Malta: 2018 Q&A Report On Data Security & Cybercrime In Malta

Jurisdiction snapshot

Trends and climate

Would you consider your national data protection laws to be ahead of or behind the international curve?

Malta has been proactive in the implementation and development of its national data protection legal framework and is fully compliant with EU standards and best practice. Accordingly, Malta is a member of the EU Article 29 Data Protection Working Party and actively and periodically ensures that all of its policies and best practices are in line with those established by the working party.

From a commercial and practical perspective, Malta's development as a hub for e-commerce, remote gaming and payment services has played a significant role in keeping its national data protection laws ahead of the curve.

Are any changes to existing data protection legislation proposed or expected in the near future?

The General Data Protection Regulation is set to come into force on May 25 2018. As a result, certain policies and practices previously adopted by the Office of the Information and Data Protection Commissioner are expected to undergo changes. However, it is unclear whether these changes will be adopted by way of a legal instrument (ie, a law or regulation) or by updating the Office of the Information and Data Protection Commissioner's policies.

To this end, it is pertinent to note that on the 13th of March 2018, the Minister for Justice, Culture and Local Government submitted his proposal for the First Reading in Parliament of the Data Protection Bill, which will effectively implement the GDPR principles into Maltese legislation.

Legal framework

Legislation

What legislation governs the collection, storage and use of personal data?

The Data Protection Act (Chapter 440 of the Laws of Malta) and its subsidiary legislation seek to protect individuals against violations of their privacy through the processing of their personal data.

The 'processing' of data effectively refers to the processing (automated, mechanical, manual or otherwise) of a person's data in a filing system or in what is intended to form part of a filing system.

Scope and jurisdiction

Who falls within the scope of the legislation?

The Data Protection Act applies to:

  • data controllers established in Malta;
  • data controllers in a Maltese embassy or high commission outside Malta; and
  • equipment used for data processing situated in Malta, even where the data controller is located outside the European Union.

What kind of data falls within the scope of the legislation?

'Personal data' is defined as any information relating to an identified or identifiable natural person (ie, a physical person and not a company or similar legal person).

A person is considered to be identifiable when he or she can be identified, directly or indirectly, by reference to an identification number or one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

Data relating to companies and organisations (including addresses, phone numbers and email addresses) are excluded from the Data Protection Act's remit.

Are data owners required to register with the relevant authority before processing data?

Yes. A data controller must register with the Office of the Information and Data Protection Commissioner notifying his or her intention to process data before undertaking such operations. Data controllers must also notify the office regarding:

  • the appointment or removal of a personal data representative; and
  • the planned transfer of personal data to countries outside the European Union.

Registration with the Office of the Information and Data Protection Commissioner involves an annual notification fee of €23.29, although certain exemptions exist for non-profit organisations and small businesses.

The aforementioned notification obligation is subject to change once the GDPR provisions come into effect. Indeed, the GDPR states that the obligation of notification produced administrative and financial burdens and that such obligation should therefore be abolished. The local office of the Information and Data Protection Commission has confirmed that the notification requirement will be abolished as from 25 May 2018, meaning that compliance with data protection obligations is automatic and does not involve any obligations for notification.

Is information regarding registered data owners publicly available?

Yes. A request for information must be made to the Office of the Information and Data Protection Commissioner.

Is there a requirement to appoint a data protection officer?

The appointment of a data protection officer (referred to by Maltese law as a 'data protection representative') is not mandatory.

Enforcement

Which body is responsible for enforcing data protection legislation and what are its powers?

The Office of the Information and Data Protection Commissioner is responsible for enforcing data protection legislation. It has the power to:

  • create and maintain a public register of all processing operations;
  • exercise control and verify whether the processing is carried out in accordance with the Data Protection Act;
  • receive reports from data subjects on violations under the Data Protection Act and to take remedial action;
  • issue such directions as may be required;
  • institute civil or legal proceedings in the case of violations under the Data Protection Act;
  • inform and advise the general public of the provisions under the Data Protection Act;
  • order the blocking, erasure or destruction of data;
  • impose a temporary or definitive ban on data processing;
  • warn or admonish a data controller;
  • advise the government on the promulgation of legislation;
  • draw up annual reports on commission activities;
  • collaborate with other supervisory authorities;
  • carry out the functions assigned under the Freedom of Information Act;
  • impose administrative fines in the case of contravention of data protection legislation; and
  • obtain access to personal data on request.

Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

The processing of personal data is allowed by law only if:

  • the data subject gives his or her unambiguous consent;
  • it is necessary for the performance of a contract to which the data subject is party. If the data controller is not party to the contract, it may still process the information when the data subject requests it for this reason;
  • it is necessary to fulfil a legal obligation by the data controller;
  • it is necessary to protect the data subject's vital interests;
  • it is necessary for carrying out an activity in the public interest or in the exercise of official authority; or
  • it is necessary for the purpose of a legitimate interest of the controller, insofar as that interest will not violate the data subject's fundamental rights and freedom.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Although the Data Protection Act states that personal data should not be kept for "a period which is longer than is necessary" having regard to the purposes for which the data is processed, there are no objective timeframes provided for specific categories of data. However, it is possible for data controllers to draft their own customised data retention policies and submit them to the Office of the Information and Data Protection Commissioner for review and approval.

Telecommunications companies and internet service providers that fall within the parameters of the Processing of Personal Data (Electronic Communications Sector) Regulations (Subsidiary legislation 440.01) must retain data required to:

  • trace and identify a communication's source;
  • identify a communication's destination;
  • identify a communication's date, time and duration;
  • identify the type of communication;
  • identify users' communication equipment or what purports to be their equipment; and
  • identify the location of mobile communication equipment.

Where the communication's data relates to internet access and email logs, the retention period is six months from the date on which the communication was created.

Conversely, where the communication data relates to fixed network or internet telephony, the data must be retained for one year from the date on which the communication was created.

Under the same regulations, the police are granted the power to issue an order for the conservation of data by a data controller. Where such an order has been issued, the service provider must conserve the data:

  • for a further six months following the basic retention period outlined above (subject to a two-year maximum). If such order is issued by a magistrate or a competent court, the retention obligation may exceed two years; or
  • for criminal proceedings which have been commenced within the above retention periods, the data controller may be obliged to retain the relevant data for such time as may be necessary until the conclusion of the proceedings.

Do individuals have a right to access personal information about them that is held by an organisation?

The data subject has the right to access any personal data held by a data controller in his or her regard, provided that such requests are made by the individual at reasonable intervals.

The law requires that data controllers provide the following information on request:

  • actual information about the individual data subject that has been processed;
  • where the data was collected;
  • the recipients of the processed data;
  • the purpose of processing the data; and
  • a simple explanation of the automated processes involved in processing the data.

Do individuals have a right to request deletion of their data?

If the data subject requests it, the data controller must immediately rectify, block or erase personal data that has not or is not being processed in accordance with the provisions of the Data Protection Act and its subsidiary legislation.

In such circumstances, the data controller must also notify all other third-party data controllers to whom it may have disclosed such data. This notification is not required in circumstances where it would involve a disproportionate effort.

Consent obligations

Is consent required before processing personal data?

Yes. The data subject must give his or her consent freely and unambiguously.

If consent is not provided, are there other circumstances in which data processing is permitted?

Data may be processed without consent where the processing is required:

  • for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject before entering into a contract;
  • for compliance with a legal obligation to which the controller is subject;
  • in order to protect the data subject's vital interests;
  • for the performance of an activity that is carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed; or
  • for a purpose that concerns a legitimate interest of the data controller or of a third party to whom the personal data is provided, except where such interest is overridden by the interest to protect the fundamental rights and freedoms of the data subject and – in particular – the right to privacy.

Sensitive personal data may be processed without consent where:

  • the data subject has made the data public;
  • the data controller can comply with his or her duties or exercise his or her rights under any law regulating the conditions of employment;
  • the vital interests of the data subject or another person will be protected and the data subject is physically or legally incapable of giving his or her consent;
  • legal claims will be able to be established, exercised or defended;
  • a body of persons (not being a commercial body or entity with political, philosophical, religious or trade union aims) is processing sensitive data concerning its own members or other persons who are in regular contact with the body (for internal purposes);
  • the processing is for health and hospital care purposes, provided it is necessary for preventative medicine and the protection of public health, medical diagnoses, healthcare or the treatment or management of health and hospital care services; or
  • the processing is for research and statistical purposes, provided that it is necessary for the public interest.

What information must be provided to individuals when personal data is collected?

In all cases where data is collected for processing, the data controller must provide the following information to the data subject:

  • the identity and habitual residence or principal place of business of the data controller and any other person authorised by him or her in that capacity;
  • the purpose of the data processing;
  • any information relating to the recipients, whether the reply to any questions asked is mandatory or not; and
  • information about the right of access.

In all cases where data is obtained from a third party in order to contact the data subject, the same information as above must be provided to the data subject with respect to the data controller who acquired the data from the other data controller.

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

A data controller must implement appropriate technical and organisational measures to protect personal data against destruction, loss or any form of unlawful processing. Security measures must consider:

  • available technical possibilities;
  • the cost of implementing the security measures;
  • special risks that exist in the processing of personal data; and
  • the sensitivity of the personal data being processed.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

The Processing of Personal Data (Electronic Communications Sector) Regulations (Subsidiary Legislation 440.01), which implement EU Regulation 611/2013, impose an obligation on electronic communications providers to notify any personal data breach to the subscriber or individual concerned. This notification:

  • must be made when the breach is likely to affect the personal data or privacy of the person involved adversely; and
  • is made in addition to the notification that must be made to the Office of the Information and Data Protection Commissioner.

The notification obligation to the subscriber or individual may be waived only if encryption measures have been undertaken by the electronic communications provider to the Office of the Information and Data Protection Commissioner's satisfaction, rendering the data concerned unintelligible to an unauthorised person.

The Electronic Communications Networks and Services (General) Regulations (Subsidiary Legislation 399.28) provide that where there is a significant risk of a breach of security or integrity of the services or network, the provider must appropriately, and without undue delay, notify any users concerned of the possible risks and remedies available, as well as contact points for more information. Where the Communications Authority – the authority responsible for network security in Malta – determines that the network security breach is in the public interest, it may inform the public or require the undertaking concerned to do so accordingly.

Are data owners/processors required to notify the regulator in the event of a breach?

While there is no clear general obligation established in the Data Protection Act regarding the notification of unauthorised access to the information held by data controllers, providers of publicly available electronic communications services are subject to such an obligation. Such providers must notify a personal data breach to the Office of the Information and Data Protection Commissioner immediately.

Electronic marketing and internet use

Electronic marketing

Are there rules specifically governing unsolicited electronic marketing (spam)?

Data collected by a data controller cannot be used for direct marketing without the data subject's express consent. The data controller must make it clear to the data subject that he or she has the right to opt out whenever he or she wishes.

Cookies

Are there rules governing the use of cookies?

Yes. Regulation 5 of the Processing of Personal Data (Electronic Communications Sector) Regulations, which implements the provisions of the EU Privacy and Electronic Communications Directive (2002/58/EC), requires data controllers to obtain the data subject's prior consent for processing his or her personal data, unless it is strictly necessary for the provision of an information society service.

Data transfer and third parties

Cross-border data transfer

What rules govern the transfer of data outside your jurisdiction?

Such transfers may be effected by the data controller if the data subject has given his or her unambiguous consent or if the transfer:

  • is necessary for the performance or conclusion of a contract between the data subject and the data controller;
  • is necessary for the performance or conclusion of a contract between the data subject and a third party;
  • is necessary on the grounds of public interest or for the establishment, exercise or defence of legal claims;
  • is necessary to protect the data subject's vital interests; or
  • is made from a public register that is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, provided that the conditions for consultation set out in the law are fulfilled in the particular case.

Are there restrictions on the geographic transfer of data?

The Third Country (Data Protection) Regulations (Subsidiary Legislation 440.03) provide that before transferring personal data to a third country, data controllers are required to notify the Office of the Information and Data Protection Commissioner about any transfers of data that may be involved as part of a processing operation. The transfer of data to third countries (ie, a country not included in the list maintained by the commissioner for this purpose) may be made only:

  • to a country that ensures an adequate level of protection (to be decided by the commissioner on a case-by-case basis);
  • to a country that does not ensure an adequate level of protection and the commissioner has made an exemption; or
  • with the data subject's unambiguous consent.

Third parties

Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

Sensitive personal data may be transferred to a third party only if a data subject explicitly consents thereto.

Penalties and compensation

Penalties

What are the potential penalties for non-compliance with data protection provisions?

Penalties for non-compliance depend on the level of breach. The courts may impose the following penalties:

  • Level 1: a fine between €120 and €600 and/or a maximum of one month's imprisonment;
  • Level 2: a fine between €250 and €2,500 and/or one to three months' imprisonment; or
  • Level 3: a fine between €2,500 and €23,300 and/or three to six months' imprisonment.

The Office of the Information and Data Protection Commissioner may impose the following fines without recourse to a court hearing:

  • Level 1: a fine between €120 and €600 or a daily fine between €20 and €60;
  • Level 2: a fine between €250 and €2,500 or a daily fine between €25 and €250; or
  • Level 3: a fine between €2,500 and €23,300 or a daily fine between €250 and €2,500.

Compensation

Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

Yes. A data subject may, by way of an application filed before the court, exercise an action for damages against any data controller who processes data in contravention of the Data Protection Act. Such action must be instituted by the data subject within 12 months from the date on which he or she becomes aware or could have become aware of the circumstances causing the damage.

While there is no specific provision on the size of damages that may be awarded for a breach of a data subject's rights, the basic principles of Maltese tort law would require the data subject to prove the value of actual damages suffered and any lost earnings caused by such a breach.

Cybersecurity

Cybersecurity legislation, regulation and enforcement

Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

Yes. Maltese laws dealing with various aspects of cybersecurity include:

  • the Criminal Code, which deals with cybercrime in the chapter entitled 'Of Computer Misuse';
  • the Processing of Personal Data (Electronic Communications Sector) Regulations (Subsidiary Legislation 440.01); and
  • the Electronic Communications Networks and Services (General) Regulations (Subsidiary Legislation 399.28).

Malta has also been a signatory to the Council of Europe Cybercrime Convention since 2001, which was ratified in April 2012.

It is worth noting that the Malta Critical Infrastructure Directorate (CPID), which operates within the portfolio of the Ministry of Home Affairs and National Security (MHAS) in Malta, has recently issued a draft Legal Notice for Public Consultation regarding Malta's transposition of EU Directive 1148 of 2016 regarding Security of Network and Information Systems ('NIS Directive'). This Directive represents the first EU-wide rules on cybersecurity. Interested parties and stakeholders were invited to review the draft Legal Notice and provide their feedback and proposals. The deadline for submission of feedback fell on the 11th of April 2018, following which submissions will be duly considered by the Ministry in finalising a draft text for tabling before Parliament.

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

The principal international standard adopted by data-centric businesses in Malta with regard to managing their data security is International Organisation for Standardisation Standard 27001. There is no obligation to adopt this standard, but it is encouraged in both the public and private sectors and serves to demonstrate efforts towards taking adequate cybersecurity measures. This standard is duly recognised in the Malta Cyber Security Strategy 2016.

Which cyber activities are criminalised in your jurisdiction?

The Criminal Code criminalises unlawful access to, or use of, information, particularly through the use of computers or other devices. The following actions may result in a criminal offence:

  • the unlawful use of a computer or other device or equipment to access any data;
  • unauthorised activities that hinder access to any data;
  • unlawful disclosure of data or passwords; and
  • the misuse of hardware.

Which authorities are responsible for enforcing cybersecurity rules?

The Office of the Information and Data Protection Commissioner is empowered to regulate and enforce cybersecurity aspects of personal data processing.

The Communications Authority is the authority responsible for enforcing the security of Malta's public communication networks.

The Maltese police are responsible for detecting, investigating and prosecuting cybercriminals, primarily through a specialised team – known as the Cyber Crime Unit.

Other industry-specific authorities, such as the Financial Service Authority and the Gaming Authority, are the relevant authorities to report to for operators holding licences issued by such authorities.

Cybersecurity best practice and reporting

Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Insurance coverage for cybersecurity is available in Malta. However, it is uncommon for businesses to obtain such coverage.

Are companies required to keep records of cybercrime threats, attacks and breaches?

No – companies are not specifically required to keep records of cybercrime threats, attacks and breaches.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

The Electronic Communications Networks and Services (General) Regulations (Subsidiary Legislation 399.28) provide that where there is a significant risk of a breach of security or integrity of services or a network, the provider must notify the Communications Authority and any users concerned appropriately and without undue delay. Serious and significant breaches are to be notified to the authority, which will inform regulatory authorities in other EU member states and the European Network Information Security Agency where appropriate.

Are companies required to report cybercrime threats, attacks and breaches publicly?

No – there is no legal obligation to publicly report any cybercrime threats, attacks and breaches.

Criminal sanctions and penalties

What are the potential criminal sanctions for cybercrime?

The criminal penalties provided for under the Criminal Code for cybersecurity offences are a maximum fine of €150,000, a maximum of four years' imprisonment or both.

What penalties may be imposed for failure to comply with cybersecurity regulations?

The Data Protection Act imposes penalties which may consist of fines between €120 and €23,300 and a maximum of six months' imprisonment. The criminal penalties vary depending on the provisions of the act being breached. Other breaches of the act may result in administrative fines, consisting of one-time fines of up to €23,300 and daily fines of up to €2,500, depending on the provisions of the act being breached.

In the remote gaming sector, if operators are found to be in breach of their information security policy and system access control policy, the Gaming Authority may take action to ensure compliance. If the operator is found to be in breach, administrative fines may be imposed. In the financial sector, the Financial Services Authority reserves the right to impose penalties on non-compliant licence holders. These range from the revocation or restriction of a licence to the imposition of administrative penalties if found to be in breach of law.

Law stated date

Correct as of April 12th, 2018

Originally published in Lexology 2018 Q&A Report On Data Security & Cybercrime In Malta

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.


Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions