Introduction to GDPR in Malta

| 27 Jul 2023

Introduction to GDPR in Malta img

Data Protection in a Nutshell 

In the digital age, characterised by the growth of cloud computing and remote access, the importance of protecting personal data has gained new significance. Privacy has become one of the pivotal issues in our time, which does not only affect legislators or technology innovators, but has become relevant to every household, which has internet access or has welcomed smart gadgets home. This has also impacted the Malta domain from a socio-legal perspective; whereas EU related data protection and privacy regulation has been with us since before the turn of the century, the anticipation for the coming into force of the new regulations has, for the first time, created a sense of urgency and importance on matters which were otherwise second or third priority within commercial culture in Malta.

European Union – Leading Ahead  

Being one of the largest markets in the world, and assuming a leading position in electronic commerce, the European Union has taken an active role in privacy law. Considered as ‘the most consequential regulatory development in information policy in a generation the General Data Protection Regulation, May 2018 brings personal data into a protective regulatory regime. Although perhaps, ideas embodied in the GDPR are not entirely European, nor novel in nature, the Regulation has proven to be a pinnacle legislation. Albeit, in weaker and less prescriptive forms, some notions found in the GDPR are also found in US privacy laws and in Federal Trace Commission settlements. In Malta, the GDPR, which is directly applicable within such jurisdiction has generally followed suit in the typical areas for which it has competence to derogate from or otherwise

GDPR – Beginnings and Growth  

Superseding the Data Protection Directive 95/46 EC the regulation relates to the processing of personal data of individuals (or, also known as data subjects) who are within the EEA. It applies to any enterprise, irrespective of its location which processes personal information of individuals located within the EEA. Since its early inception in 2012, the regulation has undergone rounds of discussions and negotiations, however its main aim has been vital throughout, as is very much a part of the regulation – to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulations with the EU. In Malta, with the introduction of the GDPR, the prior Act, Chapter 440 of the Laws of Malta was repealed and Chapter 586 of the Laws of Malta was consequently enacted, to officially transpose the GDPR, whilst also enacting subsidiary legislation to better provide within the fields of its competence.

GDPR – Principles  

Essentially, personal data of individuals may not be processed without a lawful purpose. The GDPR lays down what are to be considered as lawful processes for data processing, which shall be discussed in detail in following publications. In transposing the GDPR via Chapter 586 of the Laws of Malta, the Maltese legislator utilised the leeway afforded to it under the regulation, to invoke derogations to certain GDPR principles in particular prescribed instances, such as in prescribed cases of freedom of expression.

Looking Ahead on Data Protection Law 

Following years of negotiations and consultations, the European Union considers the GDPR as an active piece of legislation which has proved itself in its initial years into force. It is estimated that in two years following the entry into force of the legislation, in May 2018, until May 2020, over 4.3 million citizens and businesses have consulted the European Commission’s online portal on GDPR. This series of publications shall be delving deeper into the practical implications of data protection and privacy, including specifically in terms of data protection guidelines and regulations vis-à-vis Malta.

What this means for you 

  • The GDPR legal regime follows a risk-based approach.
  • Moreover, the mitigation measures which are available and which may be employed do not follow a one-size-fits-all approach.
  • And most of all, the GDPR’s legal regime is comprehensive, deriving from various EU court judgements, Data Protection Authority (DPA) rulings, and the EU’s compendium of guidelines.

This means achieving GDPR compliance for your business requires more than just adhering to the text of the GDPR and determining internal policies on web Q&As and examples. 

How we can help 

Chetcuti Cauchi’s data protection lawyers not only embrace technology and privacy in continuous development, but are also able to examine the business’s processes and systems to give advice on suitable Data Protection policies and measures tailored to their particular circumstances, in addition to standard data protection contractual approaches. Given our data protection legal expertise, we are also suitably qualified to provide Data Protection Officer (DPO) assistance. 

Request More Information

Please send me legal and other updates

Key Contacts

Dr Charlene Mifsud

Partner, Corporate & Commercial

+356 2205 6298