Skip to content
World Watch/Malta/Data & Privacy

Data & Privacy ยท Malta

Data protection & GDPR compliance in Malta (2026)

Comprehensive lawGDPR (EU) 2016/679 directly applicable; Malta Data Protection Act 2018 (Chapter 586, Laws of Malta); supervised by the Information and Data Protection Commissioner (IDPC)Country index 96 ยท A+

Malta shaded by its data & privacy status

Data protection in Malta: comprehensive law, under GDPR (EU) 2016/679 directly applicable; Malta Data Protection Act 2018 (Chapter 586, Laws of Malta); supervised by the Information and Data Protection Commissioner (IDPC).

Malta applies the EU General Data Protection Regulation directly as its primary data-protection instrument, supplemented by the national Data Protection Act 2018 (Chapter 586) and eleven pieces of subsidiary legislation that exercise permitted GDPR derogations. The Information and Data Protection Commissioner (IDPC) is the independent supervisory authority; Dr Reno Borg assumed a new five-year term as Commissioner on 22 April 2026. Malta also participates fully in the EU AI Act framework, with the IDPC designated as market surveillance authority for high-risk AI systems from 2 August 2026.

GDPR & data protection in Malta

In Malta, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Information and Data Protection Commissioner (IDPC).

Framework
the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
Supervisory authority
the Information and Data Protection Commissioner (IDPC)
Applies to
any organisation processing the personal data of people in Malta, wherever the organisation is based
Maximum fine
โ‚ฌ20 million or 4% of global annual turnover, whichever is higher
Breach notification
within 72 hours of becoming aware, to the supervisory authority
DPO
required for large-scale monitoring or large-scale special-category processing

The GDPR is bloc-wide; Malta supplements it with a national data-protection act and its own supervisory authority.

GDPR in Malta: FAQ

Does the GDPR apply in Malta?

Yes. As an EU/EEA member, Malta applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Information and Data Protection Commissioner (IDPC).

Who enforces data protection law in Malta?

The Information and Data Protection Commissioner (IDPC).

What are the GDPR fines in Malta?

Up to โ‚ฌ20 million or 4% of global annual turnover, whichever is higher.

Do you need a Data Protection Officer in Malta?

A DPO is required where you carry out large-scale monitoring or process special-category data at scale.

How quickly must a data breach be reported in Malta?

Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.

Key points

Primary national implementing law

The Data Protection Act 2018 (Act XX of 2018), codified as Chapter 586 of the Laws of Malta, repealed the previous Chapter 440 and entered into force on 28 May 2018 to complement GDPR. It is accompanied by eleven subsidiary regulations covering specific processing contexts.

Supervisory authority, IDPC

The Information and Data Protection Commissioner (IDPC) is Malta's sole data-protection supervisory authority under Chapter 586. Dr Reno Borg took the oath of office on 22 April 2026 for a new five-year term, succeeding Ian Deguara.

Key national derogations

Malta exercised GDPR derogations in subsidiary legislation: SL 586.11 lowers the age of digital consent to 13 (GDPR Art. 8 permits 13-16); SL 586.10 permits health-data processing for insurance purposes; derogations for freedom of expression and journalistic/research/archival purposes are also enacted.

Law Enforcement Directive implementation

SL 586.08 transposes Directive 2016/680 (Law Enforcement Directive) into Maltese law, governing personal-data processing by competent authorities for criminal justice purposes, with the IDPC designated as the monitoring authority.

Enforcement record

The IDPC actively issues fines: the largest recorded was โ‚ฌ65,000 against C-Planet for a data breach involving special-category data. For public authorities, fines are capped at โ‚ฌ25,000 per violation (doubling to โ‚ฌ50,000 for serious cases) plus daily penalties; private entities face standard GDPR maximums (up to 4 % global turnover / โ‚ฌ20 million).

AI Act intersection with data protection

Under Malta's AI Act implementation framework, the IDPC is designated as market surveillance authority for high-risk AI systems touching biometrics, law enforcement, migration/border control, and the administration of justice, with powers effective from 2 August 2026.

Malta - other topics

Data & Privacy in other countries

Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ†’