Definitions and Applicability

This section sets out the key definitions contained in the Data Protection Act, explaining what they mean in practical terms, and where the Act applies.

What is the scope of the Data Protection Act?

The Act aims to protect the individuals against the violation of their privacy by the processing of “personal data”.

Personal Data means ANY information –

(a)   Relating to an identified or identifiable natural person;

(b)   An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

The term “any” makes it clear that the spirit of the Act is not to narrow the definition by listing what constitutes information, for instance, a person’s name and surname, but leaves the definition open to interpretation.


Indirectly Identified: A photographer published a photo of a vehicle registration number. This number does not identify individuals by name, but bear unique reference numbers can be matched to a system to identify the individuals concerned. The vehicle registration number is personal data.

Directly Identified:  A photographer publishes a photograph of a person which clearly identifies him or her.

Data subject means a natural person to whom the personal data relates.  A deceased person and a legal person are not considered as data subjects.

Controller of personal data means a person who alone or jointly with others determines the purposes and means of the processing of personal data.  A data controller could be individuals, organisations or any other body corporate.  Data controllers must ensure that any processing of personal data for which they are responsible complies with the Act.

Processor means a person who processes personal data on behalf of the controller.


A company engages another company to provide an internal business service on its behalf, such as, the employees’ payroll. The carrying out of processing by way of processor is to be governed by a contract or other legally binding instrument.

Processing of personal data, mean any operation or set of operations which is taken in regard to personal data, including the collection, recording, organisation, storage, adaptation, alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction of such data.

Applicability of the Data Protection Act

The Act applies to:

(a)    manual, automated or partly automated processing operations which is intended to form part of a structured filing system;

(b)  the processing of personal data carried out by a controller in Malta or in a Maltese Embassy or High Commission abroad;

The processing of personal data where the controller is established in a third country provided that the equipment used for the processing is situated in Malta (shall not apply if the equipment is used only for purposes of transit of information between a third country and another such country).

The Act does not apply to:

(a)  processing of personal data where such processing is undertaken by a natural person in the course of a purely personal activity;


If a person takes a photograph of a number plate of another person and keeps the image on his mobile phone or installs a CCTV camera system to capture the perimeter of own property, the Act shall not apply due to the household exemption. However, when publishing the photograph or publicly streaming the recorded footage of the CCTV camera, which contains personal data, the Act shall apply and the person would assume the role of a data controller.

(b)   processing operations concerning public security, defence, State security and activities of the State in areas of criminal law.