Is it legal to record a conversation?

Is my Company allowed to record a conversation?

Like any lawyer would say, it depends!

The answer is YES; however, it depends. As a data controller, a company must take into consideration the lawfulness of recordings and how this can be achieved and protected with strong cybersecurity mechanisms. It is the Company’s obligation to determine which devices may be used and to consider implementing additional safeguards on a best-effort basis.

Call Recording under the GDPR

Rules for recording calls encompass more than consent. The recording of audio conversations is only possible if there is a valid and legal reason for that relevant information to be collected.

Call/audio recording is allowed under the GDPR, as recordings of conversations are not prohibited, but additional requirements apply to protect the rights and freedoms of data subjects under the GDPR.

With the GDPR in place, all Companies recording conversations need to justify their purpose for recording a call. Such justification would need to fulfil one of the following:

    1. The call participant(s) have given their consent to be recorded. Such consent has to be specific and unambiguous and may take different forms, such as oral acceptance;
    2. The purpose of recording a call is to fulfil a contract to which the individual taking part in the call is a party;
    3. The call recording is required to fulfil a legal obligation to which the company recording the call is subject;
    4. Recording is required to protect the interests of one or more participants of the call;
    5. Recording is being made in the interest of the public;
    6. Recording is in the recorder’s interest given that such interest is ‘less’ important than the interest of the participant in the call.

As a data subject you need to know that you have the right to be informed of the gathering of personal data and the processing thereof. Also, as the data subject you need to understand that you have the right to access data relating to you, to be informed about the existence and processing of such data, to rectify incorrect personal data and to oppose further processing where there are serious and legitimate grounds.

Right of Information

The GDPR gives individuals the right to be informed about the collection and use of their personal data, which leads to a variety of information obligations.

Recorders must be able to recall any audio files and/or data gathered during a recorded call upon request, and thus should be able to provide customers with the requested information within one month of the request.

A request can be made for a copy of the recording under data protection legislation, known as a subject access request.

A subject access request (SAR) is simply a written request made by or on behalf of an individual for the information which he or she is entitled to ask for. A SAR may be in any form. The Company holding the information has one month within which to provide the requested information, in line with the GDPR.

Is an audio recording personal data?

The context in which voice data is obtained is not what classifies it as personal data. Voice is legally defined as personal data regardless of the context and/or medium from which the data originates.

The GDPR applies because call recordings are generally considered ‘personal data’ and, potentially, ‘special categories’ of personal data. The GDPR strives to find a balance between being a strong Regulation which gives data subjects clear protection and being flexible from a business perspective. For this reason, the GDPR delves into defining personal data.

The likelihood that calls will involve special category personal data depends on the context. For instance, a company within the health industry that records its call/s with the customers will be recording and handling special category personal data – in the form of health information. However, for most companies, it should in general be unlikely that any given call will involve special category personal data.

Use of video conferencing tools

In view of the general rise in the use of video conferencing tools, it is worthwhile to invest in an efficient cybersecurity management system as part of the Company’s risk management. One needs to also make sure that GDPR rules are adhered to when satisfying certain legal obligations.

Use case – If your company is a subject person under the Implementing Procedures, your Company may be making use of video conferencing tools, especially during these times. Such tools allow you to verify the identity using different online tools.

When carrying out such verification, compliance with the Implementing Procedures should be demonstrated and for this reason records should be kept. As per the FIAU’s requirements, which are binding on all persons carrying out relevant financial business or relevant activity, a subject person should keep at least an audio recording of the video call or the entire video call itself, which shall also include the entire conversation between the subject person and the customer.

As users of digital technology, we all have the right to privacy, and thus what is important to note is that personal data shall remain secure and protected. For every processing of personal data there needs to be a compliance process which complies with the GDPR. If you are interested to know more, contact us on .

Disclaimer: The above-mentioned article is simply based on independent research carried out by Dr. Werner and Partner and cannot constitute any form of legal advice. If you would like to meet up with any of our representatives to seek further information, please contact us for an appointment.

FAQs pertaining Employment and Industrial Relations in light of COVID-19

Due to the COVID-19 situation, several modes of operations had to be adjusted to ensure business continuity. Companies had to resort to temporary measures to continue with their operations. These exceptional circumstances raise many questions amongst the employers and their employees.

For this reason, we, at DWP Dr Werner and Partner have compiled some FAQs in light of the COVID-19 situation and Employment Relations.

Article 42 of the Employment and Industrial Relations Act (EIRA) holds that:

Unless in such case as is otherwise provided by this Act, if a contract of service between an employee and his employer or a collective agreement entered into between the employer and the recognised union representatives, provides for any conditions of employment, including conditions relating to the termination of the contract, less favourable to the employee than those specified in or under this Act, they shall have effect as if for those conditions less favourable to the employee there were substituted the conditions specified in or under this Act:

Provided that, in exceptional cases, the employer in agreement with the employee or union representatives may provide for different conditions of employment than those specified in or under this Act as long as such agreement is a temporary measure to avoid redundancies and as long as it is approved by the Director, which approval needs to be reviewed every four weeks.

As an employer can I change the conditions of work of my employees?  

Yes, subject to permission.

The wage regulation orders cover the conditions of work including inter alia maximum hours of work, sick leave, minimum wages and overtime rates. Companies can file a written request to apply for permission from the Director General of Industrial & Employment Relations. Such request can be made to change applicable conditions of work on a temporary basis.

As an employer can I change the conditions of work without informing my employees and representatives?

No, there should be an arrangement.

Measures are to be proposed after an agreement is reached between the employer and its employees and/or representatives. Changes of conditions of work are considered exceptional cases whereby the employer must agree with its employees to provide different conditions of employment. Different work conditions shall strive to reduce or avoid redundancies and are to be approved by the Director General of Industrial & Employment Relations.

With whom can an employer discuss alternative solutions if the employees are not represented by a Union?

The Employee (Information and Consultation) Regulations set out the minimum requirements for the information and consultation of employees in line with EU Law. When alternative conditions of work are being proposed, all employees must be in agreement. An employer is to make the necessary arrangements to allow all employees to exercise their rights under the above-mentioned Regulations.

What can an employer propose as temporary measures in light of COVID-19?

COVID-19 is a pandemic and is thus considered a force majeure situation. Employers can utilise pro-rata vacation leave, implement reduced working hours and take other measures.

Can I force my employees to take leave?

‘Forced Leave’ is a measure which can be utilised by the Employer. If the employer opts to enforce forced leave, it shall be binding on the employer to justify such request based on the directives given by the Health Ministry as a result of the COVID-19 outbreak. The employer has to provide his employees with a written justification of why forced leave is being applied.

Is it allowed to reduce wages?

Unless expressly permitted by the provisions of the Employment & Industrial Relations Act, wages should not be deducted as per Article 15 of the above-mentioned Act.

Will the Government pay my wage?  

The Covid Wage Supplement provides a basic wage to the employee which strives to address the disruption caused by COVID-19. Employers are to apply for schemes which they may be eligible for with Malta Enterprise.

Is it allowed to terminate employments based on Redundancy?

Under Employment Law, the Employer may only terminate a contract of employment on the basis of a good and sufficient cause, redundancy or retirement of the employee. Where the employer plans to terminate the employment of an employee based on redundancy, the employer is required to terminate the employment of the person who was engaged last among those affected by such redundancy.

Do I need to give my notice if I am resigning?

Yes, employees would need to follow regulations stipulated in the EIRA regarding their notice periods. An employee can either work the notice period or can choose not to. If the employee chooses not to work such notice period, the employee would need to pay the employer a sum equal to half the wages of the unworked notice period.

What if I need more information?

You may contact us on  or 21377700 should you require any further information on the above or any information regarding Government Aid related to COVID-19.

The most important thing is that you Stay Safe, make sure you know your rights and that you strive to continue business as usual with no serious disruptions.

COVID-19: Adopting Remote Working Measures

As COVID-19 (the coronavirus) continues to impact the global and local community, all the staff of Dr Werner and Partner have been monitoring the COVID-19 situation and implementing different measures to make sure that we are all staying safe.

As a Company, the main goal is to protect your own people and to continue business as usual with no serious disruptions to client service levels. To this effect the Business Continuity Plan (BCP) is a very important document.

The BCP is not to be seen as just another policy or procedure. It is aimed at ensuring, in the case of an interruption to the Company’s systems and procedures, the preservation of essential data and functions and, where that is not possible, the timely recovery of such data and functions.

Remote Working measures shall ensure the smooth running of the day-to-day operational activities whilst continuing to provide esteemed clients business as usual with minimal disruption. In the current environment, the health and safety of everyone is a shared responsibility and one that is to be taken very seriously.

Remote Working Policies

Certain contingencies must be in place to ensure continuity of work.

TIP: We suggest that together with the Business Continuity Plan, your Company also implements a Remote Working Policy.

An Employee Remote Working policy should outline a Company’s guidelines for employees who work from a location other than their offices.

To ensure that employee performance will not suffer in remote work arrangements, remote employees are advised to:

  • Choose a quiet and distraction-free working space;
  • Have an internet connection that’s adequate for their job;
  • Dedicate their full attention to their job duties during working hours;
  • Agree long-term and short-term goals with their team members and managers;
  • Hold frequent online meetings to discuss progress and results.

Occupational Health and Safety

The employer is responsible for the protection of the occupational health and safety of remote workers in accordance with the Council Directive on ‘the introduction of measures to encourage improvements in the safety and health of workers at work’ (Directive 89/391/EC) and relevant directives, national legislation, namely the Occupational Health and Safety Authority Act, and collective agreements.

Given the very limited control over the remote worker’s physical movement and activity whilst engaged in remote working, the employer’s health and safety responsibility in respect of the remote worker is limited only to the specific place wherein the Employee will be working from.

Remote Working in line with the GDPR

Companies should abide by the GDPR to prevent data breaches and enhance data security. The main purpose of the GDPR is to protect personal information and reduce the number of data breaches by allowing more control over personal and sensitive data. Putting a remote working policy in place is essential for managing a remote team and keeping the data secure.

Remote working may pose huge risks for a Company if data is lost or damaged. Remote working is a very practical example of how easy it is to breach the GDPR. In order to minimise such risks, Companies are to adopt remote working policies as part of their business continuity measures so as to ensure that business is done as usual and data is safeguarded accordingly.

For this reason, as a remote worker it is important to keep the equipment password protected. Remote working does not mean that you can work from whichever location you choose. It is important to have a dedicated workspace where the data on your equipment can be protected the same way it is protected when you are at the office, or even better. In this regard it is also important to follow all data encryption and protection standards and settings, and to refrain from downloading suspicious, unauthorised or illegal software.

When adopting remote working policies, Companies are to make sure that remote employees are prohibited from using public Wi-Fi. Why?

It is NOT completely safe to connect to a public Wi-Fi network, especially when using office equipment and software which contain important data and information. Hackers can easily obtain personal data through a man-in-the-middle (MITM) attack. In a MITM attack the attacker accesses the packets of data transmitted between a device and the public hotspot.

For every processing of personal data there needs to be a compliance process which complies with the GDPR. If you are interested to know more, contact us on .


The most important thing is that you Stay Safe and that you make sure to protect your own people and to continue business as usual with no serious disruptions to client service levels.

In Malta, we might see force majeure as being far-fetched; however, COVID-19 is a concern for many people around the world, and not only because of its medical implications but also because of the legal implications thereof. At Dr Werner and Partner, we adopted remote working measures and are thus putting our Business Continuity Plan into practice. Should you need any further information or guidelines on how to draft and implement effective Policies and Procedures, contact us on .

Surveys: Compliance with the GDPR!

Do surveys need to adhere to the GDPR?

Hint – Just like any lawyer would tell you… it depends. However, if personal data is being collected, handled and/or processed, then GDPR needs to be adhered to.

If you are conducting a survey whereby personal data is involved, then GDPR applies. However, it does not affect all companies that conduct a survey (whether it’s in relation to an employee or to a customer).

If the survey being conducted is anonymous and thus there is no need to input personal data to submit the survey, then GDPR does not apply.

Anonymous (ish)

“On the contrary, an anonymous survey ensures that responses cannot be connected to individual people.” – Chris Powell, CEO, Talmetrix.

The term anonymous is quite vague, especially when referring to a survey. An anonymous survey usually refers to a survey conducted by a researcher, an author or a Company in a way that eliminates the collection of the respondent’s personal data or private information, so that whoever participates and fills in the survey remains unknown. The question that may arise at this stage is whether a survey can be truly anonymous.

If the data submitted through a survey can be traced to the respondent, then the survey is not anonymous and would classify as a personalised survey. Such tracing is generally made possible by analytical tools which allow you to view individual responses.

A company which decides to run an anonymous survey is obliged to prevent the participants from being identified.

If the survey is not anonymous, it needs to comply with GDPR requirements. In this case, a survey can identify its respondent if it asks for personal data which, when combined, may identify the respondent (such as e-mail address, contact details, age and gender).

The Specific Guidelines

All the data that is being processed needs to be legally, ethically and transparently handled.

This process includes, inter alia, earmarking, data minimisation (collecting as little data as possible) and accountability (Companies must be able to prove at any time that their methods of collecting personal data are compliant with the GDPR), as per Article 5 of the GDPR. A company which is conducting a survey is obliged to follow the GDPR.

A company should be aware of the impact of the GDPR on its daily operations. Although a general approach cannot be taken in this regard, it is important to know that Article 7 of the GDPR impacts most of the companies conducting such surveys.

To be in line with this Article, survey participants must provide their consent to allow the company conducting the survey to collect and handle their personal data.

Clear Consent

In this regard, the consent of the participants is ONLY effective if the stipulated conditions are met. The Survey needs to include a section whereby it clearly informs the participants about how the collected data will be used and the purpose of the survey.

It is the participant’s choice whether to participate or not. For this reason, the consent check box cannot be pre-ticked, and the participants need to tick it themselves. It is important to note that participants shall reserve the right to revoke their consent.

What if a Data Breach Occurs?

A data breach must be reported to the appointed supervising authority within 72 hours from when the data breach occurred. In the report, there needs to be a detailed description of the incident and an identification of any potential risks. The report needs to also highlight the measures that were taken to minimise or eliminate the identified risks.

As of 25th May of 2018, Companies were obliged (and still are) to follow and comply with the GDPR. When it comes to surveys, if the company conducting the survey is or wants to process data then it is a must to meet GDPR requirements.

Tip: Evaluate all data to determine whether it is truly required for the survey or whether it can be removed.

To prevent having a data breach in relation to your survey/s, it is important to consult and get GDPR advice. For every processing of personal data there needs to be a compliance process which complies with the GDPR. If you are interested to know more, contact us on .


The above-mentioned article is simply based on independent research carried out by Dr. Werner and Partner and cannot constitute any form of legal advice. If you would like to meet up with any of our representatives to seek further information, please contact us for an appointment.

Corona Virus – The Legal Implications

“There is a need to balance legal obligations with sensible practicalities, in a scenario which we haven’t really seen before.”

COVID-19, better known as the coronavirus, has been the latest concern of many people around the world. We will not delve into the medical impact, the symptoms or the ‘cure’ for the virus, but rather focus on the economic impact, the legal risks and the protective measures which may be taken by businesses.

The coronavirus is not just a speculation. At the end of January, the World Health Organisation declared the outbreak of the coronavirus a public health emergency. Since the outbreak, widespread disruption has been caused. Whether such disruption is justified in any affected country is beside the point: measures were and are being taken which led and are leading to such disruption.

From a legal perspective this means that force majeure claims may arise.

Force Majeure

Overview: Force Majeure relates to circumstances which are not foreseeable and which prevent someone from fulfilling a contract and/or obligation. Legally this means that in such instances there can be a request for an exemption from certain obligations. So, what do you get? The right to object in cases of exceptional circumstances.

Where there is a contract, it might therefore be claimed that it was impossible to perform. A force majeure clause functions to delay or absolve one or both parties to a contract of all or part of the performance of their obligations on the occurrence of certain events which are beyond their control. Such events may include acts of God, natural disasters, pandemics/epidemics, war, strikes and actions taken by governments.

So, the question that may arise here would be whether or not the coronavirus constitutes a force majeure event. Hint: It Depends. Whether an event constitutes force majeure depends on the relevant contractual language and its interpretation.

Arbitral termination of a contract

If the outbreak of the coronavirus constitutes a force majeure event under a working contract, employers could be faced with contractors, sub-contractors and suppliers, claiming they are entitled to invoke provisions in their contracts and to suspend the performance thereof.

When it comes to contracts of work, Maltese Law, in particular, Article 1640(1) of the Civil Code states that, ‘it shall be lawful for the employer to dissolve the contract, even though the work has been commenced’.

Moreover, sub-article (3), reads as follows:

‘If the employer has valid reason for the dissolution, he is to pay the contractor only such sum which shall not exceed the expenses and work of the contractor, after taking into consideration the usefulness of such expenses and work to the employer as well as any damages which he may have suffered’.

Therefore, the court has 3 remedies at its disposal which it can grant to the creditor:

  • authorise the creditor to carry out the primary obligations itself, at the expense of the debtor;
  • order the debtor to fulfil the primary obligations itself; or
  • payment for the damages suffered, in terms of losses incurred and profits which could have been made had the obligations been fulfilled.

If the contract contains cost protection measures that relate to force majeure events, employers could similarly be challenged with claims arising from the effect of the outbreak.

Depending on the terms of the agreement, the affected party may be under an obligation to mitigate the effects of the event, sourcing materials or workers from elsewhere.

Coronavirus – Claims for Force Majeure – Contracts

The China Council for the Promotion of International Trade, which is a trade body founded in 1952 announced that it shall issue force majeure certificates. Such certificates may be used in legitimising claims for force majeure. The burden, however, remains on the party claiming force majeure.

Considering the coronavirus, this means that the party making such a claim has the onus of proving that the coronavirus falls within the wording of the contract and that the non-performance of the contract was a result of the outbreak. Such party also needs to show that there were no other means of performing its obligations and that all reasonable steps were taken to ensure the performance of the contract.

What to do now?

As the coronavirus disruption is set to continue all around the globe, companies should now:

  • evaluate all contracts in which force majeure may be a reason – whether used by or against a company;
  • consider time limits and notice for using a force majeure clause;
  • consider possible alternative ways to perform contractual obligations and take appropriate mitigation steps;
  • collect all evidence of disruption, including documents proving delay / cancellation;
  • when and if entering into new contracts, clauses should sufficiently cover eventualities such as the coronavirus outbreak; and
  • consider whether insurance cover applies.

Conclusion (and a Tip for your Company)

Yes, as an employer you should be concerned about the protective measures which your company can take to prevent any sort of virus, not only the coronavirus, such as advising employees to clean and disinfect frequently touched objects and surfaces or to wash their hands often. It might sound obvious, but this is an important routine for every company. However, legally, as a company you should take care of your contracts and seek advice to minimise the impact of the outbreak on your company. In Malta, we might see such situations as being far-fetched; however, the coronavirus is a concern for many people around the world, and not only because of its medical implications but also because of the legal implications thereof.

Disclaimer: The above-mentioned article is simply based on independent research carried out by Dr. Werner and Partner and cannot constitute any form of legal advice. If you would like to meet up with any of our representatives to seek further information, please contact us for an appointment.

Brexit: What will happen to Residence Statuses?


As you may know, Brexit is no longer a speculation. However, there have been no immediate changes, or at least not yet. The transition is still in process; however, many European countries, including Malta, are showing that the preservation of the status quo is of the utmost importance to them.

Blockchain Technology vis-à-vis the GDPR

The use of blockchain technology is still new to our digital age; however, it is important to view such usage from a GDPR perspective. The GDPR mainly focuses on data protection and highlights the importance of compliance with the requirements set out in the Regulation. Despite the incompatibilities, the GDPR and blockchain technology can co-exist.

Summary of the MFSA Circular regarding Amendments to Chapter 3 of the Rulebook

Chapter 3 of the VFA Rulebook applies to VFA Service Providers who are seeking to obtain their license within the VFA sphere as per the laws and regulations of Malta.

The MFSA issued a circular addressed to VFA Service Providers in support of innovation in the sector, adopting a more principles-based approach. The new amendments shall be effective as of 1st February 2020.

1. Systems Auditor 

The Authority shall require the engagement of a Systems Auditor when there is an Innovative Technology Arrangement (ITA) in place or where the operations interact with an ITA in some way or another. Consent must be obtained from the MFSA before engagement or replacement of the auditor of the system.

The Systems Auditor shall be registered with the MDIA.

Responsibility of Systems Auditor: To review and audit the ITA.

IT Auditor Requirement 

If there is no ITA in place, the MFSA has introduced an IT Auditor Requirement.

The IT Auditor shall be responsible to review and audit the systems of the applicant. Upon application, the applicant shall submit an IT Audit Report to the Authority. Such Report shall confirm that there is no ITA in place and shall be submitted at the application stage and then on an annual basis.

Forensic Node Guidelines 

The Applicant shall have a Live Audit Log and there shall be an appointed person responsible for the legal compliance and operational behaviour of the system (similar to the role of a Technical Administrator) in line with the Forensic Node Guidelines. This shall be notified to the MFSA, given that the Authority may object to the proposed appointment or replacement.

Deletion of Proviso 

The following proviso of R3- has been deleted: “Provided that where the Licence Holder’s IT Infrastructure is not located in Malta, or is located in a cloud environment, the Licence Holder shall ensure that data is replicated real time by virtue of a live replication server located in Malta.”

Additional Information 

Service providers operating under the transitory provisions who wish to continue with the provision of their services following the expiration of the transitory periods, or applicants commencing their application before 1st February 2020, shall submit the first Systems Audit Report or IT Audit Report within 6 months from the granting of the licence or commencement of business.

2. Live Replication Server 

The Live Replication Server shall be understood as the machine connected to the rest of the system of the service provider and thus to avoid confusion this is now being referred to as ‘Live Audit Log’.

The Live Audit Requirement shall apply to all service providers irrespective of whether there is an ITA in place or not.

3. Fitness and Properness 

The Fitness and Properness requirement shall apply to every:

  • Person having a qualifying holding;
  • Beneficial owner;
  • Member of the BOA;
  • Senior Manager;
  • MLRO;
  • Compliance Officer;
  • Any other person which the Authority may deem necessary.

This still applies on a case-by-case basis.

Also, since there are limited approved courses for Compliance Officers and/or MLRO, they are no longer required to complete an approved course before the license. These individuals shall still be subject to a mandatory interview.

To fulfil the competency requirements, both Compliance Officer and MLRO are to attend the training which is relevant to their role.

The Authority shall amend its FAQs to indicate accepted courses.

4. Exercising a European Right 

The Rulebook shall now refer to the provision of services in other jurisdictions. The service provider shall be required to list the countries in which it is providing its VFA Services. A legal opinion from other jurisdictions is no longer required; however, the service provider shall still be responsible for complying with the rules and regulations of such jurisdictions.

5. Approval 

The engagement of administrators, senior managers and/or other employees engaged in portfolio management or investment advice shall now be notified to the MFSA, and written consent is no longer required.

6. Cyber Security 

The cybersecurity architecture shall be in line with the cybersecurity guidelines issued by the Authority. For this reason, the following has been removed: “Pursuant to R3-, the Licence Holder shall ensure that its Cybersecurity Framework complies with internationally recognised cyber security standards, any guidelines issued by the Authority and shall also be in line with the provisions of the GDPR.”

7. Board of Administration (BOA)  

The BOA shall no longer be required to oversee policies on the VFAs and VFA Services concerning the risk tolerance and characteristics/needs of clients to whom they will be offered or provided.

8. Compliance Certificate 

The Compliance Certificate shall be based on the Compliance Monitoring Plan which is to be carried out by the Compliance Officer.

The certificate shall now include the outcome of the compliance monitoring plan, which shall also list identified breaches. The certificate shall confirm that all local AML/CFT requirements are satisfied as per the confirmation of the MLRO, and it shall also list the disciplinary actions taken against clients, describing the breaches and the actions taken.

9. Financial Instrument Test (FIT)  

The FIT shall no longer be the responsibility of the Compliance Officer but of the person responsible for carrying out the FIT in line with the business model and endorsed by at least one administrator.

10. Insurance Requirement 

The Service Provider shall ensure that it has a Professional Indemnity Cover which is in line with market standards and covers business associated risks.

11. Supplementary Conditions 

  • Presence of Systems Auditor: The Systems Auditor is not required at all times but shall be appointed to carry out the Systems Audit concerning the ITA.
  • Listing Criteria: The Listing Criteria were reduced to two (2) criteria:
      1. (i) The technological experience, track record and reputation of the issuer and the development team thereof;
      2. (iv) The determination under the FIT and its endorsement.
  • Custody: Custody Requirements shall now apply to all Service Providers.
  • Suspension/Removal of VFAs from Trading: Notification regarding the suspension/removal of a VFA from trading shall only be required when such suspension/removal has regulatory implications.
  • Systems Resilience: There is no longer a requirement to report the parameters for halting trading and any material changes thereof. Also, there is no longer a requirement to identify orders generated by algorithmic trading.
  • Bye-Laws: There shall be guidelines about the bye-laws.
  • Inability to discharge functions: Where a Licence Holder is unable to discharge its functions it shall notify the Authority without undue delay instead of on the day of occurrence (given that it may not always be feasible to do so).
  • Disciplinary Action: The list of disciplinary actions shall now be included in the Compliance Certificate and not notified every time an action is taken.

12. Capital Requirements

Additional capital requirements were deemed too prescriptive and thus have been removed.

13. Inducement Rules 

Inducement Rules shall apply across the board, given that there may be further implications when carrying out activities. (These were previously only applicable to investment advice and portfolio management.)

14. Sales Processes and Selling Practices 

The requirements of the Licence Holder dealing with a person who is acting under a power of attorney have been removed and the FIAU’s Implementing Procedures shall apply instead.

The rule covering the reception of client money has been revised as follows: ‘The Licence Holder shall acknowledge receipt to the Client of all money received in connection with a virtual financial asset or VFA Service and that any charge or fee imposed shall be disclosed separately.’

With regard to the Assessment of Appropriateness, the Licence Holder, when providing a VFA Service which is not investment advice or portfolio management, shall warn clients of the associated risks through a Risk Disclosure Document dealing with the risks involved when investing in VFAs.

15. Disclosure Requirements and Transitory 

The Disclosure requirements laid down in the Rulebook shall be disclosed to the Authority instead of the general public.

Article 62 of the VFA Act which covers the transitory provision has been removed since the transitory period has ended.

16. Glossary 

The Glossary shall be updated by the Authority to reflect new definitions.

Things you really need to know about Security Token Offerings (STOs) in Malta


Let’s start off by pointing out that the term Security Token Offering (STO) is an umbrella term, and attempting to decipher it can at times be all but impossible.

STOs give you ownership, or part ownership, of an asset or of a company. So, what is inherently different when it comes to STOs? The main difference is the underlying technology.

When thinking of an STO think of it as having the same characteristics as an Initial Public Offering but having the variations of MiFID instruments.

Malta enacted a new regulatory framework which mainly comprises three Acts: the Malta Digital Innovation Authority Act (the “MDIA” Act), the Innovative Technology Arrangement and Services Act (the “ITAS” Act), and the Virtual Financial Assets Act (the “VFA” Act). STOs fall under the Investment Services Act (Malta), and the technology used therein falls under the Malta Digital Innovation Authority (MDIA) Act.

Defining a Security Token Offering (STO)?

STOs are the ‘process of investing funds that represent the fractional ownership of real-world assets such as bonds, stocks, and real estate, amongst others, on the blockchain, and are powered by DLT technology’.

We cannot say that they are powered by Smart Contracts, and here is the reason why. One can create a token on one’s own ecosystem which is not a smart contract and which can still resemble an STO. This is similar to how traditional investments are carried out: if you replace the paperwork with a new token, you do not necessarily need a smart contract.

Security tokens are on the blockchain and give the owner monetary rights. Tokenisation provides ownership of an underlying asset, and that is why a security token is not considered to be a utility token. Utility tokens can be differentiated from STOs insofar as their main use is the exclusive purchase of goods or services on a platform/system.

Why Malta is STO friendly…

In the Malta Blockchain Summit of 2018, the Prime Minister of Malta Joseph Muscat described Malta as “the land of opportunity for Blockchain.” Malta has attempted to create a robust crypto-friendly framework to primarily guarantee legal certainty and investor protection. In this connection, Malta has introduced new methods of regulating Blockchain (DLT) Technology.

In fact, back in November 2018, the Maltese Parliament passed three very relevant bills into law and established the first regulatory framework in the world. It therefore comes as no surprise that, given Malta’s foresight and initiative, the island nation was aptly termed the ‘Blockchain Island’. Malta has its own identity and focuses on three main principles: market integrity, consumer protection and industry protection.

Therefore, it is safe to say that Malta has a business-friendly legislative framework covering the whole ‘umbrella’ term of Cryptocurrencies and the traditional ‘financial instruments’.

Within a European jurisdiction, where investors are the target of the Company issuing the token, the security token would generally qualify as a security if it can be traded without boundaries and is thus fit for capital markets. In this regard, the EU Prospectus Directive (Directive 2003/71/EC of the European Parliament and of the Council of 4 November 2003 on the prospectus to be published when securities are offered to the public or admitted to trading and amending Directive 2001/34/EC) would be applicable.

The public offering of such tokens in Malta can happen if a securities prospectus is created and approved by the MFSA, which would need to be published prior to the offering.

Introducing a security token offering in Malta requires the issuer to apply to the MFSA, and prospective issuers are required to submit documentation to the competent authority for its approval.

STOs in light of the VFA Act

Malta’s aim is to act as a leader by being the first to attempt something on this scale and all other countries will follow.

The VFA Act, entitled The Virtual Financial Assets Act, 2018, is an innovative piece of legislation which regulates Initial Virtual Financial Asset Offerings and outlines their licensing requirements. In the context of this Act, STOs are likely to constitute financial instruments once the Financial Instrument Test is undertaken.

Thus, STOs would currently fall outside the scope of the above-mentioned Act and would thus (as previously hinted) be subject to the provisions of traditional regulation.

The meaning of a Virtual Financial Asset under Malta’s regulatory framework is defined in a ‘negative format’. Thus, a VFA is a form of digital recordation that is NOT electronic money, NOT a financial instrument and NOT a Virtual (Pure Utility) Token.

Securities Prospectus

The EU Prospectus Directive outlines the obligation to publish a securities prospectus upon offering the security token.

Such obligation applies when the offering is to the public. If it is offered to family and friends or to investors who already have an established relationship, then a prospectus would not be necessary.

As per the Companies Act (Chapter 386 of the laws of Malta), “to the public” does not include offers of securities made only to qualified investors; an offer made available to fewer than 150 non-qualified investors within the EU and/or the EEA; an offer where the minimum investment is at least €100,000 per offer; an offer where the nominal value of each security is at least €100,000, or which does not exceed such limit within a 12 month period; an offer where the total securities offered within the EU and the EEA do not exceed €5,000,000 within a 12 month period; or an offer of non-equity securities by a credit institution of less than €75,000,000 in the EU and the EEA over a 12 month period.

When applying for admission to trading on a regulated market, one can be exempt from this obligation and would thus benefit from the single passport.

The securities prospectus shall contain all information which enables investors to assess the assets and liabilities, the financial soundness and prospects of the issuer, and the rights attached to the securities.

Essentially, STOs are tokens on the blockchain that grant their owner certain rights. This is what distinguishes STOs from utility tokens. The EU Prospectus Directive is applicable to those tokens, and having a securities prospectus is an obligation, save for some exceptions. From a Maltese perspective, Malta has a business-friendly legislative framework and is within a European jurisdiction.

Within such a jurisdiction, where investors are the target of the Company issuing the token, the security token would generally qualify as a security if it can be traded without boundaries and is thus fit for capital markets.


The above article is based solely on independent research carried out by Dr. Werner and Partner and does not constitute any form of legal advice. If you would like to meet any of our representatives to seek further information, please contact us for an appointment.