Practice Areas > Commercial & Intellectual Property > Privacy, GDPR & Data Protection

Overview

Europe is at the forefront when it comes to safeguarding individual privacy and personal data in general. In fact, in Europe, data protection rights are considered to be fundamental human rights and are regulated by a special legal framework which ensures protection. With the introduction of the General Data Protection Regulation (GDPR) (EU Reg. 2016/679) companies now face significant obligations when handling personal data and are made answerable for all kinds of processing activities, some of which are more onerous than others.

Legal Framework

GDPR & The Data Protection Act

The principal source of data protection legislation in the EU came is the GDPR. Its adoption led to EU Member states to harmonise their data protection laws. Additionally, in Malta complementing the GDPR, we find its transposition within the Data Protection Act, Chapter 586 of the Laws of Malta. It is also notable to mention that apart from these main sources, there exists other subsidiary legislation implemented under Chapter 586 such as, amongst others, the Processing of Personal Data (Protection of Minors) Regulation.

The GDPR seeks to educate data subjects and make them aware and understand the data collected about them and their rights in relation to the processing of such data. The new law applies to both companies and entities which process personal data in the EU regardless of where such data is processed and also to companies established outside the EU but offer goods or services in the EU.

Its application is limited to the collection, storage, use and sharing of ‘personal data’ which is defined as ‘any information relating to an identified or identifiable natural person (‘data subject’). Additionally, an identifiable natural person is one who can be ‘identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It is therefore very wide in scope, meant to offer a robust protection to data subjects.

Your Business in a World of Personal Data

How does GDPR affect your Business?

In controlling and processing personal data concerning identifiable data subjects, there are certain key principles which must necessarily be adhered to.

In an attempt to strengthen the enforcement of the provisions of the GDPR, penalties and fines are imposed on any company which fails to comply or infringes the provisions of such regulation. Such fines may reach up to the amount of 20 million euros or 4% of the annual worldwide turnover of the infringing company.

Assisting you in ensuring that your business is in full compliance with this regulation is our priority.

Key Principles in Processing Data Protection

  • Transparency – Personal Data must be processed in a lawful, fair and transparent manner. In fact, Controllers (i.e. Companies who control personal data) must provide information to data subjects regarding the collection and processing of their data. This information must be clear, accessible, transparent and concise.
  • Lawful basis for processing – In order to processes personal data one must have a lawful reason, indeed article 6 of the GDPR lists down legal basis on which personal data may be processed. In this regard, it is important that those processing data choose the correct basis, which choice is not plain sailing and requires a thorough analysis. Our firm can assist with guiding clients to the correct lawful basis. Some of these basis are the following:
    • i) the data subject has given consent to the processing of his/her personal data for one or more specific purposes;
    • ii) processing is necessary for the performance of a contract to which the data subject is party;
    • iii) processing is necessary for compliance with a legal obligation which the controller is subject;
    • iv) processing is necessary in order to protect the vital interests of the data subject or of another natural person.
  • Purpose Limitation – This means that Controllers may only process data in accordance with a specific and legitimate purpose and the data cannot be further processed in a manner which is incompatible with that purpose.
  • Data minimisation – Data minimization ensures that the data must be limited to what is necessary and that one cannot collect and process data which is not required.
  • Proportionality -A balance needs to be achieved between the means used and the intended aim.
  • Retention -Personal Data cannot be stored for longer than is necessary.

Data Subjects' Rights

The abovementioned key principles are based on a number of rights enjoyed by data subjects. In fact ,individuals who have their data processed have their rights protected by the GDPR. The GDPR highlights a number of rights which can be availed of by data subjects. These include the following:

  1. Right to access the data
  2. Right to rectification of errors
  3. Right to be forgotten
  4. Right to object the processing
  5. Right to restrict the processing
  6. Right to data portability
  7. Right to withdraw consent
  8. Right to object to marketing
  9. Right to complain to the relevant data protection authority.

Other Important Considerations

Appointment of a Data Protection Officer ('DPO')

Sometimes, it is necessary for a data protection officer to be appointed. In fact, the law notes that a data protection officer must be appointed where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.

If a data protection officer is appointed, details of such data protection officer must be communicated to the Information & Data Protection Commissioner.

Data Protection Agreements

A company controlling personal data may facilitate the collection of such data by appointing a ‘data processor‘ (a company that collects and processes data on behalf of the controller).

In the event that a data processor is appointed, an agreement must be entered into between the company and the data processor which must regulate the processing, duration of processing, the purpose of the processing and the duties and rights.

Not only are controller-processor Data Protection Agreements required under law, but also offer clarity to the parties with regards to the regulation of their relationship. While such agreement certainly provides for obligations, it concurrently offers protection to the parties in certain scenarios.

How can we help?

Data Protection Assessment
As a starting point, our Firm can assist by first identifying any functions, processes and areas that involve processing of personal data.
Gap Analysis & Action Plan
Following a Data Protection Assessment, our Firm will identify gaps in compliance and accordingly formulate an action plan
Privacy Notices
In ensuring full compliance, our firm can also assist with drafting Privacy Notices
B2B Agreements & Arrangements
If you company shares personal data externally or receives personal data, make sure that these activities are properly regulated.

Data Protection Assessment

Data Protection Assessments

In complying with the strict provisions of GDPR, Gonzi & Associates, Advocates can assist by first identifying any functions, processes and areas that involve processing of personal data including but not limited to:

  • Employee contact details
  • Payroll data
  • Customer contact data
  • Mailing lists and
  • Online forms

Through the preliminary information audit, we would be able to assess and identify what personal data is being processed and the reasons for such processing. For any company to be able to collect and use personal data, a lawful basis needs to be identified for every processing activity. Furthermore, companies are obliged to limit the storage of such data ensuring that personal data is only retained for the period in which it is required.

Gap Analysis & Action Plan

Identification of Gaps in Compliance & Formulation of an Action Plan

Gonzi & Associates, Advocates can assist in:

  • Implementing a GDPR compliance check list. The aim of this is to identify gaps in compliance found up to this stage.
  • Formulate an action plan and document the measures and actions that are to be taken to gain compliance in each area.

The GDPR itself requires that entities must implement procedures which ensure that data remains protected. In fact, the regulation highlights the need to implement appropriate technical and organisational measures which may include internal data protection policies such as staff training, maintaining relevant documentation on processing activities, appointing a data protection officer and implementing measures that meet the principles of data protection. These measures may include pseudonymization, anonymization and encryption.

Privacy Notices - External Facing

Drafting of External Facing Privacy Notices

In ensuring full compliance, our firm can also assist with drafting Privacy Notices. Moreover, since the activities of the company may rely on consent of the processing activities, we would need to review the consent mechanisms and ensure that they are clear and unambiguous, opt in and not bundled with any T&C’s.

B2B Agreements and Arrangements

Arrangements with Third Parties

The GDPR requires that certain safeguards and arrangements are in place when an entity shares personal data externally or receives such personal data. This is achieved through the implementation of appropriate Controller-Processor or other Data Sharing or Data Processing Agreements, most notably, DPAs. We can assist by reviewing existing arrangements or drafting new agreements with your service providers who may be controllers, processors or both.

 

Here to help.

The Process

1

Preliminary Meeting

Our expert lawyers will invite you for a preliminary meeting during which you will be invited to provide an overview of your expected deliverables. Our lawyers will provide an initial overview of the applicable laws and instruct as to the appropriate steps going forward.
2

Engagement & Onboarding

Upon engagement, you will be invited to create your own custom Client Portal. This will help you keep track of our work for you.
3

Gap Analysis & Action Plan

Our lawyers will implement a GDPR compliance check-list. The aim is to identify gaps in compliance and formulate an action plan.
4

Delivery

Our expert lawyers will conduct the matter and deliver any deliverables within agreed time frames. Throughout the whole process, you will have full visibility of all the work done through continuous updates and your own Client Portal.

Specialising
Lawyers

Senior Associate

Dr Augusto Quintano

Augusto Quintano joined the Firm in 2015. He graduated with a Doctor of Laws at the University of Malta after completing his final year of his studies in 2016. He has then furthered his studies by obtaining a Masters in Law in 2020, with a in-depth focus on financial services regulation. Augusto’s main legal focus is in fact financial services law and heads the Firm’s Financial Services Department. He also assists clients in matters of regulatory compliance, contractual law and gaming matters. His expertise leads him to regularly serve on Boards of key market players in the jurisdiction, offering guidance and advice therein.

Augusto’s other interests include planning road trips, movie nights, and playing the violin with various ensembles.

Education

2020: Master of Laws, University of London
2018: Post Graduate Diploma in Laws, University of London
2016: Doctor of Laws, University of Malta
2016: Maltese Financial Regulations, Institute of Financial Services
2014: Diploma of Notary Public, University of Malta
2013: Bachelor of Laws, University of Malta

Professional Experience

2020: Senior Associate, Gonzi & Associates, Advocates
2017: Associate Lawyer, Gonzi & Associates, Advocates
2015: Legal Trainee, Gonzi & Associates, Advocates

Latest News

September 26, 2024 in Commercial & Intellectual Property

Price Parity Clauses in contracts by online booking platforms may hinder competition – CJEU

A recent judgment by the Court of Justice of the European (CJEU) (Second Chamber) held that price parity clauses between hotel operators and online intermediary service providers for reservation of…
Read More
May 22, 2024 in Debt Collection

We have partnered with Debitura!

As a leading debt collection law firm in Malta for a number of years, at Gonzi & Associates, Advocates, we have a wealth of experience in assisting clients in successful…
Read More
March 6, 2024 in Privacy & Data Protection

National Parliamentary Committees and the Scope of the GDPR

In a reference for a preliminary ruling, the Court of Justice of the European Union (CJEU) (Grand Chamber), held that the activity of a committee of a national parliament does…
Read More

Other Areas of Expertise

Investment Services, Fintech & Capital Markets
View Expertise
Corporate & Tax
View Expertise
Civil & Property
View Expertise
Aviation & Shipping
View Expertise
Gaming, IT & Telecoms
View Expertise
Residency & Employment
View Expertise

Engage Us