Privacy Policy

The General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’)implemented by the Data Protection Act (Act XX 2018) (Chapter 586) ('the Act'places direct data processing obligations on companies at an EU-wide level.

The GDPR applies to “processors” and “controllers” of personal data. Whereas the data controller determines the purpose and means of processing the personal data, the data processor only processes the personal data on behalf of the data controller like for example, a payment provider. By collecting data to sell and market products, eCommerce retailers are likely to fall under the definition of a controller.

The GDPR requires that a data controller only engages a data processor who offers sufficient guarantees. These guarantees should be included in a written contract between the data controller and processor. The contract must also contain a number of mandatory clauses, including, for example, a clause stipulating that the data processor will only process personal data on the documented instructions of the data controller.

In Malta, the Office of the Information and Data Protection Commissioner ('IDPC') is the Data Protection Authority (DPA) responsible for monitoring and enforcing the application of the provisions of the Act and the GDPR in order to protect the fundamental rights and freedoms of natural persons in relation to processing of personal data, and to facilitate the free flow of personal data between Malta and other Member States.

The GDPR applies to any business that processes personal data by automated or manual processing. Article 4 of the GDPR defines ‘personal databroadly. Essentially, it refers to any identifier from which an individual can be directly or indirectly identified. The individual’s consent must be obtained every time that his/her personal data is collected.

According to the GDPR, a company can only process personal data under certain conditions. For instance, the processing should be fair and transparent, for a specified and legitimate purpose and limited to the data necessary to fulfil this purpose. It must also be based on one of the following legal grounds:


  • The consent of the individual concerned;
  • A contractual obligation between you and the individual; To satisfy a legal obligation; 
  • To protect the vital interests of the individual; To carry out a task that is in the public interest;
  • For your company’s legitimate interests, but only after having checked that the fundamental rights and freedoms of the individual whose data you are processing are not seriously impacted. If the person’s rights override your interests, then you cannot process the data.

According to the GDPR, actions such as collecting, using and deleting personal data all fall within the definition of processing personal data. The GDPR applies strict rules for processing data based on consent. The purpose of these rules is to ensure that the individual understands what he or she is consenting to.

This means that the consent should be freely given, specific, informed and unambiguous by way of a request presented in clear and plain language. Furthermore, consent should be given by a statement or an affirmative act, such as checking a box online or signing a form. Especially, in the case of special categories of personal data (sensitive personal data), consent must be explicitly expressed. The data subject must be informed of his/her right to withdraw his/her consent (at will) from the processing of his/her data at any time. In fact, under the GDPR, “it shall be as easy to withdraw as to give consent”.

Companies must provide individuals with information on who is processing what and why. At a minimum, this information must clearly state:

  • who you are;
  • why you are processing the data;
  • what the legal basis is;
  • who will receive the data (if applicable)

In some cases, the information must also state:

  • contact information of the Data Protection Officer (DPO) (where applicable); legitimate interest (when the legitimate interest is the legal ground for processing); basis for transferring the data to a country outside the EU;
  • how long the data will be stored;
  • the individual’s data protection rights (i.e. right to access, correction, erasure, restriction, objection, portability, etc.);
  • how consent can be withdrawn (when consent is the legal ground for processing); whether there is a statutory or contractual obligation to provide the data;
  • in the case of automated decision-making, information about the logic, significance and consequences of the decision.

Right to access and right to data portability

Individuals have the right to request access to their personal data, free of charge and in an accessible format.

If you receive such a request, then you have to:

  • tell the individual if you are processing their personal data;
  • inform them about the processing (such as the purposes of the processing, categories of personal data concerned, recipients of their data, etc);
  • provide a copy of the personal data being processed

In addition, when the processing is based on consent or a contract, the individual can ask for their personal data to be returned or transmitted to another company. This is known as the right to data portability. The data should be provided in a commonly used and machine-readable format.

Right to erasure (right to be forgotten)

In some circumstances, an individual can request that the data controller erase their personal data, such as when the data is no longer needed to fulfil the processing purpose. However, your company is not obliged to comply with an individual request if:

  • the processing is necessary to respect one’s freedom of expression and information;
  • you must keep the personal data to comply with a legal obligation;
  • there are other reasons of public interest to keep the personal data, such as public health or scientific and historical research purposes;
  • you need to keep the personal data to establish a legal claim.

Right to correct and right to object

If an individual believes that their personal data is incorrect, incomplete or inaccurate, he or she has the right to have it rectified or completed without undue delay. An individual may also object at any time to the processing of their personal data for a particular use when your company processes it on the basis of your legitimate interest or for the performance of a task in the public interest. Unless you have a legitimate interest that overrides the interest of the individual, you must stop processing the personal data. Likewise, an individual can ask to have the processing of their personal data restricted while it is determined whether or not your legitimate interest overrides their interest. However, in the case of direct marketing, you are always obliged to stop processing the personal data at the request of the individual.

Appoint a Data Protection Officer

A DPO is responsible for monitoring your compliance with the GDPR. One of the DPO’s core tasks is to inform and advise employees who carry out the actual processing of personal data about their obligations. The DPO also cooperates with the DPA, serving as a contact point towards the DPA and individuals.

However, your company is only required to appoint a DPO if:

  • you regularly or systematically monitor individuals or process special categories of data;
  • this processing is a core business activity; and
  • you do it on a large scale.

For example, if you process personal data to target advertising through search engines based on people’s online behaviour, then the GDPR requires that you have a DPO. If, however, you only send your clients promotional material once a year, then you will not need a DPO.

Responding to requests

If your company receives a request from an individual who wants to exercise their rights, you should respond to this request without undue delay and in any case within 1 month of receiving the request. However, this response time may be extended by 2 months for complex or multiple requests, so long as the individual is informed about the extension. Furthermore, requests should be dealt with free of charge. If a request is rejected, then you must inform the individual of the reasons for doing so and of their right to file a complaint with the DPA.

Demonstrate compliance and keep records

One of the GDPR’s core principles is to demonstrate compliance. Therefore, as a company you must be able to prove that you act in compliance with the GDPR and that you satisfy all applicable obligations, in particular, upon request or inspection from the DPA.

It is therefore suggested that detailed records are kept on the following:

  • name and contact details of your business involved in data processing;
  • reason(s) for processing personal data;
  • description of the categories of individuals providing personal data;
  • categories of organisations receiving the personal data;
  • transfer of personal data to another country or organisation;
  • storage period of the personal data;
  • description of security measures used when processing personal data.

Furthermore, your company should also maintain — and regularly update — written procedures and guidelines and make them known to your employees.

Data Protection Impact Assessment (DPIA)

A DPIA must be conducted whenever the intended processing would pose a high risk to the rights and freedoms of individuals. Such case would be, for instance, when new technologies are introduced.

Cross-border processing

For cross-border processing, a supervisory authority of another country, and not your national DPA, may be the competent authority. Typically, this is the DPA of the country that hosts your company’s main establishment (where decisions about the means and purposes of processing are made) within the EU.