DiHubMT Logo - Digital Innovation Hub in Malta

Data Retention Policy

Table of Contents

1. Introduction

Malta Digital Innovation Authority (‘MDIA’) is established by virtue of the Malta Digital Innovation Authority Act, Chapter 591 to seek the development of  the  innovative technology sector in Malta through proper recognition and regulation of relevant innovative technology arrangements and related services.

The MDIA has been entrusted to lead and set up a single EDIH in Malta titled the ‘Malta-EDIH’.

The purpose of this Data Retention Policy is to explain the legal requirement for MDIA to retain Personal Data in all its endeavours, usually for a specified amount of time and to dispose of such data. This Policy also provides guidance on appropriate data handling and disposal.

It is of vital importance that this Data Retention Policy is read in conjunction with the Data Privacy Policy of MDIA which is available at https://www.mdia.gov.mt/privacy-policy/.

2. Retention Period

Following a data landscaping exercise by MDIA to understand precisely what Personal Data it retains, MDIA listed such Personal Data in its Data Protection Policy available in the above-mentioned link.

MDIA shall not retain any Personal Data for any longer than is necessary in light of the purpose/s for which that data is collected, held and processed, subject to statutory periods of limitation.

When establishing the below retention periods, MDIA took into consideration, the objectives and requirements of its business, the type of Personal Data in question, the purpose and legal basis for which the Personal Data is collected, held and processed, as well as the category of Data Subjects.

Personal Information  
MDIA Employees Personal Files10 yearsBoth
Application forms for calls for positions10 yearsBoth
CVs10 yearsBoth
Attendance Sheets10 yearsBoth
Vacation Leave Application Forms10 yearsBoth
Yearly Leave Balances10 yearsBoth
Sick Leave Certificates / Records10 yearsBoth
Medical History10 yearsBoth
Disciplinary Records10 yearsBoth
Disciplinary Charges10 yearsBoth
Financial Information   
Tax and National Insurance Records10 yearsBoth
Accounting Records10 yearsBoth
Annual Financial Statements10 yearsBoth
Details of Applicants’ Financial Data, including bank account details, VAT numbers3 yearsBoth
Funding Programmes / Applications  
Documentation relating to applications3 years from termination of programmeBoth
Minutes of Meetings10 yearsBoth

Routine footage is deleted after 15 days;

If requested to retain specific footage due to ongoing legal proceedings, footage will be retained for a period of one (1) year or for any such period as requested by the MDIA requesting the footage.

User Profile Information10 years after Date of Profile DeletionElectronic
Account Creation Information10 years after Date of Profile DeletionElectronic
Membership Records10 years after Date of Profile DeletionElectronic
Event/Organization Records10 yearsnBoth


Notwithstanding the above defined retention periods, certain Personal Data may be deleted or otherwise disposed of prior to the expiry of its defined retention period where a decision is made within MDIA to do so, whether in response to a request by a Data Subject as mentioned in the Data Protection Policy of MDIA, or otherwise.

On the other hand, in special circumstances, such as, in cases where the Personal Data is relevant to current or contemplated litigation, government or regulatory investigation or audit, that Personal Data must be retained until the Data Protection Officer determines that that Personal Data is no longer required.

MDIA also ensures that it conducts periodical reviews of the Personal Data retained.

If Personal Data is not listed in the above table, it is likely that it should be classified as disposable information. Disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a formal or official record.

Examples include duplicates of originals that have not been annotated, preliminary drafts of letters, reports, worksheets and informal notes that do not represent significant steps or decisions in the preparation of an official record, materials obtained for reference purposes, spam and junk mail.

Nonetheless, if a Data Subject considers that there is an omission in the above table, or would like to request further clarifications, please do contact the Data Protection Officer whose details are indicated below as well as in the Data Protection Policy of MDIA.

3. Storage and Back-up

The organisation will ensure that all Personal Data of Data Subjects is securely retained and stored.

With respect to hard or manual Personal Data, these are stored in locked cabinets and overnight, in locked premises as well. Personal Data stored electronically, will be subject to access controls and passwords. Where necessary, encryption software shall be used. All Personal Data, whether hard documents or electronically, are backed up and maintained off site.

For further details in relation to information technology security, kindly request for the IT Security Policy of MDIA.

4. Disposal of Personal Data

The destruction of Personal Data which is in hard documentation shall be conducted by shredding, where possible. On the other hand, the destruction of electronic Personal Data shall be deleted entirely from the computer and any other software, application or programme used by MDIA and where necessary, with the co-ordination of experts in the sector of information technology.

5. Breach Reporting

In the case of Personal Data breaches, MDIA shall upon its knowledge of this breach, inform immediately its Data Protection Officer whose details are further mentioned below, who will then take the necessary actions, where this would be required by law. Nonetheless, should a Data Subject feel that anyone could have breached this Data Retention Policy as well as the Data Protection Policy, this should be reported to the Data Protection Officer of MDIA whose details are mentioned below.

6. Data Protection Officer

MDIA has appointed a Data Protection Officer who can help Data Subjects with any questions that they may have about this Privacy Policy or any other related document, including any requests to exercise their legal rights. The contact details of the Data Protection Officer are the following:

  • Address: MDIA, Twenty20, Business Centre, Triq l-Intornjatur, Zone 3, Central Business District, Birkirkara, CBD 3050, Malta.
  • Email address: [email protected]

7. Conclusion

MDIA strives to conduct frequent audits and allocate appropriate resources to ensure that Personal Data of Data Subjects is being protected at all times in accordance with the legal requirements and in line with this Data Retention Policy. This version was last updated on 23rd October, 2023.

8. Disclaimer

The MDIA makes every effort to maintain the accuracy of the information that is published on its websites but accepts no responsibility and expressly excludes liability for any direct, indirect or consequential loss or damage which may arise from the usage of, and/or reliance on, such information.