
MALTA

 

The Office of the Data Protection Commissioner website: http://www.dataprotection.gov.mt/index.aspx

 

The Data Protection Act 2001 (as amended): http://www.dataprotection.gov.mt/dbfile.aspx/DPAen.pdf

 

What needs to be done prior to collection?

 

NOTIFY THE COMMISSIONER

 

Article 29 – Obligation for Notification

 

(1)     The Controller shall notify the Commissioner before carrying out any wholly or partially automated processing operation or set of such operations intended to serve a single purpose or several related purposes

 

(2)     The Minister may prescribe on any matter relating to the form of notification to be made under this article in respect of –

a.       Processing whose sole purpose is the keeping of a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person demonstrating a legitimate interest; and

b.       Processing operations referred to in Article 14

 

(3)     The notification referred to in sub article (1) must specify:

a.       The name and address of the data controller and of any other person authorised by him in that behalf, if any;

b.       The purpose or purposes of the processing;

c.        A description of the category or categories of data subject and of the data or categories of data relating to them;

d.       The recipients or categories of recipient to whom the data might be disclosed;

e.        Proposed transfers of data to third countries; and

f.         A general description allowing a preliminary assessment to be made of the appropriateness of the measures taken pursuant to Article 26 to ensure security of processing

 

Provided that the controller shall notify the Commissioner of any changes affecting the information referred to under this sub article and the Minister may prescribe any matter related to the form of such notification

 

(4)     The Commissioner may allow the simplification of or the exemption from the notification obligations  provided for under this part of the Act only in respect of categories of processing operations –

a.       Which are unlikely, due to account being taken of the data being processed, to prejudice the rights and freedoms of data subjects; and

b.       In respect of which the Commissioner specifies the purposes of the processing, the data or categories of data being processed, the category or categories of data subjects affected by such processing, the recipients or categories of recipient to whom the data is to be disclosed and the length of time for which the data is to be stored

 

CONTACT THE DATA SUBJECT

 

Article 19 – Information to Data Subject

 

The Controller or any other person authorised by him in that behalf must provide a data subject from whom data relating to the data subject himself are collected, with at least the following information, except, where the data subject already has it:

 

(a)     The identity and habitual residence or principal place of business of the controller and of any other person authorised by him in that behalf, if any;

(b)     The purposes of the processing for which the data are intended; and

(c)     Any further information relating to matters such as:

1.       The recipients or categories of recipients of data;

2.       Whether the reply to any questions made to the data subject is obligatory or voluntary, as well as the possible consequences of the failure to reply; and

3.       The existence of the right to access, the right to rectify, and, where applicable, the right to erase the data concerning him

 

And, insofar as such further information is necessary, having regard to the specific circumstances in which the data is collected, to guarantee fair processing in respect of the data subject

 

Article 20 – Data Collected from other Sources

 

(1)     Where the data have not been obtained from the data subject, the controller or any other person authorised by him in that behalf shall provide the data subject with at least the following information, except, where the data subject already has it:

a.       The identity and habitual residence or principal place of business of the controller and of any other person authorised by him in that behalf;

b.       The purposes of the processing; and

c.        Any further information including:

    i.      The categories of the data concerned;

    ii.     The recipients or categories of recipient;

    iii.    The existence of the right to access, the right to rectify, and, where applicable, the right to erase the data concerning him

 

And, insofar as such further information is necessary, having regard to the specific circumstances in which the data is collected, to guarantee fair processing in respect of the data subject

 

(2)     The information referred to in sub article (1) shall be provided at the time of undertaking the recording of personal data or, if a disclosure to a third party is envisaged, not later than the time when the data are first disclosed

 

(3)     Information referred to in sub article (1) need not be provided if there are provisions concerning the registration or disclosure of any such personal data in any other law and appropriate safeguards have been adopted

 

(4)     Information referred to in sub article (1) need not be provided if the personal data is required:

a.       For processing for statistical purposes;

b.       For purposes of historical or scientific research

 

And insofar as the provision of such information proves impossible or would involve a disproportionate effort

 

Article 23 – Exemptions

 

The provisions of Articles 20 and 21 shall not apply when a law specifically provides for the provision of information as a necessary measure in the interest of:

a.       National security;

b.       Defence;

c.        Public security;

d.       The prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions;

e.        An important economic or financial interest including monetary, budgetary and taxation matters;

f.         A monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority referred to in paragraphs (c), (d) and (e); or

g.        Such information being prejudicial to the protection of the data subject or of the rights and freedoms of others

 

What needs to be done prior to shipping?

 

Article 27 – Transfer of data to a third country

 

(1)     Without prejudice to the provisions of Article 28, the transfer to a third country of personal data that is undergoing processing or intended processing, may only take place subject to the provisions of this Act and provided that the third country to which the data is transferred ensures an adequate level of protection.

 

(2)     The adequacy of the level of protection of a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country

 

(3)     It is for the Commissioner to decide whether a third country ensures an adequate level of protection

 

(4)     The transfer of personal data to a third country that does not ensure adequate protection is prohibited

 

Article 28 – Exemptions from the prohibition of the transfer of data to a third country

 

(1)     For the purpose of implementing any international convention to which Malta is a party or any other international obligation of Malta, the Minister may by Order designate that the transfer of personal data to any country listed in the said Order shall not, notwithstanding the provisions of this Act or any other law, be restricted on grounds of protection of privacy. In making such Order the Minister may include conditions and restrictions provided for in any said international instrument

 

(2)     A transfer of personal data to a third country that does not ensure an adequate level of protection within the meaning of Article 27 (2) may be effected by the controller if the data subject has given his unambiguous consent to the proposed transfer or if the transfer –

a.       Is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual matters taken in response to the data subject’s request

b.       Is necessary for the performance or conclusion of a contract concluded or to be concluded in the interests of the data subject between the controller and a third party;

c.        Is necessary or legally required on public interest grounds, or for the establishment, exercise or defence of legal claims;

d.       Is necessary in order to protect the vital interests of the data subject; or

e.        Is made from a register that according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, provided that the conditions laid down in law for consultation are fulfilled in the particular case

 

(3)     Without prejudice to sub article (1) the Commissioner may authorise a transfer or a set of transfers of personal data to a third country that does not ensure an adequate level of protection within the meaning of Article 27 (2):

 

Provided that the controller provides adequate safeguards, which may result particularly by means of appropriate contractual provisions, with respect to the protection of privacy and fundamental rights and freedoms of individuals and with respect to their exercise.

 

 

What are the sanctions for non-compliance?

 

Section 46 – Compensation for Damages

 

(1)     The data subject may, by sworn application filed in the competent court, exercise an action for damages against the controller who processes data in contravention of this Act or regulations made thereunder

 

(2)     An action under this article shall be commenced within a period of twelve months from the date when the data subject becomes aware or could have become aware of such a contravention, whichever is the earlier

 

Section 47 – Penalties

 

Any Person who:

 

(a)     ….

(b)     ….

(c)     Transfers personal data to a third country in contravention of Articles 27 and 28

(d)     Omits to give notification under Article 29 (1)

 

Shall be guilty of an offence and shall be liable to a fine not exceeding EUR 23,293.73 or to imprisonment for six months or to both such fine and imprisonment

 

 

 

Please refer to the Office of the Data Protection Commissioner website for further details on the Statute

 
