MALTA

CHART INSTRUCTIONS:

 Local law does not deviate from the GDPR.

 Local law deviates from the GDPR.

Name

Data Protection Act, Cap. 586 (May 28, 2018) [relevant subsidiary legislation is referenced and summarized below]

Status: Adopted

SME exception

No Deviation

LAWFULNESS OF PROCESSING (ART 6)

No Deviation

CHILD’S CONSENT (ART 8)

POSSIBLE REGULATIONS:
The minister for data protection may, after consulting with the SA, prescribe regulations for establishing the age for a child’s consent to information society services (Art 33(g) Maltese Act) (Art 8 GDPR).

SPECIFYING PROVISION:
The processing of personal data of a child for information society services is lawful when the child is 13 years old (Art 4 Subsidiary Legislation 586.11) (Art 8 GDPR).

SENSITIVE DATA (GENETIC, BIOMETRIC AND HEALTH DATA) (ART 9 (4))

ADDITIONAL REQUIREMENT:
When a controller intends to process the following personal data in the public interest, the controller must consult with and obtain prior authorization from the SA: (1) genetic data, biometric data, or data concerning health for statistical purposes; (2) genetic data, biometric data, or data concerning health for research purposes (in these instances, the SA must consult a research ethics committee or relevant institution); or (3) special categories of data for the management of social services and systems (Art 7 Maltese Act). 

An identity document can only be processed if the national identity number or other identifiers will only be used under appropriate safeguards for individuals’ rights and freedoms and when processing is clearly justified, taking into account the purpose of processing and (1) the importance of a secure identification; or (2) any other valid reason permitted by law (Art 8 Maltese Act) (Art 9(4) GDPR).

The processing of data concerning health is lawful when subject to suitable and specific safeguards and when necessary and proportionate for the purposes of an insurance policy and (1) the controller cannot reasonably be expected to obtain an individual’s consent; and (2) the controller is not aware that the data subject is withholding consent (Art 4 Subsidiary Legislation 586.10) (Art 9(4) GDPR).

CCTV (Art 6)

No Deviation

CRIMINAL CONVICTIONS/SECURITY MEASURES (ART 10)

No Deviation

Information obligation (Art 13 & 14)

No Deviation

AUTOMATED INDIVIDUAL DECISION-MAKING (ART 22)

No Deviation

RESTRICTIONS TO DATA SUBJECT'S RIGHTS (ART 23)

RESTRICTING REGULATIONS:
The minister may restrict individuals’ rights by means of regulation (Art 5 Maltese Act) (Art 23 GDPR).

Any restriction to individuals’ rights must respect individuals’ fundamental rights and freedoms and must be a necessary and proportionate measure. A restriction will only apply when necessary for: (1) safeguarding and maintaining national security, public security, defense, and international relations; (2) preventing, detecting, investigating, and prosecuting criminal offenses and the execution of related penalties; (3) administering tax, duty, fines, fees, or other money due or owed to the state; (4) administering social security benefits and when such data has been obtained in confidence when carrying out an investigation against fraud; (5) establishing, exercising, or defending legal claims; (6) performing functions of the SA; (7) delivering social services by a public authority or other body in instances when data was obtained in confidence for the purposes of delivering such services; (8) health data when it would be likely that the exercise of rights would cause serious harm to the vital interests of a patient; and (9) matters relating to Maltese citizenship when the relevant minister or authorized person refuses an application for citizenship (Art 4 & 7 Subsidiary Legislation 586.09).

The retention period for personal data subject to a restriction should not be longer than: (1) what is necessary for the purposes of processing; (2) the period required to achieve the aim of the restriction; or (3) as permitted by law (Art 5 Subsidiary Legislation 586.09).

The controller must inform the data subject about any restriction, provided such disclosure will not be prejudicial to the purposes of the restriction (Art 6 Subsidiary Legislation 586.09) (Art 23 GDPR).

Joint controller responsibilities (Art 26 (1))

No Deviation

Ad hoc notifications – records of processing activities (Art 30)

No Deviation

Security of processing (Art 32)

No Deviation

Data breach (Art 33 & 34)

No Deviation

Data protection impact assessment (Art 35)

No Deviation

Data protection officer (Art 37(4))

POSSIBLE REGULATIONS:
The minister may, after consulting with the SA, prescribe regulations for DPO appointments (Art 33 Maltese Act) (Art 37(4) GDPR).

Certification (Art 42)

SPECIFYING PROVISION:
The certification body will be accredited by the National Accreditation Board (Malta) (Art 32 Maltese Act) (Art 42 & 43 GDPR).

Data transfer derogations (Art 49(5))

RESTRICTING REGULATIONS:
The minister may, after consulting with the SA, prescribe regulations that set limits on the transfer of specific categories of personal data to a third country or international organization for important reasons of public interest (Art 10 Maltese Act) (Art 49(5) GDPR).

Powers of supervisory authorities (Art 58)

SPECIFYING PROVISION:
The SA (1) has the power to institute civil judicial proceedings for violations of the Maltese Act or GDPR; (2) may seek the advice of and consult with any other competent authority in the exercise of the SA’s functions; (3) in the exercise of investigative powers, may request the assistance of the executive police to enter and search any premises; and (4) in the event of joint operations with other SAs, may confer powers, including investigative powers, on the secondary SA’s staff (Art 15 & 16 Maltese Act).

The SA also has recourse to civil action to recover amounts due when a notice imposing an administrative fine has been served and (1) the person fails to appeal within the applicable timeframe and fails to pay the fine; or (2) the person appeals to the tribunal and the appeal is withdrawn, or the tribunal determines the appropriate fine and no further appeal is filed with the Court of Appeal, or an appeal is filed with the Court of Appeal and the court determines the appropriate penalty, or the imposed penalty is not paid within 15 days from the date of the decision, the withdrawal of the appeal, or the date when the tribunal or the Court of Appeal determines the appropriate fine or penalty (Art 20(3) Maltese Act) (Art 58 GDPR).

Class actions (Art 80(2))

No Deviation

Administrative sanctions (Art 83)

SPECIFYING PROVISION:
The SA may impose an administrative fine on a public authority or body: (1) of up to €25,000 per violation of Art 83(4) GDPR, and, additionally, a daily fine of €25 for each day the violation persists; and (2) of up to €50,000 per violation of Art 83(5, 6) GDPR and, additionally, a daily fine of €50 for each day the violation persists (Art 21 Maltese Act) (Art 83 GDPR).

The Act establishes the Information and Data Protection Appeals Tribunal, which consists of a chairperson and two other members appointed by the minister, and has the same powers as the First Hall, Civil Court. Individuals have a right to appeal, on certain grounds, to the tribunal when the SA has made a legally binding decision and to the Court of Appeal (Art 24, 26, 27 & 29 Maltese Act) (Art 83 GDPR). 

POSSIBLE REGULATIONS:
The minister may, after consulting with the SA, prescribe regulations for fees that may be levied by the SA (Art 33 Maltese Act) (Art 83 GDPR).

Penalties (Art 84)

SPECIFYING PROVISION:
Any person who knowingly provides false information to the SA in the exercise of the SA's investigative powers, or who does not comply with any lawful request by the SA in the course of an investigation, is in violation of the Act, punishable by a fine (€1,250 to €50,000) and/or imprisonment (up to 6 months). The SA must provide information to any officer of the Executive Police before initiating proceedings for such alleged infringements (Art 22 Maltese Act) (Art 84 GDPR).

POSSIBLE REGULATIONS:
The minister may, after consulting with the SA, prescribe regulations for criminal penalties imposed under the Act (Art 33 Maltese Act) (Art 84 GDPR).

Freedom of expression and information (Art 85)

Personal data processing for the purpose of exercising the right to freedom of expression and information is exempted or derogated from the following GDPR provisions: (1) principles related to processing, Art 5(1)(a–e) GDPR; (2) lawfulness of processing, Art 6 GDPR; (3) conditions for consent, Art 7 GDPR; (4) processing relating to criminal convictions and offenses, Art 10 GDPR; (5) processing not requiring identification, Art 11(2) GDPR; (6) information provided to data subjects, Art 13(1–3) & 14(1–4) GDPR; (7) right of access, Art 15(1–3) GDPR; (8) right to erasure, Art 17(1–2) GDPR; (9) right to restriction, Art 18(1)(a, b, d) GDPR; (10) right to data portability, Art 20(1–2) GDPR; (11) right to object, Art 21(1) GDPR; (12) data protection by design and default, Art 25 GDPR; (13) representatives of controllers or processors not established in the EU, Art 27 GDPR; (14) records of processing, Art 30 GDPR; (15) data breach notification, Art 33 & 34 GDPR; (16) certification and certification bodies, Art 42 & 43 GDPR; (17) cooperation, Art 60–62 GDPR; and (18) consistency, Art 63–67 GDPR (Art 9 Maltese Act) (Art 85 GDPR).

HR processing (Art 88)

No Deviation

Processing for archiving, scientific, historical research, or statistical purposes (Art 89)

SPECIFYING PROVISION:
“Statistical purposes” is further articulated under the definition “official statistics,” which is information collected, analyzed, and produced for the benefit of society to characterize collective phenomena in a considered population and produced by the Maltese National Statistics Office as provided for by law, or by other national authorities as designated by Eurostat following recommendation by the National Statistics Office (Art 3 Maltese Act) (Art 89 GDPR). See also Art 6 Maltese Act.

Obligations of secrecy (Art 90)

No Deviation

Remarks

The Maltese Act establishes the office of the SA, or the Information and Data Protection Commissioner, who may hold office for a term of five years with the possibility of reappointment (Art 11 & 14 Maltese Act) (Art 51–57 GDPR).

Actions taken against a controller and/or processor that are filed with the First Hall, Civil Court, per Art 30 of the Maltese Act, must be commenced within 12 months from the date when the individual became or ought to have reasonably become aware of an alleged infringement (Art 30 Maltese Act) (Art 82 GDPR).