DATA PROTECTION ACT
To make provision for the protection of individuals against the violation of their privacy by the processing of personal data and for matters connected therewith or ancillary thereto.
22nd March, 2002*
15th November, 2002†
15th July, 2003‡
ACT XXVI of 2001, as amended by Acts XXXI of 2002 and IX of 2003; Legal Notices 181 and 186 of 2006, 426 of 2007; and Act XVI of 2008.
PART I - PRELIMINARY
"blocking" in relation to personal data, means the operation to suspend modification of data or suspend or restrict the
provision of information to a third party when such provision is so suspended or restricted in accordance with the provisions of
this Act;
"Commissioner" means the Information and Data Protection Commissioner appointed under article 36 and includes any officer
or employee of the Commissioner authorised by him in that behalf;
"consent" means any freely given specific and informed indication of the wishes of the data subject by which he signifies
his agreement to personal data relating to him being processed;
"controller of personal data" or "controller" means a person who alone or jointly with others determines the purposes
and means of the processing of personal data;
"data subject" means a natural person to whom the personal data relates;
"identity card number" means the identifying number contained in an identity card as provided in the Identity Card Act;
"Minister" means the Minister responsible for freedom of information and data protection;
"personal data" means any information relating to an identified or identifiable natural person; an identifiable person is
one who can be identified, directly or indirectly, in particular by reference to an
identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or
social identity;
Short title. Interpretation.
Amended by:
XVI. 2008.46.
Cap. 258.
*Part VIII (articles 36 to 53, both inclusive) was brought into force as from 22nd
March, 2002, by Legal Notice 70 of 2002.
†Articles 2 and 54 were brought into force as from 15th November, 2002, by Legal
Notice 382 of 2002.
‡Articles 3 to 28 (both inclusive) were brought into force as from 15th July, 2003, by
Legal Notice 150 of 2003 - but see Legal Notice 150 of 2003 re applicability of
provisions of articles 7 to 9 and 12 to 17.
Part VII (articles 29 to 35, both inclusive) and article 55 were brought into force as
from 15th July, 2003, by Legal Notice 151 of 2003.
Article 56 of Part IX was brought into force as from 15th July, 2003, by Legal Notice
156 of 2003.
"personal data filing system" or "filing system" means any structured set of personal data which is accessible
according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
"personal data representative" means a person, appointed by the controller of personal data, who shall independently ensure
that the personal data is processed in a correct and lawful manner;
"prescribed" means prescribed by regulations made by the Minister in accordance with the provisions of this Act,
after consultation with the Commissioner;
"processing" and "processing of personal data" mean any operation or set of operations which is taken in regard
to personal data, whether or not it occurs by automatic means, and includes the collection, recording, organisation, storage, adaptation,
alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment
or combination, blocking, erasure or destruction of such data;
"processor" means a person who processes personal data on behalf of a controller;
"recipient" means a person to whom personal data is provided; however, when personal data is provided in order
that the Commissioner may perform such supervision, control or audit that it is under a duty to attend to, the Commissioner
shall not be regarded as a recipient;
"sensitive personal data" means personal data that reveals race or ethnic origin, political opinions, religious or philosophical
beliefs, membership of a trade union, health, or sex life;
"third country" means a state that is not included in an Order issued for the purpose of determining which states are not
to be considered as a third country for the purposes of this Act as may be prescribed from time to time under this Act;
"third party" means a person other than the data subject, the controller of personal data, the personal data representative,
the processor and such persons who under the direct responsibility of the controller of personal data or the processor are authorised
to process personal data.
Mode of
Processing.
PART II - APPLICABILITY
Territorial scope.
4. (1) This Act shall also apply:
(a) to the processing of personal data carried out in the
context of the activities of an establishment of a controller in Malta or in a Maltese Embassy or High Commission abroad;
(b) to the processing of personal data where the controller is established in a third country provided that the equipment
used for the processing of the personal data is situated in Malta.
(2) Without prejudice to the following proviso, the provisions of subarticle (1)(b) shall not apply if the equipment is used only for purposes of transit of information between a third country and another such country:
Provided that the controller in such a case shall appoint a person established in Malta to act as his representative.
(a) to processing of personal data where such processing is undertaken by a natural person in the course of a purely personal activity;
and
(b) to processing operations concerning public security, defence, State security (including the economic well being of the
State when the processing operation relates to security matters) and activities of the State in areas of criminal law:
Provided that the Minister may, after consultation with the Commissioner and with the concurrence of the Minister responsible for
the Police, by regulations make provisions extending the application of this Act or adding to or derogating
from the provisions of this subarticle to enforce the provisions of any international obligation, convention or treaty
relating to the protection of personal data, to which Malta is a party, or may become a party.
6. (1) Subject to the following provisions of this article, nothing in this Act shall prejudice the application of the provisions
of the European Convention Act relating to freedom of expression, or the provisions of the Press Act relating to journalistic freedoms.
(2) Notwithstanding the provisions of subarticle (1) the Commissioner shall encourage the drawing up of a suitable
code of conduct to be applicable to journalists and to the media to regulate the processing of any personal data and the code of
conduct shall provide appropriate measures and procedures to protect the data subject, having regard to the nature of the data.
(3) In the absence of such code of conduct, the Commissioner may establish specific measures and procedures to protect the data
subjects; in such a case journalists and the media are to comply with measures and procedures so established.
(4) If the measures and procedures contained in the code of conduct applicable to journalists and the media in terms
of subarticle (2) or (3) are not complied with, the Commissioner may prohibit any person concerned from carrying out any processing,
in whole or in part, and order the blocking of data when, having
regard to the nature of the data, the means of the processing or the effects that it may have, there is a serious risk of a relevant damage to one or more data subjects.
Non-applicability of the Act.
Freedom of expression
Cap. 319. Cap. 248.
Requirements for processing.
Processing for historical purposes, etc.
Criteria for processing.
PART III - REQUIREMENTS AND CRITERIA FOR PROCESSING
(a) personal data is processed fairly and lawfully;
(b) personal data is always processed in accordance with good practice;
(c) personal data is only collected for specific, explicitly stated and legitimate purposes;
(d) personal data is not processed for any purpose that is incompatible with that for which the information is collected;
(e) personal data that is processed is adequate and relevant in relation to the purposes of the processing;
(f) no more personal data is processed than is necessary having regard to the purposes of the processing;
(g) personal data that is processed is correct and, if necessary, up to date;
(h) all reasonable measures are taken to complete, correct, block or erase data to the extent that such data is incomplete
or incorrect, having regard to the purposes for which they are processed;
(i) personal data is not kept for a period longer than is necessary, having regard to the purposes for which they are processed.
Provided that the Controller shall ensure that:
(a) the appropriate safeguards are in place where personal data processed for historical, statistical or scientific purposes
may be kept for a period longer than is necessary having regard to the purposes for which they are processed; or
(b) personal data kept for historical, statistical or scientific purposes shall not be used for any decision concerning
a data subject.
(a) the data subject has unambiguously given his consent;
or
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps
at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of the data subject; or
(e) processing is necessary for the performance of an activity that is carried out in the public interest or in the exercise
of official authority vested in the controller or in a third party to whom the data is disclosed; or
(f) processing is necessary for a purpose that concerns a legitimate interest of the controller or of such a third party to whom
personal data is provided, except where such interest is overridden by the interest to protect the fundamental rights and freedoms
of the data subject and in particular the right to privacy.
(2) The controller shall appropriately inform the data subject of his right to oppose, at no cost, the processing referred to subarticle (1) of this article.
Direct marketing.
11. (1) In those cases where the processing of personal data is made in terms of article 9(e) and (f), the data subject, except where otherwise provided in any other law, shall be entitled to object at any time to the controller on
compelling legitimate grounds to the processing of such data.
(2) Saving the provisions of article 10, where the processing of personal data takes place with the consent of the data subject,
the data subject may at any time revoke his consent for compelling legitimate grounds relating to his particular situation.
Provided that such personal data may be processed in those cases provided for under subarticle (2) and under articles 13 to 16 or
as may be prescribed by the Minister having regard to an important public interest.
(2) Sensitive personal data may be processed if the data subject:
(a) has given his explicit consent to processing; or
(b) has made the data public.
Revocation of consent.
Sensitive personal data.
Necessary processing.
(a) the controller will be able to comply with his duties or exercise his rights under any law regulating the conditions
of employment; or
(b) the vital interests of the data subject or of some other person will be able to be protected and the data subject
is physically or legally incapable of giving his consent; or
(c) legal claims will be able to be established, exercised or defended.
Processing by foundations, etc.
Processing concerning health or medical purposes.
Cap. 31.
Processing concerning research and statistics
PART IV - PROCESSING FOR SPECIFIC PURPOSES
Provided that sensitive personal data may be provided to a third party only if the data subject explicitly consents thereto.
(a) preventive medicine and the protection of public health;
(b) medical diagnosis;
(c) health care or treatment; or
(d) management of health and hospital care services:
Provided that the data is processed by a health professional or other person subject to the obligation of professional secrecy.
For the purposes of this article "health professional" means a person in possession of a warrant to exercise a profession
regulated by the Medical and Kindred Professions Ordinance and any person acting under the personal direction and supervision of such person.
16. (1) Sensitive personal data may be processed for research and statistics purposes, provided that the processing is necessary as
stipulated in article 9(e).
(2) If the processing referred to in subarticle (1) has been approved:
(a) in the case of statistics, by the Commissioner himself;
(b) in the case of research, by the Commissioner on the
advice of a research ethics committee of an institution recognised by the Commissioner for the purposes of this paragraph;
the provisions of subarticle (1) shall be deemed to be satisfied.
(3) Personal data may be provided to be used for the purposes referred to in subarticle (1), unless otherwise provided
by applicable rules on secrecy and confidentiality.
Processing concerning legal offences.
(2) For this purpose, the Minister may by regulations authorise any person to process the data referred to in subarticle (1) subject
to such suitable specific safeguards as may be prescribed:
Provided that a complete register of criminal convictions may only be kept under the control of a public authority.
(a) the purpose of the processing;
(b) the importance of a secure identification;
(c) some other valid reason as may be prescribed.
PART V - DATA COLLECTION AND RIGHT OF ACCESS
that behalf must provide a data subject from whom data relating to
the data subject himself are collected, with at least the following information, except, where the data subject already has it:
(a) the identity and habitual residence or principal place of business of the controller and of any other person authorised by him
in that behalf, if any;
(b) the purposes of the processing for which the data are intended; and
(c) any further information relating to matters such as:
(i) the recipients or categories of the recipients of data;
(ii) whether the reply to any questions made to the data subject is obligatory or voluntary, as well as the possible consequence
of failure to reply; and
(iii) the existence of the right to access, the right to rectify, and, where applicable, the right to erase the data concerning
him,
and, insofar as such further information is necessary, having regard to the specific circumstances in which the data is collected,
to guarantee fair processing in respect of the data subject.
(a) the identity and habitual residence or principal place of business of the controller and of any other person authorised by him
in that behalf;
(b) the purposes of the processing;
(c) any further information including:
(i) the categories of data concerned;
(ii) the recipients or categories of recipients;
(iii) the existence of the right of access, the right to
rectify, and, where applicable, the right to erase the data concerning him;
Processing of identity card number.
Information to data subject.
Data collected from other sources.
and insofar as such further information is necessary, having regard to the specific circumstances in which the data is processed,
to guarantee fair processing in respect of the data subject.
(2) The information referred to in subarticle (1) shall be provided at the time of undertaking the recording of personal
data or, if a disclosure to a third party is envisaged, not later than the time when the data are first disclosed.
(3) Information referred to in subarticle (1) need not be provided if there are provisions concerning the registration
or disclosure of any such personal data in any other law and appropriate safeguards are adopted.
(4) Information under subarticle (1) need not be provided if the personal data is required:
(a) for processing for statistical purposes;
(b) for purposes of historical or scientific research;
and insofar as the provision of such information proves impossible or would involve a disproportionate effort.
Right of access.
21. (1) The controller of personal data at the request of the data subject shall provide to the data subject, without excessive delay and without expense, written information as to whether personal data concerning the data subject is processed:
Provided that a request by the data subject under this subarticle shall only be made by the data subject at reasonable
intervals.
(2) If such data is processed the data controller shall provide to the data subject written information in an intelligible form
about:
(i) actual information about the data subject which is processed;
(ii) where this information has been collected;
(iii) the purpose of the processing;
(iv) to which recipients or categories of recipients the information is disclosed; and
(v) knowledge of the logic involved in any automatic processing of data concerning the data subject.
(3) An application under subarticle (1) shall be made in writing to the controller of personal data and is to be signed by the
data subject.
Rectification.
22. (1) The controller shall be liable at the request of the data subject to immediately rectify, block or erase such personal data that has not been processed in accordance with this Act or with regulations made under this Act.
(2) The controller shall notify the third party to whom the data has been disclosed about the measures undertaken under subarticle
(1) of this article:
Provided that no such notification need be provided if it is shown to be impossible or it will involve a disproportionate effort.
PART VI - EXEMPTIONS, RESTRICTIONS AND OTHER MEASURES
(a) national security;
(b) defence;
(c) public security;
(d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics
for regulated professions;
(e) an important economic or financial interest including monetary, budgetary and taxation matters;
(f) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official
authority referred to in paragraphs (c), (d) and (e); or
(g) such information being prejudicial to the protection of the data subject or of the rights and freedoms of others.
(2) The provisions of article 21 shall not apply when data is processed solely for purposes of scientific research or is kept
in personal form for a period which does not exceed the period necessary for the sole purpose of compiling statistics:
Provided that the provisions of this subarticle shall not apply where the data is used for taking measures or
decisions regarding any particular individual or where there is a risk of breaching the privacy of the data subject.
(2) The provisions of subarticle (1) shall not apply where the decision is taken in the course of the entering into or performance
of a contract with the data subject, provided that the request for the entering into or the performance of the contract, lodged by
the data subject, has been satisfied or that there are suitable measures to safeguard his legitimate interests such as the right
to be heard.
(3) A person who is the subject of a decision referred to in subarticle (1) shall be entitled to obtain upon
representation information from the controller about what has controlled the automated processing that resulted in the
decision:
Provided that information made available by the controller
shall be subject to the provisions of article 21.
Exemptions and restrictions in case of secrecy, etc.
Decisions based on automated processing.
Persons authorised to process data.
Security measures relating to processing.
Transfer of data to a third country.
(2) The carrying out of processing by way of a processor is to be governed by a contract or other legally binding instrument in
a written or in an equivalent form binding the processor to the controller and stipulating in particular that the processor:
(a) shall act only on instructions from the controller;
(b) shall take those measures referred to in article 26(1).
(a) technical possibilities available;
(b) cost of implementing the security measures;
(c) special risks that exist in the processing of personal data;
(d) sensitivity of the personal data being processed.
(2) If the controller engages a processor, the controller shall ensure that the processor:
(a) can implement the security measures that must be taken;
(b) actually takes the measures so identified by the controller.
(2) The adequacy of the level of protection of a third country shall be assessed in the light of all the circumstances surrounding
a data transfer operation or a set of data transfer operations; particular consideration shall be given to the nature of
the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final
destination, the rules of law, both general and sectoral, in force in the third country in question and the professional
rules and security measures which are complied with in that country.
(3) It is for the Commissioner to decide whether a third country ensures an adequate level of protection.
(4) The transfer of personal data to a third country that does not ensure adequate protection is prohibited.
(2) A transfer of personal data to a third country that does not ensure an adequate level of protection within the meaning of
article 27(2) may be effected by the controller if the data subject has given his unambiguous consent to the proposed transfer or if the transfer -
(a) is necessary for the performance of a contract between the data subject and the controller or the implementation
of precontractual measures taken in response to the data subject's request;
(b) is necessary for the performance or conclusion of a contract concluded or to be concluded in the interests of the data subject
between the controller and a third party;
(c) is necessary or legally required on public interest grounds, or for the establishment, exercise or defence of legal claims;
(d) is necessary in order to protect the vital interests of the data subject; or
(e) is made from a register that according to laws or regulations is intended to provide information to the public and which
is open to consultation either by the public in general or by any person who can demonstrate legitimate interest,
provided that the conditions laid down in law for consultation are fulfilled in the particular case.
(3) Without prejudice to subarticle (1) the Commissioner may authorise a transfer or a set of transfers of personal data to a
third country that does not ensure an adequate level of protection within the meaning of article 27(2):
Provided that the controller provides adequate safeguards, which may result particularly by means of appropriate contractual
provisions, with respect to the protection of the privacy and fundamental rights and freedoms of individuals and with
respect to their exercise.
PART VII - NOTIFICATION AND OTHER PROCEDURES
(2) The Minister may prescribe on any matter relating to the form of notification to be made under this subarticle in respect of -
Exemptions from the prohibition of the transfer of data to third country
Obligation for notification
(a) processing whose sole purpose is the keeping of a register which according to laws or regulations is intended
to provide information to the public and which is open to consultation either by the public in general or by any person
demonstrating a legitimate interest; and
(b) processing operations referred to in article 14.
(3) The notification referred to in subarticle (1) must specify:
(a) the name and address of the data controller and of any
other person authorised by him in that behalf, if any;
(b) the purpose or purposes of the processing;
(c) a description of the category or categories of data subject and of the data or categories of data relating to them;
(d) the recipients or categories of recipient to whom the data might be disclosed;
(e) proposed transfers of data to third countries; and
(f) a general description allowing a preliminary assessment to be made of the appropriateness of the measures
taken pursuant to article 26 to ensure security of processing:
Provided that the controller shall notify the Commissioner of any changes affecting the information referred to under this subarticle
and the Minister may prescribe any matter related to the form of such notification.
(4) The Commissioner may allow the simplification of or the exemption from the notification obligations provided for under this
Part of this Act only in respect of categories of processing operations -
Derogation from the obligation for notification.
Function of data representative.
(i) which are unlikely, due account being taken of the data being processed, to prejudice the rights and freedoms of data subjects,
and
(ii) in respect of which the Commissioner specifies the purposes of the processing, the data or categories of data being
processed, the category or categories of data subjects affected by such processing, the recipients or categories of recipients
to whom the data is to be disclosed and the length of time for which the data is to be stored.
(2) Where a personal data representative has been so appointed the notification required in terms of article 29(1) and (3) shall not be required.
with good practice and in the event of the personal data representative identifying any inadequacies, he shall bring these
to the attention of the controller.
(2) If the personal data representative has reason to suspect that the controller has contravened the provisions applicable for
processing personal data and if rectification is not implemented as soon as practicable after such contravention has been pointed
out, the personal data representative shall notify this situation to the Commissioner.
(3) The personal data representative shall also consult with the Commissioner in the event of doubt about how the rules applicable
to processing of personal data are to be applied.
34. (1) (a) Processing of personal data that involves particular risks of improper interference with the rights and freedoms
of data subjects shall be submitted for prior checking to the Commissioner.
(b) The Minister may by regulation define the processing operations involving particular risks as
referred to in paragraph (a) and prescribe rules in relation thereto.
(2) The prior checking referred to in subarticle (1) shall be carried out by the Commissioner following receipt of a notification
from either the controller or the personal data representative:
Provided that in the case of doubt, the controller or personal data representative shall consult the Commissioner.
35. (1) The Commissioner shall maintain a register of processing operations notified in accordance with article 29(1). The
register shall contain the information listed in article 29(3)(a) to (e).
(2) The controller or the personal data representative, if so instructed by the controller, shall provide at least the information
referred to in article 29(3)(a) to (e) to any person who requests it expeditiously and in an appropriate manner about such automated or other processing of personal data
that have not been notified to the Commissioner under article 29(3):
Provided that the provisions of this subarticle shall not apply to the information specified in article 29(2)(a).
Register of processing subject to notification.
Assistance to data subject.
Mandatory notification.
Register of processing operations.
Information and Data Protection Commissioner.
Independence of functions. Amended by:
IX. 2003.118.
Commissioner may not hold other offices of profit. Exceptions.
PART VIII - THE INFORMATION AND DATA PROTECTION COMMISSIONER
(2) A person shall not be qualified to hold office as
Commissioner if he:
(a) is a Minister, Parliamentary Secretary, or a Member of the House of Representatives; or
(b) is a judge or magistrate of the courts of justice; or
(c) is an officer in the public service; or
(d) is a member of a local council; or
(e) has a financial or other interest in any enterprise or activity which is likely to affect the discharge of his functions as
a Commissioner:
Provided that the disqualification of a person under this paragraph may be waived if such person declares the interest and such declaration
and waiver are published in the Gazette.
(2) It shall not be lawful for the Commissioner to carry out any other profession, business or trade or to hold any other office of profit whatsoever, even though of a temporary nature, with the exception of any temporary judicial office on any international court or tribunal or any international adjudicating body, and the office of examiner at a University.
Legal personality and representation of the Commissioner.
Tenure of office. Amended by: XXXI. 2002.263.
(2) Any document purporting to be an instrument made or issued by the Commissioner and signed by him shall be received in evidence and shall, until the contrary is proved, be deemed to be an instrument made or issued by the Commissioner.
(2) The Commissioner shall not be removed from his office except by the Prime Minister upon an address of the House of Representatives
supported by the votes of not less than two thirds of all the members thereof and praying for such removal on the ground of proved
inability to perform the functions of his office (whether arising from infirmity of body or mind or any other cause) or proved misbehaviour.
(3) If the Commissioner resigns or if his office is otherwise vacant or if the Commissioner is for any reason unable to perform
the functions of his office, or for any other temporary purpose where the Commissioner considers it necessary not to carry out any
of his functions because of such circumstances, that were he a judge of the superior courts, he would abstain, the Prime Minister
shall, after he has consulted the Leader of the Opposition, appoint a person who is qualified to be appointed as a temporary Commissioner,
if such person is qualified to be a Commissioner; and any person so appointed shall cease to be such a Commissioner when
a Commissioner is appointed to fill the vacancy or, as the case may be, when the Commissioner who was unable to perform
the functions of his office resumes those functions or, in the case of a temporary purpose, the temporary Commissioner has performed
the function assigned to him.
(4) The appointment of a temporary Commissioner for a temporary purpose as provided in subarticle (3) shall be exercised
only on a certificate signed by the Commissioner to the effect that, in his opinion, it is necessary for the due conduct of the business
of the Commissioner under this Act, that a temporary Commissioner be appointed.
(a) to create and maintain a public register of all processing operations according to notifications submitted
to him as specified in this Act;
(b) to exercise control and, either of his own motion or at the request of a data subject, verify whether the processing
is carried on in accordance with the provisions of this Act or regulations made thereunder;
(c) to instruct the processor and controller to take such measures as may be necessary to ensure that the processing is
in accordance with this Act or regulations made thereunder;
(d) to receive reports and claims from data subjects or associations representing them on violations of this Act or
regulations made thereunder, to take such remedial action as he deems necessary or as may be prescribed under this Act,
and to inform such data subjects or associations of the outcome;
(e) to issue such directions as may be required of him for the purposes of this Act;
(f) to institute civil legal proceedings in cases where the provisions of this Act have been or are about to be violated and to
refer to the competent public authority any criminal offence encountered in the course of or by reason of his functions;
(g) to encourage the drawing up of suitable codes of conduct by the various sectors affected by the provisions
of this Act and to ascertain that the provisions of such codes are in accordance with the provisions of this Act
and for such purpose the
Functions of the Commissioner. Amended by: XVI. 2008. 46. Cap. 496.
Commissioner’s right of access to information.
their representatives;
(h) to take such measures as may be necessary so as to bring to the knowledge of the general public the provisions of this
Act and for such purpose to give advice to any person where it is required;
(i) to order the blocking, erasure or destruction of data, to impose a temporary or definitive ban on processing, or to warn or admonish
the controller;
(j) to advise the Government on any legislative measures that are required to be taken to enable him carry out his functions appropriately;
(k) to draw up annual reports of his activities at regular intervals, at least once a year, which reports shall be made public;
(l) at the request of a data subject to verify that the processing of the personal data described in article 23 of this
Act is compliant with the provisions of this Act or of any law as specified in subarticle (1) of the said article 23 and in such
a case the data subject shall be informed accordingly; and
(m) to collaborate with supervisory authorities of other countries to the extent necessary for the performance of his duties,
in particular by exchanging all useful information, in accordance with any convention to which Malta is a party or
other any international obligation of Malta; and
(n) to carry out the functions assigned to him by the
Freedom of Information Act.
(a) access to the personal data that is processed, and;
(b) information about and documentation of the processing of personal data and security of such processing:
Provided that where the personal data is processed for the purpose of compliance with a legal obligation to which the controller
is subject, the Minister may by regulation prescribe rules and procedures for the purposes of the implementation of subarticle (1)(a).
(2) Without prejudice to any other provision of any other law, any person who does not comply with any lawful request relevant
to an investigation by the Commissioner shall be guilty of an offence against this article.
(3) The investigations on the data processing described in article 23 are subject to the written authorisation of the
Commissioner.
(4) If the Commissioner cannot, pursuant to a request under subarticle (1), obtain sufficient information in order to conclude
that the processing of personal data is lawful, the Commissioner may prohibit the controller of personal data from processing
personal data in any other manner than by storing them.
(5) In the exercise of his functions under this article the Commissioner shall have the same powers to enter and search
any premises as are vested in the executive police by any law as may from time to time be in force.
(2) If the controller does not implement security measures in
terms of article 26, the Commissioner may impose an administrative fine as stipulated in the following subarticle.
(3) In any of the cases mentioned in the preceding subarticles or in article 41(2), the Commissioner may, by order in writing,
require the controller of personal data to pay such administrative fine as may be prescribed, provided that if the controller fails
to comply with such requirement the Commissioner shall commence proceedings against the controller:
Provided that such administrative fine shall be due to the Commissioner as a civil debt, constituting an executive title for the purposes
of Title VII of the Code of Organization and Civil Procedure as if payment of the amount of the fine had been ordered by a judgement of a court of civil jurisdiction.
(2) If the controller of personal data feels aggrieved by the decision of the Commissioner, he may, within fifteen days from the
receipt of the notice referred to in subarticle (1), by application request the Court of Appeal as constituted in accordance with
article 41(6) of the Code of Organization and Civil Procedure, to revoke the order of the Commissioner.
44. The Commissioner, before taking a decision in the exercise of his functions under article 40(c) or (e) which may significantly impact the operation of any government department or of any public or private enterprise, shall
consult the interested party or parties who may be directly affected by the decision and he shall give reasons for his decisions.
45. The Commissioner and any officer and employee of the Commissioner shall, before assuming their duties, take an oath of office contained
in the Schedule to this Act to carry out their duties with equity and impartiality and in accordance with the provisions of this
Act and shall be subject to the provisions of the Official Secrets Act, and the Code of Ethics applicable to public officers. The oath of office shall be taken before the Attorney General.
Commissioner to seek rectification.
Cap. 12.
Application for erasure.
Collaboration with other authorities.
Oath of secrecy.
Cap. 50.
Amended by:
L.N. 181 of 2006;
L.N. 186 of 2006.
Penalties.
Amended by:
L.N. 426 of 2007.
Information and Data Protection Appeals
Tribunal. Amended by: XVI. 2008. 46.
controller who processes data in contravention of this Act or regulations made thereunder.
(2) An action under this article shall be commenced within a period of twelve months from the date when the data subject becomes
aware or could have become aware of such a contravention, whichever is the earlier.
(a) provides untrue information to data subjects as is prescribed by this Act, or in the notification to the Commissioner
under article 29 or to the Commissioner when the Commissioner requests information in accordance with article 41;
(b) processes personal data in contravention of the provisions of articles 12 to 17;
(c) transfers personal data to a third country in contravention of article 27 and 28;
(d) omits to give notification under article 29(1) or in accordance with regulations issued under article 34;
shall be guilty of an offence and shall on conviction be liable to a fine (multa) not exceeding twenty-three thousand and two hundred and ninety-three euro and seventy-three cents (€23,293.73) or to imprisonment
for six months or to both such fine and imprisonment.
(2) Any person who fails to comply with an order in writing to pay an administrative fine in accordance with the provisions of
article 41(2) or of article 42(1), shall not be subject to the payment of a penalty under the provisions of this article.
(2) The Tribunal shall consist of a chairman and two other members appointed by the Minister.
(3) The chairman shall be an advocate with a minimum of twelve years legal experience.
(4) The two other members mentioned in subarticle (2) shall be persons who in the opinion of the Minister represent the
interests of data subjects and of data controllers.
(5) The chairman and other members of the Tribunal shall hold office for such period being of not less than three years as may
be determined in their appointment and cannot be removed during their term of office except on grounds of proved inability
to perform the functions of their office whether arising from infirmity of body or mind or any other cause, or proved misbehaviour.
(6) A member of the Tribunal may be challenged or abstain for any of the reasons for which a judge may be challenged or abstain
in accordance with article 734 of the Code of Organization and Civil Procedure. In any such case the Minister shall appoint a person, having the qualifications of the member challenged or abstaining,
to sit as a member of the Tribunal in substitution of the said member.
(7) A member of the House of Representatives or of a Local Council, a Judge or a Magistrate, or an officer in the public service
shall be disqualified from being appointed or continuing to be a member of the Tribunal for so long as he holds that office.
(8) The Minister shall also designate a person to serve as secretary to the Tribunal.
(2) An appeal to the Tribunal may be made on any of the following grounds:
(a) that a material error as to the facts has been made;
(b) that there was a material procedural error;
(c) that an error of law has been made;
(d) that there was some material illegality, including unreasonableness or lack of proportionality.
(3) The Tribunal shall give reasons for its decision and shall cause such decisions to be made public omitting, if it
deems it appropriate for reasons of confidentiality, the names of the persons involved.
(4) In determining an appeal under this article the Tribunal may:
Cap. 12.
Appeals.
(i) dismiss the appeal;
(ii) annul the decision;
and where the Tribunal annuls the decision it may refer the matter to the competent authority with a direction to reconsider it and
reach a decision in accordance with the findings of the Tribunal.
(5) The effect of a decision to which an appeal relates shall not except where the Tribunal or the Court of Appeal, as the case
may be, so orders, be suspended in consequence of the bringing of the appeal.
(2) For the exercise of its functions, the Tribunal may summon any person to appear before it and give evidence and produce documents; and the chairperson shall have the power to administer the oath. The Tribunal may also appoint experts to advice the Tribunal on any technical issue that may be relevant to its decision.
Powers and procedures of the Tribunal.
Appeal to the
Court of Appeal.
Cap. 12.
Financial provision. Amended by: XVI. 2008. 46. Cap. 496.
Accounts and audit. Amended by:
XVI. 2008. 46.
Cap. 496.
law.
(4) Save as may be prescribed, the Tribunal may regulate its own procedure.
41(6) of the Code of Organization and Civil Procedure by means of an application filed in the registry of that court within thirty days
from the date on which that decision has been notified.
52. (1) The expenses required by the Commissioner to exercise his functions under this Act and under the Freedom of Information Act and other laws as may be fixed by the House of Representatives in accordance with this article shall be a charge on
the Consolidated Fund without the need of any further appropriation other than this Act.
(2) Where during the course of any financial year the sum fixed by the House of Representatives is in the
opinion of the Commissioner insufficient to enable him to efficiently fulfil his functions the Commissioner shall prepare supplementary
estimates for consideration by the House of Representatives.
(3) The Commissioner shall cause to be prepared in every financial year, and shall not later than six weeks after the
end of each such year adopt, estimates of the income and expenditure of the Commissioner for the next following financial year:
Provided that the estimates for the first financial year of the Commissioner shall be prepared and adopted within such time as the
Minister may by notice in writing to the Commissioner specify.
(4) A copy of the estimates shall, upon their adoption by the Commissioner, be sent forthwith by the Commissioner to the
Minister and to the Minister responsible for finance.
(5) The Minister shall at the earliest opportunity and not later than six weeks after he has received a copy of the estimates
from the Commissioner, approve the same with or without amendment after consultation with the Minister responsible for finance.
53. (1) The Commissioner shall cause to be kept proper accounts and other records in respect of his operations under this Act
and under the Freedom of Information Act and other laws and shall cause to be prepared a statement of accounts in respect of each financial year.
(2) The accounts of the Commissioner shall be audited by an auditor or auditors to be appointed by the Commissioner and
approved by the Minister:
Provided that the Minister responsible for finance may after consultation with the Minister require the books
or the accounts of the Commissioner to be audited or examined by the
Auditor General who shall for the purpose have the power to carry out such physical checking and other certifications as he may deem
necessary.
(3) After the end of each financial year, and not later than the date on which the estimates of the Commissioner are forwarded
to the Minister under article 52(3), the Commissioner shall cause a copy of the statement of account duly audited to be transmitted
to the Minister and to the Minister responsible for finance together with a copy of any report made by the auditors on that statement
or on the accounts of the Commissioner.
(4) The Minister shall, at the earliest opportunity and not later than eight weeks after he has received a copy of every
such statement and report, or if at any time during that period the House of Representatives is not in session, within eight weeks
from the beginning of the next following session, cause every such statement and report to be laid on the Table of the House of Representatives.
(5) The Commissioner shall, not later than six weeks after the end of each financial year, make and transmit to the Minister and
to the Minister responsible for finance a report dealing generally with the activities of the Commissioner during the financial year
and contain such information relating to the proceedings and policy of the Commissioner as either of the said Ministers may from
time to time require. The Minister shall, at the earliest opportunity and not later than eight weeks after he has received a copy
of every such report, or if at any time during that period the House of
Representatives is not in session, within eight weeks from the beginning of the next following session cause a copy of every
such report to be laid on the Table of the House of Representatives.
PART IX - GENERAL
(a) the cases in which processing of personal data is permitted;
(b) the requirements which are imposed on the controller when processing personal data;
(c) what a notification or application to a controller should contain;
(d) which information shall be provided to the data subject and how information shall be provided;
(e) notification to the Commissioner and the procedure when information notified has been altered;
(f) rules and procedures relating to access by the Commissioner of data held in instances where the controller
processes data for compliance with a legal obligation;
(g) the qualifications required for a person to be appointed
Power to make regulations. Amended by: XXXI. 2002.263; L.N. 426 of 2007.
English text to prevail.
Amendment to the Malta Communications Authority Act. Cap. 418.
as a personal data representative;
(h) the minimum guarantees to be provided by the bodies of persons or other entities referred to in article 14 in the processing of
personal data;
(i) the fees that may be levied by the Commissioner;
(j) the administrative fines that may be imposed by the Commissioner and the administrative violations in respect of which
such fines be imposed; provided that such fines shall not be in an amount exceeding twenty-three thousand and two hundred and ninety-three
euro and seventy-three cents (€23,293.73) for each violation and two thousand and three hundred and twenty-nine
euro and thirty-seven cents (€2,329.37) for each day during which such violation persists;
(k) the penalties that may be imposed under this Act;
(l) for establishing rules, procedures, formalities and time limits in respect of any matter provided for under this Act;
(m) the extension of the application of this Act to any particular activity or sector and to provide for the manner
in which data protection is to be implemented in specific sectors or in respect of specific activities; and
(n) for anything that may be prescribed under any of the provisions of this Act.
Act shall be amended as follows:
(a) paragraph 2 thereof shall be deleted; and
(b) paragraph 3 thereof shall be re-numbered as paragraph 2.
SCHEDULE
Article 45
Oaths of Office
I ………………………………………… solemnly swear / affirm that I will faithfully and conscientiously perform my duties
as (Information and Data Protection Commissioner / Officer of the Information and Data Protection Commissioner / Employee of
the Information and Data Protection Commissioner) in terms of the Data Protection Act and in accordance with the laws of Malta,
without fear or favour. (So help me God.).
URL: http://www.worldlii.org/mt/legis/laws/dpa440c294