The General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), implemented by the Data Protection Act (Act XX of 2018) (Chapter 586) (‘the Act’), places direct data processing obligations on companies at an EU-wide level.
The GDPR applies to “processors” and “controllers” of personal data. Whereas the data controller determines the purposes and means of processing the personal data, the data processor only processes the personal data on behalf of the data controller (a payment provider, for example). By collecting data to sell and market products, eCommerce retailers are likely to fall under the definition of a controller.
The GDPR requires that a data controller only engages a data processor who offers sufficient guarantees. These guarantees should be included in a written contract between the data controller and processor. The contract must also contain a number of mandatory clauses, including, for example, a clause stipulating that the data processor will only process personal data on the documented instructions of the data controller.
In Malta, the Office of the Information and Data Protection Commissioner (‘IDPC’) is the Data Protection Authority (DPA) responsible for monitoring and enforcing the application of the provisions of the Act and the GDPR, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of personal data and to facilitate the free flow of personal data between Malta and other Member States.
The GDPR applies to any business that processes personal data by automated or manual means. Article 4 of the GDPR defines ‘personal data’ broadly. Essentially, it refers to any identifier from which an individual can be directly or indirectly identified. The individual’s consent must be obtained every time his/her personal data is collected.
According to the GDPR, a company can only process personal data under certain conditions. For instance, the processing should be fair and transparent, for a specified and legitimate purpose and limited to the data necessary to fulfil this purpose. It must also be based on one of the following legal grounds:
According to the GDPR, actions such as collecting, using and deleting personal data all fall within the definition of processing personal data. The GDPR applies strict rules for processing data based on consent. The purpose of these rules is to ensure that the individual understands what he or she is consenting to.
This means that the consent should be freely given, specific, informed and unambiguous, by way of a request presented in clear and plain language. Furthermore, consent should be given by a statement or an affirmative act, such as checking a box online or signing a form. In particular, in the case of special categories of personal data (sensitive personal data), consent must be explicitly expressed. The data subject must be informed of his/her right to withdraw consent to the processing of his/her data at any time. In fact, under the GDPR, “it shall be as easy to withdraw as to give consent”.
Companies must provide individuals with information on who is processing what and why. At a minimum, this information must clearly state:
In some cases, the information must also state:
Right to access and right to data portability
Individuals have the right to request access to their personal data, free of charge and in an accessible format.
If you receive such a request, then you have to:
In addition, when the processing is based on consent or a contract, the individual can ask for their personal data to be returned or transmitted to another company. This is known as the right to data portability. The data should be provided in a commonly used and machine-readable format.
Right to erasure (right to be forgotten)
In some circumstances, an individual can request that the data controller erase their personal data, such as when the data is no longer needed to fulfil the processing purpose. However, your company is not obliged to comply with an individual request if:
Right to correct and right to object
If an individual believes that their personal data is incorrect, incomplete or inaccurate, he or she has the right to have it rectified or completed without undue delay. An individual may also object at any time to the processing of their personal data for a particular use when your company processes it on the basis of your legitimate interest or for the performance of a task in the public interest. Unless you have a legitimate interest that overrides the interest of the individual, you must stop processing the personal data. Likewise, an individual can ask to have the processing of their personal data restricted while it is determined whether or not your legitimate interest overrides their interest. However, in the case of direct marketing, you are always obliged to stop processing the personal data at the request of the individual.
Appoint a Data Protection Officer
A DPO is responsible for monitoring your compliance with the GDPR. One of the DPO’s core tasks is to inform and advise the employees who carry out the actual processing of personal data about their obligations. The DPO also cooperates with the DPA, serving as the contact point for both the DPA and individuals.
However, your company is only required to appoint a DPO if:
For example, if you process personal data to target advertising through search engines based on people’s online behaviour, then the GDPR requires that you have a DPO. If, however, you only send your clients promotional material once a year, then you will not need a DPO.
Responding to requests
If your company receives a request from an individual who wants to exercise their rights, you should respond to this request without undue delay and in any case within 1 month of receiving the request. However, this response time may be extended by 2 months for complex or multiple requests, so long as the individual is informed about the extension. Furthermore, requests should be dealt with free of charge. If a request is rejected, then you must inform the individual of the reasons for doing so and of their right to file a complaint with the DPA.
Demonstrate compliance and keep records
One of the GDPR’s core principles is to demonstrate compliance. Therefore, as a company you must be able to prove that you act in compliance with the GDPR and that you satisfy all applicable obligations, in particular, upon request or inspection from the DPA.
It is therefore suggested that detailed records be kept on the following:
Furthermore, your company should also maintain — and regularly update — written procedures and guidelines and make them known to your employees.
Data Protection Impact Assessment (DPIA)
A DPIA must be conducted whenever the intended processing would pose a high risk to the rights and freedoms of individuals. This would be the case, for instance, when new technologies are introduced.
For cross-border processing, a supervisory authority of another country, and not your national DPA, may be the competent authority. Typically, this is the DPA of the country that hosts your company’s main establishment (where decisions about the means and purposes of processing are made) within the EU.