GDPR Law in Malta


Is Your Enterprise Compliant with Malta GDPR Laws?  

The introduction of the General Data Protection Regulation (Regulation 2016/679/EU), or ‘GDPR’, on 25 May 2018 harmonised the previously unsynchronised regulation of data protection across the EU, which could not keep up with the ever-evolving digital world. From this point on, the traditional trajectory of business would enter a new age, bringing about a number of management and system considerations that must be incorporated into the day-to-day running of a business from day one of its incorporation.

To What Extent does the GDPR Apply to My Business in Malta?  

Not all processing of data is subject to the GDPR; however, once ‘Personal’ data is involved, the GDPR regime applies across the board to all ‘processing’ activities, as trivial as they may seem.  Given that businesses base revenue on sales, marketing and customer interactions, a Maltese business is bound to carry out processing of personal data whether it realises it or not.

Compliant with the GDPR or Compliant with the GDPR Regime?  

Whilst several businesses brought their organisations in line with the text of the GDPR by 25 May 2018, regulatory practice has since evolved as a result of various EU court judgements, European Data Protection Board (EDPB) guidelines, and rulings and guidance notes from EU Member State data protection commissions (the IDPC in Malta).

Breaking down the GDPR  

  • Fines up to €20,000,000 or 4% of the firm’s annual revenue turnover, whichever amount is higher.
  • Mandatory appointment of Data Protection Officer (DPO) for a number of activities.
  • Obligatory Data Breach Notification (DBN) as prescribed under law.
  • Required Data Protection Impact Assessments (DPIAs) when high risk may ensue.
  • Data Protection by Design and by Default (DPbD) now obligatory from the start.
  • Substantially extended scope and reach of GDPR applicability.
  • More onerous requisites for consent as lawful basis.
  • Additional data subject rights which may be invoked.
  • Increased information detail to be shared with data subjects.
  • Data Processors directly responsible at law with Data Controllers.
  • Additional stringent requisites in controller-processor agreements.
  • Non-exhaustive list of third-country transfer mitigation measures – such as Standard Contractual Clauses (SCCs).


Key Contacts

Dr Charlene Mifsud

Partner, Corporate & Commercial

+356 2205 6298
