Skip to content

Privacy Policy

PRIVACY NOTICE

Information on the Processing of Personal Data for Applicants for International Protection
at the International Protection Agency

1. Introduction

When you submit an Application for International Protection to the International Protection Agency (“IPA”), you provide the IPA with personal data in your capacity as a data subject. This Privacy Notice explains:

  • Who is responsible for processing your personal data;
  • Why your personal data is collected and processed;
  • The legal bases that allow the process of your personal data;
  • How long your personal data is retained for;
  • With whom your personal data is shared;
  • Your rights under the General Data Protection Regulation (EU) 2016/679, hereunder ‘GDPR’, and your rights and obligations as an applicant for international protection under applicable EU and national asylum legislation:
         – Regulation(EU) 2024/1351 – Asylum and Migration Management Regulation
         – Regulation (EU) 2024/1356 – Screening Regulation
         – Regulation (EU) 2024/1358 – Eurodac Regulation (recast)
         – Regulation (EU) 2024/1348– Asylum Procedures Regulation 
         – Regulation (EU) 2024/1347– Qualification Regulation
         – Directive (EU) 2024/1346 – Reception Conditions Directive
         – International Protection Act Chapter 420 of the Laws of Malta

The IPA is committed to protecting your personal data and ensuring transparency in how it is processed.

2. Data Controller and Contact Details

International Protection Agency (IPA) – Data Controller

The IPA is the entity responsible for determining the purposes and means of processing your personal data. It is an Agency of the Government of Malta responsible for receiving, examining, and deciding on applications for international protection.

Data Protection Officer (DPO)

The DPO handles all queries related to this Privacy Notice and the protection of your personal data. Contact details:

Email: [email protected]  
Postal Address: Data Protection Officer International Protection Agency Fafner House, National Road, Ħamrun, Malta

3. Categories of Personal Data Processed

The IPA may process the following categories of data:

  • Identification Data: Name, surname, date/place of birth, nationality, gender, marital status, contact information.
  • Biometric Data: Fingerprints and facial image (collected in line with the Eurodac Regulation)
  • Travel and Identity-Related Information: Passports, ID cards, visas or travel documents, travel route, entry information, former residence.
  • Family Information: Details of family members, documents or statements establishing family links.
  • Information supporting your application: Your personal statements, interview records, written documentation or evidence you submit.
  • Health and Vulnerability Information: Processed only if required to evaluate special procedural guarantees, assess vulnerability (e.g., minors, medical needs), or ensure appropriate support.
  • Special Category Data: Personal data such as information concerning your health, ethnicity, religion or philosophical beliefs, political opinions, sexual orientation and your biometric data will be processed in the context of the asylum procedure. The processing of special data is conducted in the performance of a public task and to comply with legal obligations binding upon the IPA. The legal bases for processing are Article 6(1)(c), Article 6(1)(e) and Article 9(2)(g) of the GDPR. Processing is strictly limited to what is legally necessary for reasons of substantial public interest, to assess your eligibility for international protection, to conduct mandatory vulnerability and health checks and to verify your identity, as mandated by EU asylum law.

4. Purposes of Processing and Legal Bases

Your personal data is processed in accordance with the GDPR, EU asylum legislation and national law, for the following purposes:

Purposes of processing

Legal Basis

Registering your application for international protection.

Article 6(1)(c) GDPR; Article 27 and Article 28 of the Asylum Procedures Regulation (APR)

Identifying previous applications in other Member States and supporting security and identity checks by cross-referencing your biometric data against national identity, visa, and residency databases in coordination with the national identity registry, Identita Malta.

Article 6(1)(c) and Article 9(2)(g) GDPR; Articles 21, 22 of Regulation (EC) 2021/1134 on Visa Information Systems (VIS)

Determining the EU Member State responsible for examining your application for international protection.

Article 6(1)(c) GDPR; Chapter II of the Asylum Management Regulation

Assessing eligibility for refugee status or subsidiary protection status.

Articles 6(1)(c) and Article 9(2)(g) GDPR; Chapters III and IV of the Asylum Procedure Regulation; Article 4 of the Qualification Regulation

Assessing the merits of your application for international protection through the regular, accelerated or border procedure and issuing a decision on your application for international protection.

Article 6(1)(c) GDPR; Article 4 of the Asylum Procedures Regulation, Chapter II of the Asylum Procedures Regulation; Chapter II of the Qualification Regulation

Verifying your identity, nationality, travel route, and family links

Article 6(1)(c) GDPR; Article 17 of the Screening Regulation, Article 27 of the Asylum Procedures Regulation

Organising your transfer to another Member State is if it is determined that the other Member State is legally responsible for your application.

Article 6(1)(c) GDPR; Chapter V of the Asylum Management Regulation (AMMR)

Recording your personal statements of your personal interview and supporting documents to ensure thorough and factual reporting.

Article 6(1)(c) GDPR; Article 14 of the Asylum Procedures Regulation (APR);

Assessing the need for special procedural guarantees, through medical or vulnerability information, and where applicable, initiating the referral procedure in cooperation with the Agency for the Welfare of Asylum Seekers (AWAS).

Article 6(1)(c) GDPR; Articles 20-25 of the Asylum Procedures Regulation

Ensuring you have access to employment opportunities by connecting you to the public employment service, JobsPlus Malta.

Article 6(1)(c) GDPR; Article 17 of the Recast Reception Conditions Directive (EU) 2024/2346

Ensuring access to your right to an effective remedy, by disclosing your data to the International Protection Tribunal (IPAT), in case of an appeal procedure.

Article 6(1)(c) GDPR; Chapter V of the Asylum Procedures Regulation (APR);

Where strictly necessary and applicable for reasons of national security and public safety, your personal data may be shared with the competent Immigration Authorities, in accordance with national law.

Article 6(1)(e) GDPR; Immigration Act Cap.217 of the Laws of Malta

Maintaining accurate records for reporting and statistical obligations.

Article 6(1)(c) GDPR; Articles 9 and Article 10 of the Asylum and Migration Management Regulation

5. Applicable Provisions under GDPR

  • Article6(1)(c)– processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Article6(1)(e)– processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • Article 9(2)(g) – processing necessary for reasons of substantial public interest on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

6. Recipients of Personal Data

Your data may be shared with the following recipients, only when necessary and lawful:

1. Within the IPA

  • Authorised personnel who process your case
  • IT personnel responsible for secure systems maintenance

2. National Authorities
Your data will be shared with other National Authorities where applicable, as outlined under Section (4) of this Privacy Notice, in accordance with the GDPR’s fundamental principles of lawfulness, fairness, and data minimization: 

  • National Statistics Office (NSO)
  • Agency for the Welfare of Asylum Seekers (AWAS)
  • Jobs Plus
  • Identity Malta Agency
  • International Protection Appeals Tribunal
  • National Law Enforcement Authorities

3.  Other EU Member States
When necessary to determine responsibility for examining your application, and in compliance with obligations arising from Regulation 2024/1351 and to implement a return decision (AMMR/Dublin rules).

4. EU Information Systems
Eurodac and VIS database for fingerprints and facial images.

5. International Organisations
Only when requested from you and with appropriate safeguards (e.g., UNHCR, IOM).

Note: Your personal data is not transferred to third countries, except for international organisations operating within the EU framework and therefore are bound by GDPR. 

7. Retention Period

Your personal data is retained for 30 years starting from the date of the final decision or closure of your application, in accordance with the IPA’s Policy on the Retention of Documentation. 

This retention period is required for the International Protection Agency to continue fulfilling its legal obligations under the Asylum Procedures Regulation, the Asylum and Migration Management Regulation, the Qualification Regulation and subsequent legislation and other applicable legal bases such as, public task or official authority and legitimate interest, aligned with the requirements of the General Data Protection Regulation (EU) 2016/679.

8. Your Statutory Obligations

The collection and processing of your personal and biometric data is based on a statutory obligation.  Under the EU Pact on Asylum and Migration, you are legally obliged to cooperate with the competent authorities, as an applicant for international protection.  This means that the processing of your data is not based on your consent, but on a legal duty. Please be informed that failure to cooperate, provide the information requested or to submit to biometric collection may result in the discontinuation of your application, to the presumption of withdrawal of your application,  and/or, where applicable, to administrative sanctions in accordance with Immigration Law, namely the Immigration Act, Part IV of Chapter 217 of the Laws of Malta.

9. Your Rights as a Data Subject

Under the GDPR, you have the right to access your data and request the rectification of inaccurate personal information, and where applicable, restrict the processing of your personal data. You can contact the DPO to exercise your right to access, rectify, restrict, in compliance with applicable laws.

Please note that since processing is based on a legal obligation, the right to erasure (“right to be forgotten”), the right to restrict and the right to object are strictly limited during the period in which your application is being legally processed, in accordance with Article 23 GDPR.

10. How to Exercise Your Rights

To exercise your rights, you can submit a request regarding your personal data, by contacting: Data Protection Officer International Protection Agency Fafner House, National Road Ħamrun, Malta. Contact details as per point 2 of this Privacy Notice.

If you believe your data protection rights have been infringed, you may lodge a complaint with:

  • The Data Protection Officer of the International Protection Agency, or
  • Information and Data Protection Commissioner (IDPC), Malta, or
  • The supervisory authority of your country of residence or workplace.

11. Final Note

Your personal data is processed securely, confidentially, and exclusively for lawful purposes linked to your application for international protection. The IPA takes all necessary measures to protect your rights and ensure your data is handled in accordance with GDPR and EU asylum law.

Any updates to this privacy notice will be published on the IPA website at https://ipa.gov.mt/. The updated version will supersede all previous versions.