Data Protection Laws
Current European Union Data Protection Legislation
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
- ePrivacy Directive: Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on Privacy and Electronic Communications)
- Directive on the Processing of Personal Data by Competent Authorities: Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
- Passenger Name Record Directive: Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
- Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
Current Local Data Protection Legislation
- Data Protection Act (Cap. 586 of the Laws of Malta)
- Processing of Personal Data (Electronic Communications Sector) Regulations (S.L. 586.01)
- Notification and Fees (Data Protection Act) Regulations (S.L. 586.02)
- Third Country (Data Protection Act) Regulations (S.L. 586.03)
- Processing of Personal Data (Protection of Minors) Regulations (S.L. 586.04)
- Transfer of Personal Data to Third Countries Order (S.L. 586.05)
- Processing of Personal Data for the purposes of the General Elections Act and the Local Councils Act Regulations (S.L. 586.06)
- Processing of Personal Data (Education Sector) Regulations (S.L. 586.07)
- Data Protection (Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties) Regulations (S.L. 586.08)
- Restriction of the Data Protection (Obligations and Rights) Regulations (S.L. 586.09)
- Processing of Data concerning Health for Insurance Purposes Regulations (S.L. 586.10)
- Processing of Child’s Personal Data in relation to the Offer of Information Society Services Regulations (S.L. 586.11)
- Enforcement of the Rights of Data Subjects in relation to Transfers of Personal Data to a Third Country or an International Organisation Regulations (S.L. 586.12)
- Data Protection (Fair access to and use of data) Regulation (S.L. 586.13)
- Artificial Intelligence (Designation of the Information and Data Protection Commissioner for the Purposes of Regulation (EU) 2024/1689) Regulations (S.L. 586.14)
Stay updated with our latest insights
Reminder: DORA Register of Information Submission Deadline Approaching
Further to the Malta Financial Services Authority’s (‘MFSA’) circular setting out the reporting timelines applicable to the annual submission of the Register of Information (‘ROI’) under Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector (‘DORA’), the submission deadline is now approaching. Financial entities authorised by the MFSA and falling within the scope of DORA are required to submit their updated ROI by 21 March 2026 or the next working day. The ROI must reflect the entity’s contractual arrangements with ICT third-party service providers as at 31 December 2025 and must be submitted via the MFSA’s LH Portal.…
European Commission Proposes Updated EU Cybersecurity Act (The Cybersecurity Act 2)
On 20 January 2026, the Proposal for a Regulation for the EU Cybersecurity Act (‘The Cybersecurity Act 2’) was published by the European Commission to update and replace Regulation (EU) 2019/881 (the “2019 Cybersecurity Act”). The Proposal was introduced in response to major changes in cybersecurity threats as well as the weaknesses identified in the 2019 Cybersecurity Act. Since the adoption of the 2019 Cybersecurity Act, cyberattacks have become more frequent and sophisticated, increasingly targeting critical infrastructures, essential services and digital supply chains. At the same time, growing geopolitical tensions and the EU’s reliance on technologies from third countries have…
NIS 2 and Critical Entities Resilience Framework Enter into Force in Malta
Two long-awaited Legal Notices published on Friday, 23rd January 2026 have brought into force key elements of Malta’s cybersecurity and resilience framework, implementing two recent EU legislative developments.
Entry Into Force of the NIS 2 Directive
Legal Notice 22 of 2026 brought Subsidiary Legislation 460.41, the Measures for a High Common Level of Cybersecurity Across the European Union (Malta) Order, into force on Friday, 23rd January 2026. This Subsidiary Legislation transposes the EU Network and Information Systems Directive II (more commonly known as ‘NIS 2’) into Maltese law and is brought into force as already previously published without substantial substantive…


