Data protection & privacy laws in Malta (2026)

The Data Protection Act 2018 (Act XX of 2018), codified as Chapter 586 of the Laws of Malta, repealed the previous Chapter 440 and entered into force on 28 May 2018 to complement GDPR. It is accompanied by eleven subsidiary regulations covering specific processing contexts.

The Information and Data Protection Commissioner (IDPC) is Malta's sole data-protection supervisory authority under Chapter 586. Dr Reno Borg took the oath of office on 22 April 2026 for a new five-year term, succeeding Ian Deguara.

Malta exercised GDPR derogations in subsidiary legislation: SL 586.11 lowers the age of digital consent to 13 (GDPR Art. 8 permits 13–16); SL 586.10 permits health-data processing for insurance purposes; derogations for freedom of expression and journalistic/research/archival purposes are also enacted.

SL 586.08 transposes Directive 2016/680 (Law Enforcement Directive) into Maltese law, governing personal-data processing by competent authorities for criminal justice purposes, with the IDPC designated as the monitoring authority.

The IDPC actively issues fines: the largest recorded was €65,000 against C-Planet for a data breach involving special-category data. For public authorities, fines are capped at €25,000 per violation (doubling to €50,000 for serious cases) plus daily penalties; private entities face standard GDPR maximums (up to 4 % global turnover / €20 million).

Under Malta's AI Act implementation framework, the IDPC is designated as market surveillance authority for high-risk AI systems touching biometrics, law enforcement, migration/border control, and the administration of justice, with powers effective from 2 August 2026.