Guide to Nationwide Execution of GDPR: Malta

Legislation Applicable in Malta, Focus: Q1 - Relevant Laws

Guide to National Implementation of GDPR: Malta's Approach

Under Malta's implementation of the General Data Protection Regulation (GDPR), processing personal data in compliance with a legal obligation requires strict adherence to the GDPR's general principles, tailored to meet specific legal requirements while safeguarding data subjects' rights. Here are some key points to note:

  1. Lawfulness: Personal data can be processed if it is strictly necessary to comply with a legal obligation to which the controller is subject. This is one of the lawful bases under GDPR.
  2. Purpose limitation: The data must be processed only for the stated legal obligation and not for unrelated purposes.
  3. Data minimization: Only personal data that are adequate, relevant, and limited to what is necessary for the legal obligation should be processed.
  4. Storage limitation: Personal data must not be retained longer than necessary for the legal obligation or as mandated by law.
  5. Transparency and rights: Data subjects must be informed about the processing in a clear manner, including the legal basis for processing, and must be able to exercise their rights (such as access, rectification, restriction, objection) unless constrained by overriding legal reasons.
  6. Accountability: The controller must demonstrate compliance with these rules and respond promptly to data subject requests in line with GDPR timeframes.

In Malta's context, personal data processed to fulfil legal obligations are kept no longer than necessary or as otherwise required by law. Data subjects can request access, correction, or deletion of data unless overriding legal obligations prohibit such actions. Controllers must handle data subject requests promptly and ensure all processing abides by these principles.

Controllers in Malta typically appoint a Data Protection Officer (DPO) to oversee GDPR compliance and handle data requests. The Office of the Information and Data Protection Commissioner is the data protection authority (DPA) in Malta, with contact information available at idpc.org.mt/en/Pages/Home.aspx.

Educational authorities may process personal data of students as well as the personal data of parents and legal guardians under certain safeguards. Data transfers from public registers are not subject to specific rules. DPOs are only mandatory in the circumstances set out in Art. 37(1) GDPR.

Personal data contained in identity documents can only be processed when such processing is clearly justified by the importance of secure identification or by any other valid reason set out in law. The national identity number, or any other identifier of general application, is used only under appropriate safeguards for the rights and freedoms of the data subject.

In extraordinary circumstances, the DPA may request the assistance of the police in order to enter and search any premises. These points represent the application of GDPR’s legal obligation basis in Malta’s context as found in Maltese data controllers’ privacy statements and GDPR guidelines.

  1. White & Case, a renowned global law firm, offers extensive legal services in the industry, including advice on international regulatory matters.
  2. A corporate lawyer at White & Case might specialize in counselling clients on compliance with GDPR regulations for legal obligations.
  3. In publishing news and publications on whitecase.com, the firm shares insights on the latest developments in the legal field, including GDPR compliance.
  4. A partnership between a medical-conditions research organization and a lawyer with experience in environmental science could result in groundbreaking research on the impact of certain health-and-wellness practices on the environment.
  5. Under GDPR, personal data processed for legal obligations must be stored for no longer than necessary, as outlined in the practice of data minimization.
  6. In the wake of a data breach, a law firm's compliance with GDPR can be critical to avoiding substantial fines and protecting its reputation.
  7. A legal practice that specializes in intellectual property law may assist clients in ensuring their inventions are well-protected while meeting GDPR requirements.
  8. Companies operating in Malta must ensure they have robust compliance measures in place to match the strict standards demanded by the GDPR's legal-obligation basis.
  9. The protection of personal data in the field of environmental science is a complex issue, requiring the knowledge and guidance of a seasoned data protection professional.
  10. In the event of a data subject exercising their rights under GDPR, controllers must promptly respond and demonstrate their adherence to the regulation's principles.
  11. The science community and legal professionals should collaborate to develop regulations that strike a balance between safeguarding personal data and advancing scientific progress, especially in key areas like health-and-wellness and environmental science.
