Establishing a Business in Malta

Malta’s business friendly environment has attracted many businesses to its shores. Hundreds of businesses have physically relocated to Malta from various parts of Europe and many others have been established as start-ups primarily in the sectors of regulated financial services (including asset management, payment services and insurance), i-gaming, technology and telcoms. This phenomenon has contributed to making Malta significantly more cosmopolitan over the past years and is also evidenced by a significant increase in the island’s population.

So what is it that makes Malta so attractive to do business?

Below is a detailed summary of the steps to incorporate and register a new business in Malta.

Formalities for Establishment

Any person/s or undertaking/s looking to operate in particular sectors would need to apply for and be granted a licence or authorisation under the applicable laws and regulations.  The main authorities responsible for examining applications for the acquisition of the relevant licences are the following:

Trade Licensing Unit

Issues licences related to the commercial activities such as manufacturing activities, wholesale and retail trade, construction services, professional and business services and social services

Malta Tourism Authority

Issues licences related to related to commercial activities in the tourism industry, such as travel agencies, restaurants, hotels, residences and beaches

Malta Lotteries and Gaming Authority (LGA)

Issues licences in respect of all forms of gaming activities in Malta

Malta Financial Services Authority (MFSA)

Issues licences to businesses involved in banking, investments, insurance, pensions and stock broking.

The grant of the necessary licence is not a pre-requisite to the formation of the company which intends to operate in the particular sector.  In many cases, the company is first formed and the application for the licence is filed thereafter.

In the more regulated sectors, such as banking and insurance, the preparatory work required for the issue of a licence or authorisation will need to be commenced before the submission of the documentation in respect of the registration of the company.  The practice in those sectors regulated by the Malta Financial Services Authority is that the said regulatory authority would process the application and, if satisfied that the conditions for the issue of the licence or authorisation will be met, to issue an ‘in principal’ authorisation to grant the licence.  The licence will then be issued on or around the date of the registration of the company.

It is not mandatory for any company, partnership, and any form of association, foundation, business chamber, organisation or body of persons registered in Malta and engaged in commercial or industrial activity in or from Malta to become a member of the Chamber of Commerce in Malta. However in the interest of the development of the business community, membership of the Malta Chamber of Commerce is recommended.

Data Protection Issues

The Data Protection Act – Chapter 440 of the Laws of Malta is generally intended to implement international standards of data protection in terms of the European Data Protection Directive.

Any organisation conducting the processing of personal data (that is data relating to individuals and NOT companies or other legal entities) in the course of its activities is considered to be a “Data Controller” and is required to notify the Data Protection Commissioner before undertaking any data processing operations.  Thus, if the Company is expected to process personal data relating to its employees, customer and/or suppliers, amongst others, it would be obliged to effect such notification.

A company processing only the personal data of its Shareholder/s, Director/s and Company Secretary as contained in its Memorandum and Articles of Association as registered with the Registrar of Companies under the Companies Act is not required to effect such notification in terms of the Data Protection Act.

In order to comply with the Data Protection Act, it is recommended that the following steps are taken once a company is set up in Malta and conducts the processing of personal data in the course of its business operations:

  1. Identify those persons who are expected to be involved in the processing of personal data and the appropriate profiling of such processors for the purposes of determining database accessibility rights;
  2. Draw up a contract (or insert clause in any relevant contract) executed between the company and each of the processors (whether employees, subcontractors or otherwise) for the purposes of stipulating that the company processor (i) shall act only on instructions received from the company and (ii) shall take all those security measures to protect the personal data against accidental destruction or loss or unlawful forms or processing as set out in the Data Protection Act.
  3. Security- Implementation of appropriate technical and organisational measures to protect personal data against accidental destruction, loss or unlawful processing.
  4. Training- ensuring that each processor can implement the security measures that must be taken and actually takes the measures identified by the company.
  5. Revision of all legal forms used by the company to collect personal data from its customers/ clients to ensure compliance with international data processing standards and to ensure that a data subject is provided with the following minimum information at the time when submitting his/her personal data to the company:
    a) the identity and habitual residence or principal place of business of the controller and of any other person authorised by him in that behalf, if any;
    b) the purposes of the processing for which the data are intended;
    c) whether the reply to any questions made to the data subject is obligatory or voluntary, as well as the possible consequence of failure to reply; and
    d) the existence of the data subject’s right to access, the right to rectify, and, where applicable, the right to erase the data concerning him/her,
  6. Devising a system for the purposes of recording all processing operations.
  7. Identifying whether information of a sensitive nature is processed by the company- such information would include personal data that reveals race or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, health or sex life, and ensuring that such information is afforded suitable treatment as sensitive personal data.