The following law(s) specifically govern personal data / information:
The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), and the Data Protection Act (Chapter 586 of the Laws of Malta) and Regulations issued thereunder.
The key data protection principles in this jurisdiction are:
- consent of the data subject for one or more specific purposes;
- contractual necessity;
- compliance with a legal obligation of the controller to perform the relevant processing;
- protection of the vital interests of the data subject or of another natural person;
- performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- legitimate interests (i.e. the processing is necessary for the purposes of legitimate interests pursued by the controller, except where the controller’s interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects).
The processing of sensitive personal data requires stronger grounds and is only permitted under certain conditions, of which the most relevant are:
- explicit consent of the affected data subject;
- the processing is necessary in the context of employment or social security law; or
- the processing is necessary for the establishment, exercise or defence of legal claims.
Personal data must be processed lawfully, fairly and in a transparent manner. Regarding the processing of personal data, controllers are obliged to provide certain information to data subjects. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.
The processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed.
Personal data must be accurate and, where necessary, kept up to date.
Personal data must be stored in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data was initially collected.
Integrity and confidentiality
Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The controller is responsible for the processing of data in accordance with the GDPR. In particular, the controller is obliged to implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in compliance with the GDPR.
The supervisory authority / regulator in charge of data protection is:
The Information and Data Protection Commissioner (the IDPC).
Is there a requirement to register with a supervisory authority / regulator?
No, there is no registration requirement in order to process personal data.
Is there a requirement to notify the supervisory authority / regulator?
As explained in further detail below, the controller must inform the IDPC of a transfer to a third country that is not the subject of an adequacy decision and if appropriate safeguards are absent.
Is it possible to register with / notify the supervisory authority / regulator online?
The key data subject rights under the data protection laws of this jurisdiction are:
- Right to information
Pursuant to Articles 13 and 14 GDPR, data subjects have the right to be provided with information on the identity of the controller, the reasons for processing their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.
- Right of access
A data subject has the right to obtain from a controller certain information in respect of the data subject’s personal data as listed in Article 15 GDPR.
Additionally, the data subject may request a copy of the personal data being processed.
- Right to rectification of errors
Pursuant to Article 16 GDPR, data subjects have the right to rectification of inaccurate personal data.
- Right to deletion/right to be forgotten
Data subjects have the right to erasure of their personal data (the “right to be forgotten”) if one of the grounds listed in Article 17 GDPR applies.
- Right to restriction of processing
Data subjects have the right to request restriction of the processing of personal data, which means that the data may only be processed for limited purposes as defined in Article 18 GDPR.
- Right to data portability
Data subjects have a right to receive a copy of their personal data in a commonly used machine-readable format, and transfer their personal data from one controller to another or have the data transmitted directly between controllers (Article 20 GDPR).
- Right to object to processing
Data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data where the basis for that processing is either public interest (Article 6 para 1(e) GDPR) or legitimate interest of the controller (Article 6 para 1(f) GDPR). The controller must cease such processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the relevant data subject or requires the data in order to establish, exercise or defend legal rights.
Data subjects have the right to object to the processing of personal data for marketing purposes, including profiling.
- Right to withdraw consent
A data subject has the right to withdraw their consent at any time (Article 7 para 3 GDPR). The withdrawal of consent does not affect the lawfulness of processing based on consent before the withdrawal.
- Right to complain to the relevant data protection authority(ies)
Data subjects have the right to lodge complaints concerning the processing of their personal data with the competent data protection authority.
- Right not to be subject to automated individual decision-making
Under certain circumstances, data subjects have the right not to be subject to a decision based solely on automated processing of data (including profiling) which produces legal effects or similarly significantly affects the data subject (Article 22 GDPR).
Is there a requirement to appoint a data protection officer (or equivalent)?
Maltese law requires a Data Protection Officer (DPO) to be designated where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or processor consist of processing on a large scale of special categories of data and/or personal data relating to criminal convictions and offences.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller is required, prior to the processing, to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
In particular, a data protection impact assessment is required in the case of:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences; or
- a systematic monitoring of a publicly accessible area on a large scale.
The IDPC provides a non-exhaustive list of types of processing operations where a data protection impact assessment may be required:
- Systematic monitoring;
- Use of innovative technologies;
- Special categories of personal data;
- Biometric data;
- Genetic data;
- Data concerning vulnerable persons; and
- Employee monitoring.
Does this jurisdiction have any specific data breach notification requirements?
In the case of a data breach, the controller must notify the personal data breach to the IDPC within 72 hours of becoming aware of the breach.
The notification is not required in those specific cases where the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of data subjects.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller is required to communicate the personal data breach to the data subject without undue delay.
The following restrictions apply to the international transfer of personal data / information:
In terms of the GDPR, the protection offered travels with the data, and therefore the rules protecting personal data continue to apply regardless of where the data lands. This also applies when data is transferred to a country which is not a member of the EU, i.e. a third country.
A third country may be declared as offering an adequate level of protection through a European Commission decision, meaning that data can be transferred to that third country without the data exporter being required to provide further safeguards or being subject to additional conditions. This means that transfers to an ‘adequate’ third country will be comparable to a transmission of data within the EU.
In the absence of an adequacy decision, a transfer can take place through the provision of appropriate safeguards and on condition that enforceable rights and effective legal remedies are available to the data subjects. Such safeguards may include binding corporate rules, standard data protection clauses adopted by the European Commission, or adherence to a code of conduct or certification mechanism.
If a transfer of personal data is envisaged to a third country that is not the subject of an adequacy decision and if appropriate safeguards are absent, the GDPR provides for derogations for specific situations. These may include cases where the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers, and where the transfer is necessary for important reasons of public interest. As mentioned above, the controller must inform the IDPC of such a transfer.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
The GDPR applies to both the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not, and to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; and/or
- the monitoring of their behaviour as far as their behaviour takes place within the EU.
The following rules specifically deal with marketing:
The Processing of Personal Data (Electronic Communications Sector) Regulations specifically prohibit the use of any publicly available electronic communications service to make an unsolicited communication for the purpose of direct marketing by means of:
- an automatic calling machine;
- a facsimile machine; or
- electronic mail;
to a subscriber or user, irrespective of whether such subscriber or user is a natural person or legal person, unless the subscriber or user has given their prior consent in writing to the receipt of such a communication.
Notwithstanding the above, where a person has obtained from customers their contact details for electronic mail in relation to the sale of a product or a service, that person may use such details for direct marketing of its own similar products or services. However, customers shall be given the opportunity to object, free of charge and in an easy and simple manner, to such use of electronic contact details at the time of their collection and on the occasion of each message where the customer has not initially refused such use.
Do different rules apply to business-to-business and business-to-consumer marketing?
As per the above, the Regulations do not distinguish between the types of recipient of a communication.
The following rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
Please refer to the above.
The following rules specifically deal with cookies:
The Processing of Personal Data (Electronic Communications Sector) Regulations implement the provisions of the ePrivacy Directive (Directive 2009/136/EC), which is often referred to as the ‘Cookie Law’.
In terms of the Maltese Regulations, the storing of information or the gaining of access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given their consent, having been provided by the controller with clear and comprehensive information.
In addition, traffic data relating to subscribers and users processed for the purpose of the transmission of a communication and stored by an undertaking which provides publicly available electronic communications services or by an undertaking which provides a public communications network must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication.
In addition, any person who contravenes or fails to comply with the Processing of Personal Data (Electronic Communications Sector) Regulations shall be liable to an administrative fine not exceeding €23,293.73 for each violation and €2,329.37 for each day during which such violation persists, which fine shall be determined and imposed by the IDPC.
The consequences of non-compliance with data protection laws (including marketing laws) are:
The Maltese Data Protection Act does not specifically set out the applicable administrative fines which may be imposed by the IDPC for non-compliance. Since the GDPR is directly applicable, the IDPC may impose the administrative fines set out in Article 83 of the Regulation.
Without prejudice to the above, in terms of the Data Protection Act, any person who:
- knowingly provides false information to the IDPC when so requested by the IDPC pursuant to its investigative powers in terms of the GDPR, or any other law; or
- does not comply with any lawful request pursuant to an investigation by the IDPC;
shall be guilty of an offence and shall, upon conviction, be liable to a fine of not less than €1,250 and not more than €50,000 or to imprisonment for six months or to both such fine and imprisonment.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
Since Malta is a member state of the EU, it is very important to keep in mind that the processing of personal data of individuals who are physically present in Malta will fall within the scope of the GDPR.
Multinational organisations should be aware of the following upcoming data protection developments:
At a European level, the EU is currently discussing the ePrivacy Regulation, which will repeal the current Privacy and Electronic Communications Directive (Directive 2002/58/EC). However, as of today there is still no fixed date by which this new Regulation will come into effect.