The legal framework

When planning to open an online store, you need to become familiar with the different pieces of legislation related to eCommerce and distance selling. The main laws governing online contracts are the Electronic Commerce Act (hereinafter the eCommerce Act) and the Electronic Commerce (General) Regulations (hereinafter the eCommerce Regulations), whereas the law that deals with the various aspects of customer protection in the online world is the Consumer Rights Regulations. If you are transacting online with customers, you must ensure that you are in conformity with the applicable customer protection legislation. Moreover, respecting customers’ rights over and above what is obligatory at law makes good business sense. You should also get acquainted with customer rights in other EU countries where you intend to offer your products and services, notwithstanding that Maltese legislation is in line with EU Directives. If you explicitly direct your online activities at other member states[1] (for example, you provide content in a language or languages other than your own, or make different currencies available on your website, etc.), you need to ensure that you abide by the customer legislation applicable in those countries.

Another important law that you need to be aware of is the Data Protection Act. Although this applies to both offline and online business, it becomes extremely significant when dealing with the collection of information through electronic means. The technological changes brought about by the Internet have increasingly facilitated the collection, collating, manipulation and use of data, whilst simultaneously adding risks of abuse of the same information. The very nature of eCommerce enables the collection of information about customers in a cost-efficient manner. As an online trader you need to effectively implement a bold data protection strategy to ensure the correct use and the protection of the data you process. This will help customers build trust in your services and overcome their fears when sharing personal data, particularly their card details.

Other laws, which are not directly linked to eCommerce but that you would also need to be aware of, are the Commercial Code, the Civil Code and the Consumer Affairs Act, with special reference to the provisions regarding the use of unfair terms[2] and unfair commercial practices[3].

The eCommerce Act and Regulations

The eCommerce Act and the eCommerce Regulations establish the local legal framework for eCommerce and are based on the EU Directive for eCommerce, and apply to all those who sell or intend to sell products and/or services over the Internet.

The eCommerce Act, essentially, establishes the:

  • Legal validity of transactions taking place via electronic communications;
  • Legal validity of electronic contracts and the parameters within which these are to be concluded;
  • Obligations that online traders must fulfill.

The eCommerce Act ensures that electronic transactions have the same legal validity as paper-based transactions and establishes that information in the form of electronic communications, electronic documents and electronic records satisfies legal requirements to provide information in the physical form.

The Act also defines the term ‘information society services’, which is used to describe eCommerce services that are provided:

  • At a distance – the trader and the customer are not simultaneously in the same place when the transaction takes place;
  • By electronic means – the service is provided electronically by means of electronic equipment, for the storage and the processing of the information; and
  • At the individual request of a recipient of the service – it is the customer who requests the service.

When you accept online orders or sell goods or services over the Internet, you are providing an information society service. Even sites which are commercially operated and which offer services to customers, even when the customer does not pay for the service, such as some online newspapers or certain search engines, fall within this definition[4]. On the other hand, websites that only convey information about a particular business without generating any revenue whatsoever from either customers or business partners are not considered to offer information society services. Nonetheless, it bodes well to abide by the rules set out in the eCommerce Act since it reassures customers that the company is reliable and trustworthy.

For any queries related to selling over the internet, one may contact the MCA on 21336840 or send an e-mail to

The Consumer Rights Regulations

As from June 2014, the Consumer Rights Regulations replaced the Distance Selling Regulations established in September 2001. These regulations are based on the EU Directive on Consumer Rights which aims to harmonise customer protection legislation relating to customer contracts (subject to certain exceptions) in all European Union Member States.

These regulations provide safeguards to customers buying at a distance, taking into account that they cannot inspect goods or services before they commit to buy. The regulations also set out the information that traders must make available to customers, prior to the conclusion of a distance contract which must be provided in a clear and comprehensible manner. The Consumer Rights Regulations also stipulate that a customer can opt out of a contract without incurring any penalty within fourteen (14) days from the date of delivery and that the trader must execute an order within a maximum of thirty (30) days from the day after a contract is concluded, unless specified otherwise in the contract of sale.

It must be noted that certain activities are not covered under these regulations. These activities can be viewed here.

For any queries related to consumer issues, one may contact the Malta Competition and Consumer Affairs Authority (MCCAA) on 23952000.

The Data Protection Act

The Data Protection Act, which was enacted in December 2001 and brought fully into force in July 2003, seeks to protect individuals against the violation of their privacy by the processing of personal data, held electronically or in manual form. Personal data is defined as any information that relates to an identified or identifiable individual, distinguishing him/her from any other person. Therefore, according to the Act, if an individual can be ‘identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity’ then that information is classified as personal data.


The principles underpinning the Data Protection Act

The Act establishes that personal data shall:

  • Be processed fairly and lawfully;
  • Always be processed in accordance with good practice;
  • Only be collected for specific and legitimate purposes which are explicitly stated;
  • Not be processed for any purpose other than that for which the information is collected;
  • Be adequate and relevant in relation to the purposes of the processing;
  • Be processed correctly and, if necessary, kept updated;
  • Be processed no more than is necessary;
  • Not be kept for a period longer than is necessary[5].


The criteria for the processing of personal data

The Act establishes that personal data may only be processed if it meets any one of these criteria:

  • When a consumer has explicitly given his/her consent; or
  • For the performance of a contract to which a consumer is party; or
  • To comply with a legal obligation deriving from a specific law; or
  • To safeguard the vital interests of a consumer (such criterion is usually contemplated in life or death situations); or
  • For the performance of an activity that is carried out in the public interest; or
  • For a purpose that concerns a legitimate interest of the trader or of a third party.


Processing personal data for direct marketing

The Processing of Personal Data (Telecommunications Sector) Regulations distinguishes between the processing of personal data for the purposes of direct marketing sent by conventional means, that is, by normal post or by telephone, and those sent by electronic means, that is, by e-mail, SMS or fax.

In cases where you opt to send the marketing material by conventional means, then the OPT-OUT[6] regime applies, which means that you can send the communication but are duty bound to appropriately inform the customer of his/her right to oppose such processing. Therefore, if the customer notifies you that s/he opposes such processing, it would be unlawful to proceed with the processing of such data[7].

On the other hand, if you opt to send the marketing communication by electronic means, such communication cannot be sent unless[8]:

  • the customer has given his prior consent in writing to the receipt of such communication (OPT-IN); or
  • the customer has already submitted his/her contact details to you in relation to the sale of a product or service. In this case, you may only use such details for direct marketing of your own similar products or services.

Notwithstanding the above-mentioned scenarios, you are still obliged to inform the customer of the right to oppose the receipt of such marketing communications. It must be noted that it is illegal to send direct marketing via email if you disguise or conceal your true identity from the customer.


Related link:
European Data Protection Supervisor (EDPS)


In principle, the value added tax (VAT) is the consumption tax applicable on most goods and services, bought and sold for consumption in Malta and across the European Union. Broadly speaking, all traders operating from Malta, whether selling from a traditional shop or through the Internet, are subject to VAT for the supply of goods and/or services, as set out in the Value Added Tax Act. Traders whose turnover does not exceed a certain threshold may opt to register as “exempt persons”.


VAT charged on Goods

As a general rule, the VAT applicable on goods sold at a distance[9], for example via the Internet, is that of the place of origin. For example, if you are selling goods to a non-taxable customer in Germany you would have to charge the customer the VAT that is pertinent to Malta. However, if you exceed the distance selling threshold[10] in any one of the EU member states, you would need to charge the VAT applicable in that particular EU country. Nevertheless, you can, out of your own free will, even opt to register for VAT in a particular member state, irrespective of whether the threshold in that country is exceeded or not. In such cases, it is recommended to consult with the VAT authorities[11], both in Malta and in that particular member state, especially in relation to the rates applicable to specific goods. If you sell goods to customers residing outside the EU, no VAT will be charged, given that you register such sales as export[12].


VAT charged on services

Generally, the tax applicable on a service is that of the trader’s place of establishment[13]. However, exceptions exist and in a number of cases the VAT treatment of a service will be dealt with according to the place of supply rules, specific to the particular type of service. These may include services related to immovable property, transport of passengers or goods, cultural, artistic, sporting, scientific, educational, and entertainment services[14] and others.


VAT charged on electronically supplied services

As from January 2015, electronically supplied services rendered within the EU or outside the EU, are deemed to take place where the customer is established and therefore not subject to Maltese VAT. For example, if you electronically sell music, films, games etc. to a customer in the EU, then no Maltese VAT would apply and instead you will be liable to charge the VAT of the member state of the customer. In order to avoid having to register and comply with all the VAT obligations in all the member states where you are trading, you may opt to use the special simplification scheme known as MOSS (Mini-One-Stop-Shop) providing for a single online registration via the Maltese VAT Department web-portal. Such registration would enable you to charge and account for the VAT due in all the member states in which you are trading.

It is important to note that the VAT rules governing online sales between businesses (B2B) differ from the above, and are not within the scope of these guides.

Should you be interested in setting up an online shop in Malta, it is advisable that you consult with the local VAT Department for more case-specific information.


Related links:
Guidelines for the VAT treatment of electronically supplied services
VAT mini-one-stop-shop

[1] Regulation (EC) no 593/2008 of the European Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations (Rome I), art. 6 –
[2] Consumer Affairs Act, cap. 378, arts. 44 to 47.
[3] Consumer Affairs Act, cap. 378, part VII, arts. 51(A) to 55.

[4] Information society services ‘extend to services which are not remunerated by those who receive them, such as those offering on-line information or commercial communications, or those providing tools allowing for search, access and retrieval of data; information society services also include services consisting of the transmission of information via a communication network, in providing access to a communication network or in hosting information provided by a recipient of the service’. European eCommerce Directive, 2000/31/EC –
[5] Data Protection Act, cap. 440, art. 7.
[6] Processing of Personal Data (Electronic Communications Sector) Regulations, s.l. 440.01, reg. 9 (3):
[7] Data Protection Act, cap. 440, art. 10.
[8] Processing of Personal Data (Electronic Communications Sector) Regulations, s.l. 440.01, reg. 9:
[9] Value Added Tax Act, cap. 406, art. 7 –
[10] Distance selling thresholds:
[11] VAT authorities within the EU –
[12] Value Added Tax Act, cap. 406, art. 9.
[13] Value Added Tax Act, cap. 406, art. 7
[14] Value Added Tax Act, cap. 406, art. 7.