Data Protection in Malta

Online privacy in Malta

Cookie Compliance

Subsidiary Legislation 586.01, entitled ‘Processing of Personal Data (Electronic Communications Sector) Regulations' amended the regulations implementing Article 2(5) of Directive 2009/136/EC into Maltese Law. 

The Commissioner has recently published a “Guidance Note on Cookies Consent Requirements” which can be read here

Traffic Data

Under the Processing of Personal Data (Electronic Communications Sector) Regulations, traffic data relating to subscribers and users processed by an undertaking which provides publicly available electronic communications services or which provides a public communications network, must be erased or made anonymous when no longer required for the purpose of transmitting a communication.

Traffic data required for the purpose of subscriber billing or interconnection payments may be retained, provided however, that data retention is permissible only up to the period that a bill may lawfully be challenged or payment pursued.

Traffic data may be processed where the aim is to market or publicize the provision of a value-added service, however, the processing of such data shall only be permissible to the extent and for the duration necessary to render such services.

Processing of traffic data is also permissible by an undertaking providing publicly available electronic communication for the following purposes:

  • Managing billing or traffic management
  • Customer inquiries
  • Fraud detection
  • Rendering of value-added services

The Act does not introduce any new rules in this regard.

Location Data

Where location data (other than traffic data) relating to users or subscribers of public communications networks or of publicly available electronic communications services can be processed, such data may only be processed when it is made anonymous or with the consent of the users or subscribers, to the extent and for the duration necessary for the provision a value-added service.

Prior to obtaining user or subscriber consent, the undertaking providing the service shall inform them of the following:

  • The type of location data which shall be processed
  • The purpose and duration of processing
  • Whether the processed data shall be transmitted to a third party for the purpose of providing the value-added service

A user or subscriber may withdraw consent for the processing of such location data (other than traffic data) at any time.

The Act does not change the previous position and does not derogate from the GDPR or further regulate in this regard.

Continue reading

  • no results

Previous topic
Back to top