What is the 'GDPR'?
The General Data Protection Regulation or 'GDPR' (Regulation 2016/679/EU) is a single EU law dealing with data protection that came into effect across the EU, including Malta, on 25 May 2018. The GDPR repealed Directive 95/46/EC and the domestic laws implementing the same. The Maltese Data Protection Act, 2018 (Chapter 586 of the Laws of Malta) has also come into effect replacing the former Data Protection Act (Chapter 440 of the Laws of Malta).
The GDPR and the implementing domestic laws regulate the manner in which the personal data of data subjects are processed by data controllers and data processors. The main goal of the GDPR was to increase the privacy rights of natural persons and to keep up with the digital age we live in.
Various new, and in some cases, onerous legal obligations were introduced by the GDPR. This document outlines some of the main changes that came into effect in Malta as a result of the coming into force of the GDPR.
The GDPR at a Glance:
- Fines up to €20,000,000.00 or 4% of an entity's total worldwide annual turnover
- Significantly expanded territorial scope
- Mandatory data breach notification in certain cases
- Mandatory appointment of a Data Protection Officer in certain cases
- Data processors now also directly responsible at law
- More stringent consent requirements
- Increased level of information to be provided to data subjects.
- More stringent requirements in controller-processor contracts
- Removal of the general notification requirement
- New data subject rights
What's New Under the GDPR?
Expanded Territorial Scope
Besides controllers and processors established within the European Union, the GDPR's reach has now been expanded to also capture organisations established outside the EU in the following two circumstances:
- Where such organisations offer goods or services to data subjects in the EU;
- Where such organisations monitor the behaviour of data subjects in the EU;
Consequently, several international organisations that previously escaped the scope of national data protection legislation are now subject to full compliance with the GDPR, regardless of where they are established.
EU data protection law now applies to many international organisations regardless of where they are established.
New Data Processor Obligations
Prior to the promulgation of the GDPR, data controllers were the entities that were mainly responsible for compliance with Maltese data protection law. Under the GDPR, action can be taken directly against defaulting data processors (i.e. those entities that process personal data on behalf of data controllers), meaning that liability no longer falls solely on data controllers and certain obligations are now imposed directly on data processors.
Moreover, among other obligations (subject to significant fines in case of default), data processors are obliged to:
- Keep a record of all processing activities performed on behalf of the controller;
- Only appoint sub-processors with the written consent of the controller;
- Interact directly with the local Information and Data Protection Commissioner ('Commissioner') when necessary;
- Implement appropriate security measures to protect personal data;
- Notify the data controller of data breaches without undue delay;
- Adhere to a number of obligations to be included in data processing agreements entered into between the controller and the processor (such as the processor's obligation to demonstrate compliance with the GDPR).
Maltese data processors are now directly answerable at law for data protection infringements.
As a general rule introduced in Malta by the GDPR, data controllers must report a data breach to the Information and Data Protection Commissioner within 72 hours of becoming aware of it. By way of exception to the general rule above, breach notification to the Commissioner is not required where the data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Notification to the Commissioner must include, inter alia, a description of the breach, the number of affected data subjects, the categories of data affected, the name and contact of the Data Protection Officer ('DPO'), the likely consequences of the breach and the measures taken by the data controller to remedy or mitigate the breach.
No matter how big or small, all breaches (notifiable or otherwise) must be recorded, usually by the DPO, and reported to the Commissioner on demand. The GDPR also introduced the obligation to notify affected data subjects (without undue delay) in the event of a data breach which is likely to result in a high risk to the rights and freedoms of natural persons. In this case, notification must include the name and contact of the DPO, the likely consequences of the breach and the measures taken by the controller to remedy or mitigate the breach.
"It is not mandatory for all data breaches to be notified to the Commissioner or the affected data subjects. This is why Controllers should seek legal advice on a case-by-case basis."
Such notification (to data subjects) will not be necessary when:
- Risk of harm is remote because data is protected;
- Controller has taken measures to protect against the harm;
- Notification would require disproportionate efforts.
Once a data processor becomes aware of any data breach, the data processor will have to notify the data controller of any such breach without undue delay. In this respect, the data controller's 72 hours will commence upon being notified by the data processor.
Therefore, Maltese organisations must carefully evaluate and, where needed, update their internal procedures to comply with these requirements. Upon becoming aware of a breach, a risk assessment should be carried out as a matter of urgency.
As a general rule, data controllers in Malta now have to notify the Information and Data Protection Commissioner and data subjects of certain data breaches and this, within very short timeframes.
To view the full article please click here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.