Guidelines and Publications

​Annual Reports 

Reports drawn up in terms of the Data Protection Act, covering the activities performed by the Commissioner in the exercise of his functions.



Guidelines​ adopted by this Office to provide the necessary direction to political parties and election candidates when processing personal data for the purpose of sending political campaigning messages.

Credit Referencing 




Data Controllers are strongly encouraged to include a privacy policy on their website providing comprehensive information to site users in conformity with the requirements emanating from article 19 of the Data Protection Act. 
A sample data protection information clause, which can form part of an application form when personal data is collected from a data subject, is being provided for guidance purposes and may be customised and adjusted by the data controller according to the requirements of the organisation: 
"The personal information provided in this application form shall be processed in accordance with the provisions of the Data Protection Act (Cap. 440 of the Laws of Malta) and solely processed for the purpose(s) of [insert purpose/s].
Your personal information will not be disclosed to third parties without your express consent unless this will be strictly required by law.
You have the right to request access to your personal data as well as the right to rectify and where applicable, erase any inaccurate, incomplete or immaterial personal data processed by [insert company name].
I do hereby authorise [insert company name] to process the data contained in this form for the above-stated purpose(s)."​

Processing of personal data for research and statistics 

Data Protection Guidelines on the processing of personal data for research and statistics purposes have been developed by this Office with the objective to assist data subjects who will process personal information in the course of conducting research.  These guidelines have been developed in agreement with both the University Research Ethics Committee and the Health Ethics Committee.

Data Protection and Street Photography 

Brief guidelines​ providing professional photographers and enthusiasts with basic data protection requirements and considerations when engaging in street photography, essentially when capturing un-posed and un-staged images, particularly when such images identify natural persons who happen to be in public places.



Were a data controller subcontracts business or operational activities and for such reason entrusts a processor with the use of personal data, the controller shall still remain responsible in terms of data protection with regard to such processes carried out on his behalf. 

Common examples of similar processes may include hiring an accounting firm to compile employees’ payroll or IT service providers for maintenance and support.

In these cases, the relationship between a data controller and a processor should be regulated by a written contract in accordance with article 25 of the Data Protection Act.

In order to facilitate data controllers in complying with the above provision, the Commissioner has developed specific sample clauses which could serve as a basis for developing similar agreements or which may form part of business/ service level agreements developed between the parties. 

Click here for the sample agreement.​



Data protection guidelines on the processing of visual images in schools have been launched on 27 October 2005. These guidelines, the first in a series, have been jointly developed by the Data Protection Commissioner and a committee of school representatives composed of representatives of state schools, independent schools, independent schools, church schools, the Education Division and the Office of the Prime Minister. Such guidelines are intended to define good practice to be adopted in schools.

Guidance for Schools - Processing of visual images in schools

Having issued the first set of guidelines on visual images, the education committee has now commenced other discussions on issues relating to the processing of documents within a school in order to identify procedures of good practice.


Data Protection guidelines for the promotion of good practice in the Insurance Business Sector have been launched on 15 February 2006 during an information session.
These guidelines have been jointly developed by a working group composed of representatives of the Malta Insurance Association, the Association of Insurance Brokers, the Malta Financial Services Authority and the Office of the Data Protection Commissioner.  The working group will keep on meeting to discuss further issues related to the sector in order to develop a more exhaustive document.


Guidance notes applicable to the banking sector have been jointly developed between this Office and the Malta Bankers' Association. The purpose of these guidelines is to provide the data subject with good practice information pertaining to the applicability of the Data Protection Act in the processing of personal data by the banking sector.

Guidelines for the promotion of good practice - The Banking Sector