Home | Databases | WorldLII | Search | Feedback Maltese Laws

Data Protection Act (Cap. 440) Processing Of Personal Data (Telecommunications Sector) Regulations, 2003 (L.N. 16 Of 2003 )

DATA PROTECTION ACT (CAP. 440)
Processing of Personal Data (Telecommunications Sector) Regulations, 2003
IN exercise of the powers conferred by article 54 of the Data Protection Act, the Minister of Justice and Local Government, after consultation with the Data Protection Commissioner, has made the following regulations>–

Citation.

Commencement.

Definitions.

1. The title of these regulations is the Processing of Personal
Data (Telecommunications Sector) Regulations, 2003.
2. These regulations shall come into force as the Minister may by order in the Gazette determine and different dates may be appointed in respect of different regulations.
3. (1) Unless otherwise stated in these regulations, the definitions in the Telecommunications (Regulation) Act and the Data Protection Act shall apply.
requires>
(2) In these regulations, unless the context otherwise

Cap. 440.

“Act” unless otherwise stated in these regulations, means the
Data Protection Act<
“Authority” means the Malta Communications Authority< “Commissioner” means the Data Protection Commissioner<
“communication” means any information exchanged or transmitted between a finite number of parties by means of a publicly available telecommunications service. This does not include any information conveyed as part of a broadcasting service to the public over a telecommunications system except to the extent that the information can be related to the identifiable subscriber or user receiving the information<
“consent” means consent by a user or subscriber and corresponds to the consent given by a data subject in accordance with article 2 of the Act<
“controller” means the controller of personal data and shall have the same meaning as under the Act<
“directory of subscribers” or “directory” means a directory of subscribers to publicly available telecommunications services, whether in printed form or in electronic form -
(a) which is available to the public or a section of the public, or
(b) information which is normally provided by a directory enquiry service<
“electronic mail” means any text, voice, sound or image message sent over a public telecommunications system which can be stored in the system or in the recipient’s terminal equipment until it is collected by the recipient<
“information society service” shall have the same meaning as under the Electronic Commerce Act<
“location data” means any data processed in a telecommunications system, indicating the geographic position of the terminal equipment of a user of a publicly available telecommunications service<
“Minister” unless otherwise stated in these regulations means the Minister responsible for data protection<
“person” includes any body corporate and any body of persons whether or not it has a legal personality distinct from that of its members<
“personal data” means any information relating to an identified or identifiable person< an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to that person’s physical, physiological, mental, economic, cultural or social identity<
“processing” and “processing of personal data” mean any operation or set of operations which is taken in regard to personal data, whether or not it occurs by automatic means, and includes the collection, recording, organisation, storage, adaptation, alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available,
B 217

Cap. 426.

B 218

Application.

alignment or combination, blocking, erasure or destruction of such data<
“public telecommunications system” means transmission systems and, where applicable, switching equipment and other resources which permit the conveyance of signals between defined termination points by wire, by radio, by optical or by other electromagnetic means, which are used, in whole or in part, for the provision of publicly available telecommunications services<
“service provider” means any person who holds a valid licence or permit to provide a public telecommunications service under the Telecommunications (Regulation) Act, or is registered under the Telecommunications (Regulation) Act as a person authorised as aforesaid (whether or not he is also a telecommunications system provider)<
“system provider” means any person who holds a valid licence or permit to operate a public telecommunications system under the Telecommunications (Regulation) Act, or is registered under the Telecommunications (Regulation) Act as a person authorised as aforesaid (whether or not he is also a telecommunications service provider)<
“traffic data” means any data processed for the purpose of the conveyance of a communication on a telecommunications system or for the billing thereof<
“user” means any natural person using a publicly available telecommunications service, for private or business purposes, without necessarily having subscribed to such service<
“value added service” means any service which requires the processing of traffic data or location data other than traffic data beyond what is necessary for the transmission of a communication or the billing thereof.
4. These regulations shall apply to the processing of personal data in connection with the provision of publicly available telecommunications services in public telecommunications systems in Malta and any other country as the Minister may after consultation with the Minister responsible for telecommunications, designate by notice in the Gazette.
5. (1) Without prejudice to regulation 11 no person other than the user, shall listen, tap, store or undertake any other form of interception or surveillance of communications and of any related traffic data, without the consent of the user concerned.
(2) This regulation shall not affect any legally authorised recording of communications and the related traffic data in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of any other business communication.
6. (1) The use of telecommunications systems to store information or to gain access to information stored in the terminal equipment of a subscriber or user shall only be allowed on condition that the subscriber or user concerned is provided by the controller with clear and comprehensive information, including information about the purposes of the processing, in accordance with the Act.
(2) The subscriber or user shall be entitled to object at any time to the controller to the processing of such data and to refuse such processing.
(3) The requirements in this regulation shall not prevent the technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over a telecommunications system or as may be strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
7. (1) Without prejudice to sub-regulations (2), (3) and (4) of this regulation, traffic data relating to subscribers and users processed for the purpose of the transmission of a communication and stored by a service provider or by a system provider shall be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication.
(2) Traffic data necessary for the purposes of subscriber billing and interconnection payments may be processed provided that such processing shall only be permissible up to the end of the period during which the bill may lawfully be challenged or payment pursued.
(3) For the purpose of marketing its own telecommunications services or for the provision of value added services to the subscriber, the service provider may process the data referred to in sub-regulation (1) of this regulation to the extent and for the duration necessary for such services, provided the subscriber has given his consent.
B 219

Confidentiality of communications.

Access to information stored in terminal equipment.

Traffic data.

B 220

Location data.

(4) The service provider shall inform the subscriber or user of the types of traffic data that are processed and of the duration of such processing for the purposes mentioned in sub-regulation (2) of this regulation and, prior to obtaining consent, for the purposes mentioned in sub-regulation (3) of this regulation.
(5) Processing of traffic data in accordance with sub- regulations (1) to (4) of this regulation shall be restricted to persons acting under the authority of the service providers and of the system providers handling billing or traffic management, customer enquiries, fraud detection, marketing the telecommunications services of the provider or providing a value added service, and shall be restricted to what is necessary for the purposes of such activities.
(6) Nothing in this regulation shall preclude the furnishing of traffic data to any competent authority for the purposes of any law relating to the settling of disputes, in particular interconnection and billing disputes.
8. (1) Where location data other than traffic data, relating to users or subscribers of public telecommunications systems or services can be processed, such data may only be processed when it is made anonymous, or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service.
(2) Prior to obtaining the consent of the users or subscribers, the service provider shall inform them of the following>
(a) the type of location data other than traffic data, which shall be processed,
(b) the purposes and duration of the processing, and
(c) whether the data shall be transmitted to a third party for the purpose of providing the value added service>
Provided that at any time users or subscribers may withdraw their consent for the processing of location data other than traffic data.
(3) Where consent of the users or subscribers has been obtained for the processing of location data other than traffic data, the user or subscriber shall continue to have the possibility, using a simple means and free of charge, of temporarily refusing the processing of such data for each connection to the system or for each transmission of a communication.
(4) The processing of location data other than traffic data in accordance with sub-regulations (1), (2) and (3) of this regulation shall be restricted to persons acting under the authority of the service provider or of the system provider or of the third party providing the value added service, and shall be restricted to what is necessary for the purposes of providing the value added service.
9. (1) Any person who produces a directory of subscribers shall, without charge to the subscriber and before any personal data relating to the subscriber is included in the directory, ensure that -
(a) the subscriber is informed about the purposes of such a directory of subscribers and of any usage possibilities based on search functions embedded in the electronic version of the directory<
(b) no personal data are included in such a directory without the consent of the subscriber. In giving his consent the subscriber shall determine which data is to be included in the directory, to the extent that such data is relevant for the purpose of the directory as determined by the provider of the directory service. Subscribers shall be given the opportunity to verify, correct or withdraw such personal data from the directory< and
(c) the personal data in such a directory relating to a subscriber is limited to what is necessary to identify the subscriber and the number allocated to him, unless the subscriber has given his additional consent to the provider of the directory service authorising him to include in the directory additional personal data of the subscriber>
Provided that the above shall apply only to subscribers who are natural persons.
(2) This regulation shall not apply to an edition of a directory that has been already produced or placed on the market in printed or off-line electronic form before the coming into force of these regulations.
(3) Where the personal data of subscribers to fixed or mobile public voice telephony services has been included in a public subscriber directory before the coming into force of these regulations, the personal data of such subscribers may remain in this public directory in its printed or electronic versions, including versions with reverse search functions, unless subscribers indicate otherwise, after having received complete information from the provider of the directory services about the purposes and options in accordance with this regulation.
B 221

Directory of subscribers.

B 222

Unsolicited communications.

Non-applicability of certain regulations.

10. (1) A person shall not use, or cause to be used, any publicly available telecommunications service to make an unsolicited communication for the purpose of direct marketing by means of -
(a) an automatic calling machine, or
(b) a facsimile machine, or
(c) electronic mail,
to a subscriber, who is a natural person, unless the subscriber has given his prior explicit consent in writing to the receipt of such a communication.
(2) Notwithstanding sub-regulation (1) of this regulation, where a person has obtained from his customers their contact details for electronic mail in relation to the sale of a product or a service, in accordance with the Act that same person may use such details for direct marketing of its own similar products or services>
Provided that customers shall be given the opportunity to object, free of charge and in an easy and simple manner, to such use of electronic contact details when they are collected and on the occasion of each message where the customer has not initially refused such use.
(3) A person who uses or causes to be used any other means of communication other than those stated in sub-regulations (1) and (2) of this regulation for the purpose of direct marketing shall, at no charge to the subscriber, ensure that any such communications to a subscriber are not sent if the subscriber requests that such communications cease>
Provided that this sub-regulation shall apply only to subscribers who are natural persons.
(4) In all cases the practice of sending electronic mail for the purposes of direct marketing, disguising or concealing the identity of the sender on whose behalf the communication is made, or without a valid address to which the recipient may send a request that such communications cease, shall be prohibited.
11. The provisions of regulations 5, 6, 7 and 8 shall not apply when a law specifically provides for the provision of information as a necessary measure in the interest of>
(a) national security<
(b) defence<
(c) public security<
(d) the prevention, investigation, detection and prosecution of criminal or administrative offences, or of breaches of ethics for regulated professions<
(e) an important economic or financial interest including monetary, budgetary and taxation matters<
(f) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority referred to in paragraphs (c), (d) and (e) of this regulation< or
(g) the protection of the subscriber or user or of the rights and freedoms of others.
12. (1) A person who suffers any loss or damage because of any contravention of these regulations by any other person shall be entitled to take action before the competent court seeking compensation from that other person for that loss or damage.
(2) The period of limitation provided for in subarticle (2) of article 46 of the Act shall apply to an action under sub-regulation (1) of this regulation.
13. The Commissioner shall ensure compliance with the provisions of these regulations.
14. Any person who contravenes or fails to comply with these regulations shall be liable to an administrative fine not exceeding one thousand liri, which fine shall be determined and imposed by the Commissioner.
15. Any person aggrieved by a decision taken by the Commissioner in accordance with these regulations and having a legal interest to contest such a decision may appeal to the Data Protection Appeals Tribunal.
16. The Commissioner may seek the advice of, and shall where appropriate consult with, the Authority in the exercise of his functions under these regulations.
B 223

Compensation for failure to comply with regulations.

Enforcement.

Administrative fines and sanctions.

Appeals from decisions of the Commissioner.

Advice and consultation with the Authority.

B 224

Request that the Commissioner exercise his enforcement functions.

17. Where it is alleged that any of these regulations have been contravened, the Authority or any aggrieved person may request the Commissioner to exercise his enforcement functions in respect of that contravention>
Provided that nothing in this regulation shall be interpreted as a limitation on the discretionary powers of the Commissioner.

Ippubblikat mid-Dipartiment ta’ l-Informazzjoni – 3, Pjazza Kastilja – Published by the Department of Information – 3, Castille Place

Mitbug[ fl-Istamperija tal-Gvern – Printed at the Government Printing Press

Prezz 18c – Price 18c