Interview with Privacy Laws & Business - Malta’s DPA backs EU GDPR record-keeping simplification

05 June 2025

The Information and Data Protection Commissioner (IDPC), Ian Deguara, and Cynthia Duncan, the IDPC's Senior Legal Counsel, were interviewed by Stewart and Merrill Dresner from the publication Privacy Laws & Business.

This is the full text of the Privacy Laws & Business interview article which was published in the June 2025 International Report:

Malta’s DPA backs EU GDPR record-keeping simplification

With the country’s workforce dominated by SMEs, Ian Deguara, head of Malta’s DPA, supports this change. Stewart and Merrill Dresner report from Malta.

Malta, with a population of 542,000, is the least populous Member State in the EU, followed by Luxembourg (661,000) and Cyprus (921,000). Malta’s economy is thriving: its sunny climate in the middle of the Mediterranean makes it a magnet for tourists. It has a stable political system, a legal system comprising EU law and a unique blend of civil law, common law and various historical influences, and a low tax regime that attracts online businesses and security and blockchain consultants.

Independent since 1964, Malta retains many ties with the UK, including those between the Information and Data Protection Commissioner (IDPC) and the UK’s ICO. The English language is widely used, which helps Malta’s data protection law to develop in broad alignment with the UK and Ireland. Consequently, Malta’s IDPC Ian Deguara said that this is a golden moment for companies choosing Malta as a base.

A growing and evolving office

Deguara joined the IDPC in 2003. “At first, after concluding my studies in computing and management, I occupied the role of a compliance officer at the time when Malta’s data protection law was entering into force in July that year. With long experience of the issues and as part of the management team, I was appointed Commissioner in December 2020.”

“When I was first appointed during the pandemic, much of my time was dedicated to working closely with the health authorities to ensure that any personal data concerning health which was required for the purpose of safely navigating the pandemic was processed in accordance with data protection rules.”

Deguara now has a total of 13 staff members with a flat organisation structure and three functions:

  1. Legal: dealing with data protection and freedom of information investigations, including enquiries and other issues of a legal nature.
  2. Technical: dealing with technical and technological matters.
  3. Communications: recently set up to increase the office’s visibility and reach, primarily via its portal and social media channels.

The IDPC’s budget has increased 6-7% every year since 2020. This year it is €800,000. “I plan to recruit more staff, because in November 2024, my office was designated as a Fundamental Rights Authority under the EU AI Act. We will also assume the role of Market Surveillance Authority for certain high-risk AI systems under the same Act. I enjoy a close relationship with Malta’s other regulators, such as the Malta Financial Services Authority and the Malta Digital Innovation Authority.”

Complaints and enforcement

Deguara gives high priority to complaints received by his office. “We do not have a triaging system through which complaints are accepted on the basis of the risks which might be involved to the fundamental rights of complainants – all complaints are handled with the same degree of professionalism and dedication”. Some complaints, for example on a non-response to a subject access request, are generally resolved relatively quickly by the IDPC staff, but complex cases will be subject to a fully-fledged investigation. These cases are typically closed with a legally-binding decision within an average period of eight months.

Most legal work is handled in-house, with external legal counsel brought in only for specialist litigation, such as cases before the Constitutional Court.

Complaints against gaming companies represent a distinct and significant stream in the complaint statistics. The land-based casinos and remote gaming industry in Malta represent around 7% of the economy and much more when support functions and related sectors, such as tourism, are taken into account.

Cross-border complaints: In 2024, the IDPC received a total of 256 cross-border complaints, marking a substantial increase from the 105 complaints recorded in 2023, and demonstrating a growing trend in cross-jurisdictional data protection issues, especially within the digital services sector.

Some 252 of these cases fell under the Office’s responsibility as Lead Supervisory Authority (LSA), indicating that the controller in question has its main establishment in Malta. The remaining four complaints were handled under the role of Concerned Supervisory Authority (CSA), where the complaints were filed in Malta against a controller whose main establishment is in another EU/EEA Member State.

The bulk of these 252 complaints originated from other EU jurisdictions, with Austria (124) and Germany (105) together accounting for around 90% of all cross-border cases. The gaming industry overwhelmingly dominated the subject matter of these complaints, being the focus of 244 out of the 256 cases received.

Complaints from Malta: On the domestic front, the Office received 883 local complaints, of which 271 were deemed admissible and proceeded to the investigation stage. A significant portion of these were lodged against private individuals, particularly concerning CCTV surveillance practices directed at private property, while others involved entities within the gaming industry and the public sector.

Following its investigations, the Commissioner issued several formal orders throughout 2024, focusing on sectors and practices where compliance gaps were most evident, including failure to address subject access requests (SARs), unlawful processing of personal data by means of video devices, and infringements of the accuracy principle in the telecommunications sector. Any orders issued by the Commissioner in his decisions are followed up to make sure that data controllers comply with them.

In cases involving SARs, particularly within the gaming industry, the Commissioner found repeated instances in which data controllers either failed to respond or did not provide sufficient evidence that the request had been fulfilled. In such cases, the Office ordered the controller to provide a response to the data subject, to supply documentation proving that the request had been addressed prior to the complaint, or to demonstrate conclusively that access had been provided.

Finding solutions

When representatives of specific sectors or controllers in general seek advice, Deguara said that he is always willing to listen and help identify solutions. “I give verbal advice and written advice if necessary. My advice to a controller provides legal comfort, but this is invariably done without prejudice to any investigation which might need to be carried out ex-officio or following the receipt of a complaint.”

“We issue decisions in the language of the complainant which is in English 90% of the time, and in Maltese for the rest of them.”

Online self-assessment tool for SMEs

The IDPC launched a project called GDPRights, “a GDPR awareness campaign and support to business organisations, in particular, SMEs”, to raise awareness and support businesses in complying with their obligations under the GDPR. EU funds were obtained for this in 2019. The project included the development of an Online Self-Assessment Compliance Tool, which allows SMEs to assess their GDPR compliance by answering key questions. The tool then generates a report highlighting risk levels and compliance gaps, and provides tailored recommendations. It also includes access to templates and policy documents.

Relationship between the IDPC and Malta’s government

Deguara explained that his office is independent; the government does not try to recommend particular policies, but it consults the office on legislative proposals when these involve the processing of personal data. The Commissioner presents his Annual Report to Parliament and to the Ministry of Justice in June of each year.

Deguara said that, since 2023, all the decisions taken by his office have been published on the website. For data protection decisions, the names of the parties, namely the controller and the complainant, are redacted, together with any other information which might be of a confidential nature. “However we consider that decisions issued in terms of the Freedom of Information Act are in the public interest and are therefore published in their entirety without any redactions.”

Cooperation with other supervisory authorities

Deguara explained that the office has regular contact with members of the British, Irish and Islands’ Data Protection Authorities (BIIDPA) group. Malta, Ireland and Cyprus are the only members of this group which are EU member states.

“We take it in turns to host the BIIDPA annual conference in person and we meet on specific subjects online. For example, we exchange experience on complaints handling and procedures for various actions.”

Deguara explained that the IDPC’s Memorandum of Understanding with the UK’s ICO has mainly symbolic value, as communications and coordination with the ICO have always been excellent.

The IDPC participates in most of the working groups of the European Data Protection Board (EDPB) (2), both in Brussels and online, and one of Deguara’s colleagues serves as Vice-Chairman of the Customs Information Systems working group.

Conclusion

Deguara concluded “As we continue to navigate an increasingly data-driven world, the role of robust data protection is more critical than ever. Our office remains firmly committed to upholding individuals’ data protection rights, promoting accountability, and ensuring that innovation and data privacy can go hand in hand. It’s not only about compliance, but also about building and nurturing trust in our digital society.”

INFORMATION

Commissioner Ian Deguara is speaking at PL&B’s International Conference in Cambridge on Monday 7 July in the session “A common thread binds the British, Irish, and Islands DPAs together for predictability and legal certainty”.

MALTA: RESTRICTION ON THE RIGHT OF ACCESS

Cynthia Duncan, the IDPC’s Senior Legal Counsel, highlighted one of the most significant legal developments in 2024. The Austrian Supreme Court ruled that foreign iGaming companies were illegally operating in the country, and players therefore sought to keep their winnings but reclaim their losses. In light of these developments, data subjects are increasingly exercising their rights under article 15 GDPR, which grants them the right to obtain a copy of their personal data, including their transaction history. In this regard, the Commissioner has received a significant number of complaints in which various gaming companies invoked Regulation 4(e) of Subsidiary Legislation 586.09 – Restriction of the Data Protection (Obligations and Rights) Regulations, a restriction that is often cited in response to players’ requests for data access.

While the GDPR allows for certain restrictions to data subject rights under national law, such limitations must be clearly justified. Regulation 4(e) of Subsidiary Legislation 586.09 provides that “any restriction to the rights of the data subject referred to in Article 23 of the Regulation shall only apply where such restrictions are a necessary measure required: - (e) for the establishment, exercise or defence of a legal claim and for legal proceedings which may be instituted under any law”. However, any such restriction must be assessed strictly in light of regulation 7 of the same legislation, which mandates that any limitation imposed must constitute a necessary and proportionate measure. For a restriction under regulation 4(e) of Subsidiary Legislation 586.09 to be justified, the controller must demonstrate that it is strictly necessary to defend an actual legal claim or legal proceedings. A restriction cannot be based merely on the possibility that the data subject may initiate legal action following receipt of the information. A hypothetical or speculative rationale does not satisfy the legal threshold. Without clear and substantiated evidence of an existing or imminent legal claim, invoking regulation 4(e) of Subsidiary Legislation 586.09 constitutes an unlawful interference with the right of access.

There is an obligation on controllers who decide to restrict data protection rights based on one of the permissible grounds under article 23 GDPR, as further implemented in national law by virtue of Subsidiary Legislation 586.09, to conduct a necessity and proportionality assessment and to properly document such assessment internally pursuant to their accountability obligations. Pursuant to article 5(2) GDPR, the controller must be able to concretely demonstrate how the restriction is indeed necessary, and if this part of the test is passed, must then proceed to demonstrate that the measure is also proportionate. The case law of the Court of Justice of the European Union (CJEU) emphasises that any limitation to the rights of data subjects must pass a strict necessity test. In Case C-73/07, the CJEU held that “derogations and limitations in relation to the protection of personal data … must apply only insofar as is strictly necessary”.

It is therefore imperative that controllers invoking regulation 4(e) of Subsidiary Legislation 586.09 adhere strictly to these legal standards. The Commissioner decided that restrictions must be supported by objective and verifiable evidence, limited to what is strictly necessary and should not be based on speculative or pre-emptive grounds. In his decision, he noted that the right of access is a cornerstone of data protection law and any interference with this right must be exceptional, justified and fully compliant with both national and European legal requirements.

In addition to this, there have been other instances where gaming companies are alleging that transaction data is not personal data and therefore not subject to the requirements of the GDPR. In his decision, the Commissioner determined that the controller’s claim, that transaction data does not constitute personal data under the GDPR, is inconsistent with the established interpretations of article 4(1) GDPR, which defines personal data broadly as any information relating to an identified individual. The Commissioner concluded that transaction data, particularly when combined with other identifying details, falls within this definition and therefore should not have been excluded from the complainant’s access request under article 15 GDPR.

The IDPC’s interpretations have been formally challenged by several iGaming companies and are currently the subject of ongoing proceedings before the Information and Data Protection Appeals Tribunal.(1)

REFERENCES

  1. CDP 145 (2025)
  2. EDPB plenaries, subgroups and taskforces