Data Privacy and Protection Legislation in Malta, GDPR
January 31, 2022
Malta’s Data Protection Act (Act XX 2018) is a data privacy law that was passed in 2018. The Act was passed to implement the provisions of the General Data Protection Regulation, or GDPR, into Maltese law, as Malta is a member state of the European Union. As such, the Data Protection Act (Act XX 2018) mandates that data controllers and processors within Malta adhere to the same requirements and obligations that apply to similar parties in other EU member states. However, the Act also varies from the EU’s GDPR in certain instances, particularly as concerns the legal basis upon which data may be collected, processed, and ultimately used within Malta.
What are the primary differences between Malta’s Data Protection Act and the GDPR law?
Malta’s Data Protection Act (Act XX 2018) and the EU’s GDPR are largely similar in the legal framework that data controllers and processors within Malta must adhere to when processing personal data. For instance, the Act requires data controllers and processors within Malta to process personal data in accordance with the same data protection principles that were established by the GDPR. These principles include, but are not limited to, ensuring that personal data is processed in a manner that is lawful, fair, and transparent, and that all personal data that is processed is accurate. However, the two laws do vary with respect to personal data that is processed in the interest of the general public.
As stated in Malta’s Data Protection Act (Act XX 2018), “the Act establishes under Article 6(2) that controllers and processors may derogate from the provisions of Articles 15, 16, 18, 19, 20, and 21 of the GDPR for the processing of personal data for archiving purposes in the public interest. This is so, in so far as the exercise of the rights set out in those articles are likely to render impossible or seriously impair the achievement of those purposes or the controller reasonably believes that such derogations are necessary for the fulfillment of those purposes. Further to this, however, Article 7 of the Act stipulates that the controller must consult with and obtain authorization from the Commissioner where the controller intends to process data in the interest of the public. This authorization is required when the data is related to genetic data, biometric data, data concerning health for statistical or research purposes, and special categories of data related to the management of social care services and systems.”
What are the rights of Maltese citizens under Malta’s Data Protection Act?
The rights of Maltese citizens under Malta’s Data Protection Act (Act XX 2018) are largely the same as those provided to citizens who reside within other member states of the European Union. These rights include:
- The right to be informed.
- The right to access.
- The right to rectification.
- The right to erasure.
- The right to object or opt-out.
- The right to data portability.
- The right not to be subject to automated decision-making.
- The right to restriction of data processing.
However, Malta’s Data Protection Act (Act XX 2018) does set forth certain conditions and circumstances under which the data privacy rights of Maltese citizens may be derogated from. For example, the right to be informed of data processing activities may be derogated from under the Act, provided that the data processing activities relate to personal data that is used in the context of “scientific and historical research purposes, official statistics, and archiving purposes in the public interest.” The law also mandates that the right to data portability be derogated from in instances where data portability would be “likely to render impossible or seriously impair the achievement” of the purposes for which the personal data was processed.
What are the penalties for violating Malta’s Data Protection Act?
The Information and Data Protection Commission, or the IDPC for short, is Malta’s data protection authority and has the authority to levy a number of sanctions against data controllers and processors who fail to maintain compliance with Malta’s Data Protection Act (Act XX 2018). Such sanctions include monetary penalties ranging from €25,000 to €50,000 ($28,541 to $57,083), depending on the scope and severity of the particular offense, as well as daily monetary penalties ranging from €25 to €50 ($28 to $57) for each day on which a violation under the law persists.
Malta’s Data Protection Act (Act XX 2018) serves as a means to secure the data protection and personal privacy rights of Maltese citizens. As the law implements the various provisions of the EU’s GDPR into Maltese law, these citizens have various avenues for recourse should their rights be violated or infringed upon during the course of data collection or processing activities. Furthermore, through provisions in the GDPR that allow member states to make changes to the legislation to fit the unique data protection needs of their citizens, Malta can continue to improve the data privacy landscape of its country for years to come.