
Our Privacy Policy

The Planning Authority (PA), as a data controller, understands the importance of your personal data and of your right to privacy. The purpose of this statement is to reassure you that, as a legal person or Entity, we are committed to keeping your personal data as safe as possible. We invite you to read on and be informed about the types of personal data we collect, when we collect it, why we do so, what we do with it – including who we may have to share it with and why – and how long we keep it for and why. Throughout this statement, when we make use of the word ‘services’, we take this to also include, but not be limited to, complementary services such as our customer care unit, our website and any other means that assist or improve your experience and ease of access to information.

Duties of disclosure upon collection of personal data from the data subject are fulfilled in accordance with the general provisions of the EU General Data Protection Regulation (GDPR).

With the following information, we would like to give you an overview of how we will process your data and of your rights according to data privacy laws. The details on what data will be processed and which method will be used depend significantly on the services applied for or agreed upon.

  1. Who Is the Data Protection Officer and How Can You Contact Them?

The Planning Authority’s Data Protection Officer is:

Mr Ivor Robinich FIEMA
Office: The Office of the Internal Auditor & Data Protection
Planning Authority,
St Francis Ravelin,
Floriana, FRN 1230

  2. What Sources and Data Do We Use?

We process personal data that we obtain from our service recipients in the context of our service provider–service recipient relationship. We also process, insofar as necessary to provide our service, personal data that we obtain from publicly accessible sources (e.g., press, internet).

Relevant data is personal information (e.g., name, address and other contact details, date and place of birth, and nationality), identification data (e.g., ID card details), photos/images and authentication data (e.g., sample signature). Furthermore, this can also be registration data such as username, password; tracking data such as an IP address or financial information including billing, such as credit card information, and audit trail of accessibility or extraction of data from our services where applicable.

  3. What Do We Process Your Data for (Purpose of Processing) and On What Legal Basis?

Your data is processed in order to provide our services in the context of carrying out our contractual obligations with our service recipients or in that of carrying out pre-contractual measures that occur as part of a request. The purposes of data processing are primarily in compliance with statutory, administrative and procedural needs.

In addition, we also obtain personal data from publicly available sources.

A) Where you have granted us consent to process your personal data for certain purposes, this processing is based on your consent. Consent given can be withdrawn at any time. This also applies to withdrawing declarations of consent that were given to us before the GDPR came into force, i.e., before May 25, 2018. Withdrawal of consent does not affect the legality of data processed prior to withdrawal.

B) As a public authority, we are subject to various legal obligations and must abide by statutory provisions. Occasionally, we may receive requests from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, or to establish, exercise or defend legal rights. We will only fulfil requests for personal data where we are permitted to do so in accordance with applicable law or regulation.

  4. Who Receives Your Data?

Regarding transferring data to recipients outside our authority, it is to be noted first that, as a public authority, we are obliged to be discreet regarding all service recipient-related matters of which we acquire knowledge (confidentiality pursuant to our general terms and conditions). We may pass on information about you only if legal provisions demand it, if it is necessary to protect the vital interests of service recipients or other individuals, in the fulfilment of a task carried out in the public interest or in the exercise of public authority, if you have given your consent, or following a court order or investigation by entities who have the power of investigation under Maltese law.

Within the authority, every unit that requires your data to fulfil our contractual and legal obligations will have access to it. Service providers and vicarious agents appointed by the PA can also receive access to data for the purposes given only, and in accordance with our specific instructions. They are required to take appropriate security measures to protect your personal information in line with our policies and statutory regulations. These are companies in the categories of IT services, logistics, telecommunications, collection, advice, consulting and similar services.

  5. For How Long Will Your Data Be Stored?

We will process and store your personal data for as long as it is necessary in order to fulfil our contractual and statutory obligations. If the data is no longer required, it will be deleted.

  6. What Data Privacy Rights Do You Have?

Every data subject has:

  • the right to access according to Article 15 of the GDPR,
  • the right to rectification according to Article 16 of the GDPR,
  • the right to erasure according to Article 17 of the GDPR,
  • the right to restrict processing according to Article 18 of the GDPR,
  • the right to object according to Article 21 of the GDPR, and if applicable –
  • the right to data portability according to Article 20 of the GDPR.

Furthermore, if applicable to you, there is also a right to lodge a complaint with an appropriate data privacy regulatory authority.

You can withdraw consent granted to us for the processing of personal data at any time for reasons mentioned above. This also applies to withdrawing declarations of consent that were made to us before the GDPR came into force, i.e., before May 25, 2018.

Please note that the withdrawal only applies to the future. Processing that was carried out before the withdrawal is not affected by it.

  7. Are You Obliged to Provide Data?

In the context of our service provider–service recipient relationship, you must provide all personal data that is required for accepting and carrying out this relationship and fulfilling the accompanying contractual obligations or that we are legally obliged to collect. Without this data, we are, in principle, not in a position to close or execute a contract with you or provide you with the service you require.

  8. Individual Right of Objection

On grounds relating to your situation, you shall have the right of objection, at any time, to processing and profiling of your personal data which is based on data processing in the public interest and data processing based on balancing interests.

If you submit an objection, we will no longer process your personal data unless we can give evidence of mandatory, legitimate reasons for processing, which outweigh your interests, rights, and freedoms, or processing serves the enforcement, exercise, or defence of interests. Please note that in such cases we will not be able to provide services and maintain a service provider–service recipient relationship.

  9. Right of Objection to Processing for Statistical Purpose

On grounds relating to your situation, you shall have the right of objection, at any time, to processing of your personal data. If you submit an objection, we will no longer process your personal data unless we can give evidence that processing is necessary for the performance of a task carried out for the reasons of public interest, or other as a cause of investigation for wrongdoing under Maltese law.

The objection does not need to be made in a particular form and should ideally be addressed to the Data Protection Officer.


Please Note:

If there are any changes to this privacy policy, we will replace this page with an updated version. It is therefore in your own interest to check this policy any time you access our website to be aware of any changes which may occur from time to time.


Privacy Notice for COVID-19 – Events.

This Privacy Statement serves as an addendum to the statement available on this website. It explains how and why the Planning Authority (PA) as a controller collects and processes your personal data specifically in relation to the COVID-19 (coronavirus) pandemic. Updates to processing activities at the PA events are meant to protect participants and the wider public from exposure to COVID-19. If you choose to attend a PA event, we will ask you for specific personal data that you would not normally supply and have not previously supplied to the PA. The provision of this information will help us manage the prevention of COVID-19 at such events and so support a safe return to such occasions. The information that we will process about you in response to COVID-19 will be no more than is necessary to determine whether you may have increased your immunity, been exposed to or may be suffering from COVID-19.

The PA may issue lawful, fair and transparent terms and conditions of participation according to exigencies and protocols set in place by the Health Authorities, which may change from time to time. The types of personal data that we may process include, but are not limited to:

1. Prior to your participation in an event,

You will be required to complete a Participant Declaration. If you do not agree to or fail to complete the Participant Declaration, you will not be permitted to attend. The Participant Declaration may capture the following personal data:

  1. Your full name and signature.
  2. Your email address and telephone number.
  3. The event that you are participating in.
  4. Your vaccination certificate.
  5. A negative COVID-19 test.

2. At the Event,

You will be asked whether you are presenting any symptoms of COVID-19. You may be subjected to non-invasive thermal scanning. Your responses will not be recorded. However, if you are experiencing any COVID-19 symptoms you may not be permitted entry.

3. During an Event,

You may be identified as a close contact of a person who has tested positive for COVID-19. If you are deemed a close contact, your personal information, including your limited health information, may be processed for the PA and/or the health authorities to conduct appropriate contact tracing.

4. Post Event,

You may be contacted after an event if it transpires that you have been identified as a close contact of a person who has tested positive for COVID-19. You are also expected to contact the PA and/or the health authorities if you start presenting symptoms in the 14 days after an event. If the PA becomes aware that you may have been exposed to COVID-19 at an event, the PA may use your personal data for contact tracing purposes, e.g., to contact you and advise you to seek medical assessment, or otherwise to advise others that they have been identified as your close contact and that they might need to seek medical assessment. The PA will only keep your personal data for as long as is necessary to manage the risk of COVID-19, and in any event no longer than necessary.