1. Relevant Legislation and Competent Authorities

1.1        What is the principal data protection legislation?

The principal data protection legislation is the Data Protection Act ("DPA"), Chapter 440 of the Laws of Malta.  This transposes Directive 95/46/EC on data protection (the "Data Protection Directive") into Maltese law.  The DPA makes provision for the protection of individuals against the violation of their privacy by the processing of personal data and for matters connected therewith or ancillary thereto.

1.2        Is there any other general legislation that impacts data protection?

General legislation which impacts data protection includes:

  • Notification and Fees (Data Protection Act) Regulations (Subsidiary Legislation 440.02).
  • Third Country (Data Protection Act) Regulations (Subsidiary Legislation 440.03).
  • Processing of Personal Data (Protection of Minors) Regulations (Subsidiary Legislation 440.04).
  • Transfer of Personal Data to Third Countries Order (S.L. 440.07).

1.3        Is there any sector-specific legislation that impacts data protection?

Sector-specific legislation relating to data protection includes:

  • Processing of Personal Data Electronic Communications Sector) Regulations (Subsidiary Legislation 440.01).
  • Data Protection (Processing of Personal Data in the Police Sector) Regulations (Subsidiary Legislation 440.05).
  • Processing of Personal Data (Police and Judicial Cooperation in Criminal Matters) Regulations (Subsidiary Legislation 440.06).
  • Processing of Personal Data for the purposes of the General Elections Act and the Local Councils Act Regulations (Subsidiary Legislation 440.08).
  • Processing of Personal Data (Education Sector) Regulations (Subsidiary Legislation 440.09).

1.4        What is the relevant data protection regulatory authority(ies)?

The relevant data protection regulatory authority is the Information and Data Protection Commissioner ("IDPC").

2. Definitions

2.1        Please provide the key definitions used in the relevant legislation:

  • "Personal Data"

"Personal data" means any information relating to an identified or identifiable natural person.  An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

  • "Sensitive Personal Data"

"Sensitive personal data" means personal data that reveals race or ethnic origin, personal opinions, religious or philosophical beliefs, membership of a trade union, health or sex life.

  • "Processing"

"Processing" means any operation or set of operations which is taken in regard to personal data, whether or not it occurs by automatic means, and includes the collection, recording, organisation, storage, adaptation, alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking and erasure of destruction of such data.

  • "Data Controller"

"Data Controller" means a person who alone or jointly with others determines the purposes and means of the processing of personal data.

  • "Data Processor"

A processor is a person who processes personal data on behalf of a controller.

  • "Data Subject"

"Data Subject" means a natural person to whom the personal data relates.

  • Other key definitions – please specify (e.g., "Pseudonymous Data", "Direct Personal Data", "Indirect Personal Data")

A "personal data representative" means a person, appointed by the controller of personal data, who shall independently ensure that the personal data is processed in a correct and lawful manner.

3. Key Principles

3.1        What are the key principles that apply to the processing of personal data?

  • Transparency

Article 7 of the DPA establishes that the controller must ensure that personal data is processed fairly, lawfully and in accordance with good practice.  The controller or any other person authorised by him to process data must provide the data subject with information about the processing of personal data, to the extent that the data subject does not have such information.  This information includes:

(a) the identity and habitual residence or principal place of business of the controller or person authorised to carry out the processing;

(b) the purposes of the processing for which the data is intended; and

(c) any further information relating to:

(i)  the recipients of the data;

(ii) whether the reply to questions made to the data subject is obligatory or voluntary and the possible consequence of the failure to reply; and

(iii) the existence of data subject rights including the right to access, rectify and, where applicable, erase the data pertaining to him.

  • Lawful basis for processing

The DPA provides that personal data may only be processed for legitimate purposes.  Article 9 provides the grounds upon which personal data may be lawfully processed.  These legal bases are:

  1. the data subject has unambiguously given his consent;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to the contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject;
  5. processing is necessary for the performance of an activity carried out in the public interest or in the exercise of the official authority vested in the controller or a third party to whom data is disclosed; and
  6. processing is necessary for a purpose that concerns a legitimate interest of the controller or a third party to whom data is disclosed, except where such interest is overridden by the interest to protect the fundamental rights and freedoms of the data subject and, in particular, the right to privacy.
  • Purpose limitation

The DPA provides that personal data may only be collected for specific, explicitly stated and legitimate purposes and cannot be processed for any reason incompatible with such purposes.

  • Data minimisation

The DPA establishes that no more personal data is processed than is necessary.

  • Proportionality

In terms of the DPA, personal data processed must be adequate and relevant for the purposes of this processing.

  • Retention

Personal data may not be kept for a period longer than is necessary, having regard to the purposes for which it is processed.

  • Other key principles – please specify

The controller of personal data is also bound to ensure that the personal data are correct and up to date.  Pursuant to this, all reasonable measures should be taken to complete, correct, block and erase data to the extent that such data are incomplete or incorrect.

Article 26 of the DPA also obliges the controller to implement appropriate and adequate security measures to protect the personal data against accidental destruction, loss or unlawful processing.

4. Individual Rights

4.1        What are the key rights that individuals have in relation to the processing of their personal data?

  • Access to data

In accordance with Article 21 of the DPA, the data subject has the right to request, at reasonable intervals, written information as to whether personal data concerning the data subject is processed.  The controller of data is bound to provide such information without expense or excessive delay.  The information to be provided includes:

  1. actual information about the data subject which is processed;
  2. where this information has been collected;
  3. the purpose of the processing;
  4. to which recipients the information is disclosed; and
  5. knowledge of the logic involved in any automatic processing of the data.
  • Correction and deletion

The data subject has the right to request the rectification, blocking or erasure of personal data which has not been lawfully processed.  In such a case, the controller shall notify the third party to whom the information has been disclosed about such measures, unless this involves a disproportionate burden.

  • Objection to processing

The data subject may object to the processing of personal data in two circumstances:

  1. where the processing of personal data is necessary for the performance of an activity carried out in the public interest or in the exercise of official authority vested in the controller or a third party to whom the data are disclosed; and
  2. where the processing is necessary for a purpose which concerns a legitimate interest of the controller of such third party.  Such an objection may be lodged at any time on the basis of compelling grounds.
  • Objection to marketing

Article 10 of the DPA grants the data subject the right to object to his data being used for direct market purposes, in which case his personal data cannot be processed for such purposes.

In addition, the Processing of Personal Data (Electronic Communications Sector) Regulations provide that a data subject may object free of charge and in an easy and simple manner to the use of their electronic contact details for the purpose of direct marketing, even in cases where such information was obtained from the data subject himself in relation to the sale of a product or service.

  • Complaint to relevant data protection authority(ies)

Complaints may be made to the IDPC by means of the following website: http://idpc.gov.mt/en/Pages/contact/complaints.aspx.

  • Other key rights – please specify

Pursuant to the ECJ ruling Google Spain SL, Google Inc. vs. Agencia Española de Protección de Datos (AEPD) & Mario Costeja González, there is also a right to be forgotten which has been stated more expressly.

To view the article in full click here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.