Data & Privacy ยท Malta
Data protection & GDPR compliance in Malta (2026)
Malta shaded by its data & privacy status
Data protection in Malta: comprehensive law, under GDPR (EU) 2016/679 directly applicable; Malta Data Protection Act 2018 (Chapter 586, Laws of Malta); supervised by the Information and Data Protection Commissioner (IDPC).
Malta applies the EU General Data Protection Regulation directly as its primary data-protection instrument, supplemented by the national Data Protection Act 2018 (Chapter 586) and eleven pieces of subsidiary legislation that exercise permitted GDPR derogations. The Information and Data Protection Commissioner (IDPC) is the independent supervisory authority; Dr Reno Borg assumed a new five-year term as Commissioner on 22 April 2026. Malta also participates fully in the EU AI Act framework, with the IDPC designated as market surveillance authority for high-risk AI systems from 2 August 2026.
GDPR & data protection in Malta
In Malta, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Information and Data Protection Commissioner (IDPC).
- Framework
- the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
- Supervisory authority
- the Information and Data Protection Commissioner (IDPC)
- Applies to
- any organisation processing the personal data of people in Malta, wherever the organisation is based
- Maximum fine
- โฌ20 million or 4% of global annual turnover, whichever is higher
- Breach notification
- within 72 hours of becoming aware, to the supervisory authority
- DPO
- required for large-scale monitoring or large-scale special-category processing
The GDPR is bloc-wide; Malta supplements it with a national data-protection act and its own supervisory authority.
GDPR in Malta: FAQ
Yes. As an EU/EEA member, Malta applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Information and Data Protection Commissioner (IDPC).
The Information and Data Protection Commissioner (IDPC).
Up to โฌ20 million or 4% of global annual turnover, whichever is higher.
A DPO is required where you carry out large-scale monitoring or process special-category data at scale.
Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.
Key points
The Data Protection Act 2018 (Act XX of 2018), codified as Chapter 586 of the Laws of Malta, repealed the previous Chapter 440 and entered into force on 28 May 2018 to complement GDPR. It is accompanied by eleven subsidiary regulations covering specific processing contexts.
The Information and Data Protection Commissioner (IDPC) is Malta's sole data-protection supervisory authority under Chapter 586. Dr Reno Borg took the oath of office on 22 April 2026 for a new five-year term, succeeding Ian Deguara.
Malta exercised GDPR derogations in subsidiary legislation: SL 586.11 lowers the age of digital consent to 13 (GDPR Art. 8 permits 13-16); SL 586.10 permits health-data processing for insurance purposes; derogations for freedom of expression and journalistic/research/archival purposes are also enacted.
SL 586.08 transposes Directive 2016/680 (Law Enforcement Directive) into Maltese law, governing personal-data processing by competent authorities for criminal justice purposes, with the IDPC designated as the monitoring authority.
The IDPC actively issues fines: the largest recorded was โฌ65,000 against C-Planet for a data breach involving special-category data. For public authorities, fines are capped at โฌ25,000 per violation (doubling to โฌ50,000 for serious cases) plus daily penalties; private entities face standard GDPR maximums (up to 4 % global turnover / โฌ20 million).
Under Malta's AI Act implementation framework, the IDPC is designated as market surveillance authority for high-risk AI systems touching biometrics, law enforcement, migration/border control, and the administration of justice, with powers effective from 2 August 2026.
Malta - other topics
Data & Privacy in other countries
Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ