As we move into 2025, data protection remains a critical concern for businesses operating in Malta. The regulatory landscape, primarily governed by the General Data Protection Regulation (GDPR) and the Data Protection Act (Chapter 586 of the Laws of Malta), continues to evolve, ensuring that personal data is handled with the utmost care and transparency.
The continuous development of GDPR
The rapid advancement of technology and the increasing complexity of data processing have necessitated updates to data protection laws. The GDPR, implemented in 2018, was a significant step towards harmonising data privacy laws across Europe. However, as new technologies such as artificial intelligence and machine learning become more prevalent, there is a growing need to address the unique challenges they present. These updates aim to enhance transparency, improve compliance, and ensure that data protection measures keep pace with technological developments.
Roles, Duties, and Responsibilities
Data Controllers and Processors: In Malta, data controllers and processors play pivotal roles in ensuring compliance with data protection laws. Data controllers determine the purposes and means of processing personal data, while processors handle data on behalf of controllers. Both must implement appropriate technical and organisational measures to safeguard personal data against breaches and unauthorised access.
Data Protection Officers (DPOs): Organisations that process large volumes of personal data or sensitive data are required to appoint a DPO. The DPO’s responsibilities include monitoring compliance with GDPR and internal policies, providing advice on data protection impact assessments (DPIAs), and acting as a contact point for data subjects and the Information and Data Protection Commissioner (IDPC).
Information and Data Protection Commissioner (IDPC): The IDPC is Malta’s supervisory authority responsible for enforcing data protection laws. The IDPC provides guidance, handles complaints, and can impose fines for non-compliance.
Important News for 2025
In 2025, Malta continues to align its data protection framework with EU standards. Recent updates include stricter measures for international data transfers. The IDPC has also introduced new protocols for handling data breaches, emphasising rapid response and transparency.
The IDPC has launched the “Online Self-Assessment Compliance tool” for SMEs to assist business stakeholders who are not familiar with data protection. This initiative raises awareness of data protection amongst the Maltese business community.
The IDPC continues to foster and strengthen its international collaborations by entering into MOUs, such as the one with the National Privacy Commission of the Philippines. This agreement was designed to share information and expertise on data protection practices.
It is important to note the right to access is one of the most important rights a data subject has. The IDPC issued a reprimand to a controller for not granting a data subject access to internal emails that included the data subject’s personal data and information related to the processing activity. The Commissioner ruled that the right of access applies to all personal data processed by the controller, regardless of whether it is found in internal communications among employees. The controller also failed to adequately inform the data subject that it was withholding access to the personal data contained within the internal emails, which lacked transparency and fairness. Consequently, the Commissioner ordered the controller to provide the data subject with information regarding the processing activity and access to the emails containing their personal data, after redacting the personal data of the employees and other non-personal data.
How ARQ Group Can Help
ARQ Group is dedicated to helping businesses navigate the complexities of data protection. Our team of experts offers comprehensive services, including GDPR compliance audits, DPO outsourcing, and tailored training programmes to ensure your organisation meets all regulatory requirements.
For more information, please speak to Kai Keingunther – Senior Advisor – Risk and Compliance.

Manfred Galdes
Managing Partner
A lawyer by profession, Manfred Galdes is the managing partner at ARQ. He has over twenty years of experience practising in the area of regulatory and AML compliance, having held leading roles in both the private and public sectors.