Data Protection – Data Privacy – Data Solutions
In a digital age and an era of cloud computing, personal data is constantly collected and transferred across borders – both virtual and geographical – and stored on servers in multiple countries both within and outside the European Union.
The globalised nature of data transfer and data storage has demanded a strengthening of the individual’s data protection rights on an international level with minimal complexity, resulting in mechanisms such as Binding Corporate Rules.
As a member of the European Union, Malta’s data protection legislation is fully conformant to European rules and regulations, mainly the EU Data Protection Directive 95/46/EC which is fully transposed into national law.
The objective of the Malta Office of the Information and Data Protection Commissioner is “the protection of the individual’s right to privacy by ensuring the correct processing of personal data”.
Malta’s Data Protection Act (Chapter 440 of the Laws of Malta) gives a broad definition of “processing” and “processing of personal data”: an operation or set of operations, whether or not carried out by automatic means, which includes the “collection, recording, organisation, storage, adaptation, alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction of such data”.
- Provision of legal advice on data privacy and data security matters under the EU Data Protection Directive 95/46/EC
- Managing, directing and monitoring data privacy and data protection compliance efforts of multinational companies
- Driving the creation of and supporting internal data protection policies and procedures
- Overseeing cross-border projects and global initiatives relating to data protection and privacy issues
- Identifying and remedying privacy and/or data protection vulnerabilities
- Drafting and reviewing agreements with third parties and updating contractual provisions (data transfer agreements, employee agreements/vendor/supplier/service provider agreements) relating to data privacy, and processing, storage and use of data, including model contractual clauses under Commission Decision 2001/497/EC of 27 December 2004 and Commission Decision 2010/87/EU of 5 February 2010
- Interacting with EU Data Protection Authorities to ensure access to appropriate information to data subjects and complete, timely submission of required notifications, registrations and accompanying documents
- Assistance in comprehensive data processing operations transfer from EU member states to third countries (including the United States) under Articles 27 and 28 of the Malta Data Protection Act and Legal Notice 155 of 2003 Third Country (Data Protection Act) Regulations (as amended).
- Preparing and directing changes to be made in preparation of the proposed European General Data Protection Regulation, across teams in different EU member states
- Coordination and delivery of training/presentations to management and staff
- Evaluation of privacy compliance assessments
- Assistance in proper handling of inspections, audits and data privacy requirements according to applicable legislation and internal company policy
- Assistance in compilation of SOPs, reports and other procedures
- Legal advice on the Data Protection Act (Chapter 440 of the Laws of Malta)
- Acting as Personal Data Representative to clients
Personal Data Representative
The role of the Personal Data Representative (PDR) is established under Articles 31, 32 and 33 of the Data Protection Act (Chapter 440 of the Laws of Malta).
The PDR shall independently ensure that the data controller processes personal data in a lawful and correct manner and in accordance with good practice, and shall bring any inadequacies to the attention of the data controller. The PDR consults with the Data Commissioner on the application and interpretation of data protection rules. A register of processing operations similar to those required in the notification shall also be maintained by the PDR.
Although appointment of a PDR is, to date, optional, there are a number of advantages companies take into account when deciding to engage a PDR:
- A PDR ensures that specific attention is given to data protection matters as an ongoing business process;
- Specific personal data issues may be proactively identified and anticipated before embarking on business projects involving data processing;
- The role of the PDR will be further strengthened by the introduction of the upcoming EU General Data Protection Regulation:
  - new obligations on data controllers
  - obligation to carry out privacy impact assessments prior to implementing processing operations
  - hefty fines and penalties for non-compliance with the law