Data Protection

Data Protection Policy

The General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act (Cap 586) regulate the processing of personal data whether held electronically or in manual form. The Malta Communications Authority (MCA) is set to fully comply with the Data Protection Principles as set out in such data protection legislation.

Purposes for collecting data
The MCA collects and processes information to carry out its obligations in accordance with present legislation.  All data is collected and processed in accordance with Data Protection Legislation and the Electronic Communications Networks and Services (General) Regulations, S.L. 399.28.

Recipients of data
Personal Information is only accessed by those MCA employees who are assigned to carry out the functions of the Authority in line with its duties prescribed at law. Personal Data will be disclosed to third parties when necessary but only as authorised by law.

Your rights
You are entitled to know, free of charge, what type of information the MCA holds and processes about you and why, who has access to it, how it is held and kept up to date, for how long it is kept, and what the MCA is doing to comply with data protection legislation.

The GDPR establishes a formal procedure for dealing with data subject access requests.  All data subjects have the right to access any personal information kept about them by the MCA, either on computer or in manual files. Requests for access to personal information by data subjects are to be made in writing and sent to the Data Controller of the MCA, whose contact details are provided below.  Your identification details such as ID number, name and surname have to be submitted with the request for access.  In case we encounter identification difficulties, you may be required to present an identification document.

The MCA aims to comply as quickly as possible with requests for access to personal information and will ensure that it is provided within a reasonable timeframe and in any case not later than one month from receipt of request, unless there is good reason for delay. When a request for access cannot be met within a reasonable time, the reason will be explained in writing to the data subject making the request.  Should there be any data breaches, the data subject will be informed accordingly.

All data subjects have the right to request that their information is amended, erased or not used in the event the data results to be incorrect. In case you are not satisfied with the outcome of your access request, you may refer a complaint to the Information and Data Protection Commissioner, whose contact details are provided below.

The Data Controller’s Contact Details:

The Chief Executive Officer of the MCA as the Data Controller of the Authority may be contacted at:

Malta Communications Authority
Valletta Waterfront
Pinto Wharf
Floriana FRN 1913
Telephone:  (+356) 21 336840        Email:

The Information and Data Protection Commissioner’s Contact Details:

The Information and Data Protection Commissioner may be contacted at:
Level 2, Airways House,
High Street,
Sliema SLM 1549
Telephone:  23287100                    Email:


 Policy regulating the Retention of External Documentation

1. Scope

The General Data Protection Regulation (GDPR) (EU) 2016/679 and the Data Protection Act (DPA), Cap. 586 of the Laws of Malta put forward the principle that personal data and sensitive personal data should not be retained for periods that are longer than necessary. In this context, the Malta Communications Authority (‘MCA’) has drawn up a retention policy for all external documentation that it collects and processes, with the purpose of ensuring compliance and to ensure that no resources are utilised in the processing and archiving of data which is no longer of relevance.

This policy is aimed at regulating the retention, maintenance and disposal of external documentation in accordance with the principles of data protection legislation, and other legal provisions in Maltese Law.

2. Objectives

This policy aims to achieve the following objectives:

  1. Regulate the retention of and disposal of the various types of documentation whether held in manual or automated filing systems within the MCA, while adhering to the data protection principle that personal data should not be retained for a longer period than necessary.
  2. Dispose of unnecessary documentation that is no longer relevant and is taking up useful storage space.
  3. Promote the digitisation of documentation as may be reasonably possible in order to minimize the use of storage space required to store documentation, as well as to promote a sustainable use of paper and printing consumables.

3. Administration

Documentation is held and recorded by the MCA. This policy is therefore applicable to all such documentation. It will be the responsibility of the Chief of the relevant Unit and the Authority’s Data Controller to ensure that all provisions of this policy are adhered to.

4. Documentation held within the MCA and their Retention Period

As part of its operating requirements the MCA, requests, keeps and maintains a wide range of documentation including personal information. The retention of different categories of documents is governed by different requirements and different legislation and regulations and may be categorised as follows:

Consumer Affairs:

  • Documentation in relation to consumer enquiries and complaints: 5 years

EU funded projects:

  • Documentation in relation to EU funded projects: 10 years

Financial Documentation:

  • Tax and National Insurance Records: 10 years
  • Procurement Records: 10 years
  • Accounting Records: 10 years
  • Inventory Records: 10 years
  • Yearly Financial Statements: 10 years

General Authorisations and Licences to provide commercial service (Electronic Communications and Posts):

  • Active authorisations and licences (all): unlimited for as long as the authorisation or licence exists
  • Cancellation of authorisation and licence (all): 25 years


  • Documentation in relation to all forms of litigation including arbitration: 7 years from final judgement (includes Court of Appeal were applicable)

Radiocommunication Licences:

  • Active licences (all): unlimited for as long as the licence exists
  • Cancellation of Aeronautical (air): 5 years
  • Cancellation of Aeronautical (ground): 25 years
  • Cancellation of Aeronautical (portable): 25 years
  • Cancellation of Amateur – permanent: 10 years
  • Cancellation of Amateur – temporary: 5 years
  • Cancellation of Broadcasting: 25 years
  • Cancellation of Links: 25 years
  • Cancellation of Maritime coast station - private channels: 25 years
  • Cancellation of Maritime coast station - shared channels: 15 years
  • Cancellation of other various Licences permanent: 25 years
  • Cancellation of other various Licences temporary: 5 years
  • Cancellation of Paging: 25 years
  • Cancellation of PMR – permanent: 25 years
  • Cancellation of PMR – temporary: 5 years
  • Cancellation of SES permanent: 5 years
  • Cancellation of SES temporary: 5 years
  • Cancellation of Test and Trial: 5 years
  • Documentation related to the Radio Spectrum Assignment Process: 5 years from the end of process
  • ECN Notification: 5 years from licence expiry date
  • Maritime identities: 25 years from date of de-registration of vessel from the applicable Maltese registers
  • Radio spectrum Licences: 5 years from the termination date of the licence


  • Documentation in relation to the recruitment process i.e. published calls for posts, application forms/letters, CV of chosen applicant, related correspondence, attendance at interviews, publication of results etc.: 1 year from publication of call for post.
  • Documentation related to CVs of persons who applied for a post but were not chosen. The MCA shall request such applicants if they would like to grant their consent to the Authority to keep their CVs in case of any future similar posts: 1 year from end of recruitment process. 
  • Jobsplus report: 5 years from end of recruitment process. 
  • Application Forms for the filling of positions co-financed from EU Funds: 8 years from end of recruitment process. 


  • CCTV monitoring: 45 days
  • Visitors Log: 3 months
  • Affidavits: 10 years

5. Security of Documentation

  1. Documentation is maintained in an accessible but secure location with adequate access provided to MCA officials who have the clearance level to access the relevant documentation. In the case of documents with sensitive personal data with higher clearance levels, access control protocols are fully adhered to, to ensure that only those that have the required security clearance have access to such documentation.
  2. In the case of personal information, the GDPR also stipulates that only those required to process personal information should have access to personal records.
  3. Personnel who are found to be in breach of these security protocols, and thus in breach of the GDPR, will be subject to disciplinary action.

6. Manual vs Electronic Records

In terms of retention periods, it needs to be pointed out that the same retention period will apply for both electronic and manual information.

7. Conclusion

This data retention policy aims to achieve a good working balance between the retention of useful and meaningful information in line with the provisions of the relevant legislation and the disposal of information which is no longer required and is being archived unnecessarily. Data that needs to be destroyed after the noted timeframes will be disposed of in an efficient manner to ensure that such information will no longer be available within the MCA. Data Protection Controllers and Data Protection Officers are aware of the noted retention periods and will instruct all relevant personnel to follow the indicated procedures accordingly.

It is to be noted that anonymised or statistical data do not fall within the parameters of this data retention policy, since they do not constitute identifying personal data.



Cookies Policy


Cookies are small text files which are downloaded to your computer or mobile device when you visit a website or application. Your web browser (such as Internet Explorer, Mozilla Firefox, Safari or Google Chrome) then sends these cookies back to the website on each subsequent visit so that they can recognise you and remember things like personalised details or user preferences.

Cookies are very useful and do lots of different jobs, helping to make your experience on our website as enjoyable and useful as possible. They remember your preferences and generally improve your experience.

There are two different types of cookie:

Session Cookies: These only last for your online session and disappear from your computer or device when you close your browser.
Persistent Cookies: These stay on your computer or device after the browser has been closed and last for the period of time specified in the cookie. These persistent cookies are activated each time you visit the site where the cookie was generated.


When you use our website or mobile site, the following categories of cookies may be set on your device:

‘Strictly Necessary' Cookies
These cookies are essential because they help you to move around our websites and use features such as the Subscriptions page. Without these cookies the website simply would not work properly. These cookies do not gather information about you.

Functional Cookies
These cookies allow websites to remember choices you make (such as your user name and language preferences). They allow us to provide you with enhanced and more personal features. The information these cookies collect will not allow us to identify you personally.

Analytics Cookies
In order to keep our website and mobile site relevant, easy to use and up-to-date, we use web analytics services such as Google Analytics to help us understand how people use them. For example, we can see which parts of our websites are most popular and make sure we are constantly updating and improving our content. The information we collect is anonymous and only used for statistical purposes.

Embedded Content and Third Party Cookies
To help us deliver the best possible content, we sometimes use third party tools to embed photos and video content from websites such as YouTube, Facebook and Instagram. As a result, when you visit a page containing such content, you may be presented with cookies from these websites. We do not control the use of these cookies and cannot access them. You should check the third party websites for more information about these cookies.

Across our websites and mobile site you will also see embedded ‘share’ buttons. These enable you to easily share content with friends through a number of popular social networks. When you click on one of these buttons, a cookie may be set by the service you have chosen to share content through. Again, the MCA does not control these cookies and cannot access them.


Whenever you use our website and mobile site, information may be collected through the use of cookies and similar technologies.

We don’t sell the information collected by cookies, nor do we disclose the information to third parties, except where required by law (for example to government bodies and law enforcement agencies).

By using our website and mobile site you agree to our use of cookies as described in this Cookie Policy.