Privireal Home Page Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

Malta - Data Protection

History of Data Protection in MALTA

The Maltese Data Protection Act of 2001 was the first law in Malta that directs itself exclusively to the protection of personal data. It was introduced in order to render Maltese law compatible with Directive 95/46/EC, even though at the moment of its introduction Malta was not a member state. This was partly to facilitate the transfer of data with EU member states, and partly in preparation for the potential accession of Malta to the EU.

The Act came into force on 15 July 2003.

After a polarised and politicised debate inside the country, Malta finally joined the EU on 1 May 2004.

Summary of Data Protection in MALTA

Title of Data Protection Legislation Data Protection Act 2001
Name of supervisory authority Office of the Data Protection Commissioner
General Powers of supervisory authority The functions of the Commissioner are set out in Article 40 of the Data Protection Act. They include: (a) to create and maintain a public register of allprocessing operations according to notificationssubmitted to him as specified in this Act;
(b) to exercise control and, either of his own motion or atthe request of a data subject, verify whether theprocessing is carried on in accordance with theprovisions of this Act or regulations made thereunder;
(c) to instruct the processor and controller to take suchmeasures as may be necessary to ensure that theprocessing is in accordance with this Act orregulations made thereunder;
(d) to receive reports and claims from data subjects orassociations representing them on violations of thisAct or regulations made thereunder, to take suchremedial action as he deems necessary or as may beprescribed under this Act, and to inform such datasubjects or associations of the outcome; (i) to order the blocking, erasure or destruction of data, toimpose a temporary or definitive ban on processing, orto warn or admonish the controller;
(j) to advise the Government on any legislative measuresthat are required to be taken to enable him carry outhis functions appropriately; Article 41 grants the commissioner a right of access to personal data that is processed, and information about and documentation of the processing of personal data and security of such processing.
Who has standing to notify the supervisory authority of breaches? Data subjects and associations representing them, and 'Personal Data Representatives', who are appointed by controllers to independently ensure that data is processed properly.
What are the penalties for data controllers if they breach the law? Section 42(1) of the 2001 law states that if data is being processed unlawfully then processing can be stopped. 42(2) also permits the levying of fines. If there are criminal rather than a merely administrative breaches than imprisonment is also possible (Section 47).
Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? Yes. Article 18 of the 2001 Act states that the identity card number can only be processed without consent if "such processing is clearly justified having regard to: a) the purpose of the processing, b) the importance of a secure identification, c) some other valid reason as may be prescribed".
Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it.
Does the Data Protection Legislation cover the deceased? Yes
Who is able to indirectly identify the data subject? Probably anybody. The 2001 Act uses the same wording as the Directive on this point.

Laws and Regulations