling the duties and exercising the powers outlined in Article 58 of the GDPR.

Scope, Duties and Powers of the National Supervisory Authority

The role of the IDPC, also known as the “Commissioner”, includes enforcing the GDPR to safeguard the fundamental rights and freedoms of individuals regarding the processing of personal data and to promote the free flow of personal data between Malta and other EU member states (Part V of CAP 586). The Commissioner is granted a distinct legal personality to perform these tasks and exercise these powers.

The IDPC is empowered to:

• impose administrative fines;
• institute civil judicial proceedings when there are violations or imminent violations of CAP 586 or the GDPR;
• request assistance from the executive police to enter and search premises under the investigative powers granted by Article 58 of the GDPR;
• seek advice and consult with other competent authorities in fulfilling its functions under CAP 586 and the GDPR; and
• confer powers, including investigative powers, on members or staff of seconding supervisory authorities during joint operations with supervisory authorities from other EU member states.

Decisions made by the Commissioner can be appealed before the Information and Data Protection Appeals Tribunal. Decisions of the Tribunal are subject to review by the Court of Appeal.

Co-operation With Other Data Protection Authorities

Article 15 of CAP 586 allows the Commissioner to seek advice from and consult with any other competent authority while performing functions under CAP 586 and the GDPR. The Commissioner may also delegate powers, including investigative powers, to the seconding supervisory authority during joint operations with supervisory authorities from other EU member states, provided these powers are exercised under the IDPC's guidance and presence.

The GDPR mandates the IDPC to co-operate on cases with a cross-border component to ensure consistent application of the GDPR, known as the one-stop shop mechanism.

In the context of processing personal data in the electronic communications sector, the IDPC is authorised to seek advice from and, where appropriate, consult with the MCA while performing its functions.

Article 7 of CAP 586 requires the IDPC to consult an ethics committee or an institution recognised by the IDPC when genetic data, biometric data or health data need to be processed for research purposes.

Regarding the scope of investigations and audits by the key local regulator, local implementation legislation does not provide significantly more than what is outlined under the GDPR (complaint basis, Article 57, and ex officio, Article 58), similar to other EEA jurisdictions.

Scope of Data Protection Authority Investigations and Audits

CAP 586 mandates that the Commissioner, as the national supervisory authority, performs the duties assigned under the GDPR (Article 15 of the GDPR). From a domestic law perspective, the Commissioner's role includes handling complaints from third parties with locus standi and exercising the power and duty to investigate ex officio and implement corrective measures. This scope does not extend significantly beyond the provisions of Articles 57 and 58 of the GDPR (Article 15(2) of the GDPR).

Artificial Intelligence (AI)

The pertinent regulator for AI matters would be the Malta Digital Innovation Authority (MDIA), established by the Malta Digital Innovation Authority Act, Chapter 591 of the Laws of Malta (MDIAA). The MDIAA stipulates that the MDIA shall endeavour to assist the competent data protection authorities as required by law (Article 4 (2) (h)).

Domestic Administrative and Enforcement Process

Aside from the relevant GDPR articles, Maltese law does not provide extensive detail on the administrative procedures the IDPC must follow or the legal standards and criteria for evaluating the merits of an investigation; these aspects are largely left to the Commissioner's discretion. Consequently, the primary reference is the “duties assigned to him” under Article 15 of CAP 586.

Moreover, when making decisions, the Commissioner “...may seek the advice of, and may consult with, any other competent authority in the exercise of his functions under this Act and the Regulation” (Article 15.3 of CAP 586).

Regarding the legal standards and criteria that empower the Commissioner to take action, Article 15(2) of CAP 586 specifies that the “Commissioner shall have the power to institute civil judicial proceedings in cases where the provisions of this Act or the Regulation have been or are about to be violated”. The applicable law establishes an objective statutory standard rather than a subjective interpretation, focusing on the Commissioner's discretion or the level of likelihood.

Judicial Review of Data Protection Authority Orders

Under Maltese law, prior to the imposition of a decision by the Commissioner, the parties are heard or asked to make submissions, at the investigation stage. If the respondent disagrees with the decision reached by the Commissioner, they may file an appeal with the Data Protection Appeals Tribunal within 20 days of service of such decision, insofar as it is made on the following substantive grounds (Article 26 of CAP 586):

• a material error as to the facts has been made;
• there was a material procedural error;
• an error of law has been made; or
• there was some material illegality, including unreasonableness or lack of proportionality.

The appeal procedure before the Data Protection Appeals Tribunal is undertaken in accordance with Article 26 of CAP 586, which sets out the various formalities to be observed by the appellant, the tribunal and its registry, such as time limits and the serving/submission of pertinent legal documents.

If the parties (including the IDPC) are aggrieved with an appeal decision by the Data Protection Appeals Tribunal, they may resort to the Court of Appeal, on a question of law, as constituted by Article 41(9) of the Code of Organisation and Civil Procedure, Chapter 12 of the Laws of Malta, as per Article 29 of CAP 586.

Fines and Penalties

Under the GDPR, the maximum penalty for non-compliance is either EUR20 million or 4% of worldwide turnover, whichever is higher (Article 83 of the GDPR). Although the Malta Data Protection Act does not specify the administrative fines that the IDPC may impose for GDPR violations, the GDPR's provisions are directly applicable. Therefore, the IDPC can enforce the fines outlined in Article 83 of the GDPR.

In addition, and without prejudice to the above, the Data Protection Act stipulates that any individual found guilty of certain offences will face penalties. These offences include knowingly providing false information to the IDPC during an investigation, and failing to comply with any lawful request from the IDPC. Conviction for these offences can result in a fine ranging from EUR1,250 to EUR50,000, imprisonment for up to six months, or both.

Furthermore, violations of SL 586.01 (the Processing of Personal Data (Electronic Communications Sector) Regulations, which implement the ePrivacy Directive) are subject to administrative fines. These fines can be up to EUR23,293.73 for each violation and EUR2,329.37 for each day the infringement continues. The IDPC is responsible for determining and imposing these fines.

There is currently no Maltese law that defines “artificial intelligence” but, as Malta is an EU member state, the anticipated and proposed EU AI Act will cover this domain. Malta is set to implement the EU Artificial Intelligence Act (AI Act), which entered into force on 1 August 2024 and represents a significant step into regulating AI. The Act undertakes a risk-based approach and aims to implement transparency and accountability, human oversight and data governance over AI systems.

The EU AI Act and the GDPR are designed to work together. While the AI Act focuses on the safe development and use of AI systems, the GDPR ensures the protection of personal data. This dual approach ensures that AI innovations do not compromise individual privacy rights.

It is also pertinent to note that the MDIA issued the following White Paper consultations in respect of AI in 2019:

• Malta: Towards an AI Strategy – High-level policy document for public consultation;
• Malta: The Ultimate AI Launchpad – A Strategy and Vision for Artificial Intelligence in Malta 2023; and
• Malta: Towards Trustworthy AI – Malta’s Ethical AI Framework.

Apart from the interplay between the EU AI Act and the GDPR, there are currently no local laws or guidance on the interplay between applicable laws in Malta.

Locally, there has been a notable increase in the number of enforcement actions and decisions issued by the IDPC concerning infringements of data protection law. The IDPC issued more decisions in 2024 than in 2023, indicating a significant upward trend in enforcement measures. The majority of the decisions published by the IDPC pertain primarily to infringements of data subjects’ rights to access their personal data under Article 15 of the GDPR, and to the right to erasure under Article 17. Many decisions address the unlawful processing of personal data in violation of Article 6 of the GDPR (specific local case law and IDPC decisions are explored in 2.2 Recent Case Law and in the Malta Trends and Developments chapter in this guide).

As a member state of the European Union, Malta's legal landscape is significantly influenced by supranational and international developments in data protection law. Recent trends in privacy litigation in the EU underscore the growing importance of data protection laws, with the Court of Justice of the European Union (CJEU) delivering several landmark judgments that have direct implications for Malta. In 2024, the CJEU addressed several fundamental issues, including:

• consumer litigation against companies violating data privacy rights;
• targeted advertising;
• the intersection of data privacy and competition law; and
• data privacy within the healthcare and finance sectors.

These decisions will undoubtedly shape the legal privacy landscape in Malta, guiding domestic litigation and enforcement actions by the IDPC.

Locally, the C-Planet decision of 2022 remains the highest fine (EUR65,000) issued by the IDPC. It was imposed on C-Planet It Solutions Limited, which infringed principles of security regarding personal and special categories of data of a substantial number of data subjects. A civil case is currently also being heard in front of the Civil Courts of Malta as a collective action regarding the illegal processing of personal data that included voter preferences.

The IDPC undertook various decisions during 2024, with a large majority pertaining to complaints over CCTV cameras capturing public spaces or third-party properties, whereby the authority ordered the controller to stop processing operations and remove the camera. The only administrative fine issued in 2024 by the IDPC was a EUR15,000 fine in relation to a data protection complaint against two direct unsolicited marketing phone calls (two years apart) after several complaints to stop the processing of personal data by the data subject towards the controller. In such a case, the authority found that the controller infringed Articles 21 (2) and 5 (2) of the GDPR. The IDPC noted that the length and repeated nature of infringement increased the gravity of the breach and further warranted an administrative fine be applied (Article 82). The authority also noted that the way in which the infringement occurred revealed a certain amount of negligence on the controller’s part since the controller’s system failed to erase the complainant’s telephone number from its systems after several complaints to erase the complainant’s personal data and following reassurance that such measures had been taken, and thus infringed Article 21(2) of the GDPR.

Another interesting decision taken in 2024 by the IDPC involved a balancing test between one’s right to privacy and the right to freedom of expression, particularly journalistic expression. In this decision, the alleged breach regarded the publishing of 200 pages of WhatsApp chat conversations between the complainant and a third party, which was consequently published through a blog post found on a blogger’s website. The IDPC needed to take into consideration the right to one’s private life and reconcile an eventual court ban on the publication of such chats with the right to freedom of expression and the right of public interest in relation to persons and information that are deemed to be in the public eye and published in virtue of maintaining a democratic society. In its final decision, the IDPC decided that, although the right to journalistic expression is a fundamental right, the controller of such information should have conducted a fundamental assessment and carefully removed parts containing intimate personal data (for example, sexual relations of the complainant). It decided that the controller had failed to demonstrate proportionate, necessary and justified reasons for substantial public interest as the reason for publishing, and thus deemed the processing unlawful. As a consequence, the IDPC ordered the controller to erase the blog post.

Class actions do exist in Malta, under the Collective Proceedings Act (Chapter 520 of the Laws of Malta, as it stood before the 2023 amendments), but this legislation has faced challenges in its application before the Maltese courts since data protection claims, for example, do not fall under such statute. However, a collective claim is possible in respect of data protection matters in light of Maltese Civil Procedure, which has been termed by court jurisprudence as azzjoni kollettiva or a “cumulative action”. This was in fact the basis for the collective claim of C-Planet in 2022; the case concerned the data leak of sensitive personal data pertaining to citizens’ political leanings and association, which, in the jurisdiction in question, is an immensely delicate issue.

Nevertheless, the Representative Actions Act (Directive (EU) 2020/1828 of 25 November 2020) is designed to provide a more robust legal framework, and is expected to enhance the effectiveness of collective actions by qualified entities in court. Essentially, the Representative Actions Directive requires member states to implement a harmonised procedural framework to permit consumer class actions where a party is in breach of laws, which amongst others now includes data protection claims.

This Directive aims to establish a model for representative actions on behalf of European consumers when their collective interests are harmed. Malta enacted the transposing Maltese law on 5 June 2023 by way of Act No XVII of 2023, entitled “An Act to provide for representative actions for the protection of the collective interests of consumers, and to carry out other consequential amendments” (the Representative Actions Act).

There is no Maltese law specifically regulating the IoT. The concept previously generally fell into the legal problematic pit with big data in terms of data repurposing, but it is anticipated that the forthcoming EU Data Act will reconcile certain matters concerning the IoT in the same way as it intends to better reconcile the industry of big data closely linked with such. Full application of this law is set for 12 September 2025.

There is no Maltese law specifically regulating data regulation, except for the interplay between the EU Data Act and GDPR. The EU Data Act is set to become applicable in Malta in September 2025.

As referred to in 3.1 Objectives and Scope of Data Regulation and 3.2 Interaction of Data Regulation and Data Protection, there is no Maltese law regulating the use of IoT services and data processing services; these are to be governed by the upcoming EU Data Act.

The MDIA is the designated authority to enforce the EU Data Act in Malta. Established under the MDIAA, this authority exercises regulatory functions regarding innovative technology and related services, and promotes consistent principles for the development of visions, skills and other qualities relating to innovative technology. The MDIA is tasked with assisting competent data protection authorities to safeguard data protection rights, in the context of innovative technologies, although it was not primarily set up to oversee privacy and data protection compliance. In this respect, the MDIA is entrusted with the “Strategy and Vision for Artificial Intelligence in Malta 2030”.

Maltese law does not provide regulations regarding “do not track” technologies or behavioural/targeted advertising, but it does regulate cookies and may naturally be interpreted to apply also to similar identifier applications.

In this respect, it is noteworthy that, whilst the conditions for the placing of cookies or similar identifiers entail the “right to refuse” such placement (apart from the provision of information) under the ePrivacy Directive, the requirement under Maltese law is for the giving of “consent”.

The applicable Maltese subsidiary legislation regarding online marketing (SL.586.01) is in line with the ePrivacy Directive.

In relation to workplace or employment law considerations, Maltese law does not provide any specific regulatory framework further to EU data protection law.

In this respect, therefore, from an employment relationship point of view, as there is a disparity in power dynamics between the employer and the employee, consent cannot be relied upon as a lawful basis for processing, so contract performance is utilised.

The employer may also qualify the ground of legitimate interest within a contract of employment, in relation to certain matters. Nevertheless, as an EU member state, Malta is subject to EU jurisprudence and is a contracting party to the ECHR. In this respect, the 2017 judgment of the European Court of Human Rights in Bărbulescu v Romania, which related to the monitoring of an employee’s personal data, established that such monitoring of employees may be carried out in compliance with applicable legislation if it is done in a transparent manner as provided by law.

Under Maltese employment law, it may be inferred that the employer has a legitimate reason to ascertain whether the agreed “hours of work” are duly undertaken. Accordingly, further to the above judgment, a degree of proportionality and due informed notice and explanation must be undertaken, with the adoption of the least intrusive monitoring and adequate safeguards and, last but not least, the qualification of legitimacy in justifying such monitoring.

Previous provisions addressing certain time/record-keeping matters in relation to employment-related data have now been repealed.

In Malta, the Whistleblower Act, Chapter 527 of the Laws of Malta, was enacted in 2013 with the intention of encouraging employees to flag workplace malpractice or illegality encountered or observed. Data protection wrongdoing is included in such legislation, given the wide scope of “improper practice” defined therein. Therefore, employees may raise the issue of privacy and data protection infringements occurring within the organisation discreetly.

Malta does not have specific laws in relation to data protection in due diligence exercises for asset deals, but it is subject to the GDPR, which stipulates indirect obligations in this respect.

In corporate and M&A transactions, the acquiring entity is typically interested in carrying out a due diligence exercise to understand the entity with which they are planning to do business (ie, whether it is and has been compliant with laws such as data protection) and to understand the inherent risk of the seller’s data assets. Whilst this may be desirable for an acquiring entity before it inherits unlawfully obtained or processed data, Article 28(1) of the GDPR mandates an obligation for controllers to ensure that the processors being engaged provide sufficient guarantees that their processing meets the GDPR standards and requirements, in addition to guaranteeing the protection of data subjects’ rights.

Typical issues encountered include the absence of written policies governing data protection and non-reported data breaches.

Parties may opt to enter into an indemnification agreement whereby the vendor would need to reimburse any fine(s) suffered by the purchaser for data protection non-compliance following acquisition. However, this does not account for an increase in insurance premiums in cases where the data protection due diligence results in existing insufficiencies and a high risk of fines.

Further to EU data protection law, personal data that is attributable to a person within the EU or that is processed within the EU may be transferred freely within the EU territory. This may also occur in respect to third countries and international organisations if the processing to occur within such countries or organisation is able to comply with the GDPR’s requirements, ensuring adequate safeguards in terms of Chapter 5 of the GDPR.

Furthermore, the “appropriate safeguards” requirement may be met by virtue of a number of legitimising instruments, as delineated in the GDPR – notably, a Commission adequacy, standard contractual clauses (SCCs), binding corporate rules (BCRs) or other legally binding instruments (Article 46 of the GDPR).

Mechanisms or Derogations That Apply to International Data Transfers

Multilateral agreements in place by virtue of the EU may be applicable for the benefit of Malta and therefore may facilitate cross-border transfers of data to third countries in satisfying the GDPR’s appropriate safeguards element.

In this respect, the EU-US adequacy decision issued in July 2023 effectively acts to fill in the gap for the EU-US Privacy Shield that was invalidated by the CJEU in 2016, and hence facilitates the unhindered flow of data across the Atlantic.

In the EU data protection law sphere, notifications to one’s authority are not currently required in terms of third-country transfers. Appropriate safeguards in terms of the GDPR must be in place vis-à-vis the recipient third country where no adequacy decision for such exists.

In terms of Maltese company law, certain prescribed company-related records must be kept at the company’s registered office in Malta. However, this pertains to the originals in question, so such data may be transferred overseas insofar as such transfer complies with the application legislation, such as being done in accordance with the appropriate safeguards legitimising the regime of third countries or if the transfer does not breach any other law or legal agreement, such as client privilege or a non-disclosure, confidentiality agreement, with the original copy remaining at the registered office.

As a member state of the EU, Malta is subject to Council Regulation 2271/96 of 22 November 1996, which protects against the effects of the potential extraterritorial application of legislation adopted by a third country, and actions based thereon or resulting therefrom. This consequently protects EU operators from the reach of a third country’s extraterritoriality jurisdiction, which may possibly jeopardise EU data subjects’ privacy rights, in light of the third country's differing standard of data protection to the GDPR.

There have been no recent developments or guidance from a local perspective in relation to the international transfer of personal data. Reference to such developments can be found from the European Commission, including its recent public consultation on additional SCCs for international transfers of personal data to non-EU controllers and processors subject to the GDPR extraterritorially, issued in September 2024.