Data Protection

As of May 2018, the ’General Data Protection Regulation’ (Regulation 2016/679/EU) has entered into force in all EU countries including Malta. A new Data Protection Act, 2018 (Chapter 586 of the Laws of Malta), has also come into effect. Data controllers and processors had until this date to prepare for the various new, and in some cases, arduous obligations introduced by the GDPR. The GDPR seeks to:

• Ensure a consistent level of protection for natural persons throughout the Union
• Provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises
• Provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors
• Ensure consistent monitoring of the processing of personal data
• Ensure equivalent sanctions in all Member States
• Ensure effective cooperation between the supervisory authorities of different Member States.

Overview of the GDPR

Applicability of the GDPR

The GDPR applies to:

1. The processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
   1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
   2. the monitoring of their behaviour as far as their behaviour takes place within the Union.

Lawfulness of processing

Processing shall be lawful only if at least one of the following applies:

• Data subject has given consent to the processing of his/ her personal data for one or more specific purposes
• Processing is necessary for the performance of a contract to which the data subject is a party
• Processing is necessary for compliance with a legal obligation to which the controller is subject
• Processing is necessary to protect interests of the data subject or another natural person
• Processing is necessary for the purposes of legitimate interests by the controller or a third party
• Processing is necessary for the performance of a task carried out in the public interest.

Data Subject Rights under the GDPR

The GDPR creates some new rights for the data subjects:

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling.

How can novolegal assist?

We provide practical and business-focused advice to ensure that your business is GDPR compliant and offer a vast array of services in the field of data protection. Our services include the following:

• Legal analysis on the current practices of the company starting from the initial analysis of data collection and data processing procedures and flows;
• Proposals for action in order to be GDPR compliant;
• Drafting of data processing agreements & addenda and drafting of privacy notices for websites and other terms and conditions;
• Drafting of company policies and procedures and other notices and practical guidelines for handling all types of personal data including sensitive data;
• Assistance with Privacy Impact Assessment reports;
• Liaising with the competent authorities;
• Providing Data Security advice such as advising on measures which businesses should implement to address data security and deal with the response to data security breaches;
• Personalised advice the company’s marketing strategies to ensure compliance with the GDPR;
• Advising clients on developing strategies for addressing data subject requests.