
Corporate & Commercial Solutions

Data Protection

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR) is directly applicable in Maltese law. This Regulation lays down the various rights and obligations of both data subjects (an individual who may be identified from the personal data) and the data controller (an individual or legal entity who determines the purpose of data processing).
The Data Protection Act (Cap 586 of the Laws of Malta) deals, amongst other things, with the powers of the Commissioner for Freedom of Information and Data Protection.
Subsidiary legislation issued under the Data Protection Act deals with specific issues such as the processing of personal data relating to minors.

Reach of Data Protection Regulation

The GDPR is far reaching. It applies to the processing of personal data by a controller who is in the European Union, regardless of whether the processing takes place in the EU or not. It also applies to the processing of personal data of data subjects who are in the European Union, by a controller or processor not established in the EU, where the processing activities relate to the offer of goods or services, or the monitoring of data subject behaviour in so far as it takes place within the Union.

Data subjects’ Rights/Data Controllers’ Obligations

If you are a business that processes personal data, be it personal data of customers, employees or suppliers, you should be aware that under the GDPR individuals/data subjects have the following rights:
  • The right to be informed – A data controller should inform the data subject, at the time of collecting his/her personal data, of the reason for using the data, what type of data it uses, how long it shall keep the data, whether it shall transfer the data to third parties and if so the categories of recipients, whether it intends to transfer the data to third countries, and the right to lodge a complaint with the Information and Data Protection Commissioner.
  • The right to access one’s personal data by receiving a copy of such data.
  • The right to have one’s personal data rectified by the data controller and the right to have one’s personal data erased, also known as the right to be forgotten.
  • The right to data portability.
  • The right to object to the processing of one’s personal data.
  • The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects.
  • Where the processing of personal data infringes the GDPR, the data subject has the right to lodge a complaint with the IDPC against the data controller/your business.
Promethian can guide you through the maze of data protection obligations and can also offer your business legal representation before the Information and Data Protection Commissioner and the Data Protection Tribunal, should the need arise.

Data Protection Principles

It is the responsibility of the data controller to ensure that personal data is:
  • processed lawfully, fairly and in a transparent manner;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
  • accurate and, where necessary, kept up to date;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Basis for the processing of personal data

The processing of personal data needs a legal basis. For instance, the data subject’s consent to processing is one such legal basis. Alternatively, processing may be necessary in order for the data controller to fulfil a contractual obligation with the data subject, or to comply with a legal obligation of the data controller.

Consent as a basis for the processing of personal data

In order to obtain freely given consent, it must be given on a voluntary basis and the data subject must have a real choice. Consent should also be specific, and the data subject should be informed that he or she may withdraw consent at any time.
Consent requests should be granular. Separate opt-in and information for each purpose must be provided. Pre-ticked boxes, silence or inactivity do not constitute valid consent.

Fines for non-compliance with the GDPR

Serious infringements of the GDPR may attract a fine of up to 20 million Euro or 4% of your firm’s worldwide annual revenue, whichever is the higher.

How can Promethian help you?

Promethian’s legal advisory team is experienced in data protection matters. It can audit your business for data protection compliance, equip your business with the right data protection policies and marketing consent forms, and provide your employees with practical data protection training. Contact us to find out more…

Let Us Help You

Get in touch to find out more about ways Promethean can help with your specific needs.
