Data Retention Policy


1.           This Policy is aimed at regulating the retention, maintenance and disposal of documentation, both personal and other, within the Office of the Regulator, Granting of Citizenship for Excptional Services (OR-GCES), as provided for in the Maltese Citizenship Act, Cap 188, in accordance with the principles of Data Protection Legislation, and the National Archives Act, Cap 477, and other legal provisions in Maltese Law.




2.           The General Data Protection Regulation (GDPR) puts forward the principle that personal data and sensitive personal data should not be retained for periods that are longer than necessary, whereas the National Archives Act puts forward the principle that records of historical value are retained. In this context, the OR-GCES will be putting forward a retention policy for all data and documentation that it collects and processes, with the purpose of ensuring compliance to the GDPR and the National Archives Act





3.           This policy aims to achieve the following objectives:


a)       Regulate the retention of and disposal of the various types of documentation whether held in manual or automated filing systems within the OR-GCES, while adhering to the Data Protection principle that personal data should not be retained for a longer period than necessary;


b)           Make sure that records of enduring historical value are retained for posterity;  

c)    Dispose of unnecessary documentation that is no longer relevant and is taking up useful storage space, whilst ensuring that important (anonymous) documention is stored safely for future reference;


d)      Promote the digitisation of documentation as may be reasonably possible in order to minimize the use of storage space required to store documentation, as well as to promote a sustainable use of paper and printing consumables.




4.           Documentation is held and recorded by the two Units forming the OR-GCES, namely the Administration Unit and the GCES Monitoring and Vetting Unit. This Policy is therefore applicable to all such documentation. It will be the responsibility of the relevant afore-mentioned Units and OR-GCES’s Data Controller, Mr Carmel L. De Gabriele, to ensure that all provisions of this Policy are adhered to.





5.           As part of its operating requirements the OR-GCES requests, keeps and maintains a range of documentation including personal data. The various types of documentation utilised by OR-GCES may be categorised as follows:


a)                 Personal Data of OR-GCES’s staff members;


b)               Attendance and absence records;


c)               Discipline related records;


d)              Financial records and procurement documentation;


e)               Medical records;


f)             Vetted IIP and GCES Applications Records;


g)           IIP and GCES Complaints;


h)        Correspondence (Manual and/or Electronic formats) 



It should be  noted that removing the identification details in any record, rendering it anonymous, would be deemed as physically deleted for the purpose of the GDPR and could be retained indefinitely for future processing.





6.           Documentation is maintained in an accessible but secure location with adequate access provided to officials who have the clearance level to access the relevant documentation.  In the case of documents with sensitive personal data with higher clearance levels, access control protocols are fully adhered to, to ensure that only those that have the required security clearance have access to such documentation. 


7.           In the case of personal data, the GDPR also stipulates that only those required to process personal data should have access to personal records. 


8.           Personnel who are found to be in breach of these security protocols, and thus in breach of the GDPR, will be subject to disciplinary action.





9.           In terms of retention periods it needs to be pointed out that the same retention period applies for both electronic and manual data. 





10.         Retention of different categories of documents is governed by different requirements and different                  l​egislation and regulations.


 The following schedule outlines the retention requirements for the various categories of documentation within the OR-GCES:




Retention Period



HR Documentation  

As per HR Retention Policy



Financial Documentation


Tax and National Insurance Records

Twenty (20) years

Accounting Records

Ten (10) years

Yearly Financial Statements

Five (5) years

IIP-related and GCES-related Records and relative documentation


Reports of vetted IIP and GCES Applications

The report of each vetted IIP and GCES application is recorded on specific templates designed by this office.  Since the reports do not include personal data, these documents will be kept for an indefinite period.  

Reports of vetted IIP and GCES Applications that include personal records

Within one week from the date when any related issues are satisfactorily clarified and/or addressed.  Normally no personal data is recorded during vetting sessions  however, in exceptional circumstances – i.e. in extremely rare occasions – such details might need to be recorded in order to verify the eligibility or otherwise of the applicant in question.

Complaints et simile including ad hoc correspondence

Within ten years from the date of last action taken or correspondence exchanged (whichever is latest) on the complaint in question.  This does not apply in the case of pending complaints which shall be retained until a formal decision is taken in their regard by the Regulator GCES. 

After the lapse of the said ten years, a copy of the conclusions and decision reached by the Regulator (GCES), shorn of any personal data that may lead to the identification of the complainant and/or of any third parties that might have been involved, will, however, be kept on record.

General Correspondence

Within five years from the date of last action taken or correspondence exchanged (whichever is latest) on the subject being addressed.

​Annual Report The Annual Reports issued by the Office of the Regulator (GCES) in terms of the Maltese Citizenship Act (Cap 188) will be kept for an indefinite period.  The Annual Reports do not include personal data.​
​Special Reports Reports that are drawn up in specific circumstances or upon specific requests will be kept for an indefinate period.  This retention period also applies for any records related to the Minutes of Meetings held with internal and / or external stakeholders.​



 This retention policy aims to achieve a good working balance between the retention of useful and meaningful information in line with the provisions of the relevant legislation and the disposal of data which is no longer required and is being archived unnecessarily. Data that needs to be destroyed after the noted timeframes will be disposed of in an efficient manner to ensure that such information will no longer be available within the OR-GCES. Data Protection Controllers, Heads, and DPOs are aware of the noted retention periods and will instruct all relevant personnel to follow the indicated procedures accordingly.  


 It is to be noted that anonymous or statistical data do not fall within the parameters of this Retention Policy, since they do not constitute identifying personal data.

In the line with the provisions of the National Archives Act, Cap 477, this policy has been reviewed and endorsed by the National Archieves before implmentation.  In the case that the Office of the Regulator, Granting of Citizenship for Exceptional Services does not remain operational, or there is a change in policy for the retention of records that according to this document are being retained on an indefinite period, the National Archives must be consulted in order to evaluate on the potential enduring historical value of the records in question. 

Implimentation Date:  March 2021

(REP 2021-02)

Contact Information:

 Contact Name 
The Office of the Regulator,
Granting of Citizenship for Exceptional
62, Level 2
Blue Building
Qormi Road,
Luqa LQA9042

+356 25689381​