Guidelines and Publications


Activity Report 2018



Data Protection Guidelines for Banks were developed by the Malta Bankers' Association after a consultation exercise held with the Commissioner.  These Guidelines are intended to focus only on those sections of the GDPR which may not be entirely clear, or which could lend themselves to differing interpretations, in order that a common understanding is arrived at and a consistent interpretation is applied across the banking sector.




Guidelines issued by the Malta Gaming Authority, in consultation with the Information and Data Protection Commissioner, for the Maltese Gaming Industry.





A sample data protection information clause, which can form part of an application form when personal data is collected from a data subject and processed on the basis of his or her consent, is being provided for guidance purposes and may be customised and adjusted by the data controller according to the requirements of the organisation: 
"The personal information provided in this application form shall be processed in accordance with the provisions of the Data Protection Act and the General Data Protection Regulation and for the purpose(s) of [insert purpose/s]. 

The processing is based on [insert legal basis for processing pursuant to Article 6 of the GDPR]

 Your personal information will not be disclosed to any third parties unless strictly required by law.  Furthermore, for the scope of achieving the processing purposes, the following are the recipients of your personal data [identify any processors which may be engaged. If you are not able to list them, include information on the categories of recipients which should be as specific as possible by indicating the type of recipient, for instance, by reference to the activities it carries out]:

The Data Protection Officer’s contact details are [where applicable]:

[contact details of the DPO]

You have the right to request access to your personal data as well as the right to rectify and where applicable, erase any inaccurate, incomplete or immaterial personal data; to request restriction of processing, to object to processing and to request data portability for the data held by [insert company name].

If you consider that the processing of your personal data is carried out in an unlawful manner, you may lodge a complaint with the Information and Data Protection Commissioner.

The retention period of the personal data you provided in this application is [include retention timeframe or, if that is not possible, the criteria used to determine that period].

You can withdraw your consent at any time by [specify how the data subject can withdraw the consent which should be as easy as to give consent].

I authorise [insert company name] to process my personal data contained in this form for direct marketing purposes.

I do hereby authorise [insert company name] to process my personal data contained in this form for the above specified purposes."


Processing of personal data for research and statistics 

Data Protection Guidelines on the processing of personal data for research and statistics purposes have been developed by this Office with the objective of assisting data subjects who will process personal information in the course of conducting research. These guidelines have been developed in agreement with both the University Research Ethics Committee and the Health Ethics Committee.

Data Protection and Street Photography 

Brief guidelines providing professional photographers and enthusiasts with basic data protection requirements and considerations when engaging in street photography, essentially when capturing un-posed and un-staged images, particularly when such images identify natural persons who happen to be in public places.



Where a data controller subcontracts business or operational activities and for such reason entrusts a processor with the use of personal data, the controller shall still remain responsible in terms of data protection with regard to such processes carried out on his behalf.

Common examples of similar processes may include hiring an accounting firm to compile employees’ payroll or IT service providers for maintenance and support.

In these cases, the relationship between a data controller and a processor should be regulated by a written contract in accordance with article 28 of the General Data Protection Regulation.


Data protection guidelines on the processing of visual images in schools were launched on 27 October 2005. These guidelines, the first in a series, have been jointly developed by the Data Protection Commissioner and a committee of school representatives composed of representatives of state schools, independent schools, church schools, the Education Division and the Office of the Prime Minister. Such guidelines are intended to define good practice to be adopted in schools.

Guidance for Schools - Processing of visual images in schools

Having issued the first set of guidelines on visual images, the education committee has now commenced other discussions on issues relating to the processing of documents within a school in order to identify procedures of good practice.


Data Protection guidelines for the promotion of good practice in the Insurance Business Sector were launched on 15 February 2006 during an information session.
These guidelines have been jointly developed by a working group composed of representatives of the Malta Insurance Association, the Association of Insurance Brokers, the Malta Financial Services Authority and the Office of the Data Protection Commissioner. The working group will keep on meeting to discuss further issues related to the sector in order to develop a more exhaustive document.