Navigate Up
Sign In

Data Retention Policy


1.           This Policy is aimed at regulating the retention, maintenance and disposal of documentation, both personal and other, within the Office of the Regulator, IIP (ORiip), as provided for in the Malta Citizenship Act, Cap 188, and in accordance with the principles of data protection legislation, and other legal provisions in Maltese Law.




2.           The General Data Protection Regulation (GDPR) puts forward the principle that personal data and sensitive personal data should not be retained for periods that are longer than necessary. In this context, the ORiip will be putting forward a retention policy for all data and documentation that it collects and processes, with the purpose of ensuring compliance to the Regulation and to ensure that no resources are utilised in the processing and archiving of data which is no longer of relevance. 





3.           This policy aims to achieve the following objectives:


i)       Regulate the retention of and disposal of the various types of documentation whether held in manual or automated filing systems within the ORiip, while adhering to the Data Protection principle that personal data should not be retained for a longer period than necessary;


ii)     Dispose of unnecessary documentation that is no longer relevant and is taking up useful storage space;


iii)   Promote the digitisation of documentation as may be reasonably possible in order to minimize the use of storage space required to store documentation, as well as to promote a sustainable use of paper and printing consumables.




4.           Documentation is held and recorded separately by the two Sections forming the ORiip, namely the Administration Section and the IIP Monitoring Section. This Policy is therefore applicable to all such documentation. It will be the responsibility of the relevant afore-mentioned Sections and ORiip’s Data Controller, Mr Carmel De Gabriele, to ensure that all provisions of this Policy are adhered to.





5.           As part of its operating requirements the ORiip requests, keeps and maintains a wide range of documentation including personal data. The various types of documentation utilised by ORiip may be categorised as follows:


i)                 Personal Data of ORiip’s staff members;


ii)               Attendance and absence records;


iii)            Discipline related records;


iv)             Financial records including payslips, tax and national insurance contributions, procurement documentation, etc.;


v)               Medical records;


vi)             Vetted IIP Application Records;


vii)           IIP Complaints;


viii)        General Correspondence (Manual and/or Electronic formats) 



It should be  noted that removing the identification details in any record, rendering it anonymous, would be deemed as physically deleted for the purpose of the GDPR and could be retained indefinitely for future processing.





6.           Documentation is maintained in an accessible but secure location with adequate access provided to officials who have the clearance level to access the relevant documentation.  In the case of documents with sensitive personal data with higher clearance levels, access control protocols are fully adhered to, to ensure that only those that have the required security clearance have access to such documentation. 


7.           In the case of personal data, the GDPR also stipulates that only those required to process personal data should have access to personal records. 


8.           Personnel who are found to be in breach of these security protocols, and thus in breach of the GDPR, will be subject to disciplinary action.





9.           In terms of retention periods it needs to be pointed out that the same retention period applies for both electronic and manual data. 





10.         Retention of different categories of documents is governed by different requirements and different                  l​egislation and regulations.


 The following schedule outlines the retention requirements for the various categories of documentation within the ORiip:




Retention Period



HR Documentation  

As per HR Retention Policy



Financial Documentation


Tax and National Insurance Records

Five (5) years

Procurement Records

Ten (10) years

Accounting Records

Ten (10) years

Yearly Financial Statements

Five (5) years



IIP-related Records and relative documentation


Reports and other personal records in connection with vetted IIP Applications

Within one week from the date when any related issues are satisfactorily clarified and/or addressed (normally no personal data is recorded during vetting sessions.  However, in exceptional circumstances – i.e. in extremely rare occasions – such details might need to be recorded in order to verify the eligibility or otherwise of the applicant in question.)

Complaints et simile including ad hoccorrespondence

Within five years from the date of last action taken or correspondence exchanged (whichever is latest) on the complaint in question.  This does not apply in the case of pending complaints which shall be retained until a formal decision is taken in their regard by the IIP Regulator. After the lapse of the said five years, a copy of the conclusions and decision reached by the Regulator (IIP), shorn of any personal data that may lead to the identification of the complainant and/or of any third parties that might have been involved, will, however, be kept on record for posterity’s sake.

General Correspondence

Within two years from the date of last action taken or correspondence exchanged (whichever is latest) on the subject being addressed.





 This retention policy aims to achieve a good working balance between the retention of useful and meaningful information in line with the provisions of the relevant legislation and the disposal of data which is no longer required and is being archived unnecessarily. Data that needs to be destroyed after the noted timeframes will be disposed of in an efficient manner to ensure that such information will no longer be available within the ORiip. Data Protection Controllers, Heads, and DPOs are aware of the noted retention periods and will instruct all relevant personnel to follow the indicated procedures accordingly.  


 It is to be noted that anonymous or statistical data do not fall within the parameters of this Retention Policy, since they do not constitute identifying personal data.

Contact Information:

 Contact Name 
The Office of the Regulator, Individual Investor Programme
2nd Floor, Evans Building,
Merchants Street,

+356 25689381​