Skip to main content

Malta amends its rules relating to personal data processing in education


Malta has recently amended its rules in relation to the processing of personal data in the educational sector.

By means Legal Notice 407/21, published in November 2021, a number of provisions and definitions have been changed.

The processing of personal data within an educational context is governed by the Processing of Personal Data (Education Sector) Regulations, Subsidiary Legislation 586.07. (the “Regulations”).

The main scope of the Regulations is to provide further clarity with regards to the processing of personal data relating to students by education authorities, educational institutions and examination bodies, and are always subservient to the Data Protection Act.

Through Legal Notice 407/21, most notably, the definition of “student” found under the Regulations have been expanded not only include data subjects that are registered and/or attending an education institution or registered with examination body but now also those data subjects that have attended such institutions or were in the past registered with ana examination body. This essentially means that the provisions of the Regulations have been extended to apply to that cohort of students with historical educational ties.

Other changes brought about by Legal Notice 407/21 include the realignment of a number of terms re-introduced through the General Data Protection Regulation. The term “sensitive personal data” (which was used in the context of the EU Directive 46/95 and transposed in the legacy version of the Maltese Data Protection Act has been changed to “special categories of data”.

Additionally, the powers available to educational authorities with respect to requesting personal data from educational institutions and examination bodies in relation to national initiatives with regards to employment opportunities or the alignment of jobs with the studies or qualifications achieved, has now been extended also to personal data that would be required by the educational authorities in the context of European initiaties.


Article provided by INPLP member: Gege Gatt (Malta IT Law Association, Malta)

Co-authoreded with: Antonio Ghio



Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.