Regulatory Compliance

Data Protection

The Central Bank of Malta (the "Bank") needs to collect and process personal data for a variety of purposes. In doing so, the Bank is obliged to comply with both local and EU legislation on Data Protection, namely the General Data Protection Regulation (Regulation (EU) 2016/679) hereinafter referred to as the "GDPR".

The Bank ensures that the data protection principles as laid down in the GDPR are followed and fully implemented. In order to fulfil these requirements, the Bank has also developed an internal Data Protection Policy which must be adhered to by all members of staff when processing personal data. Any processing of data shall be based upon the following basic principles:

  • personal data must be processed lawfully, fairly and in a transparent manner;
  • personal data must always be processed in accordance with good practice;
  • personal data must only be collected for specific, explicitly stated and legitimate purposes;
  • personal data must not be processed for any purpose that is incompatible with that for which the information is collected;
  • personal data that is processed must be adequate and relevant in relation to the purpose of the processing;
  • personal data that is processed must be correct and, if necessary, up to date;
  • all reasonable measures must be taken to complete, correct, block, or erase data to the extent that such data are incomplete or incorrect, having regard to the purposes for which they are processed;
  • personal data must not be kept for a period longer than is necessary, having regard to the purposes for which they are processed;
  • personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing, accidental destruction, loss or damage;
  • personal data must not be transferred to third countries that do not offer an adequate level of protection.

The Central Bank of Malta is considered the "Data Controller" under the GDPR. The Board of Directors is responsible for compliance with the GDPR, while a Data Protection Officer appointed by the Board handles day-to-day matters related to data protection.

All Central Bank of Malta employees who process personal data must comply with the requirements laid down by the GDPR and any other legislation in force at the time of processing.

Further information on Data Protection principles and legislation may be obtained from the website of the Office of the Information and Data Protection Commissioner.

Queries related to data protection may be forwarded to the Bank's Data Protection Officer by email or in writing to:

Data Protection Officer
Central Bank of Malta,
Pjazza Kastilja,
Valletta, VLT 1060

The Data Protection Officer may also be contacted via phone on +356 2550 4353.

The European Data Protection Legislation

In January 2012, the European Commission proposed a comprehensive reform of data protection rules in the EU.

On 4 May 2016, the official texts of the General Data Protection Regulation - GDPR (Regulation (EU) 2016/679) and Directive (EU) 2016/680 were published in the EU Official Journal in all the official languages. While the GDPR will enter into force on 24 May 2016, it shall apply from 25 May 2018. The Directive enters into force on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018.

The objective of this new set of rules is to give citizens back control over their personal data, and to simplify the regulatory environment for business. The data protection reform is a key enabler of the Digital Single Market which the Commission has prioritised. The reform will allow European citizens and businesses to fully benefit from the digital economy.

For further information on these legislative texts please refer to the following links: