
General Data Protection Regulation: three years on

The General Data Protection Regulation (GDPR) has been in force for three years and, as with any similar regulation, the level of regulatory risk it poses is linked to how it is enforced in practice. During 2020, 38 cases were investigated by the Information and Data Protection Commissioner (IDPC). While the number of data breaches investigated by the IDPC has been increasing exponentially, these represent only a portion of the cases reported to the IDPC. Reporting a data breach is an important obligation imposed by the GDPR, though in practice reporting will always be preceded by a risk assessment determining whether the incident is in fact a reportable breach.

Locally, the most common types of complaint relate to the unauthorised disclosure of personal data and unlawful video surveillance in accessible and public places. This reinforces the importance of adequate and compliant processing of personal data, which does not stop at well-structured filing systems and password-protected data repositories. The highest fine imposed by the IDPC during 2020 (€20,000) was imposed on an entity which failed to provide a data subject with access to all the data being processed about them and which failed to meet the required standards of transparency in its privacy policy.

Sanctions for GDPR violations depend on the sensitivity of the data, the number of data subjects involved, the breadth of exposure and the detriment potentially suffered by data subjects. The attitude and practices within an organisation are also considered: a nonchalant approach to data protection or repeated offences are likely to lead to higher penalties. Continued compliance in this respect requires businesses to assess the GDPR-related impact of technical advancements, new equipment, operational improvements and other changes on an ongoing basis.

Fines for non-compliance with the GDPR should be “...effective, proportionate and dissuasive…” and applied on a case-by-case basis. The maximum fines are calculated as a portion of the defaulting organisation’s global annual turnover: the higher of 2% of turnover or €10 million for less critical infringements, and the higher of 4% of turnover or €20 million for more serious ones.

The fines issued in Malta do not come close to the millions of euros’ worth of fines imposed elsewhere in the EU. However, this does not appear to reflect a relaxed application of the Regulation locally, but rather that the extent of data processing carried out by smaller local enterprises typically does not compare with that carried out by larger multinational organisations.

An overarching goal for all organisations must remain that of applying a high level of security to the personal data collected. This means having in place the procedures necessary to limit the data being processed to what is strictly required for the purpose at hand. Sufficient technical and organisational measures must be put in place to protect data from any unauthorised access, by ensuring that data is accessible only to the relevant personnel and by managing the storage of data in a lawful manner.

Furthermore, the interplay between data protection, information security, privacy, cybersecurity and anti-money-laundering legislation in the current regulatory environment makes it all the more important for organisations to obtain specialist guidance to ensure that client and employee information is processed and stored appropriately. Data protection audits that periodically review an organisation’s data processing activities play a pivotal role in managing compliance risks in this area.

Contact us

Mark Lautier

Tax Partner, PwC Malta

Tel: +356 2564 6744

Chris Mifsud Bonnici

Senior Manager, Tax, PwC Malta

Tel: +356 2564 6935
