The Data Protection Act (Cap. 440)
The Data Protection Commissioner writes:
The Data Protection Act, which was enacted in 2001 and fully brought into force in 2003, provides for the privacy of the individual in terms of personal data. In fact, this is an extension of the right already vested by the Constitution of Malta and by the European Convention of Human Rights, which has been adopted on our statute.
Our model follows the European model and transposes the provisions of EC Directive 95/46 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and the free movement of this data, and Directive 2002/58/EC on the processing of personal data and the protection of privacy in the electronic communications sector.
The principal function of the Commissioner for Data Protection is therefore to safeguard the rights of individuals in relation to personal data, which is processed by other persons who are termed data controllers.
The rights of an individual include the right to be informed before his data is processed, to have access to this data, and to have the data updated, corrected and blocked in cases where processing has not been carried out in accordance with the Act.
On the other hand, the law imposes certain obligations on data controllers, which include:
• to notify the Commissioner about the data being processed in relation to their activity;
• to obtain consent from individuals where necessary so as to process data about them;
• to inform individuals about the processing purposes, the recipients to whom data may be disclosed, and about their rights under the Data Protection Act;
• to process personal data which is relevant and necessary for specific purposes;
• to take all reasonable measures to ensure that personal data is correct and up to date;
• to process data only for a period as required by the specific purpose of processing; and
• to protect personal data from accidental destruction, loss, and unlawful processing by implementing appropriate security measures.
The law empowers the Commissioner to exercise control over data controllers and to impose administrative penalties and other sanctions. The Commissioner is vested with the following functions:
• to create and maintain a public register of all processing operations being notified by Data Controllers;
• to investigate and have access to personal data processed by the Controller;
• to institute civil legal proceedings in cases where the provisions of the Act have been or are about to be violated;
• to encourage the drawing up of suitable codes of conduct by the various sectors;
• to order the blocking, erasure or destruction of data, impose a temporary or definitive ban on processing, or warn or admonish the controller; and
• to collaborate with supervisory authorities of other countries to the extent necessary for the performance of his duties.