Law: The Data Protection Act (Act XX 2018) ('the Act') and the General Data Protection Regulation (Regulation (EU) 2016/679)

Regulator: Office of the Information and Data Protection Commissioner ('IDPC')

Summary: The Act came into effect on 28 May 2018 and replaced the former Data Protection Act (Chapter 440 of the Laws of Malta). Its main aim is the implementation of the GDPR in Malta. In addition to the Act, a several pieces of subsidiary legislation exist which benefit from the flexibility the GDPR in allowing national derogations in certain areas of its implementation, such as the processing of health information for insurance purposes and for the lowering of the age of consent of children in relation to information services. The IDPC is the national supervisory authority and is responsible for monitoring and enforcing the application of the provisions of the Act and the GDPR. As part of its regulatory responsibilities, the IDPC has issued guidance on various data protection issues, including on data protection in relation to the banking and gambling industries.