What key protections exist for personal data?
The Data Protection Act, Chapter 440 of the Laws of Malta (the ‘DPA’), along with the subsidiary legislation issued thereunder, provides the main protections for personal data. The DPA provides certain safeguards for personal data that must be ensured by anyone processing such data. In particular, personal data must be processed fairly and lawfully, processed in accordance with good practice and only for specific, explicitly stated and legitimate purposes, and must be correct and kept up to date. Further to this, the DPA provides that personal data may only be processed if certain criteria are adhered to, such as when the data subject has unambiguously given his consent or when the processing of such personal data is necessary for the performance of a contract to which the data subject is a party. Moreover, the DPA states that where the data subject notifies the controller of personal data that he objects to his personal data being processed for direct marketing purposes, such data may not be processed for that purpose.
With respect to sensitive personal data, the DPA requires that additional safeguards be implemented for the processing of such data and that the processing be necessary in order that:
(i) the controller complies with his obligations or rights under employment law; or
(ii) the vital interests of the data subject or of some other person will be able to be protected and the data subject is physically or legally incapable of giving his consent; or
(iii) legal claims will be able to be established, exercised or defended.
In addition to this, the DPA sets out specific purposes for which sensitive personal data may be processed, such as processing for health or medical purposes, processing for research and statistics purposes, and processing by foundations and similar entities. With respect to processing data relating to legal offences, the DPA allows such data to be processed solely under the control of a public authority, unless otherwise provided under any law.
The DPA provides rights to data subjects, such as requiring that the controller provides the data subject with relevant information, and the right of access to his personal data when requested. In fact, where such data is collected from a third party and not from the data subject himself, the controller must provide the data subject with specific details.
Further to the above, the DPA explicitly requires that appropriate technical and organisational measures are implemented by the controller to ensure that any processed personal data is secured against unlawful forms of processing, accidental destruction or loss.
Act no. 31 of 14 April 2000 relating to the Processing of Personal Data (the Personal Data Act), Section 1, prescribes that the Act shall protect data subjects from violation of their right to privacy through the processing of personal data and help to ensure that personal data are processed in accordance with the data subject's fundamental right to privacy.
As the Act has implemented Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, the data subjects are offered the Directive’s key protections such as the requirements of:
- a lawful basis to process personal data;
- explicit, lawful and specified purpose that restricts the processing of personal data to said purpose;
- adequate, relevant and not excessive processing of the personal data;
- accurate and, where necessary, up to date personal data;
- personal data not being stored longer than necessary for the achievement of the stated purpose;
- appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of, or the accidental loss or destruction of, or damage to, personal data; and
- limitations on the transfer of the personal data to other countries.
The Law on Protection of Personal Data No. 6698 protects personal data. The Law, which is similar to Directive 95/46, is based on fundamental data protection principles.
Data controllers must comply with the principles set out in Article 4 of the Data Protection Law, that is, that the data must be:
- processed fairly and lawfully;
- accurate and up-to-date;
- processed for a specific, explicit and legitimate purpose;
- relevant, adequate and not excessive;
- kept for a term that is necessary for the purpose for which the data is being processed.
Personal data can be processed by obtaining the explicit consent of the data subject or on any of the 7 grounds mentioned below:
- Processing is expressly ordered/required in the law.
- Processing is necessary for the protection of the data subject's or third parties' life or physical integrity.
- Processing concerns the personal data of contracting parties, provided the processing is directly related to the execution or performance of a contract.
- Processing is mandatory for the data controller to perform his/her legal obligations under the law.
- Personal data has been made open to the public by the data subject.
- Processing is mandatory for assigning, using or protecting a right.
- Processing is mandatory for the legitimate interest of data controller, provided the processing does not harm the data subject's fundamental rights and freedoms.
Further, data subjects have certain rights, such as the right to request deletion or rectification of their personal data, or to request damages.