⚖ Laws of Malta


Data Protection and Privacy Rights in Malta

GDPR complaints, data access requests, privacy violations

You have strong data protection rights in Malta under GDPR and Maltese law. You can access your data, demand it be deleted, and complain if organisations m

  1. Know your rights under GDPR

    As a Malta resident you have: Right of access — see what data an organisation holds about you. Right to rectification — correct inaccurate data. Right to erasure (right to be forgotten) — have your data deleted in certain circumstances. Right to object — stop an organisation using your data for marketing. Right to data portability — get your data in a usable format. Right to restrict processing. These apply to any organisation processing your personal data.

  2. Submit a Subject Access Request (SAR)

    To find out what data an organisation holds about you, submit a Subject Access Request in writing (email is fine). State clearly: your full name and contact details, what data you want access to, and any details to help them locate it. The organisation must respond free of charge within 30 days. For complex requests they can extend to 3 months but must tell you within 30 days.

  3. Request erasure of your data

    You can request your data be deleted if: you no longer consent and consent was the only basis for processing; the data is no longer necessary for the original purpose; you successfully object to the processing; or the data was processed unlawfully. Send a written erasure request. The organisation must respond within 30 days. There are exceptions — e.g. legal obligations may require them to keep some data.

  4. Opt out of marketing — right to object

    You have an absolute right to object to your data being used for direct marketing. Contact the organisation and say clearly you object to marketing communications. They must stop immediately — they cannot charge you or refuse. You can also unsubscribe from emails using the unsubscribe link (required by law to be included in marketing emails).

  5. Data breach — your rights if your data was leaked

    If an organisation suffers a data breach that is likely to result in a risk to your rights and freedoms, they must notify you without undue delay. If you have been notified of a breach or suspect one, you can: request information about what happened; request erasure of affected data; contact the IDPC if the organisation is not responding adequately.

  6. File a complaint with the IDPC

    If your data rights are being violated and the organisation is not cooperating, file a complaint with the Information and Data Protection Commissioner (IDPC) at idpc.org.mt or call 2328 7100. The complaint is free. The IDPC can investigate, order the organisation to comply, and impose fines of up to €20 million or 4% of annual global turnover for serious breaches.

  7. Spam and unwanted calls — special rules

    Under the Electronic Communications Act and GDPR, unsolicited commercial emails (spam) and automated marketing calls are illegal without your prior consent. If you receive spam from a Maltese-based company, complain to the IDPC. For phone calls from overseas, the IDPC can coordinate with regulators in other EU countries through the European Data Protection Board network.
