DATA PROTECTION

The Data Protection Act

The laws regulating data processing in Malta have been updated and are now found in the Data Protection Act (Cap. 586) and in the General Data Protection Regulation (GDPR).

Updated information may be obtained from the website of the Office of the Information and Data Protection Commissioner.

The General Data Protection Regulation

The General Data Protection Regulation (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals and citizens of the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA.

Implemented on the 25th May 2018, it replaced Data Protection Directive 95/46/EC and is the primary law regulating how companies protect EU citizens' personal data. The purpose of the GDPR is to provide a single set of standardised data protection rules across all member countries. This should make it easier for EU citizens to understand how their data is being used, and to raise complaints, even if they are not in the country where the data is located.

Data Protection Laws ensure that:

  • personal information is only gathered for a specific purpose
  • the individual about whom information is obtained knows that you are gathering and storing information about him or her
  • the personal information is used only for the purpose for which it was obtained
  • personal information is not passed on to third parties without the individual’s consent
  • individuals have access to the personal information retained by others
  • use and access to personal information is controlled

The Nine Principles of ‘Good Information Handling’

The controller shall ensure that:

  1. Personal data is processed fairly, transparently and lawfully;
  2. Personal data is always processed in accordance with good practice (security: integrity and confidentiality);
  3. Personal data is only collected for specific, explicitly stated and legitimate purposes (purpose limitation);
  4. Personal data is not processed for any purpose that is incompatible with that for which it was collected;
  5. Personal data that is processed is adequate and relevant in relation to the purposes of the processing;
  6. No more personal data is processed than is necessary (data minimisation), having regard to the purposes of the processing;
  7. Personal data that is processed is correct, accurate and, where necessary, up to date;
  8. All reasonable measures are taken to complete, correct, block or erase data to the extent that such data is incomplete or incorrect, having regard to the purposes for which it is processed (accountability);
  9. Personal data is not kept for longer than is necessary (storage limitation), having regard to the purposes for which it is processed.

Data Protection Terminology

Who is the Data Controller?
Under GDPR and other privacy laws, the data controller carries the greatest responsibility for protecting the privacy and rights of the data subject (for example, the user of a website). In simple terms, the data controller decides the procedures for, and the purpose of, the use of the data.

The data controller determines the purposes for which, and the manner in which, personal data is processed. It may do this on its own, or jointly or in common with other organisations. In other words, the data controller exercises overall control over the 'why' and the 'how' of a data processing activity.

Who is the Data Processor?
The data processor is a person or organisation that handles personal data on the instructions of a data controller, for specific purposes and as part of services offered to the data controller that involve the processing of personal data (for example, a third-party provider of outsourced payroll services that processes the wage data of the controller's employees).

What is Personal Data?
Personal data means any information about an identifiable living individual, the data subject.

Who is a Data Subject?
The term 'data subject' refers to any living individual whose personal data is collected, held or processed by an organisation. Personal data is any data that can be used to identify an individual (for example, a name, home address or credit card number).

What are the rights of data subjects?
There are eight fundamental rights under GDPR:

  1. Right to access personal data (Article 15)
  2. Right to rectification (Article 16)
  3. Right to erasure / right to be forgotten (Article 17)
  4. Right to restrict data processing (Article 18)
  5. Right to be notified (Article 19)
  6. Right to data portability (Article 20)
  7. Right to object (Article 21)
  8. Right to reject automated individual decision-making (Article 22)

Does GDPR affect my business?

GDPR applies to all businesses and organisations established in the EU, regardless of whether the data processing takes place in the EU or not. Organisations established outside the EU will also be subject to GDPR. Almost all businesses are affected by the GDPR, from sole traders to multinationals, but even though the GDPR is intended to unify data protection rules across the EU, not all businesses will face the same problems.

If your business offers goods and/or services to citizens in the EU, it is subject to GDPR. It must comply if it is involved in the regular processing (which includes collecting, storing and using) of personal data.

For every new process that will collect personal data, the Notification of New Process Form must be filled in and submitted to the Data Protection Commissioner.

Online Application

Data Protection Notification Form