The General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act (Cap 586) regulate the processing of personal data whether held electronically or in manual form. The Occupational Health and Safety Authority (OHSA) is set to fully comply with the Data Protection Principles as set out in such data protection legislation.

Purposes for collecting data

OHSA collects and processes information to carry out its legal obligations in terms of the prevailing legislation.  All data collected is processed in compliance with Data Protection Legislation and the Electronic Communications Networks and Services (General) Regulations, S.L. 399.28.

Recipients of data

Personal Information is only accessed by OHSA personnel who are assigned to carry out the functions of the Authority in line with its duties prescribed at law.  As a general rule Personal Data is not divulged however there may be exceptions when such data may be processed in those cases but only as authorised by law.

Your rights

Any person shall be entitled to know, free of charge, what type of information OHSA holds and processes about you and why, who has access to it, how it is held and kept up to date, for how long it is kept, and what OHSA is doing to comply with data protection legislation.

The GDPR establishes a formal procedure in instances when dealing with data subject access requests.  All data subjects have the right to access any personal information kept in their regard by OHSA, whether such data exists electronically or in manual files. Requests for access to personal information by data subjects are to be made in writing and sent to the Data Controller at OHSA.  Your identification details such as ID number, name and surname must be submitted with the request for access. For verification purposes, you may be required to present an identification document.

OHSA aims to comply with requests for access to personal information expediently and will strive to provide the requested information within a reasonable timeframe and in any case not later than one month from receipt of request, unless there is good reason for delay. When a request for access cannot be met within this time, the reason will be explained in writing to the data subject making the request.  Should there be any data breaches, the data subject will be informed accordingly.

In terms of law Data subjects shall retain the right to request that their information is amended, erased or not used in the event the data results to be incorrect. In case that a person may not be satisfied with the outcome of one’s access request, a complaint to the Information and Data Protection Commissioner may be referred.

The Data Controller’s Contact Details:

OHSA’s Chief Executive Officer as the Data Controller of the Authority, may be contacted at:

Occupational Health and Safety Authority
17, Edgar Ferro Street, Pietà

Telephone: (+356) 21 247677      


Retention of External Documentation

1. Scope

The General Data Protection Regulation (GDPR) (EU) 2016/679 and the Data Protection Act (DPA), Cap. 586 of the Laws of Malta set forward the principle that personal data and sensitive personal data should not be retained for periods that are longer than necessary. In this context, the Occupational Health and Safety (OHSA) has drawn up a retention policy for all external documentation that it collects and processes, with the purpose of ensuring compliance and to ensure that no resources are utilised in the processing and archiving of data which is no longer of relevance.

This policy is aimed at regulating the retention, maintenance and disposal of external documentation in accordance with the principles of data protection legislation, and other legal provisions in Maltese Law.

2. Objectives

This policy aims to achieve the following objectives:

  1. Regulate the retention of and disposal of the various types of documentation whether held in manual or automated filing systems within OHSA, while adhering to the data protection principle that personal data should not be retained for a longer period than necessary.
  2. Dispose of unnecessary documentation that is no longer relevant and is taking up useful storage space.
  3. Promote the digitisation of documentation as may be reasonably possible in order to minimize the use of storage space required to store documentation, as well as to promote a sustainable use of paper and printing consumables.

3. Administration

Documentation is held and recorded by OHSA. This policy is therefore applicable to all such documentation. It will be the responsibility of the Chief Executive Officer and the Authority’s Data Controller to ensure that all provisions of this policy are adhered to.

4. Documentation held within the OHSA and their Retention Period

As part of its operating requirements OHSA, requests, keeps and maintains a wide range of documentation including personal information. The retention of different categories of documents is governed by different requirements and different legislation and regulations and may be categorised as follows:

Retention of documents and Affairs:

  • Documentation in relation to investigations, inspections, enquiries and complaints: 7 years
  • All Asbestos Related records 50 years

EU funded projects:

  • Documentation in relation to EU funded projects: 10 years

Financial Documentation:

  • Tax and National Insurance Records: 10 years
  • Procurement Records: 10 years
  • Accounting Records: 10 years
  • Inventory Records: 10 years
  • Yearly Financial Statements: 10 years


  • Documentation in relation to all forms of litigation including arbitration: 7 years from final judgement (includes Court of Appeal were applicable)


  • Documentation in relation to the recruitment process i.e. published calls for posts, application forms/letters, CV of chosen applicant, related correspondence, attendance at interviews, publication of results etc.: 1 year from publication of call for post.
  • Documentation related to CVs of persons who applied for a post but were not chosen. OHSA shall request such applicants if they would like to grant their consent to the Authority to keep their CVs in case of any future similar posts: 1 year from end of recruitment process. 
  • Jobsplus report: 5 years from end of recruitment process. 
  • Application Forms for the filling of positions co-financed from EU Funds: 8 years from end of recruitment process. 


  • Visitors Log: 1 year
  • Affidavits: 5 years

5. Security of Documentation

  1. Documentation is maintained in an accessible but secure location with adequate access provided to OHSA officials who have the clearance level to access the relevant documentation. In the case of documents with sensitive personal data with higher clearance levels, access control protocols are fully adhered to, to ensure that only those that have the required security clearance have access to such documentation.
  2. In the case of personal information, the GDPR also stipulates that only those required to process personal information should have access to personal records.
  3. Personnel who are found to be in breach of these security protocols, and thus in breach of the GDPR, will be subject to disciplinary action.

6. Manual vs Electronic Records

In terms of retention periods, it needs to be pointed out that the same retention period will apply for both electronic and manual information.

7. Conclusion

This data retention policy aims to achieve a good working balance between the retention of useful and meaningful information in line with the provisions of the relevant legislation and the disposal of information which is no longer required and is being archived unnecessarily. Data that needs to be destroyed after the noted timeframes will be disposed of in an efficient manner to ensure that such information will no longer be available within OHSA. Data Protection Controllers and Data Protection Officers are aware of the noted retention periods and will instruct all relevant personnel to follow the indicated procedures accordingly.

It is to be noted that anonymised or statistical data do not fall within the parameters of this data retention policy, since they do not constitute identifying personal data.

OHSA, 2022