LAW

The relevant law is the Data Protection Act ("Act") (Chapter 440 of the Laws of Malta) and the Regulations (at present six in number) issued under it.

DEFINITION OF PERSONAL DATA

Personal data is defined in the Act (Chapter 440 of the Laws of Malta) as:

"...any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity"

DEFINITION OF SENSITIVE PERSONAL DATA

Sensitive personal data is also defined in the same Act as meaning:

"...personal data that reveals race or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, health, or sex life"

NATIONAL DATA PROTECTION AUTHORITY

Office of the Data Protection Commissioner

The Information and Data Protection Commissioner ("Commissioner") has the function (among others) of generally ensuring the correct processing of personal data in order to protect individuals from violations of their privacy.

REGISTRATION

Controllers of data (defined in the Act as persons who alone or jointly with others determine the purposes and means of the processing of personal data), unless exempted by the Commissioner in the circumstances mentioned in the Act or in the circumstances mentioned in Subsidiary Legislation 440.02, must generally notify the Commissioner before carrying out wholly or partially automated processing operations or a set of such operations which are intended to serve either a single or several related purposes. The Commissioner maintains a Register of processing operations which have been notified to him.

The Register must contain the following information:

  • the name and address of the data controller and of any other person authorised by him in that respect, if any;
  • the purpose or purposes of the processing;
  • a description of the category or categories of data subject and of the data or categories of data relating to them;
  • the recipients or categories of recipient to whom the data might be disclosed; and
  • proposed transfers of data to third countries.

DATA PROTECTION OFFICERS

Under Maltese law there is no obligation to appoint data protection officers. However, the Act states that the controller of personal data shall notify the Commissioner on the appointment or removal of a personal data representative (if any). The personal data representative has the function (among others) of independently ensuring that the controller processes personal data in a lawful and correct manner and in accordance with good practice and in the event of the personal data representative identifying any inadequacies, he shall bring these to the attention of the controller.

COLLECTION AND PROCESSING

Personal data may be processed (which includes also the collection of data) only if:

  • the data subject has unambiguously given his consent;
  • processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary in order to protect the vital interests of the data subject;
  • processing is necessary for the performance of an activity that is carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed; or
  • processing is necessary for a purpose that concerns a legitimate interest of the controller, or of such a third party to whom personal data is provided, except where such interest is overridden by the interest to protect the fundamental rights and freedoms of the data subject and in particular the right to privacy.

If the data subject gives notice to the controller of his opposition, personal data cannot be processed for the purposes of direct marketing.

As a general rule, sensitive personal data cannot be processed except in the cases mentioned in the Act (e.g. where the data subject has given his explicit consent to processing or has made the data public).

The data subject has a right to be provided, by the controller or any person authorised by him, with information such as the identity and habitual residence, or principal place of business, of the controller and of any other person authorised by him in that respect; the purpose of the processing; and any further information relating to matters such as the recipients of the data, whether the reply to any questions made to the data subject is obligatory or voluntary and the existence of the right to access, rectify and erase the data concerning him. The controller must guarantee fair processing in respect of the data subject.

TRANSFER

The controller must notify the Commissioner of any proposed transfers of data to third countries, since such transfers also constitute 'processing' under Maltese law. 'Third countries' only include countries which are not Member States of the European Union. The transfer may only take place if the third country to which the data is to be transferred ensures an adequate level of protection. Whether the country ensures such a level of protection shall be decided by the Commissioner.

A transfer of data to a third country that does not ensure an adequate level of protection may still be effected by the controller but only if the data subject gives his unambiguous consent to the proposed transfer or if the transfer:

  • is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject's request;
  • is necessary for the performance or conclusion of a contract concluded or to be concluded in the interests of the data subject between the controller and a third party;
  • is necessary or legally required on public interest grounds, or for the establishment, exercise or defence of legal claims;
  • is necessary in order to protect the vital interests of the data subject; or
  • is made from a register that according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, provided that the conditions laid down in law for consultation are fulfilled in the particular case.

In these cases the Commissioner's approval is not required but the transfer must still be notified.

The Commissioner has the power to authorise such a transfer of personal data to a third country that does not ensure an adequate level of protection provided however that the controller provides adequate safeguards, such as by contractual provisions, with respect to the protection of privacy and fundamental human rights.

The Minister responsible for freedom of information and data protection may also designate by Order, in order to implement any international convention to which Malta is party or any other international obligation of Malta, that the transfer of personal data to any country listed in the Order shall not be restricted on grounds of protection of privacy.

Apart from notification to the Commissioner, no other restrictions or formalities apply in relation to transfer of personal data to:

  • Member States of the European Union;
  • Member States of the EEA;
  • Third countries which are recognised by the EU Commission to have an adequate level of protection; or
  • Organisations complying with the US Safe Harbor privacy principles.

SECURITY

Data controllers must implement the appropriate technical and organisational measures to protect personal data which is processed against accidental destruction or loss or unlawful forms of processing. An adequate level of security must be provided which gives regard to:

  • the technical possibilities available;
  • cost of implementing the security measures;
  • special risks that exist in the processing of personal data; and
  • sensitivity of the personal data being processed.

If a processor is engaged by the controller, the controller must ensure that the processor can implement the necessary security measures and that the processor actually takes such measures.

BREACH NOTIFICATION

Legal Notice 239 of 2011, which will soon come into force, will amend Subsidiary Legislation 440.01, Processing of Personal Data (Electronic Communications Sector) Regulations, making new provisions for breach notifications.

The Regulations will provide (after the amendments have been brought into force) that, in the case of a personal data breach, the provider of publicly available electronic communications service must notify the breach to the Commission without delay. "Personal data breach" will be defined in the Regulations as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service".

If the breach is likely to adversely affect the personal data or privacy of a subscriber or individual, the provider must also notify the subscriber or individual of the breach without delay. However, notification to the subscriber or individual concerned shall not be required on the condition that the provider demonstrates to the satisfaction of the Commissioner that he has implemented appropriate technological protection measures and that those measures were applied to the data concerned by the security breach. Such technological protection measures should render the data unintelligible to any person who is not authorised to access it.

If the provider has not already notified the subscriber or individual of the personal data breach, the Commission may require the provider to do so after considering the likely adverse effects of the breach.

The notification to the subscriber or individual must at least include the nature of the breach and the contact points where more information can be obtained. The notification must also recommend measures to mitigate the possible adverse effects of the breach.

The notification to the Commission shall also include the consequences of and the measures proposed or taken by the provider to address the breach.

The Regulations will also provide that the Commissioner is to encourage the drawing up of guidelines and where necessary issue instructions concerning the circumstances in which providers are required to notify personal data breaches, the format which such notification is to take and the manner in which the notification is to be made.

Service providers are to maintain an inventory of personal data breaches consisting of the facts surrounding the breach, its effects and the remedial action taken which must be sufficient so as to enable the Commissioner to verify compliance with the provisions of the Regulations.

ENFORCEMENT

The Act states that any person who does not comply with any lawful request relevant to an investigation by the Commissioner shall be guilty of an offence under the Act.

In the exercise of his functions under the Act, the Commissioner has the same powers to enter and search any premises as are vested in the executive police by any law as may be in force from time to time.

If the Data Protection Commissioner concludes that personal data is processed or may be processed in an unlawful manner, the Commissioner shall order rectification, and if rectification is not effected or if the matter is urgent, the Commissioner may prohibit the controller of personal data to continue processing the personal data in any manner other than to store that data.

If the controller does not implement security measures in terms of the Act, the Data Protection Commissioner may impose an administrative fine.

Where the Data Protection Commissioner decides that personal data has been unlawfully processed, the said Commissioner shall by notice order the controller of personal data to erase the personal data. If the controller of personal data feels aggrieved by the decision of the Commissioner, he may, by application, request the Court of Appeal of Malta to revoke the order of the Commissioner.

The data subject may, by sworn application filed in the court, exercise an action for damages against the controller who processes data in contravention of the Act or regulations made thereunder.

In addition, any person who provides untrue information to data subjects as is prescribed by the Act, or in the notification to the Commissioner; or processes personal data in contravention of the provisions of the Act; or transfers personal data to a third country in contravention of the Act; or omits to give notification under the provisions of the Act or any regulation issued thereunder, shall be guilty of an offence and shall on conviction be liable to a fine (multa) not exceeding EUR 23,293.73 or to imprisonment for six months or to both.

Any person aggrieved by a decision of the Commissioner shall have the right to appeal in writing to the Information and Data Protection Appeals Tribunal within thirty days from the notification to him of the said decision.

Any party to an appeal to the said Tribunal who feels aggrieved by a decision of the Tribunal, or the Commissioner if he feels aggrieved with any such decision, may on a question of law appeal to the Court of Appeal of Malta within thirty days from the date on which that decision has been notified.

ELECTRONIC MARKETING

The Act applies also to most electronic marketing activities since, in the course of such activities, it is likely that 'personal data' as defined above (including e-mail addresses) will be 'processed' as understood by the Act. In relation to direct marketing (even electronic), consent may be revoked at will by the data subject(s). The controller is legally bound to inform the data subject that he/she may oppose such processing at no cost.

Apart from the Act, the 'Processing of Personal Data (Electronic Communications Sector) Regulations 2003' (Legal Notice 16 of 2003 as amended) (the 'Electronic Communications Regulations') address a number of activities relating specifically to electronic marketing.

In the case of subscriber directories, the producer of such directories shall ensure (without charge to the subscriber) that before any personal data relating to the subscriber (who must be a natural person) is inserted in the directory, the subscriber is informed about the purposes of such a directory of subscribers and its intended uses (including information regarding search functions embedded in the electronic version of the directories). No personal data shall be included without the consent of the subscriber. In furnishing his consent the subscriber shall determine which data is to be included in the directory and he is free to change, alter or withdraw such data at a later date. The personal data which shall be used in the directory must be limited to what is necessary to identify that subscriber and the number allocated to him, unless the subscriber has given his additional consent authorising the inclusion of additional personal data.

The Electronic Communications Regulations also deal with the issue of unsolicited communications. A person is prohibited from using any publicly available electronic communications service to engage in unsolicited communications for the purpose of direct marketing by means of:

  • an automatic calling machine
  • a facsimile machine, or
  • electronic mail, to a subscriber, irrespective of whether such subscriber is a natural person or a legal person, unless the subscriber has given his prior explicit consent in writing to the receipt of such a communication.

By way of exception to the above, where a person has obtained from his customers their contact details for electronic mail in relation to the sale of a product or a service, in accordance with the Act that same person may use such details for direct marketing of its own similar products or services. However, the customers must be given the opportunity to object, free of charge and in an easy and simple manner, to such use of electronic contact details when they are collected and on the occasion of each message where the customer has not initially refused such use.

In all cases the practice of sending electronic mail for the purposes of direct marketing, disguising or concealing the identity of the sender or without providing a valid address allowing the recipient to send a request requesting that such communication cease, is strictly prohibited.

ONLINE PRIVACY (INCLUDING COOKIES AND LOCATION DATA)

Cookie Compliance – Legal Notice 239 of 2011 entitled 'Processing of Personal Data (Electronic Communications Sector) (Amendment) Regulations 2011' is yet to enter into force. Once brought into force, this Legal Notice would amend the present regulations, thereby implementing into Maltese law the amendments under Article 2(5) of Directive 2009/136/EC. These regulations shall enter into force on such date as the Minister responsible for data protection shall determine by notice in the Malta Government Gazette. We have no indication of when such date may be, although we expect that this will occur in the not-so-distant future.

Traffic Data – In terms of the Electronic Communications Regulations, traffic data relating to subscribers and users processed by an undertaking which provides publicly available electronic communications services or which provides a public communications network shall be erased or made anonymous when it is no longer required for the purpose of transmitting a communication.

Traffic data required for the purposes of subscriber billing or interconnection payments may be retained provided however that the retaining of such data shall only be permissible up to the period during which the bill may be lawfully challenged or payment pursued.

Furthermore, traffic data may be processed where the aim is to market or publicise the provision of a value-added service, however, the processing of such data shall only be permissible to the extent and for the duration necessary to render such services.

Processing of traffic data is also permissible by an undertaking providing publicly available electronic communications services for the following purposes:

  • managing billing or traffic management;
  • customer enquiries;
  • fraud detection; or
  • rendering of value-added services.

Location Data – where location data (other than traffic data) relating to users or subscribers of public communications networks or of publicly available electronic communications services can be processed, such data may only be processed when it is made anonymous or with the consent of the users or subscribers, to the extent and for the duration necessary for the provision of a value-added service.

Prior to obtaining the user or subscriber's consent, the undertaking providing the service shall inform them of the following:

  • the type of location data which shall be processed;
  • the purpose and duration of processing; and
  • whether the processed data shall be transmitted to a third party for the purpose of providing the value-added service.

A user and/or subscriber may withdraw their consent for the processing of such location data (other than traffic data) at any time.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.

DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com