Overview
Europe is at the forefront when it comes to safeguarding individual privacy and personal data in general. In fact, in Europe, data protection rights are considered to be fundamental human rights and are regulated by a special legal framework which ensures their protection. With the introduction of the General Data Protection Regulation (GDPR) (EU Reg. 2016/679), companies now face significant obligations when handling personal data and are made answerable for all kinds of processing activities, some of which are more onerous than others.
Legal Framework
GDPR & The Data Protection Act
The principal source of data protection legislation in the EU is the GDPR. Its adoption led EU Member States to harmonise their data protection laws. In Malta, the GDPR is complemented by the Data Protection Act, Chapter 586 of the Laws of Malta. It is also notable that, apart from these main sources, there exists other subsidiary legislation implemented under Chapter 586, such as, amongst others, the Processing of Personal Data (Protection of Minors) Regulations.
The GDPR seeks to educate data subjects, making them aware of the data collected about them and of their rights in relation to the processing of such data. The new law applies to companies and entities which process personal data in the EU, regardless of where such data is processed, and also to companies established outside the EU which offer goods or services in the EU.
Its application is limited to the collection, storage, use and sharing of ‘personal data’, which is defined as ‘any information relating to an identified or identifiable natural person (‘data subject’)’. An identifiable natural person is one who can be ‘identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’. The definition is therefore very wide in scope and is meant to offer robust protection to data subjects.
Your Business in a World of Personal Data
How does GDPR affect your Business?
In controlling and processing personal data concerning identifiable data subjects, there are certain key principles which must necessarily be adhered to.
In an attempt to strengthen the enforcement of the provisions of the GDPR, penalties and fines are imposed on any company which fails to comply with, or infringes, the provisions of the regulation. Such fines may reach up to 20 million euros or 4% of the annual worldwide turnover of the infringing company.
Assisting you in ensuring that your business is in full compliance with this regulation is our priority.
Key Principles in Processing Personal Data
- Transparency – Personal data must be processed in a lawful, fair and transparent manner. In fact, Controllers (i.e. companies which control personal data) must provide information to data subjects regarding the collection and processing of their data. This information must be clear, accessible, transparent and concise.
- Lawful basis for processing – In order to process personal data one must have a lawful reason; indeed, Article 6 of the GDPR lists the legal bases on which personal data may be processed. In this regard, it is important that those processing data choose the correct basis, which choice is not plain sailing and requires a thorough analysis. Our firm can assist with guiding clients to the correct lawful basis. Some of these bases are the following:
- i) the data subject has given consent to the processing of his/her personal data for one or more specific purposes;
- ii) processing is necessary for the performance of a contract to which the data subject is party;
- iii) processing is necessary for compliance with a legal obligation to which the controller is subject;
- iv) processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Purpose Limitation – This means that Controllers may only process data in accordance with a specific and legitimate purpose and the data cannot be further processed in a manner which is incompatible with that purpose.
- Data minimisation – Personal data collected and processed must be limited to what is necessary; data which is not required may not be collected or processed.
- Proportionality – A balance needs to be achieved between the means used and the intended aim.
- Retention – Personal data cannot be stored for longer than is necessary.
Data Subjects' Rights
The abovementioned key principles are based on a number of rights enjoyed by data subjects. In fact, individuals who have their data processed have their rights protected by the GDPR. The GDPR highlights a number of rights which can be availed of by data subjects. These include the following:
- Right to access the data
- Right to rectification of errors
- Right to be forgotten
- Right to object to the processing
- Right to restrict the processing
- Right to data portability
- Right to withdraw consent
- Right to object to marketing
- Right to complain to the relevant data protection authority.
Other Important Considerations
Appointment of a Data Protection Officer ('DPO')
Sometimes, it is necessary for a data protection officer to be appointed. In fact, the law provides that a data protection officer must be appointed where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or where the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9, or of personal data relating to criminal convictions and offences referred to in Article 10.
If a data protection officer is appointed, details of such data protection officer must be communicated to the Information & Data Protection Commissioner.
Data Protection Agreements
A company controlling personal data may facilitate the collection of such data by appointing a ‘data processor’ (a company that collects and processes data on behalf of the controller).
In the event that a data processor is appointed, an agreement must be entered into between the company and the data processor which regulates the processing, the duration of the processing, the purpose of the processing and the rights and duties of the parties.
Not only are controller-processor Data Protection Agreements required under law, but they also offer clarity to the parties with regard to the regulation of their relationship. While such an agreement certainly provides for obligations, it concurrently offers protection to the parties in certain scenarios.
How can we help?
Data Protection Assessments
In complying with the strict provisions of GDPR, Gonzi & Associates, Advocates can assist by first identifying any functions, processes and areas that involve processing of personal data including but not limited to:
- Employee contact details
- Payroll data
- Customer contact data
- Mailing lists
- Online forms
Through this preliminary information audit, we would be able to assess and identify what personal data is being processed and the reasons for such processing. For any company to be able to collect and use personal data, a lawful basis needs to be identified for every processing activity. Furthermore, companies are obliged to limit the storage of such data, ensuring that personal data is only retained for the period in which it is required.
Identification of Gaps in Compliance & Formulation of an Action Plan
Gonzi & Associates, Advocates can assist in:
- Implementing a GDPR compliance checklist, the aim of which is to identify gaps in compliance found up to this stage.
- Formulating an action plan and documenting the measures and actions that are to be taken to gain compliance in each area.
The GDPR itself requires that entities must implement procedures which ensure that data remains protected. In fact, the regulation highlights the need to implement appropriate technical and organisational measures which may include internal data protection policies such as staff training, maintaining relevant documentation on processing activities, appointing a data protection officer and implementing measures that meet the principles of data protection. These measures may include pseudonymization, anonymization and encryption.
Drafting of External Facing Privacy Notices
In ensuring full compliance, our firm can also assist with drafting Privacy Notices. Moreover, since the activities of the company may rely on consent for the processing activities, we would need to review the consent mechanisms and ensure that they are clear and unambiguous, opt-in, and not bundled with any T&Cs.
Arrangements with Third Parties
The GDPR requires that certain safeguards and arrangements are in place when an entity shares personal data externally or receives such personal data. This is achieved through the implementation of appropriate Controller-Processor or other Data Sharing or Data Processing Agreements, most notably, DPAs. We can assist by reviewing existing arrangements or drafting new agreements with your service providers who may be controllers, processors or both.
Augusto’s other interests include planning road trips, movie nights, and playing the violin with various ensembles.
Education
2020: Master of Laws, University of London
2018: Post Graduate Diploma in Laws, University of London
2016: Doctor of Laws, University of Malta
2016: Maltese Financial Regulations, Institute of Financial Services
2014: Diploma of Notary Public, University of Malta
2013: Bachelor of Laws, University of Malta
Professional Experience
2020: Senior Associate, Gonzi & Associates, Advocates
2017: Associate Lawyer, Gonzi & Associates, Advocates
2015: Legal Trainee, Gonzi & Associates, Advocates