Data Protection Notice
It is the obligation of the Information and Data Protection Commissioner to ensure that the right to the protection of personal data pertaining to individuals who visit this website, and make use of its online facilities, is guaranteed.
This data protection notice provides you with all the information in relation to the processing of personal data pursuant to the requirements set forth in articles 13 and 14 of the General Data Protection Regulation.
1. Controller
The controller is the Information and Data Protection Commissioner whose office is situated at Floor 2, Airways House, High Street, Sliema, SLM 1549, MALTA.
2. Data Protection Officer
The Data Protection Officer may be contacted at idpc.info@idpc.org.mt or via our postal address.
3. Information Collected and the Purpose of the Processing
3.1 Downloaded Information
When you visit our website, the following information will be automatically processed:
- the requested web page or download;
- whether the request was successful or not;
- the date and time when you accessed the site;
- the Internet address of the web site or the domain name of the computer from which you accessed the site; and
- the operating system of the machine running your web browser and the type and version of your web browser.
3.2 Cookies
Cookies are small pieces of data that the site transfers to the user’s computer hard drive when the user visits the website. This website makes limited use of cookies and consequently, for any further information, you are being guided to visit our Cookies Policy.
3.3 Personal data provided by the data subject or collected from other sources
All information provided in the online forms available on the Commissioner’s website, namely, the forms to notify a personal data breach, to lodge a data protection complaint or to lodge a freedom of information application, shall be processed by the Commissioner solely for the purpose of enabling him to perform his regulatory tasks as the supervisory authority responsible for monitoring the applicability of the law, which includes, inter alia, the GDPR and the Data Protection Act (Cap. 586 of the Laws of Malta), including any legislation made thereunder, and the Freedom of Information Act (Cap. 496 of the Laws of Malta).
The legal basis we rely on to process your personal data is article 6(1)(e) of the GDPR, which enables the Commissioner to process your personal data that is strictly necessary for the purpose of performing his tasks as provided by law.
If the information you provide to us contains a special category of personal data within the meaning of article 9(1) of the GDPR, such as data in relation to health, or data revealing racial or ethnic origin, the Commissioner shall process such data on the basis of article 6(1)(e) in conjunction with article 9(2)(g) of the GDPR, which also relates to our public task and the safeguarding of your fundamental rights.
If you lodge a data protection complaint or a freedom of information application with the Commissioner, we would generally be required to disclose the contents of your complaint or application, including your identity, to the controller or the public authority to enable the Commissioner to investigate the complaint or the application and to provide the controller or the public authority with the opportunity to defend itself against the allegation raised by the complainant. If there is specific information that you prefer not to be shared and that you would like the Commissioner to use solely for the purposes of the legal analysis, you are kindly guided to inform us accordingly.
Naturally, during the course of the investigation, we may also receive further information about you.
If you are acting on behalf of a data subject, we may ask for additional information, such as a power of attorney, to ensure that you have the authority to act on behalf of the data subject.
We may publish statistics relating to the number and nature of complaints received but not in a form that would lead to the identification of a natural person.
We publish data protection decisions and FOI decision notices issued by the Commissioner. The FOI decision notices are generally published in full unless there is any information which is deemed to be confidential or for any other reason which the Commissioner deems fit. Any personal data contained in data protection decisions are redacted and any other information which is deemed confidential, which includes inter alia commercially sensitive information, is also redacted.
For information about how long we hold your personal data, click here to access our retention schedule.
3.4 IDPC Newsletter
The Commissioner publishes newsletters to raise awareness and provide information to the public about pertinent data protection matters. By subscribing, you will receive the next newsletter issued after your subscription is processed.
In the newsletter, the Commissioner may include useful links to other websites of various local and international organisations and agencies, as well as a link to this Office’s social media profiles. When connecting to such other websites, you will be subject to the data protection policies of those sites.
Once you subscribe, you will receive future issues of the newsletter directly in your mailbox. When subscribing to the Commissioner’s newsletter we will collect your email address, name and surname.
The Commissioner will also record the following information:
- the time and date of your subscription;
- data on whether the newsletter was delivered to you and data related to your interaction with the newsletter, such as whether the newsletter was opened and, eventually, whether you clicked on it. This information can be sorted by specific date and time.
The employees of the Commissioner have access to these personal data strictly on a need-to-know basis.
The legal basis we rely on to process your personal data is your consent as established by Article 6(1)(a) of the GDPR. By subscribing to the newsletter, you acknowledge that you are providing your consent to the Commissioner to process your personal data. Your personal data will be collected for the sole purpose of sending the newsletter and to deliver content tailored to your interests.
The Commissioner will never use any personal data collected from complaints to send you the newsletter.
3.4.1 Rectify your personal data and unsubscribe from the newsletter
After subscription, you may at any time:
- change your email address used to subscribe; and
- unsubscribe from receiving the newsletter.
To change your preferred email address, you should unsubscribe and re-subscribe with the new preferred email address.
To unsubscribe from the newsletter, and therefore to withdraw your consent from receiving the newsletter, please visit the “Subscribe today” page. There, you will find a link which will redirect you to the unsubscribe page where you will need to provide the email address you used at the time of subscription. To confirm your un-subscription, simply click the “Yes, unsubscribe me” button.
Unsubscribe requests are processed automatically to ensure that you no longer receive the Commissioner’s newsletter.
The Commissioner will keep a timestamp of your request to unsubscribe together with your personal data for a period of 6 months to allow the Commissioner to exercise his regulatory tasks and to respond to your queries.
After the lapse of this period, your personal data will be permanently erased from our database.
3.4.2 Security measure
The Commissioner is committed to safeguarding your right to the protection of personal data. For the purpose of ensuring that your personal data is not misused for subscribing to the Commissioner’s newsletter, we have implemented Two-Factor Authentication.
After submitting your subscription request, you will receive an email asking you to confirm your choice. Please click on the link provided in the email to complete your subscription.
In the event you have the suspicion that your personal data has been used by an unauthorised third party to subscribe to the Commissioner’s newsletter, you are kindly guided to send an email to the Commissioner’s DPO at idpc.info@idpc.org.mt.
3.4.3 Retention period
Your personal data will be processed for as long as you remain a subscriber to the Commissioner’s newsletter. Once you unsubscribe, your data will be processed as described in point 3.4.1.
For information about how long we hold personal data, click here to access our data retention policy.
3.5 Recipients of personal data
We may share your personal data in specific situations as follows:
Recipient | Purpose | Data shared | Legal basis | Security measures |
Data Processor | To provide dedicated technical services when specifically required for the purpose of assisting the Commissioner in conducting complex on-the-spot inspections. | Any data held by the Commissioner in relation to the investigation which is necessary to enable the processor to conduct his tasks. | Service Agreement | Personal information is solely processed upon the Commissioner’s instructions, held securely, and returned or deleted after the task is concluded. |
Data Processor | To provide the plugin for the Commissioner’s newsletter. | No personal data is shared. However, the processor may access your data in the event of conducting maintenance activities. | Data Protection Agreement and Maintenance Agreement | N/A |
Supervisory Authorities of other Member States | To investigate cross-border complaints pursuant to the one-stop-shop mechanism | Any data held by the Commissioner in relation to the complaints | Chapter VII of the GDPR and Regulation (EU) No 1024/2012 of the European Parliament and of the Council of 25 October 2012 (‘the IMI Regulation’) repealing Commission Decision 2008/49/EC. | Information is shared primarily by means of the Internal Market Information (IMI) system. The IMI system provides a standardised format for the exchange of information with our counterparts. The controller of the IMI system is the European Commission which establishes and implements the appropriate technical and organisational measures. |
Your personal data will not be disclosed or shared with any third parties for the purpose of direct marketing.
3.6 Your rights as a data subject
Your right of access
You have the right to ask us for a copy of your personal data undergoing processing, including the right to receive information about the processing activity. This right may be subject to the limitation specified in article 15(4) of the GDPR and the restrictions as set forth in S.L. 586.09.
Your right to rectification
You have the right to ask us to rectify your personal data in case you believe that your personal data is inaccurate.
Your right to erasure
You have the right to ask us to erase your personal data in certain circumstances. This is not an absolute right and depends on the legal basis of the processing.
Your right to restriction of processing
You have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing
You have the right to object to processing unless such processing is required to execute our function and it forms part of our public tasks or is in our legitimate interests.
Your right to data portability
You have the right to ask us to provide you with an electronic copy of the personal data that you have provided. You may also request us to forward such data to another controller. This right only applies if we are processing information based on your consent and processed by automated means.
Your right to withdraw your consent
You have the right to withdraw your consent at any time if such processing is based on article 6(1)(a) of the GDPR, without affecting the lawfulness of such processing taking place before its withdrawal.
Your right to lodge a complaint with the Commissioner
You have the right to lodge a complaint with this Office or with the supervisory authority of another Member State, if you believe that the processing of your personal data infringes the GDPR.
Your rights may be restricted in accordance with S.L. 586.09.
No fees are applicable when exercising your rights. You will be provided with a response without undue delay and in any event within one month of receipt of the request.
Please contact our DPO on idpc.info@idpc.org.mt if you wish to make a request and exercise any of your data protection rights.
4. Links to Other Websites
To enhance your experience, our site provides links to various local and international organisations and agencies. Please be aware that when you click on these links and navigate to external websites, your online experience will no longer be governed by this data protection policy.
5. Website Security Measures
This site uses Secure Sockets Layer (SSL) to ensure secure transmission of your personal data. You should be able to see the padlock symbol in the status bar on the top left-hand corner of the browser window. The URL also starts with https://, indicating a secure webpage. SSL applies encryption between two points such as your PC and the connecting server. Any data transmitted during the session will be encrypted or scrambled and then decrypted or unscrambled at the receiving end. This will ensure that data cannot be read during transmission.
6. Amendments to this Data Protection Notice
If there are any changes to this data protection policy, we will replace this page with the revised version. We therefore encourage you to review this notice each time you visit our website to stay informed of any changes that may occur. If the amendments are substantive, we will actively bring such amendments directly to the attention of the affected data subjects.
7. Feedback
We welcome and greatly appreciate any comments or suggestions you may have that could help us to enhance the quality of service related to this website.
Updated on 05 May 2025