Data Protection Policy

The General Data Protection Regulation (EU) 2016/679 ('GDPR') and the Data Protection Act (Cap. 586 of the laws of Malta) regulate the processing of personal data, whether held electronically or in manual form. The Central Bank of Malta (the 'Bank') is committed to complying fully with the data protection principles set out in that legislation.

Purposes for collecting data

The Bank collects and processes data to carry out its functions and obligations under the Central Bank of Malta Act (Cap. 204 of the laws of Malta) and other applicable laws. The Bank's primary objective is to maintain price stability. More detailed information about the Bank's Mission Statement can be viewed here.

The Bank needs to collect and process personal data for a variety of purposes. This may include data that relates to Bank staff, to business contacts or to members of the public.

The Bank recognises its privileged position in receiving this data and is committed to protecting the privacy of the individuals whose data it processes, and to meeting its responsibilities to process personal data in a way that is consistent with the principles set out in data protection legislation.

Principles of Data Protection

Any processing of data shall be based upon the following basic principles:

  • personal data must be processed lawfully, fairly and in a transparent manner;
  • personal data must always be processed in accordance with good practice;
  • personal data must only be collected for specific, explicitly stated and legitimate purposes;
  • personal data must not be processed for any purpose that is incompatible with that for which the information is collected;
  • personal data that are processed must be adequate and relevant in relation to the purpose of the processing;
  • personal data that are processed must be correct and, if necessary, up to date;
  • all reasonable measures must be taken to complete, correct, block, or erase data to the extent that such data are incomplete or incorrect, having regard to the purposes for which they are processed;
  • personal data must not be kept for a period longer than is necessary, having regard to the purposes for which they are processed;
  • personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing, accidental destruction, loss or damage;
  • personal data must not be transferred to third countries that do not offer an adequate level of protection.

In order to fulfil these requirements, the Bank has also developed an internal Data Protection Policy which must be adhered to by all members of staff when processing personal data.  The internal Data Protection Policy sets out the rules and obligations followed by the Bank when processing personal data in accordance with current data protection legislation.

The Bank as Data Controller

The Bank is considered the data controller under current legislation. The Board of Directors is responsible for compliance with data protection legislation, while a Data Protection Officer appointed by the Board handles day-to-day matters related to data protection. All Bank staff who process personal data must comply with the requirements laid down by current data protection legislation.

Recipients of data

Personal data are only accessed by those staff members of the Bank who are assigned to carry out the functions of the Bank as prescribed by law. Personal data may be disclosed to third parties only when necessary and in accordance with current legislation. 

All data subjects have the right to access any personal data retained by the Bank. Requests for access to personal data by data subjects are to be made in writing and sent to the Bank's Data Protection Officer, whose contact details are provided below.  The Bank aims to comply as quickly as possible with requests for access to personal data and will ensure that they are provided within a reasonable timeframe in accordance with data protection legislation.  

Personal Data Retention

The Bank ensures that all personal data shall be retained in accordance with the GDPR, that is, for no longer than is necessary, having regard to the purposes for which they are processed. The Bank has in place a data retention policy in order to ensure that personal data are destroyed once they are no longer required by the Bank.

Questions and Contact Information

Further information on data protection principles and legislation may be obtained from the website of the Office of the Information and Data Protection Commissioner at www.idpc.org.mt. Queries related to data protection may be forwarded to the Bank's Data Protection Officer by email on [email protected], via telephone on +356 2550 4353 or in writing to:

Data Protection Officer
Central Bank of Malta,
Pjazza Kastilja,
Valletta, VLT 1060