Data Protection
The right to the protection of personal data is a fundamental right. It is distinct from, but closely linked to, the right to respect for private and family life. This distinction is made explicitly in the EU Charter of Fundamental Rights, where the two rights are set out separately.
In the information technology era in which we live, it is an indisputable fact that the landscape for processing personal data has become quite opaque. To this end, the EU has adopted a robust regulatory framework. The central pieces of legislation are (i) Directive 95/46/EC of 24 October 1995, which regulates the protection of individuals with regard to the processing of personal data and the free movement of such data (‘Data Protection Directive’), and (ii) Directive 2002/58/EC of 12 July 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector (‘Privacy and Electronic Communications Directive’). Malta, a fully-fledged EU member since its accession in 2004, has implemented the said Directives into national legislation, i.e. the 2001 Data Protection Act (Cap. 440 Laws of Malta). This, together with a number of pieces of subsidiary legislation, forms the local legislative framework for the protection of personal data. The Constitution of Malta also provides for the protection of the fundamental rights and freedoms of individuals.
Key Definitions
| Term | Definition |
| --- | --- |
| “Personal data” | Any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. |
| “Controller of personal data” or “controller” | A person who alone or jointly with others determines the purposes and means of the processing of personal data. |
| “Processor” | A person who processes personal data on behalf of a controller. |
| “Data subject” | A natural person to whom the personal data relates. |
| “Processing” and “processing of personal data” | Any operation or set of operations which is taken in regard to personal data, whether or not it occurs by automatic means, and includes the collection, recording, organisation, storage, adaptation, alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction of such data. |
| “Sensitive personal data” | Personal data that reveals race or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, health, or sex life. |
Notification requirement for data controllers
Data controllers must notify their processing of personal data to the Office of the Information and Data Protection Commissioner (‘the Commissioner’). Notification must be made before the processing begins and is subject to an initial fee, with a fee payable annually thereafter.
Where the only personal data processed by a company are those contained in its Memorandum and Articles of Association as registered with the Registrar of Companies under the Companies Act, the company is exempt from the aforementioned notification requirement. Furthermore, the following categories of persons are obliged to notify but are exempt from payment of the notification fee: (i) self-employed persons who carry on a trade, business, profession or other economic activity and do not employ anyone; and (ii) philanthropic institutions and similar organisations, band clubs, sports clubs and similar institutions, registered trade unions, and political parties and clubs adhering to political parties, which are also exempt from tax under the Income Tax Act.
We will be pleased to assist you in the notification procedure as well as in functioning as intermediaries between you and the Commissioner.
Data subjects’ rights
A number of rights are conferred on data subjects under the Data Protection Act, which are summarised below:
- Right to compensation from a data controller who processes data in contravention of the Data Protection Act or regulations made thereunder;
- Right of access, upon explicit request by the data subject, whereby the data controller is required to provide, in written form, actual information about the data which are processed, where the information was collected, the purpose of the processing and the recipients to whom the information is disclosed. The controller's written reply must also explain the logic involved in any automatic processing of data concerning the data subject;
- Right to object to the processing of his data for direct marketing purposes. The data controller is obliged to inform the data subject of this right appropriately and at no cost, and must then cease such processing within a reasonable period;
- Right to have his data rectified, blocked or erased where the data have not been processed in accordance with the Data Protection Act; and
- Right to ask the data controller to reconsider any decision based solely on automated processing (unless such a decision is taken in the course of entering into or performing a contract with the data subject, under certain conditions).
Our firm is well equipped to advise both on your rights as data subjects as well as your obligations as data controllers and/or data processors.
Transfer of personal data to third countries
A transfer of personal data to another country amounts to processing and as such must be notified to the Commissioner. No restrictions or other formalities apply to transfers of personal data to EU/EEA countries, or to non-EU/EEA countries which the European Commission has from time to time recognised as providing an adequate level of protection.
By way of derogation from the above, a transfer of personal data to a third country which does not ensure an adequate level of protection may be effected provided that:
i. the data subject has given his consent unambiguously to the proposed transfer; or
ii. the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject’s request; or
iii. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or
iv. the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or
v. the transfer is necessary in order to protect the vital interests of the data subject; or
vi. the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.
Where none of the conditions mentioned under (i)-(vi) above is met, a transfer of personal data to third countries that do not provide an adequate level of protection may still be effected through one of the following routes:
a) Standard Contractual Clauses (or ‘Model Clauses’) – standardised, non-negotiable data export agreements approved by the European Commission;
b) Safe Harbour Agreement – intended for organisations within the European Union or the United States which store customer data; the ‘Safe Harbour Principles’ are designed to prevent accidental information disclosure or loss. U.S. organisations subject to the jurisdiction of the Federal Trade Commission (FTC), and U.S. air carriers and ticket agents subject to the jurisdiction of the Department of Transportation (DOT), may opt into the Agreement; or
c) Binding Corporate Rules – applicable to the multinational entities of a conglomerate, for intra-group transfers and processing.
Our firm is fully equipped with the knowledge and expertise to provide your business with comprehensive assistance with the regulation and related matters, such as:
- design and implementation of data protection policies and procedures;
- notifying and liaising with the Commissioner;
- advice on your rights as data subjects and your obligations as data controllers or data processors;
- provision of training to managers, officers and company personnel;
- advice on the international transfer of data and the drafting of Binding Corporate Rules for your organisation;
- design and implementation of a screening policy for hiring new employees; and
- dealing with regulators and consulting on regulatory issues.