AE Legal
What law(s) specifically govern personal data / information?
Regulation (EU) 2016/679 (General Data Protection Regulation – 'GDPR').
The principal data protection legislation in Malta (and the EU) is the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data), which replaced Directive 95/46/EC ('Data Protection Directive'). The GDPR intends to increase the harmonisation of data protection law across the EU Member States.
The Data Protection Act (Chapter 586 of the Laws of Malta) and Regulations issued thereunder which address specific data processing contexts.
Freedom of Information Act (Chapter 496 of the Laws of Malta) – This law interacts with data protection laws in that it outlines when personal data held by public authorities can be disclosed.
What are the key data protection principles in this jurisdiction?
Article 5 of the GDPR provides an exhaustive list of six (6) principles governing the lawful processing of personal data.
In terms of law, and in relation to the data subject, personal data shall be:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- processed in a manner that ensures appropriate security of the personal data.
Lawfulness of processing
In order to adhere to the above six (6) principles, the processing of personal data must primarily rest on a lawful basis, meaning that at least one (1) of the following grounds under article 6 of the GDPR applies:
- the data subject has given consent to the processing for one or more specific purposes;
- contractual necessity;
- compliance with a legal obligation of the controller to perform the relevant processing;
- protection of the vital interests of the data subject or of another natural person;
- performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- legitimate interests (i.e. the processing is necessary for the purposes of legitimate interests pursued by the controller, except where the controller's interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects. However, this rule shall not apply to processing carried out by public authorities in the performance of their task).
The processing of sensitive personal data, known as special categories of personal data, requires stronger grounds and is only permitted when certain conditions are strictly met, of which the most relevant are:
- explicit consent of the affected data subject has been provided to the data controller and/or processor;
- the processing is necessary in the context of employment or social security law;
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- processing relates to personal data which are manifestly made public by the data subject;
- processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; or
- the processing is necessary for the establishment, exercise or defence of legal claims.
Sensitive personal data, as defined in article 9 of the GDPR, comprises personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health and data concerning a natural person's sex life or sexual orientation.
Transparency
With respect to article 12 of the GDPR, personal data must be processed lawfully, fairly and in a transparent manner. Regarding the processing of personal data, controllers are obliged to provide certain information to data subjects. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language so that it is easy to understand, and, where appropriate, visualisation should be used, in particular for any information addressed specifically to a child. Such information may be provided in electronic form, for example through a website when addressed to the public.
Purpose limitation
Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.
Data minimisation
The processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum, in line with the principle of storage limitation.
Accuracy
Personal data must be accurate and, where necessary, kept up to date. In this respect, where any inaccuracies arise, every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Storage limitation
Personal data must be stored in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data were initially collected. One must note that personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with article 89(1) of the GDPR, subject to implementation of the appropriate technical and organisational measures required by the GDPR itself in order to safeguard the rights and freedoms of the data subject.
Integrity and confidentiality
Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability
The data controller is responsible for processing of data in accordance with the principles outlined in the GDPR. In particular, the data controller is obliged to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in compliance with the GDPR.
What is the supervisory authority / regulator in charge of data protection?
The Information and Data Protection Commissioner (the IDPC).
The IDPC is responsible for independently monitoring and enforcing the application of the provisions of the Data Protection Act and the GDPR, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of personal data and to facilitate the free flow of personal data between Malta and any other Member State.
Is there a requirement to register with a supervisory authority / regulator?
No, there is no registration requirement in order to process personal data. However, as shall be explained below, there are certain instances where the law requires a Data Protection Officer (DPO) to be registered with the IDPC.
Is there a requirement to notify the supervisory authority / regulator?
As shall be explained in further detail below, the data controller must inform the IDPC of a transfer to a third country that is not the subject of an adequacy decision and if appropriate safeguards are absent.
Is it possible to register with / notify the supervisory authority / regulator online?
Registration of a DPO may be done online.
What are the key data subject rights under the data protection laws of this jurisdiction?
Right to information
Pursuant to Articles 13 and 14 of the GDPR, data subjects have the right to be provided with the following information:
- the identity and the contact details of the controller and, where applicable, of the controller's representative;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- the legitimate interests pursued by the controller or by a third party, where the processing of the data is on this basis;
- the recipients or categories of recipients of the personal data, if any;
- where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation, and the existence or absence of an adequacy decision by the Commission; and
- the categories of personal data concerned, where personal data has not been obtained from the data subject.
Right of access
A data subject has the right to obtain from a controller certain information in respect of the data subject's personal data as listed in article 15 of the GDPR, as follows:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Additionally, the data subject may request a copy of the personal data being processed.
Right to rectification of errors
Pursuant to article 16 of the GDPR, data subjects have the right to rectification of inaccurate personal data. Moreover, taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to deletion/right to be forgotten
Data subjects have the right to erasure of their personal data (the 'right to be forgotten') where one of the grounds listed in article 17 of the GDPR, set out below, applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to processing for direct marketing purposes;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- the personal data have been collected in relation to the offer of information society services.
Right to restriction of processing
Data subjects have the right to request restriction of the processing of personal data, which means that the data may only be processed for limited purposes as defined in article 18 of the GDPR, where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
Right to data portability
Data subjects have a right to receive a copy of their personal data in a structured, commonly used machine-readable format, and transfer their personal data from one controller to another or have the data transmitted directly between controllers in accordance with article 20 of the GDPR, where the processing is based on consent or on a contract, and the processing is carried out by automated means.
Right to object to processing
By virtue of article 21 of the GDPR, data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data where the basis for that processing is either public interest (Article 6 para 1(e) GDPR) or legitimate interest of the controller (Article 6 para 1(f) GDPR). The controller must cease such processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the relevant data subject or requires the data in order to establish, exercise or defend legal rights.
Data subjects have the right to object to the processing of personal data for marketing purposes, including profiling.
Right to withdraw consent
A data subject has the right to withdraw their consent at any time (Article 7 para 3 of the GDPR). The withdrawal of consent does not affect the lawfulness of processing based on consent before the withdrawal. Prior to giving consent, the data subject shall be informed of this right and it shall be as easy to withdraw as to give consent.
Right to complain to the relevant data protection authority(ies)
Data subjects have the right to lodge complaints concerning the processing of their personal data with the competent data protection authority, and the right to an effective judicial remedy in accordance with Article 47 of the EU Charter of Fundamental Rights if the data subject considers that his or her rights under the GDPR are infringed, or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint, or does not act where such action is necessary to protect the rights of the data subject.
Right not to be subject to automated individual decision-making
Under certain circumstances, data subjects have the right not to be subject to a decision based solely on automated processing of data (including profiling), which produces legal effects or similarly significant effects for the data subject (Article 22 of the GDPR).
This is a summary only and there are some qualifications and limitations to these rights which may be relevant.
Is there a requirement to appoint a data protection officer (or equivalent)?
Under the GDPR (articles 37 to 39), a Data Protection Officer (DPO) must be appointed by organisations that:
- are a public authority or body (except for courts acting in their judicial capacity);
- have core activities that require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- have core activities that consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
This applies to both controllers and processors. Organisations that are not required to appoint a DPO may do so voluntarily. In making a voluntary appointment, organisations should be aware that the same requirements of the position and tasks apply as if the appointment had been mandatory.
Moreover, certain subsidiary legislation explicitly mentions the role of a DPO in specific contexts.
The DPO must have expert knowledge of data protection law and practices, be independent and report to the highest management level.
The GDPR provides that the DPO shall have at least the following tasks:
- to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
- to monitor compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor its performance;
- to cooperate with the supervisory authority;
- to act as the contact point for the supervisory authority on issues relating to processing.
The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
Do data protection / privacy impact assessments need to be carried out in certain circumstances?
Pursuant to article 35 of the GDPR the data controller is obliged, prior to the processing, to carry out a data protection impact assessment (DPIA), where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.
In particular, a data protection impact assessment is required in the case of:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences; or
- a systematic monitoring of a publicly accessible area on a large scale.
The IDPC provides a non-exhaustive list of types of processing operations where a data protection impact assessment may be required:
- systematic monitoring;
- automated decisions;
- use of innovative technologies;
- special categories of personal data;
- biometric data;
- genetic data;
- data concerning vulnerable persons; and
- employee monitoring.
Does this jurisdiction have any specific data breach notification requirements?
In accordance with article 33 of the GDPR, in the case of a data breach, the data controller shall without undue delay, and where feasible, notify such a personal data breach to the IDPC within seventy-two (72) hours of becoming aware of the breach. There is an online prescribed form, 'Data Breach Notification', which should be filled in by the data controller. Where the notification to the supervisory authority is not made within seventy-two (72) hours, it shall be accompanied by reasons for the delay.
The notification is not required in those specific cases where the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of data subjects.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller is required to communicate the personal data breach to the data subject without undue delay.
The notification shall at least:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the DPO or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
The data controller shall moreover document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.
The EDPB (European Data Protection Board) has issued guidelines on data breach notification, detailing the requirements for data breach notifications (Guidelines 9/2022 on personal data breach notification under GDPR and Guidelines 01/2021 on Examples regarding Data Breach Notification).
What restrictions apply to the international transfer of personal data / information?
International data transfers (i.e. transfers to jurisdictions outside the European Economic Area ('EEA')) can only take place in accordance with article 44 et seq. of the GDPR, if the transfer is subject to an 'Adequacy Decision' pursuant to article 45 of the GDPR, or the recipient has implemented certain safeguards required by the GDPR under article 46.
When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:
- the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;
- the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and
- the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.
The EU Commission has issued decisions concerning an adequate level of protection on the basis of article 45 para 3 of the GDPR for the following countries: Andorra; Argentina; Canada; Faroe Islands; Guernsey; Isle of Man; Israel; Japan; Jersey; New Zealand; Republic of Korea; Switzerland; Uruguay; and United States commercial organisations participating in the EU-US Data Privacy Framework. The United Kingdom has been recognised by the EU Commission as providing adequate protection under the GDPR and the Law Enforcement Directive, although these decisions are currently set to expire on 27 December 2025, pending renewal.
For a data transfer to all other countries, the controller is obliged to ensure that one of the following mechanisms for international data transfers applies:
- The transfer may be based on Standard Contractual Clauses (SCCs) drafted by the EU Commission. The SCCs, which took effect on 27 June 2021, are available for the following transfers:
  - Module 1: controller to controller
  - Module 2: controller to processor
  - Module 3: processor to processor
  - Module 4: processor to controller
- The transfer may be based on contracts agreed between the data exporter and data importer, provided that they meet the protection standards outlined in the GDPR. Additionally, prior approval by the relevant data protection authority is required.
- The transfer may be based on Binding Corporate Rules (BCRs) pursuant to article 47 of the GDPR, in particular within a group of entities. For BCRs prior approval by the relevant data protection authority is needed. Most importantly, the BCRs need to include a mechanism to ensure they are legally binding and enforced by every member in the group of entities.
- The transfer is covered by one of the permitted derogations set out in article 49 (in the absence of an adequacy regulation or appropriate safeguard), such as the explicit consent of the data subject, the transfer is necessary for the performance of a contract between the data subject and data controller at the data subject's request or in the interest of the data subject, or the transfer is necessary for the establishment, exercise or defence of legal claims.
Additionally, in the absence of adequacy or safeguards, transfers may take place only under the limited derogations set out in article 49 of the GDPR, such as where:
- the data subject has given explicit consent;
- the transfer is necessary for a contract (with or for the benefit of the data subject);
- for important reasons of public interest;
- to establish, exercise or defend legal claims;
- to protect vital interests (e.g. emergencies);
- from a public register.
Derogations must be interpreted restrictively and are generally intended for occasional and not repetitive transfers.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
With regard to its geographic and territorial scope, the GDPR combines the principles of establishment, market place and territoriality.
Pursuant to the principle of establishment, the GDPR is applicable for processing activities carried out in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing itself takes place in the EU.
Pursuant to the principle of the market place, the GDPR is applicable for the processing of personal data of data subjects situated in the EU by a controller or processor who is not situated in the EU, where the processing activities are related to:
- the offering of goods or services to such data subjects situated in the EU, irrespective of whether a payment of the data subject is required; or
- the monitoring of their behaviour as far as their behaviour takes place within the EU (principle of the territoriality).
What rules specifically deal with marketing?
The Processing of Personal Data (Electronic Communications Sector) Regulations (Subsidiary Legislation 586.01 of the Laws of Malta) specifically prohibits the use of any publicly available electronic communications service to make an unsolicited communication for the purpose of direct marketing by means of:
- an automatic calling machine;
- a facsimile machine; or
- electronic mail
to a subscriber or user, irrespective of whether such subscriber or user is a natural person or legal person, unless the subscriber or user has given their prior consent in writing to the receipt of such a communication.
Notwithstanding the above, where a person has obtained from customers their contact details for electronic mail in relation to the sale of a product or a service, that person may use such details for direct marketing of its own similar products or services. However, customers shall be given the opportunity to object, free of charge and in an easy and simple manner, to such use of electronic contact details at the time of their collection and on the occasion of each message where the customer has not initially refused such use.
Do different rules apply to business-to-business and business-to-consumer marketing?
As per the above, the Regulations do not distinguish between recipients of communications, as they apply to both natural and legal persons.
What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
Please refer to the above.
What rules specifically deal with cookies?
The Processing of Personal Data (Electronic Communications Sector) Regulations (Subsidiary Legislation 586.01 of the Laws of Malta) implement the provisions of the ePrivacy Directive (Directive 2009/136/EC), which is often referred to as the 'Cookie Law'.
In terms of the Maltese Regulations, the storing of information or the gaining of access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given their consent, having been provided by the controller with clear and comprehensive information.
In addition, traffic data relating to subscribers and users processed for the purpose of the transmission of a communication and stored by an undertaking which provides publicly available electronic communications services or by an undertaking which provides a public communications network must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
The GDPR provides for a maximum penalty in the amount of the higher of EUR 20 million or 4% of worldwide turnover (Article 83 GDPR).
The Maltese Data Protection Act does not specifically set out the applicable administrative fines which may be imposed by the IDPC for non-compliance. Since the GDPR is directly applicable, the IDPC may impose the administrative fines as set out in Article 83 of the Regulation.
Without prejudice to the above, in terms of the Data Protection Act, any person who:
- knowingly provides false information to the IDPC when so requested by the IDPC pursuant to its investigative powers in terms of the GDPR, or any other law; or
- does not comply with any lawful request pursuant to an investigation by the IDPC;
shall be guilty of an offence and shall, upon conviction, be liable to a fine of not less than EUR 1,250 and not more than EUR 50,000, or to imprisonment for six months, or to both such fine and imprisonment.
In addition, any person who contravenes or fails to comply with the Processing of Personal Data (Electronic Communications Sector) Regulations shall be liable to an administrative fine not exceeding twenty three thousand two hundred and ninety three euro and seventy three cents (EUR 23,293.73) for each violation and two thousand three hundred and twenty nine euro and thirty seven cents (EUR 2,329.37) for each day during which such violation persists, which fine shall be determined and imposed by the IDPC.
In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction, without being located there?
Controllers and processors who are not established in the EEA are generally required under article 27 of the GDPR to designate a representative in the EEA where their activities fall within the territorial scope of the EEA data protection regime under article 3, specifically if they involve processing personal data of data subjects within the EEA in connection with the provision of goods or services, or the monitoring of the behaviour of data subjects located in the EEA.
Since Malta is a member state of the EU, it is very important to keep in mind that the processing of personal data of individuals who are physically present in Malta will fall within the scope of the GDPR.
What upcoming data protection developments should multinational organisations be aware of?
At a European level, the EU is currently discussing the ePrivacy Regulation which will be repealing the current Privacy and Electronic Communications Directive (Directive 2002/58/EC). However, as of today there is still no fixed date by when this new Regulation will come into effect.
Meanwhile, the Digital Services Act (DSA) and the Artificial Intelligence Act (AI Act) have recently entered into force and represent key components of the EU's regulatory framework. The DSA was adopted on 19 October 2022, published in the Official Journal on 27 October 2022, and entered into force on 16 November 2022, with general application beginning on 17 February 2024. The DSA establishes obligations for online platforms to manage illegal content, disinformation, and systemic risks, while requiring transparency in content moderation and advertising practices. It also mandates risk assessments for very large online platforms and creates a European Board for Digital Services to oversee enforcement. The DSA applies to all digital platforms operating in the EU, including those established outside the EU if they provide services to EU users.
The AI Act was published on 12 July 2024 and entered into force on 1 August 2024. Its provisions are being phased in over time, with prohibitions on certain AI systems and AI literacy obligations taking effect on 2 February 2025, governance rules and obligations for General Purpose AI models on 2 August 2025, high-risk AI system provisions on 2 August 2026, and final provisions, including those for AI embedded in regulated products, on 2 August 2027. The AI Act classifies AI systems according to risk level (unacceptable, high, limited and minimal) and imposes strict requirements on high-risk systems, including transparency, accountability, and human oversight. Certain AI practices, such as social scoring and biometric categorisation, are prohibited. The Act applies to providers and users of AI systems within the EU, as well as to organisations outside the EU if their AI systems affect EU citizens.