Olga Finkel and Robert Zammit have recently written the Malta chapter for the Data Protection & Privacy 2015 issue of Getting The Deal Through. The chapter addresses how data is handled in Malta as well as the legal and regulatory issues surrounding data protection and privacy.

Law and the regulatory authority

1.     Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Have any international instruments on privacy or data protection been adopted in your jurisdiction?

Malta enacted the Data Protection Act in 2001. This, together with a number of pieces of subsidiary legislation, forms the local legislative framework for the protection of PII. The Constitution of Malta also provides for the protection of the fundamental rights and freedoms of individuals.

Malta is also a party to the Universal Declaration of Human Rights, to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, and to the European Convention for the Protection of Human Rights and Fundamental Freedoms. Malta is a member of the European Union and is consequently bound to adhere to all directives, regulations and recommendations, including Directive 95/46/EC.

2.     Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the powers of the authority.

The authority responsible for overseeing the data protection law is the Office of Information and Data Protection Commissioner (‘the Commissioner’). The Commissioner has a number of functions, which include, but are not limited to:

  • creating and maintaining a public register of all processing operations according to notifications submitted to him;
  • exercising control and verifying whether processing is being carried out in accordance with the Act and the regulations;
  • issuing directions;
  • instituting civil legal proceedings in case of breach of the Act and referring to the competent authorities any criminal offence encountered in the course of his functions;
  • ordering the blocking, erasure and/or destruction of data, imposing a temporary or permanent ban on processing, or warning or admonishing controllers;
  • at the request of data subjects, verifying that processing of data is compliant with the Act.

The Commissioner is entitled to obtain on request access to personal data that is being processed, as well as information about and documentation of the processing of personal data and the security of such processing. In exercising this function the Commissioner has the same powers to enter and search any premises as are vested in the executive police by any law.

3.     Breaches of data protection

Can breaches of data protection lead to criminal penalties? How would such breaches be handled?

Breaches of particular provisions of the Act may lead to criminal penalties, which may vary from fines (multa) of between €120 and €23,300 to imprisonment of not more than 6 months. The criminal penalties vary depending on the provisions of the Act being breached. On encountering a breach of the Act which could lead to criminal proceedings, the Commissioner is to refer the matter to the competent authorities, who in turn would need to take action before the Criminal Courts of Malta.

Other breaches of the Act may result in administrative fines, which can vary from one-time fines of up to €23,300 to daily fines of up to €2,500, depending on the provisions of the Act being breached.

Scope

4.     Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

The Act does not apply to processing of personal data where such processing is undertaken by a natural person in the course of a purely personal activity, nor to processing operations concerning public security, defence, State security (which includes the economic well-being of the State when the processing operation relates to security matters) and the activities of the State in areas of criminal law.

5.     Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

The Act covers direct marketing. However, interception of communications, unsolicited communications over electronic communications networks, and monitoring and surveillance of individuals are covered by the Processing of Personal Data (Electronic Communications Sector) Regulations 2003, which implement the provisions of Directive 2002/58/EC and Commission Regulation 611/2013.

6.     Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

Under the Act a number of pieces of subsidiary legislation have been enacted.

The Processing of Personal Data (Protection of Minors) Regulations provide for permitted processing in case of any information obtained by a teacher or any other person acting in loco parentis or in his professional capacity in relation to a minor if such processing is in the best interest of the minor.

The Data Protection (Processing of Personal Data in the Police Sector) Regulations are intended to ensure a high level of data protection in the Police sector and in any other public body exercising police powers.

The Processing of Personal Data (Police and Judicial Cooperation in Criminal Matters) Regulations have been enacted to ensure a high level of protection of fundamental rights and freedoms of natural persons.

7.     PII Formats

What forms of PII are covered by the law?

The Act covers both the processing of personal data as well as sensitive personal data. The Act defines personal data as any information relating to an identified or identifiable natural person, whereby an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Sensitive personal data is defined as personal data that reveals race or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, health or sex life.

8.     Extraterritoriality

Is the reach of the law limited to data owners and data processors established or operating in the jurisdiction?

The territorial scope of the Act is limited to processing of personal data in Malta or in a Maltese Embassy or High Commission abroad, and to processing of personal data where the controller is established in a third country but the equipment used for processing is located in Malta, except where the equipment is used only for the purpose of transmitting the information.

9.     Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide services to owners?

Processing is defined in the Act as any operation or set of operations which is taken in regard to personal data, whether or not it occurs by automatic means and includes the collection, recording, organisation, storage, adaptation, alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction of such data.

Different responsibilities are placed on the controller of the personal data and on the processor, who processes personal data on behalf of a controller. The processor is not allowed to process personal data other than in accordance with instructions from the controller, unless there is a legal requirement to do so. Furthermore, the Act requires that processing by a processor be done under a written contract whereby the processor is bound to act only on the instructions of the controller and to ensure that the required security measures relating to processing are in place.

Legitimate processing of PII

10.  Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

According to the Act, Article 9, personal data may be processed only in the circumstances below:

  1. the data subject has given unambiguous consent; or
  2. the processing is necessary for:
    • the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract; or
    • compliance with a legal obligation to which the controller is subject; or
    • the protection of the vital interests of the data subject; or
    • the performance of an activity which is carried out in the public interest; or
    • a purpose that concerns a legitimate interest of the controller or of a third party to whom the personal data is provided, except where such interest is overridden by the interest in protecting the fundamental rights and freedoms of the data subject, in particular the right to privacy.

11.  Legitimate processing – types of data

Does the law impose more stringent rules for specific types of data?

The Act specifies that sensitive personal data may not be processed unless explicit consent is obtained from the data subject or the data subject made the sensitive personal data public.

Furthermore, the Act provides that sensitive personal data may be processed if appropriate safeguards are adopted and the processing is necessary to enable the controller to comply with his duties as an employer, to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving his consent, or to establish, exercise or defend legal claims.

The Act further provides that there are other situations where sensitive personal data may be processed.

These include when the processing of sensitive data is done:

  • By a body of persons or other entity, not being a commercial body, with political, philosophical, religious or trade union objects, in the course of its legitimate activities and with appropriate guarantees, in respect of the members of that body;
  • For health and hospital care purposes, provided that it is necessary for preventive medicine and the protection of public health; medical diagnosis; health care or treatment; or management of health and hospital care services;
  • For research and statistics purposes provided that processing is necessary for the performance of an activity which is carried out in the public interest.

Processing of sensitive personal data for research and statistics purposes may also be carried out if, in the case of statistics, the Commissioner approves such processing and, in the case of research, the Commissioner approves it on the advice of a research ethics committee of an institution recognised by the Commissioner.

A legally valid identification document may, in the absence of consent, only be processed when such processing is clearly justified having regard to the purpose of the processing, the importance of a secure identification, or some other valid reason as may be prescribed.

Data relating to offences, criminal convictions or security measures may only be processed under the control of a public authority unless specifically provided for under any other law.

Data handling responsibilities of owners of PII

12.  Notification

Does the law require owners of PII to notify individuals whose data they hold? What must the notice contain and when must it be provided?

The owners of PII must provide the individuals whose data they hold with the identity and habitual residence or principal place of business of the owner of PII and of any other person authorised by him to process data, the purpose of the processing, any further information relating to the recipients or categories of recipients of the data, whether replies to any questions put to the data subject are obligatory or voluntary, and the existence of the right to access, the right to rectify and the right to erase the data.

This information must also be provided where the data was collected from other sources.

Such information needs to be provided at the time of recording the personal data or, when the information is obtained from other sources, not later than the time when the data is first disclosed.

13.  Exemption from notification

When is notice not required?

The information does not need to be provided where the data subject already has this information, and where the processing is for statistical purposes or for historical or scientific research, or if there are provisions in any other law and adequate safeguards are adopted.

14.  Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

On request from the individuals on whom owners of PII hold data, the owners of PII are required to provide, without excessive delay and without expense, written information as to whether personal data concerning the data subject is being processed.

It is to be noted that such requests for information on the data held by the owners of PII should only be made at reasonable intervals.

The owners of PII should inform the individual what information is being processed, where the information was collected, the purpose of the processing, to whom the information is disclosed and the logic involved in any automatic processing of data concerning the individual.

The owner of PII is required to immediately rectify, block or erase personal data on the request of the individual in accordance with the law.

15.  Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

The owner of PII is required by law to ensure that the personal data is processed fairly and lawfully. The owner of PII is also required to ensure that the personal data is correct and up to date.

16.  Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

The information is not to be kept for a period longer than is necessary, having regard to the purposes for which it is processed. This would mean that if information is obtained in the creation of a business relationship, one would look at the prescriptive period in which a claim may be made following the termination of the relationship, and such period would be the maximum period for which the owner of PII is allowed by law to keep that information.

17.  Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

Yes, the owner of PII is to ensure that personal data is only collected for specific, explicitly stated and legitimate purposes. Furthermore, no more personal data is to be processed than is necessary.

18.  Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

The personal data cannot be processed for any purpose other than the explicitly stated purpose. This means that if the owner of PII is to process it for some other purpose, the owner of PII would need to obtain explicit consent for such processing, unless one of the other grounds for processing applies.

Security obligations

19.  Security obligations

What security obligations are imposed on data owners and entities that process PII on their behalf?

The law provides that the owners of PII are to implement technical and organisational measures appropriate to protect the personal data from accidental destruction or loss or from unlawful forms of processing.

The level of security should be appropriate having regard to the technical possibilities available, the costs of implementing security measures, the special risks that exist in the processing of the personal data and the sensitivity of the personal data. This allows the owners of PII some discretion in implementing the security measures which they consider sufficient in their circumstances.

20.  Notification of security breach

Does the law include obligations to notify the regulator or individuals of breaches of security?

There is no requirement under the Act which obliges the owner of PII to notify the regulator or the individual on whom information is collected that a breach of security ensued.

However, the owner of PII is to submit to the Commissioner requests relating to processing of personal data that involves particular risks of improper interference with the rights and freedoms of individuals.

Furthermore, an owner of PII that is a provider of publicly available electronic communications services is required to notify the Commissioner of a personal data breach immediately. If the breach is also likely to affect the personal data or privacy of an individual, the owner of PII is to notify the individual of the breach without undue delay.

The notification to the individual shall not be required if the owner of PII has demonstrated to the satisfaction of the Commissioner that he has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the security breach.

The notification to the individual shall at least include the nature of the personal data breach and the contact points where more information can be obtained, and shall recommend measures to mitigate the possible adverse effects of the personal data breach.

The notification to the Commissioner shall, in addition, include the consequences of, and the measures proposed or taken by the provider to address, the personal data breach.

Internal controls

21.  Data protection officer

Is the appointment of a data protection officer mandatory? What are the data protection officer’s legal responsibilities?

It is only a mandatory requirement to appoint a representative established in Malta when the owner of PII is established in a third country and the equipment used for processing is situated in Malta. There is no other mandatory requirement to appoint a data representative. However, if a data representative is appointed he shall have an independent role and is required to ensure that the owner of PII processes the personal data in a lawful and correct manner and in accordance with good practice. The data representative is only bound to inform the owner of PII should he notice any inadequacies.

It is the personal data representative who is bound to report to the Commissioner if there is suspicion that the owner of PII has contravened the provisions for processing and no rectification was implemented after the personal data representative informed the owner of PII of the situation.

The personal data representative is an independent function and is required to consult with the Commissioner in the event of doubt about how the rules applicable to processing are to be applied.

22.  Record keeping

Are owners of PII required to maintain any internal records or establish internal processes or documentation?

Owners of PII are legally obliged to process personal data in line with the principles established by the Act and to ensure that they adequately protect that personal data throughout its lifecycle, from collection to use to disclosure to destruction. It is of utmost importance that owners of PII effectively manage the personal data which they collect and process.

Although the Act does not specifically state this, apart from technical and physical measures to protect personal data, owners of PII must take the necessary administrative measures. These safeguards include measures such as company policies, procedures and privacy notices [external statements] to ensure the proper management of the privacy and security of customer and employee personal data.

One must not forget the proposed Draft Data Protection Regulation. The proposed regulation currently includes documentation obligations on data controllers – as well as the appointment of a personal data representative if the organisation legally qualifies for one – and it would therefore be wise for data controllers to start preparing for this. In case of a breach, the company would need to show in its defence that it took all the necessary steps [technical/administrative/physical] it could take to keep the personal data safe and secure and that it acted in a responsible manner throughout. Moreover, the Commissioner can carry out an on-site investigation to make sure that the company did in fact take all these measures.

Registration and notification

23.  Registration

Are owners and processors of PII required to register with the supervisory authority? Are there any exemptions?

Yes, owners and processors of PII are to register with the Commissioner. The notification should be made before carrying out any wholly or partially automated or manual processing operation.

The Commissioner may allow the simplification of or the exemption from notification obligation only in respect of processing operations which are unlikely to prejudice the rights and freedoms of data subjects, and in respect of which the Commissioner specifies the purposes of the processing, the data or categories of data being processed, the category or categories of data subjects affected by such processing, the recipients or categories of recipients to whom the data is to be disclosed and the length of time for which the data is to be stored.

24.  Formalities

What are the formalities for registration?

The notification is to be submitted before carrying out any processing operation and should include the name and address of the data controller and of any other person authorised by him, the purpose or purposes of the processing, a description of the categories of data subjects and of the data relating to them, the recipients to whom the data might be disclosed, proposed transfers of data to third countries and a general description allowing a preliminary assessment to be made of the appropriateness of the security measures taken.

Unless the data provided in the first notification changes, the owner of PII is not required to resubmit any documentation.

A fee of €23.27 is payable on a yearly basis, whereby the year is considered from July to June.

25.  Penalties

What are the penalties for a data owner or processor for failure to make or maintain an entry on the register?

The Commissioner may impose an administrative fine if the controller fails to notify the Commissioner of the commencement of processing of data, which fine shall be considered a civil debt. The administrative fine in this case can vary between €120 and €600, in addition to a daily fine which can be between €20 and €60.

26.  Refusal of registration

On what grounds may the supervisory authority refuse to allow an entry on the register?

The Act is silent on refusal of entry in the register as a data controller or personal data representative. The obligation is on the owner of PII to submit the necessary form and fee in order to be so registered. In case of breach of such obligation, the Commissioner may impose certain restrictions on the owner of PII, such as a temporary ban on processing, and can admonish, issue warnings and impose fines.

27.  Public access

Is the register publicly available? How can it be accessed?

The register of data controllers and personal data representatives is public and is available online on the website idpc.gov.mt.

28.  Effect of registration

Does an entry on the register have any specific legal effect?

Entry on the register has no specific legal effect, since from the commencement of the processing of personal data the data owners or processors are bound by the requirements of the law.

Transfer and disclosure of PII

29.  Transfer of PII

How does the law regulate the transfer of PII to entities that provide outsourced processing services?

The owner of PII may appoint third parties to process data. Such third parties may only process the personal data in accordance with the instructions of the owner of PII, unless the third party is otherwise required to do so by law. A written agreement is required for the appointment of third-party providers of processing services, which agreement should set out the instructions from the owner of PII and also the technical and organisational measures which the controller implements to protect the personal data, so that the service provider follows the same measures. It is in fact the responsibility of the owner of PII to ensure that third-party providers can implement such measures and do so.

30.  Restrictions on disclosure

Describe any specific restrictions on the disclosure of PII to other recipients.

As long as the owner of PII has obtained explicit consent from the data subject to disclose the PII to other recipients, and it is made clear what the purpose of the disclosure is, then there are no other restrictions on disclosure of PII to other recipients.

31.  Cross-border transfer

Is the transfer of PII outside the jurisdiction restricted?

Transfer of PII outside of the jurisdiction is allowed as long as the jurisdiction to which the PII is transferred has an adequate level of data protection. It is the Commissioner who decides, at his discretion, whether or not a third country has an adequate level of data protection. Thus, the owner of PII is required to obtain the Commissioner’s approval to transfer PII outside of the jurisdiction.

The law further specifies that transferring to a third country which does not have an adequate level of protection is prohibited. Nevertheless, transfer to a third country which does not have an adequate level of protection is allowed if the Commissioner is satisfied that the controller will provide adequate safeguards, such as clear contractual obligations with the service provider in the third country. In analysing whether the agreement with the service provider is sufficient, the Commissioner should consider the provisions of Commission Decision 2001/497/EC of 27 December 2004 and Commission Decision 2010/87/EU of 5 February 2010.

Moreover, such transfer is also allowed if it is necessary for the performance of a contract, is necessary or legally required on public interest grounds or for the establishment, exercise or defence of legal claims, or is necessary to protect the vital interests of the data subject. In addition, a transfer may be effected to a third country where there is no adequate level of protection if it is made from a register that according to law is intended to provide information to the public.

It is to be noted that any Member State of the European Union, any member of the EEA, third countries which are not members of the EU or the EEA but which are from time to time recognised by the EU Commission as having an adequate level of protection (currently Andorra, Argentina, Australia, Canada, Switzerland, the Faeroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand and Uruguay), and organisations complying with the US Department of Commerce’s Safe Harbour Privacy Principles are not considered third countries; transfer to these jurisdictions is therefore allowed and does not require authorisation from the Commissioner.

32.  Notification of transfer

Does transfer of PII require notification to or authorisation from a supervisory authority?

The owner of PII is required to notify the Commissioner where an international data transfer is to be made, by means of the submission of a form. Where the transfer of data is to be made to a third country, the approval of the Commissioner is required to be obtained prior to such transfer being made.

33.  Further transfer

If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?

The restriction and authorisation requirements for transfer of data to a third country apply irrespective of whether the transfer is to be made to a service provider or to other data owners.

Rights of individuals

34.  Access

Do individuals have the right to see a copy of their personal information held by PII owners? Describe any limitations to this right.

The law provides that individuals have the right of access; however, the right does not include the right to see a copy of their personal information held by PII owners. PII owners are, however, required to provide to the individual in written form actual information about the data subject which is processed, where the information has been collected, the purpose of the processing and to which recipients the information is disclosed. The PII owner is also required to provide in the written reply knowledge of the logic involved in any automatic processing of data concerning the individual.

The individual is required to make such a request in writing, and requests cannot be made frequently but should be made at reasonable intervals.

35.  Other rights

Do individuals have other substantive rights?

Under the Act, data may not be processed for direct marketing unless the individual has given his explicit consent. It is of note, however, that the individual has the right to oppose, at no cost, the processing of his data for the purpose of direct marketing.

Individuals also have the right to rectify and, where applicable, the right to erase the data concerning them. It is in fact the duty of the owner of PII to immediately rectify, block or erase personal data which is not being processed in accordance with the Act.

36.  Compensation

Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?

Individuals are entitled to sue for damages an owner of PII who processed data in contravention of the Act, by filing with the competent court a sworn application. Under Maltese law, there has to be actual damage for there to be compensation.

37.  Enforcement

Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?

Actions for damages are to be filed with the competent courts; however, individuals may apply to the Commissioner for the Commissioner to take adequate action against the owners of PII should the individuals feel that there was a breach of the Act.

Exemptions, derogations and restrictions

38.  Further exemptions and restrictions

Does the law include any derogations, exclusions or limitations other than those already described? Describe the relevant provisions.

The principles of data protection, the requirement to provide the individual with certain information, the right of access and the maintenance by the Commissioner of a register of processing operations shall not apply when a law specifically provides that the processing of the data is a necessary measure in the interest of national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for regulated professions, important economic or financial interests including monetary, budgetary and taxation matters, a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority, or where such information would be prejudicial to the protection of the individual or of the rights and freedoms of others.

Supervision

39.  Judicial review

Can data owners appeal against orders of the supervisory authority to the courts?

Data owners may appeal to the Information and Data Protection Appeals Tribunal, which is composed of a chairman and two other members appointed by the Minister responsible for freedom of information and data protection. The appeal has to be filed within 30 days of the decision of the Commissioner.

The grounds for an appeal to the Tribunal are limited to material error on the facts of the case, material procedural error, error of law, or material illegality, including unreasonableness or lack of proportionality.

A party may furthermore appeal a decision of the Tribunal with the Court of Appeal on questions of law.

40.  Criminal sanctions

In what circumstances can owners of PII be subject to criminal sanctions?

Criminal sanctions may be imposed where an owner of PII provides untrue information to individuals, provides untrue information in the notification to the Commissioner upon application or upon request, or illegally processes sensitive personal data.

41.  Internet use

Describe any rules on the use of ‘cookies’ or equivalent technology.

The Processing of Personal Data (Electronic Communications Sector) Regulations implement the amended European Commission Directive 2009/136/EC, better known as the e-Privacy Directive. To this effect, the use of cookies is prohibited, except in limited circumstances where the user has opted in to their use.

Due to the controversy surrounding the e-Privacy Directive, an Article 29 Data Protection Working Party was established to develop guidelines for owners of PII in relation to the use of cookies. The guidelines establish that owners of PII who operate a website should ensure that consent is obtained before the use of cookies, and that such consent should be specific, unambiguous and freely given. The Office of the Commissioner in Malta has decided to follow the guidelines issued by the Working Party, which means that any owner of PII in Malta is required to ensure that these requirements are followed when using cookies.

42.  Electronic communications marketing

Describe any rules on marketing by e-mail, fax or telephone.

The Act provides that direct marketing is only allowed if the individual has given his consent. However, the Processing of Personal Data (Electronic Communications Sector) Regulations provide that an owner of PII shall not use or cause to be used email, fax or telephone for the purpose of direct marketing unless the individual has given prior consent in writing. Having said that, if the contact details were obtained in relation to the sale of a product or a service, it is allowed to use email for marketing similar products or services.

The owner of PII is, however, required at the time of collection to give the individual the opportunity to object, free of charge and in an easy and simple manner, to such use of the email details.

It is not allowed to send email for direct marketing whereby the identity of the sender is disguised or concealed.

UPDATE & TRENDS

Currently discussions are underway at EU level for the issuing of a Data Protection Regulation. The proposed regulation currently includes obligations on owners of PII which should bring about a harmonised way of treating personal data throughout the European Union. The appointment of a personal data representative, if the organisation qualifies to appoint one, is one of the proposed obligations which will be introduced. Small and medium enterprises will be excluded from certain obligations, such as the appointment of the personal data representative, notifications to supervisory authorities, and the obligation to carry out an impact assessment unless there is a specific risk. Another important development will be the right to be forgotten and the right to erasure for individuals.