Malta amends its rules relating to personal data processing in education


Malta has recently amended its rules in relation to the processing of personal data in the educational sector.

By means Legal Notice 407/21, published in November 2021, a number of provisions and definitions have been changed.

The processing of personal data within an educational context is governed by the Processing of Personal Data (Education Sector) Regulations, Subsidiary Legislation 586.07. (the “Regulations”).

The main scope of the Regulations is to provide further clarity with regards to the processing of personal data relating to students by education authorities, educational institutions and examination bodies, and are always subservient to the Data Protection Act.

Through Legal Notice 407/21, most notably, the definition of “student” found under the Regulations have been expanded not only include data subjects that are registered and/or attending an education institution or registered with examination body but now also those data subjects that have attended such institutions or were in the past registered with ana examination body. This essentially means that the provisions of the Regulations have been extended to apply to that cohort of students with historical educational ties.

Other changes brought about by Legal Notice 407/21 include the realignment of a number of terms re-introduced through the General Data Protection Regulation. The term “sensitive personal data” (which was used in the context of the EU Directive 46/95 and transposed in the legacy version of the Maltese Data Protection Act has been changed to “special categories of data”.

Additionally, the powers available to educational authorities with respect to requesting personal data from educational institutions and examination bodies in relation to national initiatives with regards to employment opportunities or the alignment of jobs with the studies or qualifications achieved, has now been extended also to personal data that would be required by the educational authorities in the context of European initiaties.


Article provided by INPLP member: Gege Gatt (Malta IT Law Association, Malta)

Co-authoreded with: Antonio Ghio



Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.