Office of the Information and Data Protection Commissioner

Frequently Asked Questions


Q. How can the Data Protection Act help me?

A. The Data Protection Act makes provision for the protection of individuals against the violation of their privacy by the processing of personal data. The Act establishes obligations on data controllers on the way how personal data is to be processed, based on the priciples of good information handling.


Q. What are the nine basic principles of good information handling?

A. The nine principles as set out in article 7 of the Act, assure that your information about you is handled properly. They state that data must be:

1.  Fairly and lawfully processed;
2.  Processed in accordance with good practice;
3.  Collected for specific, explicitly stated and legitimate purposes;
4.  Processed for reasons compatible with the reason it was collected;
5.  Adequate and relevant to the processing purpose;
6.  Not more than is required for processing purpose;
7.  Correct and, if necessary, up to date;
8.  Completed, corrected, blocked or erased, if the data is found to be incomplete or incorrect with regard to its processing purpose;
9.  Not kept for longer than is necessary.  


Q. What is Personal data?

A. Personal data means any information about an identifiable living individual. The Data Protection Act makes also specific provisions for sensitive personal data, which includes:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious of philosophical beliefs;
  • Membership of a trade union;
  • Health or sex life.

Q. What is the Right of Access?

A. The Data Protection Act provides that a data subject has a right of access over his own personal data.
Where personal data relating to you is being processed, you are entitled to receive written information, without excessive delay and without expense. The information shall indicate:

  • The actual personal data which is processed;
  • The source of the information;
  • The purpose of the processing
  • Any recipients or categories of recipients of the data
  • Logic involved in any automatic processing of data relating to you

In exercising your right of access, you need to write to the person or organisation you believe holds the information. The request must be made at reasonable intervals, in writing and signed by the data subject.

Does this mean that I have a right to access the whole file of record?

The Act requires the controller to provide you with “written information”, which must however give a clear and fair account of the personal data held about you. This does not mean that you have a right to access the file or any copy contained in such file.


In providing such information the controller may not in any way reveal the identification of third parties. So normally the controller may summarise or take extracts from the file to give you a true and full picture of the personal data held about you without impinging on the privacy rights of others.



Q. What about paper records and filing systems?

A. As well as covering computerised records the Data Protection Act covers also paper files. However, organisations will be allowed some time to meet their increased responsibilities. In terms of existing manual processing operations (prior 15 July 2003), data controllers have a transition period till 27 October 2007 to notify such processing operations to the Commissioner for Data Protection. With regards to both new automatic and manual processing operations (as from 15 July 2003), data controllers are obliged to notify such operations prior implementation.




Q. What is a data controller?

A. A data controller refers to that person who alone or jointly with others determines the purposes and means of the processing of personal data.




Q. What is Notification?

A. Notification is the process by which a data controller's details are added to the register.
The Commissioner maintains a public register of data controllers. Each register entry includes the name and address of the data controller and a general description of the processing of personal data by the data controller. Individuals can consult the register to find out what processing of personal data is being carried out by a particular data controller.




Q. Why do data controllers have to notify?

A. The Act requires every data controller who is processing personal data to notify such processing operations, unless they are exempt from the notification obligation under S.L 440.02.




Q. Is there any link between notification and compliance?

A. No. The principal purpose of the notification process and the public register is openness. It is an important aspect of data protection legislation that the public should be able to find out who is carrying out processing of personal data and other information about the processing, such as, for what purposes the processing is carried out. However, notification does not equate to compliance with the data protection principles.

The Commissioner is able to enforce the data protection principles against any data controller who is not otherwise exempt from compliance, regardless of their notification status, where he is satisfied that any of the principles have been, or are being, contravened.




Q. What is the register of data controllers?

A. The register of data controllers held at the Commissioner’s office, contains the names and addresses of all data controllers who have notified. This means that they have told the Commissioner that they process personal information. It also includes broad details of the data they process in terms of type, purpose, the people that they may want to give the information to, and whether they may be transferred to third countries.




Q. To whom shall I make the complaint?

A. The Data Subject may bring up the case to the Office of the Information and Data Commissioner by lodging a complaint online or else by submitting the report by conventional mail or by email at
idpc.info@gov.mt.




Q. What are the functions of the Information and Data Protection Commissioner?

A. Inter alia the Act establishes the following obligations of the Information and Data Protection Commissioner:  
  • to carry out inspection or investigation and considering any complaint and for such purpose require the production of any documents and have access to the premises where data is kept;
  • to create and maintain a public register of all processing operations being notified by Data Controllers;
  • to encourage the drawing up of suitable codes of conduct by the various sectors;
  • to order the blocking, erasure or destruction of data, to impose a temporary or definitive ban on processing, or to warn or admonish the controller;
  • the Commissioner is also required to collaborate with supervisory authorities of other countries to the extent necessary for the performance of his duties and participate in the EU for a of data protection authorities;
  • to enforce the provisions of the Act and in cases of violation, the Commissioner may impose administrative fines or institute court proceedings.