Office of the Information and Data Protection Commissioner

Guidelines & Publications

Annual Reports

Reports drawn up in terms of the Data Protection Act, covering the activities performed by the Commissioner in the exercise of his functions.

2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011

In terms of article 40 of the Data Protection Act, the Data Protection Commissioner regularly meets representatives of the various sectors with the objective to discuss and agree on principles emanating from the Act and articulate in the form of guidelines or codes of practice. 


Data protection guidelines on the processing of visual images in schools have been launched on 27 October 2005.

These guidelines, the first in a series, have been jointly developed by the Data Protection Commissioner and a committee of school representatives composed of representatives of state schools, independent schools, independent schools, church schools, the Education Division and the Office of the Prime Minister. Such guidelines are intended to define good practice to be adopted in schools.

Data Protection Guidelines
Guidance for Schools - Processing of visual images in schools

Linji Gwida dwar il-Protezzjoni tad-Data

Gwida ghall-iskejjel - Processar ta' immagini vizwali fl-iskejjel

Having issued the first set of guidelines on visual images, the education committee has now commenced other discussions on issues relating to the processing of documents within a school in order to identify procedures of good practice.


Data Protection guidlines for the promotion of good practice in the Insurance Business Sector have been launched on 15 February 2006 during an information session.

These guidelines have been jointly developed by a working group composed of representatives of the Malta Insurance Association, the Association of Insurance Brokers, the Malta Financial Services Authority and the Office of the Data Protection Commissioner.  The working group will keep on meeting to discuss further issues related to the sector in order to develop a more exhaustive document.

Guidelines for the promotion of good practice - Insurance Business Sector


Guidance notes applicable to the banking sector have been jointly developed between this Office and the Malta Bankers' Association.  The purpose of these guidelines is to provide the data subject with good practice information pertaining to the applicability of the Data Protection Act in the processing of personal data by the banking sector.

Guidelines for the promotion of good practice - The Banking Sector

Credit Referencing

Data protection guidelines for the promotion of good practice in the processing of personal data by credit referencing institutions.

Engaging a processor

Where a data controller subcontracts business or operational activities and for such reason entrusts a
processor with the use of personal data, the controller shall still remain responsible in terms of data protection with regard to such processes carried out on his behalf.

Common examples of similar processes may include hiring an accounting firm to compile employees’ payroll or IT service providers for maintenance and support.

In these cases, the relationship between a data controller and a processor should be regulated by a written contract in accordance with article 25 of the Data Protection Act.

In order to facilitate data controllers in complying with the above provision, the Commissioner has developed specific sample clauses which could serve as a basis for developing similar agreements or which may form part of business/ service level agreements developed between the parties.

Click here for the sample agreement.

Sample Website Privacy Policy and information clause

Data Conrtollers are strongly encouraged to include a privacy policy on their website providing comprehensive information to site users in conformity with the requirements emanating from article 19 of the Data Protection Act.

Click here to view a sample Website Privacy Policy.

A sample data protection information clause, which can form part of an application form when personal data is collected from a data subject, is being provided for guidance purposes and may be customised and adjusted by the data controller according to the requirements of the organisation: 

"The personal information provided in this application form shall be processed in accordance with the provisions of the Data Protection Act (Cap. 440 of the Laws of Malta) and solely processed for the purpose(s) of [insert purpose/s].

Your personal information will not be disclosed to third parties without your express consent unless this will be strictly required by law.

You have the right to request access to your personal data as well as the right to rectify and where applicable, erase any inaccurate, incomplete or immaterial personal data processed by [insert company name]. 

I do hereby authorise [insert company name] to process the data contained in this form for the above-stated purpose(s)."

Processing of personal data for research and statistics

Data Protection Guidelines on the processing of personal data for research and statistics purposes have been developed by this Office with the objective to assist data subjects who will process personal information in the course of conducting research.  These guidelines have been developed in agreement with both the University Research Ethics Committee and the Health Ethics Committee.

The use of biometric devices at the workplace

Biometrics is the science and technology of uniquely identifying human subjects by means of measuring and analysing one or more intrinsic physical or behavioural traits. These human body characteristics may include fingerprints, eye retinas and more

CCTV surveillance cameras

Closed-circuit television (CCTV) surveillance has become ubiquitous in everyday life.  Their employment is commonplace in a variety of areas to which members of the public have access.  While walking down Republic Street, visiting a shop or bank or sipping a cup of more 

Unsolicited direct marketing

The digital age has revolutionised the way personal data is processed in both the private and commercial spheres.  The relentless drive for innovation and technological progress is radically shaping up our present and future.  The Internet, which sees its origin from a military networking project, has become more

The right to information

Going through the past pages of our diary, we may surprisingly discover an everlasting list of organisations and individuals to whom we have provided our personal information. If we were to challenge ourselves with questions concerning the purposes for which our personal data had been requested or to whom such information may be disclosed or for how long will it be more

Online Behavioural Advertising

During our internet surfing experience, we must have certainly encountered an instance whereby a pop-up window, containing an advertisement, automatically takes centre screen without our direct or indirect intervention.  Funnily enough, the advert will most probably be a personalised one and which entices the user to acquire a product or more