Data Protection for Organisations
Guidelines
Guidelines on data protection aspects of the collection by employers of the COVID-19 vaccination status of employees
Having received a considerable number of queries about the data protection implications of such collection, the IDPC has issued guidelines on the data protection aspects of the collection by employers of information about the COVID-19 vaccination status of their employees.
The guidelines explain how employers which intend to collect and process such information should act on the basis of the risk-based approach.
Please click on the following hyperlink to access the guidelines: Guidelines on the data protection aspects related to the collection of employees’ COVID-19 vaccination status
Banking
Data Protection Guidelines for Banks (Link here) were developed by the Malta Bankers' Association after a consultation exercise held with the Commissioner. These Guidelines are intended to focus only on those sections of the GDPR which may not be entirely clear, or which could lend themselves to differing interpretations, in order that a common understanding is arrived at and a consistent interpretation is applied across the banking sector.
Gaming Industry
Guidelines issued by the Malta Gaming Authority, in consultation with the Information and Data Protection Commissioner, for the Maltese Gaming Industry. You may follow this link to read the full document.
Political Campaigning Purposes
Guidelines adopted by this Office to provide the necessary direction to political parties and election candidates when processing personal data for the purpose of sending political campaigning messages. You may follow this link to read the full document.
Credit Referencing
Data protection guidelines for the promotion of good practice in the processing of personal data by credit referencing institutions. You may follow this link to read the full document.
Sample Information Clause
A sample data protection information clause, which can form part of an application form when personal data is collected from a data subject and processed on the basis of his or her consent, is being provided for guidance purposes and may be customised and adjusted by the data controller according to the requirements of the organisation:
"The personal information provided in this application form shall be processed in accordance with the provisions of the Data Protection Act and the General Data Protection Regulation and for the purpose(s) of [insert purpose/s].
The processing is based on [insert legal basis for processing pursuant to Article 6 of the GDPR].
Your personal information will not be disclosed to any third parties unless strictly required by law. Furthermore, for the scope of achieving the processing purposes, the following are the recipients of your personal data [identify any processors which may be engaged. If you are not able to list them, include information on the categories of recipients which should be as specific as possible by indicating the type of recipient, for instance, by reference to the activities it carries out]:
The Data Protection Officer’s contact details are [where applicable]:
[contact details of the DPO]
You have the right to request access to your personal data as well as the right to rectify and where applicable, erase any inaccurate, incomplete or immaterial personal data; to request restriction of processing, to object to processing and to request data portability for the data held by [insert company name].
If you consider that the processing of your personal data is carried out in an unlawful manner, you may lodge a complaint with the Information and Data Protection Commissioner.
The retention period of the personal data you provided in this application is [include retention timeframe or, if that is not possible, the criteria used to determine that period].
You can withdraw your consent at any time by [specify how the data subject can withdraw the consent which should be as easy as to give consent].
I authorise [insert company name] to process my personal data contained in this form for direct marketing purposes.
I do hereby authorise [insert company name] to process my personal data contained in this form for the above specified purposes."