The General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act 2018 (Cap 586 of the Laws of Malta) regulate the processing of personal data whether held electronically or in manual form. The Malta Information & Technology Agency (MITA) is set to fully comply with the Data Protection Principles as set out in such data protection legislation.

Purposes for collecting data

In accordance with EU Regulation 2021/887, coming into force on 28 June 2021, MITA has been mandated the role of Cybersecurity Coordination Centre for Malta (NCC-MT). The NCC-MT is responsible to:

  • Engage and interact with the industry, the public sector and research community to build up a local community
  • Act as contact points at the national level to support the European Cybersecurity Competence Centre
  • Provide expertise and contribution to the strategic planning activities of the European Cybersecurity Competence Centre
  • Facilitate the participation of industry, research institutions and other actors in cross-border projects
  • Establish synergies with relevant activities at national level in national policies as stated in the national cybersecurity strategies
  • Promote and disseminate outcomes of the works of the Network, the Cybersecurity Competence Community and Competence Centre at a national level with specific reference to the Cybersecurity Certification Framework
  • Assist requests by entities to form part of the EU Cybersecurity Competence Community
  • Advocate and promote involvement by entities in the activities arising from the Centre, the Network and the Community
  • Implement specific actions for which grants have been awarded
  • Promote and contribute to the building of competencies within cybersecurity by engaging in awareness campaigns and supporting educational programmes, projects, and activities, arising in both the local and EU context

MITA collects and processes information to carry out its obligations in accordance to the General Data Protection Regulation 2016/679, the Electronic Communications Data Protection Directive 2002/58/EC, the Directive 2016/680, the GMICT Policy, Regulation (EU) 2021/887 of the European Parliament and of the Council of 20 May 2021 establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres and all applicable laws and regulations relating to the processing of personal data and privacy.

MITA implements appropriate physical, electronic, managerial and disciplinary procedures that protect the information from unauthorised access, the maintenance of data accuracy and the appropriate use of information.

Recipients of data

Personal Information is accessed by MITA employees who are assigned to carry out their functions in accordance with their assigned responsibilities. Personal data may also be disclosed to Public Authorities and third parties as authorised by law. The citizen’s rights are safeguarded by the Data Protection legislations, other National laws, as well as by MITA’s internal policies and procedures.

Your rights

You are entitled to know, free of charge, what type of information the NCC-MT holds and processes about you and why, who has access to it, how it is held and kept up to date, for how long it is kept, and what the Unit is doing to comply with data protection legislation.

The GDPR establishes a formal procedure for dealing with data subject access requests. All data subjects have the right to access any personal information kept about them by the NCC-MT, either on computer or in manual files. Requests for access to personal information by data subjects are to be made in writing, or by using MITA’s Data Subject Access Request Form and sent to the MITA’s Data Protection Officer. Your identification details such as ID number, name and surname have to be submitted with the request for access. In case we encounter identification difficulties, you may be required to present an identification document.

MITA aims to comply as quickly as possible with requests for access to personal information and will ensure that it is provided within a reasonable timeframe and in any case not later than one month from receipt of request, unless there is good reason for delay. When a request for access cannot be met within a reasonable time, the reason will be explained in writing to the data subject making the request. Should there be any data breaches, the data subject will be informed accordingly.

All data subjects have the right to request that their information is amended, erased or not used in the event the data results to be incorrect.

In case you are not satisfied with the outcome of your access request, you may refer a complaint to the Information and Data Protection Commissioner, whose contact details are provided below.

Retention Policy

Pursuant to Article 5 of the General Data Protection Regulation (GDPR), personal data will only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Personal data will only be kept in a form, which permits identification of data subjects for as long as is necessary for the purposes for which the personal data are processed. In order to ensure that the personal data are not kept longer than necessary, time limits are established for the erasure and/or for a periodic review.

However, further processing for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes (in accordance with Article 89(1) GDPR) is not considered to be incompatible with the initial purposes.

Data Protection Officer

The Data Protection Officer may be contacted at:

Malta Information & Technology Agency
Gattard House, National Road
Blata Il-Bajda 1057

Telephone: 25992410
Email: [email protected]

The Information and Data Protection Commissioner
The Information and Data Protection Commissioner may be contacted at:
Level 2, Airways House,
High Street,
Sliema SLM 1549
Telephone: 23287100 
Email: [email protected]