Data Protection

General Data Protection Regulation
The General Data Protection Regulation (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA.
Applicable from 25 May 2018, it replaced Data Protection Directive 95/46/EC and is the primary law regulating how organisations protect the personal data of individuals in the EU. The purpose of GDPR is to provide a single set of standardised data protection rules across all the member states. This should make it easier for individuals in the EU to understand how their data is being used, and to raise complaints, even when they are not in the country where the data is held.
Data Protection Laws ensure that:
  1.  Personal information is only gathered for a specific purpose
  2.  The individual (data subject) about whom information is obtained, knows that you are gathering and storing information about him or her
  3.  The personal information is used only for the purpose for which it was obtained
  4.  The personal information is not passed on to third parties without the individual’s consent
  5.  The individuals have access to the personal information retained
  6.  The use and access to personal information is controlled
Does GDPR affect my business?
GDPR applies to all businesses and organisations established in the EU, regardless of whether the data processing itself takes place in the EU. Organisations established outside the EU are also subject to GDPR when they offer goods or services to individuals in the EU or monitor their behaviour. Almost all businesses are therefore affected, from sole traders to multinationals, although the compliance burden varies: the GDPR unifies data protection rules across the EU, but not every business faces the same problems.
If your business offers goods and/or services to individuals in the EU, it is subject to GDPR, because it is then involved in the regular processing (which includes collecting, storing and using) of their personal data.
Do I need a Data Protection Officer for my business?
An organisation is required to appoint a designated data protection officer where:
  • The processing is carried out by a public authority or body;
  • The core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or
  • The core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.

Data Protection Terminology

Who is the Data Controller?
In GDPR and other privacy laws, the data controller bears the most responsibility for protecting the privacy and rights of the data subject (for example, a user of a website). In simple terms, the data controller decides the purpose of the data usage and the procedures by which it is carried out.
The data controller determines the purposes for which, and the manner in which, personal data is processed. It can do this either alone or jointly with other organisations. This means that the data controller exercises overall control over the 'why' and the 'how' of a data processing activity.
Who is the Data Processor?
The data processor is a person or organisation that processes personal data on the instructions of a data controller, for specific purposes and services it provides to the controller that involve personal data (for example, a third-party payroll provider that processes an employer's employee wage data on the employer's behalf).
What is Personal Data?
Personal data means any information about an identifiable living individual, a data subject.
Who is a data subject?
The term 'data subject' refers to any living individual whose personal data is collected, held or processed by an organisation. Personal data is any data that can be used to identify an individual (for example, a name, home address or credit card number).
Who is a Data Protection Officer?
A Data Protection Officer (DPO) is an enterprise security leadership role that the General Data Protection Regulation (GDPR) requires organisations to fill in the circumstances listed above. The DPO is responsible for overseeing the organisation's data protection strategy and its implementation to ensure compliance with GDPR requirements, and acts as the point of contact for data subjects and the supervisory authority.

Principles of Good Information Handling


The Nine Principles of ‘Good Information Handling’

The data controller shall ensure that:

  1. Personal data is processed fairly, transparently and lawfully (lawfulness, fairness and transparency);
  2. Personal data is always processed in accordance with good practice (security: integrity and confidentiality);
  3. Personal data is only collected for specific, explicitly stated and legitimate purposes (purpose limitation);
  4. Personal data is not processed for any purpose that is incompatible with that for which the information was collected;
  5. Personal data that is processed is adequate and relevant in relation to the purposes of the processing;
  6. No more personal data is processed than is necessary (data minimisation), having regard to the purposes of the processing;
  7. Personal data that is processed is correct, accurate and, if necessary, kept up to date (accuracy);
  8. All reasonable measures are taken to complete, correct, block or erase data to the extent that such data is incomplete or incorrect, having regard to the purposes for which it is processed;
  9. Personal data is not kept for a period longer than is necessary (storage limitation), having regard to the purposes for which it is processed.

Rights Of Data Subjects

There are eight fundamental rights of data subjects under GDPR:
  1. Right of access to personal data (Article 15)
  2. Right to rectification (Article 16)
  3. Right to erasure / right to be forgotten (Article 17)
  4. Right to restrict processing (Article 18)
  5. Right to be notified of rectification, erasure or restriction (Article 19)
  6. Right to data portability (Article 20)
  7. Right to object (Article 21)
  8. Right not to be subject to automated individual decision-making (Article 22)

Legal References

CAP.586  Data Protection Act

The former Data Protection Act, Cap. 440, was repealed by Act XX of 2018. The applicable laws regulating data processing in Malta are now the Data Protection Act, Cap. 586, together with the General Data Protection Regulation (GDPR).
Updated information may be obtained from the website of the Office of the Information and Data Protection Commissioner.

Data Protection Act (Cap. 586)

General Data Protection Regulation (GDPR)

Contact Details

Information and Data Protection Commissioner

More information can be found on the Information and Data Protection Commissioner website.

