
Overview

Europe is at the forefront when it comes to safeguarding individual privacy and personal data in general. In fact, in Europe, data protection rights are considered to be fundamental human rights and are regulated by a special legal framework which ensures protection. With the introduction of the General Data Protection Regulation (GDPR) (EU Reg. 2016/679) companies now face significant obligations when handling personal data and are made answerable for all kinds of processing activities, some of which are more onerous than others.

Legal Framework

GDPR & The Data Protection Act

The principal source of data protection legislation in the EU is the GDPR. Its adoption led EU Member States to harmonise their data protection laws. In Malta, the GDPR is complemented by its transposition in the Data Protection Act, Chapter 586 of the Laws of Malta. Apart from these main sources, there is also subsidiary legislation implemented under Chapter 586, such as, amongst others, the Processing of Personal Data (Protection of Minors) Regulation.

The GDPR seeks to educate data subjects, making them aware of the data collected about them and of their rights in relation to the processing of such data. The law applies to companies and entities which process personal data in the EU, regardless of where such data is processed, and also to companies established outside the EU which offer goods or services in the EU.

Its application is limited to the collection, storage, use and sharing of ‘personal data’, which is defined as ‘any information relating to an identified or identifiable natural person (‘data subject’)’. An identifiable natural person is one who can be ‘identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’. The definition is therefore very wide in scope, meant to offer robust protection to data subjects.

Your Business in a World of Personal Data

How does GDPR affect your Business?

In controlling and processing personal data concerning identifiable data subjects, there are certain key principles which must necessarily be adhered to.

In order to strengthen the enforcement of the provisions of the GDPR, penalties and fines are imposed on any company which fails to comply with, or infringes, the provisions of the regulation. Such fines may reach up to 20 million euros or 4% of the annual worldwide turnover of the infringing company.

Assisting you in ensuring that your business is in full compliance with this regulation is our priority.

Key Principles in Processing Personal Data

  • Transparency – Personal data must be processed in a lawful, fair and transparent manner. Controllers (i.e. companies which control personal data) must provide information to data subjects regarding the collection and processing of their data. This information must be clear, accessible, transparent and concise.
  • Lawful basis for processing – In order to process personal data one must have a lawful reason; indeed, article 6 of the GDPR lists the legal bases on which personal data may be processed. It is important that those processing data choose the correct basis, a choice which is not plain sailing and requires thorough analysis. Our firm can assist with guiding clients to the correct lawful basis. Some of these bases are the following:
    • i) the data subject has given consent to the processing of his/her personal data for one or more specific purposes;
    • ii) processing is necessary for the performance of a contract to which the data subject is party;
    • iii) processing is necessary for compliance with a legal obligation to which the controller is subject;
    • iv) processing is necessary in order to protect the vital interests of the data subject or of another natural person.
  • Purpose Limitation – Controllers may only process data in accordance with a specific and legitimate purpose, and the data cannot be further processed in a manner which is incompatible with that purpose.
  • Data minimisation – The data collected must be limited to what is necessary; one cannot collect and process data which is not required.
  • Proportionality – A balance needs to be achieved between the means used and the intended aim.
  • Retention – Personal data cannot be stored for longer than is necessary.

Data Subjects' Rights

The abovementioned key principles are based on a number of rights enjoyed by data subjects. In fact, individuals who have their data processed have their rights protected by the GDPR. The GDPR highlights a number of rights which can be availed of by data subjects. These include the following:

  1. Right to access the data
  2. Right to rectification of errors
  3. Right to be forgotten
  4. Right to object to the processing
  5. Right to restrict the processing
  6. Right to data portability
  7. Right to withdraw consent
  8. Right to object to marketing
  9. Right to complain to the relevant data protection authority.

Other Important Considerations

Appointment of a Data Protection Officer ('DPO')

In some cases it is necessary for a data protection officer to be appointed. The law provides that a data protection officer must be appointed where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or where the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9, or of personal data relating to criminal convictions and offences referred to in Article 10.

If a data protection officer is appointed, details of such data protection officer must be communicated to the Information & Data Protection Commissioner.

Data Protection Agreements

A company controlling personal data may facilitate the collection of such data by appointing a ‘data processor’ (a company that collects and processes data on behalf of the controller).

In the event that a data processor is appointed, an agreement must be entered into between the company and the data processor which regulates the processing, the duration of the processing, the purpose of the processing and the duties and rights of the parties.

Not only are controller-processor Data Protection Agreements required under law, but they also offer clarity to the parties with regard to the regulation of their relationship. While such an agreement certainly provides for obligations, it concurrently offers protection to the parties in certain scenarios.

How can we help?

Data Protection Assessment
As a starting point, our Firm can assist by first identifying any functions, processes and areas that involve the processing of personal data.
Gap Analysis & Action Plan
Following a Data Protection Assessment, our Firm will identify gaps in compliance and accordingly formulate an action plan.
Privacy Notices
In ensuring full compliance, our firm can also assist with drafting Privacy Notices.
B2B Agreements & Arrangements
If your company shares personal data externally or receives personal data, make sure that these activities are properly regulated.

Data Protection Assessment

Data Protection Assessments

In complying with the strict provisions of the GDPR, Gonzi & Associates, Advocates can assist by first identifying any functions, processes and areas that involve the processing of personal data, including but not limited to:

  • Employee contact details
  • Payroll data
  • Customer contact data
  • Mailing lists; and
  • Online forms

Through this preliminary information audit, we are able to assess and identify what personal data is being processed and the reasons for such processing. For any company to be able to collect and use personal data, a lawful basis needs to be identified for every processing activity. Furthermore, companies are obliged to limit the storage of such data, ensuring that personal data is only retained for the period in which it is required.

Gap Analysis & Action Plan

Identification of Gaps in Compliance & Formulation of an Action Plan

Gonzi & Associates, Advocates can assist in:

  • Implementing a GDPR compliance checklist, the aim of which is to identify the gaps in compliance found up to this stage.
  • Formulating an action plan and documenting the measures and actions that are to be taken to achieve compliance in each area.

The GDPR itself requires that entities implement procedures which ensure that data remains protected. The regulation highlights the need to implement appropriate technical and organisational measures, which may include internal data protection policies such as staff training, maintaining relevant documentation on processing activities, appointing a data protection officer and implementing measures that meet the principles of data protection. These measures may include pseudonymisation, anonymisation and encryption.

Privacy Notices - External Facing

Drafting of External Facing Privacy Notices

In ensuring full compliance, our firm can also assist with drafting Privacy Notices. Moreover, since the company's activities may rely on consent as the basis for its processing activities, we would need to review the consent mechanisms and ensure that they are clear and unambiguous, opt-in, and not bundled with any T&Cs.

B2B Agreements and Arrangements

Arrangements with Third Parties

The GDPR requires that certain safeguards and arrangements are in place when an entity shares personal data externally or receives such personal data. This is achieved through the implementation of appropriate Controller-Processor or other Data Sharing or Data Processing Agreements, most notably DPAs. We can assist by reviewing existing arrangements or drafting new agreements with your service providers, who may be controllers, processors or both.


Here to help.

The Process

  1. Preliminary Meeting – Our expert lawyers will invite you for a preliminary meeting during which you will be invited to provide an overview of your expected deliverables. Our lawyers will provide an initial overview of the applicable laws and advise as to the appropriate steps going forward.
  2. Engagement & Onboarding – Upon engagement, you will be invited to create your own custom Client Portal. This will help you keep track of our work for you.
  3. Gap Analysis & Action Plan – Our lawyers will implement a GDPR compliance checklist. The aim is to identify gaps in compliance and formulate an action plan.
  4. Delivery – Our expert lawyers will conduct the matter and deliver any deliverables within agreed time frames. Throughout the whole process, you will have full visibility of all the work done through continuous updates and your own Client Portal.

Specialising Lawyers

Senior Associate

Dr Augusto Quintano

Augusto Quintano joined the Firm in 2015. He graduated with a Doctor of Laws from the University of Malta after completing the final year of his studies in 2016. He then furthered his studies by obtaining a Master of Laws in 2020, with an in-depth focus on financial services regulation. Augusto's main legal focus is in fact financial services law, and he heads the Firm's Financial Services Department. He also assists clients in matters of regulatory compliance, contract law and gaming matters. His expertise leads him to regularly serve on the Boards of key market players in the jurisdiction, offering guidance and advice therein.

Augusto’s other interests include planning road trips, movie nights, and playing the violin with various ensembles.

Education

2020: Master of Laws, University of London
2018: Post Graduate Diploma in Laws, University of London
2016: Doctor of Laws, University of Malta
2016: Maltese Financial Regulations, Institute of Financial Services
2014: Diploma of Notary Public, University of Malta
2013: Bachelor of Laws, University of Malta

Professional Experience

2020: Senior Associate, Gonzi & Associates, Advocates
2017: Associate Lawyer, Gonzi & Associates, Advocates
2015: Legal Trainee, Gonzi & Associates, Advocates
