
The European Parliament and the Council of the European Union reached an agreement in 2015 on the main principles behind the General Data Protection Regulation 2016/679 (hereinafter referred to as the "Regulation" or "GDPR"). This Regulation, which will come into effect on 25th May 2018, was proposed in order to address the difficulties and deficiencies arising under the 95/46/EC Directive.

The principal aims of the GDPR are to (i) harmonise the data privacy laws of EU Member States; (ii) facilitate the free flow of data in the digital single market; (iii) protect all citizens from data and privacy breaches; (iv) remove the bureaucratic inconsistencies that organisations face with respect to data protection laws in different States; and (v) provide further transparency and accountability on the part of data controllers and processors. This is becoming increasingly relevant in a world where technological change and globalisation are becoming more prominent in every sector, and people more reliant on technology to address basic requirements. In fact, the GDPR will empower EU citizens and protect them from invasive processing of data and from privacy breaches. In essence, the GDPR will seek to ensure that every person's fundamental right to the protection of any personal data concerning him or her (as stated in Article 8 sub-article 1 of the Charter of Fundamental Rights of the European Union) is respected.

The GDPR also increases the rights of individuals whose data is being processed. Compliance with the rules, and monitoring of their application, is ensured by strengthening the powers of the supervisory authorities and by increased sanctions.

This article forms part of a series of articles that will analyse the key points of the GDPR. This first article focuses on Chapter 1 of the GDPR, titled 'General Provisions'.

The Regulation will apply:

  • to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not; and
  • to all companies processing data of individuals residing in the EU, even though the companies' location may not be in the EU. This means that a company outside the EU targeting consumers in Member States will now be subject to the Regulation.

This is one of the crucial departures from the Directive, as the GDPR now has extra-territorial scope and applies where a data controller (e.g. a company processing personal data) located outside the EU offers goods or services to Member States' citizens, even if for free. What constitutes an offering of goods or services is to be determined on a case-by-case basis, but a service provider located outside the EU that offers a service in the language used in a Member State (where that language is not also used in the third country), and that mentions customers or users in a Member State, may be subject to the GDPR.

Additionally, the Regulation applies where controllers and processors located outside the EU monitor the behaviour of EU data subjects. This is also to be determined on a case-by-case basis, but instances which may apply include those where the choices and behaviour of individuals resident in the EU are tracked in order to predict their personal preferences through the formation of personal profiles.

To give practical effect to this extra-territorial principle, the GDPR provides that entities processing the data of EU citizens, even though not established in the EU, must appoint a representative within the EU.

Most of the key definitions of the Directive have remained the same in the Regulation. For instance, the main characteristics of controllers and processors have remained unchanged, and only some minor modifications can be noted. The following is a commentary on some key differences in the main definitions as listed in Article 4 of the GDPR.

"Personal Data":

  • The definition of what constitutes "personal data" is very important, since the Regulation only protects what falls under this definition; whatever is not considered to be "personal data" is not protected by the GDPR.
  • The definition has been widened to include location data, online identifiers and genetic data – for example, certain types of cookies and IP addresses become personal data under the GDPR if they can be (or are capable of being) linked back to the data subject without any excessive amount of effort.

"Pseudonymous data":

  • Pseudonymous data was not specifically dealt with in the Directive as it was treated as personal data, but the Regulation – even though still treating such data as personal due to its identifiable nature – deals with the process through which such data is pseudonymised.

"Consent":

The Regulation has added stricter requirements for consent to be valid; hence the methods used by data collectors and processors under the Directive need to be reviewed in order to be in harmony with the new requirements set out in the Regulation. Existing consents may still be valid, provided they meet the new conditions imposed by the GDPR.

The consent of the data subjects needs to be:

  • Freely given;
  • Specific – consent cannot be general so as to cover all possible types of processing activities;
  • Unambiguous and easily legible – thus making sure that the data subject is aware of the reasons why their consent is being given; and
  • Explicit.

Consent needs to be shown by some sort of explicit affirmative action, for example through:

  • A written statement;
  • An oral statement;
  • Electronic means.

The data controller needs to be able to show that consent was given. For this reason, silence or inactivity cannot amount to the consent of the data subject, whereas previously, under the Data Protection Directive, consent could be inferred.

"Data Breach":

The term "data breach" is only referred to in the Directive through an obligation placed on the controller to protect personal data against any sort of unauthorised access or disclosure. The Regulation, on the other hand, provides a specific definition. The Regulation also contains specific provisions relating to data breaches, which will be covered in a later article.

"Data Concerning Health":

As with "data breach", "data concerning health" does not have a specific definition in the Directive. In the new definition set out in the Regulation, both mental health and physical health are expressly covered.

"Main Establishment":

Under the GDPR, a new definition of "main establishment" has been added to provide a regulatory point of contact for a company or group of companies operating in more than one Member State of the EU. Such a company will now have a lead supervisory authority for data protection compliance across the EU.

"Cross-Border Processing":

The Regulation has introduced a new definition which states that "cross-border processing" can either be:

  • processing of personal data which takes place in more than one Member State, where the controller or processor is established in more than one Member State; or
  • processing of personal data which takes place in the context of the activities of a single establishment of the controller or processor, but which affects or is likely to affect data subjects in more than one Member State.

As a final point, it is important to note that all organisations will be affected by the new Regulation in some way or another. They therefore need to bring their data processing mechanisms in line with the new requirements by reviewing their current systems and determining whether any improvements are required.

This article was first published in The Times of Malta, 21 September 2017.

The authors would like to thank Ms Maronia Magri (intern at GANADO Advocates) for her research and assistance in the preparation of this article.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

AUTHOR(S)
David Borg-Carbott, Ganado Advocates
Philip Mifsud, Ganado Advocates