Skip to content

Data Retention Policy

1. Introduction

Malta Digital Innovation Authority (‘MDIA’) is established by virtue of the Malta Digital Innovation Authority Act, Chapter 591 to seek the development of  the  innovative technology sector in Malta through proper recognition and regulation of relevant innovative technology arrangements and related services.

The purpose of this Data Retention Policy is to explain the legal requirement for MDIA to retain Personal Data, usually for a specified amount of time and to dispose of such data. This Policy also provides guidance on appropriate data handling and disposal.

It is of vital importance that this Data Retention Policy is read in conjunction with the Data Privacy Policy of MDIA which is available at https://www.mdia.gov.mt/privacy-policy/ 

2. Retention Period

Following a data landscaping exercise by MDIA to understand precisely what Personal Data it retains, MDIA listed such Personal Data in its Data Protection Policy available in the above-mentioned link.

MDIA shall not retain any Personal Data for any longer than is necessary in light of the purpose/s for which that data is collected, held and processed, subject to statutory periods of limitation.

When establishing the below retention periods, MDIA took into consideration the objectives and requirements of its business, the type of Personal Data in question, the purpose and legal basis for which the Personal Data is collected, held and processed, as well as the category of Data Subjects.

CATEGORY OF DATARETENTION PERIODMANUAL / ELECTRONIC
Personal Information  
MDIA Employees Personal Files10 yearsBoth
Application forms for calls for positions10 yearsBoth
CVs10 yearsBoth
Attendance Sheets10 yearsBoth
Vacation Leave Application Forms10 yearsBoth
Yearly Leave Balances10 yearsBoth
Sick Leave Certificates / Records10 yearsBoth
Medical History10 yearsBoth
Disciplinary Records10 yearsBoth
Disciplinary Charges10 yearsBoth
Financial Information  
Tax and National Insurance Records10 yearsBoth
Accounting Records10 yearsBoth
Annual Financial Statements10 yearsBoth
Details of Applicants’ Financial Data, including bank account details and VAT numbers3 yearsBoth
Funding Programmes / Applications  
Documentation relating to applications3 years from termination of programmeBoth
Other  
Minutes of Meetings10 yearsBoth
CCTVRoutine footage is deleted after 15 days. If MDIA is requested to retain specific footage due to ongoing legal proceedings, footage will be retained for a period of one (1) year or for any such period as requested by the MDIA requesting the footage.Electronic

Notwithstanding the above defined retention periods, certain Personal Data may be deleted or otherwise disposed of prior to the expiry of its defined retention period where a decision is made within MDIA to do so, whether in response to a request by a Data Subject as mentioned in the Data Protection Policy of MDIA, or otherwise.

On the other hand, in special circumstances, such as, in cases where the Personal Data is relevant to current or contemplated litigation, Government or regulatory investigation or audit, that Personal Data must be retained until the Data Protection Officer determines that that Personal Data is no longer required.

MDIA also ensures that it conducts periodical reviews of the Personal Data retained.

If Personal Data is not listed in the above table, it is likely that it should be classified as disposable information. Disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a formal or official record.

Examples include duplicates of originals that have not been annotated, preliminary drafts of letters, reports, worksheets and informal notes that do not represent significant steps or decisions in the preparation of an official record, materials obtained for reference purposes, spam and junk mail.

Nonetheless, if a Data Subject considers that there is an omission in the above table, or would like to request further clarifications, please contact the Data Protection Officer whose details are indicated below as well as in the MDIA's Data Protection Policy.

3. Storage and Back-up

The organisation will ensure that all Personal Data of Data Subjects is securely retained and stored.

With respect to hard or manual Personal Data, these are stored in locked cabinets and overnight, in locked premises as well. Personal Data stored electronically, will be subject to access controls and passwords. Where necessary, encryption software shall be used. All Personal Data, whether hard documents or electronically, are backed up and maintained off site.

For further details in relation to information technology security, kindly request the MDIA's IT Security Policy.

4. Disposal of Personal Data

The destruction of Personal Data which is in hard documentation shall be conducted by shredding, where possible. On the other hand, the destruction of electronic Personal Data shall be deleted entirely from the computer and any other software, application or program used by MDIA and where necessary, with the co-ordination of experts in the sector of information technology.

5. Breach Reporting

In the case of Personal Data breaches, MDIA shall upon its knowledge of this breach, inform immediately its Data Protection Officer whose details are further mentioned below, who will then take the necessary actions, where this would be required by law. Nonetheless, should a Data Subject feel that anyone could have breached this Data Retention Policy as well as the Data Protection Policy, this should be reported to MDIA’s Data Protection Officer whose details can be found below.

6. Data Protection Officer

MDIA has appointed a Data Protection Officer who can help Data Subjects with any questions that they may have about this Privacy Policy or any other related document, including any requests to exercise their legal rights. The contact details of the Data Protection Officer are the following:

  • Address: MDIA, Twenty20, Business Centre, Triq l-Intornjatur, Zone 3, Central Business District, Birkirkara, CBD 3050, Malta.
  • Email address[email protected]

7. Conclusion

MDIA strives to conduct frequent audits and allocate appropriate resources to ensure that Personal Data of Data Subjects is being protected at all times in accordance with the legal requirements and in line with this Data Retention Policy. This version was last updated on 29th November 2022.

8. Disclaimer

The MDIA makes every effort to maintain the accuracy of the information that is published on its website but accepts no responsibility and expressly excludes liability for any direct, indirect or consequential loss or damage which may arise from the usage of, and/or reliance on, such information.

#MDIATalent

Connect your digital talent with Malta’s thriving innovation scene through MDIATalent.

MDIATalent supports the growth of Malta’s digital innovation sector by connecting skilled individuals with relevant opportunities with MDIA.