DATA PROTECTION

CAP.586  Data Protection Act

 
Formerly CAP.440 Data Protection Act, repealed by Act XX of 2018, the applicable laws in Malta regulating Data processing procedures have been updated and are now found under CAP.586 Data Protection Act and under the General Data Protection Regulation (GDPR).
 
Updated information may be obtained from the website of the Office of the Information and Data Protection Commissioner.
 
General Data Protection Regulation
 
The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy for all individuals, citizens of the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA areas.
 
Implemented on the 25th May 2018, it replaced Data Protection Directive 95/46/ec, and is the primary law regulating how companies protect EU citizens' personal data.  The purpose of GDPR is to provide a set of standardised data protection laws across all the member countries. This should make it easier for EU citizens to understand how their data is being used, and also raise any complaints, even if they are not in the country where its located.
 
Data Protection Laws ensure that:
 
         I.            Personal information is only gathered for a specific purpose
       II.            The individual (data subject) about whom information is obtained, knows that you are gathering and storing information about him or her
     III.            The personal information is used only for the purpose for which it was obtained
    IV.            The personal information is not passed on to third parties without the individual’s consent
      V.            The individuals have access to the personal information retained
    VI.            The use and access to personal information is controlled
 
The Nine Principles of ‘Good Information Handling’
 
The data controller shall ensure that:
 
  1. Personal data is processed fairly, transparently and lawfully;
  2. Personal data is always processed in accordance with good practice (security-Integrity and confidentiality);
  3. Personal data is only collected for specific, explicitly stated and legitimate purposes (purpose limitation);
  4. Personal data is not processed for any purpose that is incompatible with that for which the information is collected;
  5. Personal data that is processed is adequate and relevant in relation to the purposes of the processing;
  6. No more personal data is processed than is necessary (data minimisation) having regard to the purposes of the processing;
  7. Personal data that is processed is correct, accurate and, if necessary, up to date.
  8. All reasonable measures are taken to complete, correct, block or erase data to the extent that such data is incomplete or incorrect, having regard to the purposes for which they are processed (accountability);
  9. Personal data is not kept for a period longer than is necessary (storage limitation), having regard to the purposes for which they are processed.
 
Data Protection Terminology
 
Who is the Data Controller?
In GDPR and other privacy laws, the data controller has the most responsibility when it comes to protecting the privacy and rights of the data's subject, (example: user of a website). In simple terms, the data controller controls the procedures and purpose of data usage.
 
The data controller determines the purposes for which and the manner in which personal data is processed. It can do this either on its own or jointly or in common with other organisations. This means that the data controller exercises overall control over the 'why' and the 'how' of a data processing activity.
 
Who is the Data Processor?
The data processor is a person or organization, who deals with personal data as instructed by a data controller for specific purposes and services offered to the data controller that involve personal data processing (example: 3rd Party entity providing outsourced payroll to the entity processing the entities employees wages data).
 
What is Personal Data?
Personal data means any information about an identifiable living individual, a data subject.
 
Who is a data subject?
The term 'data subject' refers to any living individual whose personal data is collected, held or processed by an organisation. Personal data is any data that can be used to identify an individual, (example: name, home address or credit card number).
 
What are the rights of data subjects?
There are eight fundamental rights under GDPR.
 
         I.            Right to Access Personal Data. (Article 15)
       II.            Right to Rectification. (Article 16)
     III.            Right to Erasure / Right to be Forgotten. (Article 17)
    IV.            Right to Restrict Data Processing. (Article 18)
      V.            Right to be Notified. (Article 19)
    VI.            Right to Data Portability. (Article 20)
   VII.            Right to Object. (Article 21)
 VIII.            Right to Reject Automated Individual Decision-Making. (Article 22)
 
What is a Data Protection Officer?
A Data Protection Officer (DPO) is an enterprise security leadership role required by the General Data Protection Regulation (GDPR). Data protection officers are responsible for overseeing a company's data protection strategy and its implementation to ensure compliance with GDPR requirements.
 
Does GDPR affect my business?
GDPR applies to all businesses and organizations established in the EU, regardless of whether the data processing takes place in the EU or not. Even non-EU established organizations will be subject to GDPR. Almost all businesses are affected by the GDPR, from sole traders to multinationals. But even though the GDPR intends to unify data protection rules across the EU, not all businesses will face the same problems.
 
If your business offers goods and/ or services to citizens in the EU, then it's subject to GDPR.  This is because your business must still comply if it's involved in regular processing (which includes collecting, storing and using) of personal data.
 
Do I need a Data Protection Officer for my business?
An organisation is required to appoint a designated data protection officer where:
         I.            The processing is carried out by a public authority or body;
       II.            The core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or
     III.            The core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.