Data Advocacy for Malta

The relevant law is the Data Protection Act (Act) (Chapter 440 of the Laws of Malta) and the Regulations (at present nine in number) issued under it.

Office of the Information and Data Protection Commissioner Airways House

Second Floor

High Street

Sliema SLM 1549 Malta

T +356 2328 7100

F +356 23287198

[email protected]

The Information and Data Protection Commissioner (‘Commissioner’) has the function (among others) of generally ensuring the correct processing of personal data in order to protect individuals from violations of their privacy.

Under Maltese law there is presently no obligation to appoint data protection officers. However, the Act states that the controller of personal data shall notify the Commissioner on the appointment or removal of a personal data representative (if any). The personal data representative has the function (among others) of independently ensuring that the controller processes personal data in a lawful and correct manner and in accordance with good practice and in the event of the personal data representative identifying any inadequacies, he shall bring these to the attention of the controller.

Legal Notice 239 of 2011, which was brought into force as of 1st January 2013, has amended Subsidiary Legislation 440.01, Processing of Personal Data (Electronic Communications Sector) Regulations, making new provisions for breach notifications.

The Regulations provide that, in the case of a personal data breach, providers of publicly available electronic communications services must notify the breach to the Commissioner without delay. ‘Personal data breach’ is defined in the Regulations as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service’.

If the breach is likely to adversely affect the personal data or privacy of a subscriber or individual, the provider must also notify the subscriber or individual of the breach without delay. However, notification to the subscriber or individual concerned shall not be required on the condition that the provider demonstrates to the satisfaction of the Commissioner that he has implemented appropriate technological protection measures and that those measures were applied to the data concerned by the security breach. Such technological protection measures should render the data unintelligible to any person who is not authorised to access it.

If the provider has not already notified the subscriber or individual of the personal data breach, the Commissioner may require the provider to do so after considering the likely adverse effects of the breach.

The notification to the subscriber or individual must at least include the nature of the breach and the contact points where more information can be obtained. The notification must also recommend measures to mitigate the possible adverse effects of the breach. The notification to the Commissioner shall also include the consequences of and the measures proposed or taken by the provider to address the breach. The Regulations also provide that the Commissioner is to encourage the drawing up of guidelines and where necessary issue instructions concerning the circumstances in which providers are required to notify personal data breaches, the format that such notification is to take and the manner in which the notification is to be made.

Service providers are to maintain an inventory of personal data breaches consisting of the facts surrounding the breach, its effects and the remedial action taken which must be sufficient to enable the Commissioner to verify compliance with the provisions of the Regulations.

Opt-in regime: no direct marketing electronic mail can be legally sent without the express consent of the receiver, unless a pre-existing business or commercial relationship exists. (Consent is however not mandated for marketing to legal persons.)

Also, a specific opt out must be offered with each message. Disguised sender identities are prohibited, and a valid return address must be provided.

The term “Opt-Out Rule” means that the sending of e-marketing to the recipient is permitted on an opt-out basis if:

  • the recipient’s details were originally collected “in the context of a sale”.
  • the entity sending the marketing is the same legal entity that collected the recipient’s details initially.
  • the marketing relates to “similar” products and/or services for which the recipient’s details were originally obtained.
  • the recipient is given the opportunity free of charge to object to the e-marketing, both at the time their details were collected and in each subsequent communication.

Applicable Legislation:

Processing of Personal Data (Electronic Communications Sector) Regulations – Legal Notice 16 of 2003 as amended – implementing Directive 2002/58/EC (as amended) – the “Regulations”

First party e-marketing

(entity that collects the data will send the e-marketing itself)

B2C: Opt-in. Opt-out permitted where Opt-Out Rule applies.

B2B: Opt-in. Opt-out permitted where Opt-Out Rule applies

Third party e-marketing

(entity that collects the data will share with third party partner for e-marketing)

B2C: Opt-in

B2B: Opt-in.