FAQ - Frequently Asked Questions

What does the General Data Protection Regulation and the Data Protection Act regulate?

The General Data Protection Regulation (GDPR), as further complemented by the Data Protection Act, makes provision for the protection of individuals against the violation of their privacy through the processing of personal data. The law establishes obligations on data controllers on how personal data is to be processed, based on the principles relating to the processing of personal data (Article 5 of the GDPR).

What is processing?

Processing is any operation which is performed on personal data or on sets of personal data, whether or not by automated means. Article 4 of GDPR states many possible actions which are considered processing, such as “collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

What is personal data?

Personal data is any information relating to an identified or identifiable natural person (defined as the “data subject” by the Regulation). An identifiable natural person is one who can be directly or indirectly related to that data, which means there are many possible identifiers, such as an identification number, location data or an online identifier (e.g., name, phone number, photograph, email address, or even an IP address where it is uniquely attributable to a specific terminal and user).

Structured filing system:

In order to fall within the scope of the GDPR, the personal data must be contained, or intended to be contained, in a filing system, whether processed by automated means or manually. Therefore, according to Recital 15 of the GDPR, files which are not structured according to specific criteria should not be considered personal data and are not covered by personal data protection.

Automated decision making:

The GDPR has provisions on cases where a decision is taken solely by automated means, without any human involvement, and also concerning profiling (automated processing of personal data to evaluate certain personal aspects of an individual). In this regard, profiling may be part of an automated decision-making process.

Article 22 of the GDPR lays down additional rules to protect individuals and only permits solely automated decision-making where the decision is: necessary for entering into or performing a contract; or authorised by Union or Member State law applicable to the controller; or based on the individual’s explicit consent. Where it is permitted, the controller shall identify whether any of its processing falls under Article 22 and, if so, make sure to provide individuals with the right information and introduce simple ways to request human intervention or to challenge a decision.

By way of additional background, you might have a look at the EDPB Guideline concerning this topic.

Household exemption:

The GDPR does not apply to personal data processed in the course of a purely personal or household activity with no connection to a professional or commercial activity. In other words, processing for domestic purposes is outside the scope of the GDPR. For example, if you only use personal data for private matters such as communicating with family and friends, or taking pictures for your own enjoyment, the processing does not fall within the scope of the GDPR.

What is a Data Controller?

A data controller is a natural or legal person who determines the purposes and means of the processing. It may also be a public authority, agency or other body.

Once controllers define the purpose of the processing, they are the main decision-makers in that processing. If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they are joint controllers. On the other hand, the person acting on behalf of the controller, normally following its instructions, is defined by the GDPR as the processor.

To determine whether you are acting as a controller or a processor, your responsibilities and the data processing activities concerned are to be considered. If a person exercises overall control over the purpose and means of the processing of personal data, deciding even what data to process and why, that person is a controller. In contrast, if a person is only acting on a client’s instructions, it is likely to be a processor.

What are the principles relating to the processing of personal data?

The principles are set out in Article 5 of the GDPR and require that information is handled properly. The main principles can be listed as follows: lawfulness, fairness and transparency; purpose limitation, i.e. collecting data for specified, explicit and legitimate purposes; data minimisation, i.e. processing data that is adequate, relevant and limited to what is necessary; storage limitation, to ensure an appropriate retention period; accuracy; integrity and confidentiality; and accountability, which must be demonstrable.

Further information about the principles, including additional provisions on the lawfulness of processing, can be found in Chapter II, Articles 5 to 11 of the GDPR.

What are the Rights of Data Subject?

The Data Protection Regulation provides several rights to the data subject under Articles 12 to 23. In summary, the individual has the right to information, access, erasure, restriction, objection (including to marketing and profiling), portability, and also the right not to be subject to a decision based solely on automated processing, including profiling.

Specifically concerning the right to information (Articles 13 and 14 GDPR), at the time when personal data are obtained, the controller shall provide the data subject with all the information listed under Article 13 of the GDPR, such as the purposes of the processing, the contact details and identity of the controller, etc.

In addition, the information provided must be transparent in accordance with Article 12, which stipulates that the controller shall take appropriate measures to provide the information in a “concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child”.

It is important to know that all these rights can be exercised directly with the data controller or with the Data Protection Officer (DPO) where such a person is appointed. Moreover, the controller shall provide a response within one month from receipt of the request, in accordance with Article 12. Subsequently, if the controller fails to respond, or if the data subject is otherwise not satisfied with the reply, the data subject may lodge a complaint through our online form.

The controller may extend the time to respond if the request is complex or when it receives several requests from the same individual; however, in such cases the controller should reply within one month of receiving the request and explain why the extension is necessary.

What is the Right of Access?

The right of access, commonly referred to as subject access, allows individuals to obtain a copy of their personal data as well as other additional information, such as the purposes of the processing, the categories of personal data concerned and the existence of automated decision-making, including profiling. It helps individuals understand how controllers are using their personal data and verify that the processing is lawful.

Among the possible requests, data subjects may request confirmation as to whether their personal data is being processed and, where this is the case, a copy of the personal data held and the other supplementary information listed under Article 15 of the GDPR (mainly the same information which should be provided as part of the Data Protection Notice). Such a Notice should include at least contact details, the type of data being processed, the lawful basis for processing, how the data will be processed, the applicable retention period and a list of the data subject’s rights.

This right is to be exercised directly with the data controller, and the data subject may therefore submit a formal request. Following such a request, the controller shall provide a response within one month from receipt of the request, in accordance with Article 12 of the GDPR. Subsequently, if the controller fails to respond in a satisfactory manner within the one month stipulated by law, the data subject may wish to pursue a complaint through our online form.

What is the Right to Erasure ('Right to be forgotten')?

Under Article 17 of the GDPR, an individual has the right to have personal data erased; however, the right is not absolute and only applies in certain circumstances, namely:

  • The personal data is no longer necessary for the purpose for which it was originally collected or processed;
  • The consent was the lawful basis for holding data and the data subject withdrew it;
  • Where there is no overriding legitimate interest to continue this processing;
  • Where there is an individual objection to the processing for direct marketing;
  • The personal data was unlawfully processed;
  • Where the processing is still necessary to comply with a legal obligation.

Where individuals are unsure of the source from which their personal data has been obtained, they may file a right of access request directly with the controller to request information on the processing of their personal data and on the source from which such data was obtained and further processed. With this information in hand, data subjects can decide which additional steps to take. For instance, in the case of marketing, data subjects are able to unsubscribe and request the erasure of their personal data, exercising that right directly with the controller as well as with any other entities indicated as the original source of the information.

Where the controller does not adequately respond to the requests, the data subject may lodge a complaint with this Office by using the form available on our website.

How can I use CCTV responsibly at my residence?

A domestic CCTV system is any video surveillance equipment mounted or fixed on someone’s home. It is reasonable to use surveillance camera systems to protect and monitor your property; however, the privacy of other individuals needs to be respected.

Controllers capturing images beyond their property boundary shall have a clear and justifiable reason for doing so. In fact, they must be able to explain the reason for, and the necessity of, such footage if an individual or the Commissioner requests it.

Since the controller decides to install the CCTV system and assumes the associated risk, it is important to ensure that neighbours and passers-by are warned about such monitoring by means of appropriate signage. Apart from this, the controller should ensure that the capture of recordings is necessary to achieve the purpose for which the surveillance camera(s) are installed.

Even when cameras are installed for domestic use, capturing images of third parties outside your property falls within the scope of the data protection laws, and it is therefore essential to limit as much as possible the capture of areas outside your property to avoid possible intrusion on the rights of other persons. The controller would need to justify why an area or areas beyond the boundary of their property are captured. For further study, the EDPB has published guidelines on video surveillance, and the ECJ has also ruled on domestic CCTV.

Regarding the retention period, the legal requirement is to keep the footage for no longer than is necessary. This implies deleting or overwriting images when they are no longer needed. One relevant question to ask is whether a live feed, i.e. viewing the images in real time, would be enough instead of recording them. In such cases, live viewing may have a lower impact on data subjects, provided that the live images are not uploaded or streamed to a publicly available source. Uploading or streaming footage to a public source would need to satisfy a lawful ground for processing.

It is not within the role of this Commissioner to authorise specific retention periods proposed by a controller. In this regard, the GDPR provides for a risk-based approach and, consequently, it is for the controller to assess the risks involved and determine storage periods commensurate with such risks.

Our role is to investigate and determine whether the retention periods are appropriate, taking into account the operational risks involved. Nevertheless, under normal circumstances, recorded images should not be kept for more than a few days, which are generally deemed sufficient for the controller to investigate security incidents. Where an incident requiring investigation occurs, the controller may keep extracts of the relevant footage. In this regard, specific controls should be in place to ensure that access to recordings is logged and auditable.

What is the retention period to keep personal data records?

Article 5(1)(e) of the GDPR stipulates that any information collected should not be retained for longer than is necessary for the purposes for which the personal information is processed.

Given that the General Data Protection Regulation (GDPR) adopts a risk-based approach, it is the responsibility of the controller to ensure that retention/storage periods are justified and not longer than what is strictly required.

Nevertheless, the controller may wish to note that the law requires a data protection impact assessment (DPIA) to be carried out where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals. More information about these instances, and about when you would need to consult this Office, is available on the following link.

The GDPR also requires the controller to inform individuals about the intended storage periods or, at least, the criteria used to determine such retention periods, by referring to the specific legal obligations laying down a mandatory retention period. For example, the retention period for telephone recordings varies depending on the purpose for which such recordings are processed; however, as a general rule, and in line with established EDPB guidelines, telephone recordings ought not to be kept for longer than thirty (30) days.

Does the Commissioner have the role to approve or otherwise authorise any document or policy?

The Commissioner does not have the role of proofreading documents prepared by entities to assess whether they are compliant with the legal framework. Consequently, specific reviews or approvals of policies are not possible. The role of supervisory authority would create a conflict in cases where an individual files a complaint about a policy or text which this Office had specifically reviewed or approved.

The General Data Protection Regulation (GDPR) adopts a risk-based approach, and it is therefore up to the respective entities to ensure compliance with the relevant obligations. Entities are recommended to ascertain which lawful basis for processing personal data applies, in order to comply with the principles of Article 7 of the GDPR.

Furthermore, and apart from consent, the controller would need to comply with the transparency requirements laid down by Article 13, which outlines the information that should be provided to individuals upon collecting their personal data. The Commissioner has also developed a template information clause which is available on the following link.

What are the data protection concerns about posting pictures and videos on social media?

Private images or videos identifying a natural person should not be posted online via social media or another platform without the consent of the data subject. Doing so may constitute an infringement of the GDPR, unless the processing of personal data is undertaken in the course of a purely personal activity.

Therefore, pictures or videos shared directly on a personal, one-to-one basis through a private chat, and not made available elsewhere, fall outside the scope of the law. However, the situation changes if the material is made available on a publicly available source or used for purposes beyond the personal scope.

The purpose of the processing shall be considered before any posting. When a person posts a photo or video of someone else on an open social media profile, such an upload would need to satisfy one of the lawful criteria for processing set out under Article 6(1) of the GDPR, e.g. obtaining consent from the individuals portrayed in the image.

Without a lawful basis, the upload would be unlawful, and the individual would have the right to request its deletion, initially from the person or organisation uploading the images and from the relevant social media platform, and subsequently to exercise the applicable remedies contemplated in Chapter 8 of the GDPR, which include filing a complaint with a supervisory authority, filing a claim for compensation, seeking redress in court, etc.

How to conduct research in compliance with the GDPR and the Data Protection Act?

Given that, in principle, research is conducted on a voluntary basis, the processing of personal data as part of research requires the prior consent of the individuals concerned (in the case of minors, through their parents). In addition, individuals shall be provided with sufficient information about the intended processing as part of the research project. For this purpose, an information notice in line with the requirements of Article 13 GDPR shall be drawn up.

Where the processing involves health, biometric or genetic data, the procedure also requires ethical approval from a Research Ethics Committee recognised by the Commissioner. Approval from the appropriate ethics committee constitutes a positive opinion for the purposes of the Commissioner’s endorsement.

Where the research is related to academic studies linked to a university or similar institution, the researcher would need to obtain ethics approval from the University Research Ethics Committee within the University of Malta, or from another recognised ethics committee within the specific institution, if available. However, there are other situations where the research is purely medical and not related to the attainment of a university-related qualification. In such cases, approval has to be obtained from the Health Ethics Committee.

Furthermore, personal data shall be retained only for as long as required to finalise the research project, and specific measures shall be taken to render the information unidentifiable as soon as possible. Visual images shall also be subject to prior consent, with clear information about where the data will be published.

How to report a Data Breach?

In the case of a data breach which is likely to result in a risk to the rights and freedoms of data subjects, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify this Supervisory Authority. Such notifications shall be submitted using the specific form available on our website.

In addition, where the assessment of the severity of the breach will take longer than the timeframe stipulated by law, the controller should submit a preliminary notification and then the final notification within 10 working days.

The data breach report generates a reference number, which is indicated in the acknowledgement email received following the submission of the online form. It is important to keep it, since this number should be cited in any further communication with this Office on a notified data breach.

Where to request information about the Schengen Information System (SIS II) regarding an entry ban?

In Malta, such requests should be made directly to the National Competent Authority responsible for SIS II, which is the Police.

The Commissioner therefore advises requesting this information from the following address: The Data Protection Officer, Legal Unit, Police Headquarters, Floriana. Email dpu.police@gov.mt and telephone +356 21224001. In addition, further information about the exercise of data subjects’ rights in respect of personal data processed in the SIS is available on the following link.

What are the direct marketing rules?

The sending of marketing communications is subject to the GDPR and also to specific national provisions regulating electronic communications, “Subsidiary Legislation 586.01”. Where the intention is to send electronic marketing specifically, S.L. 586.01 applies, as further complemented by the GDPR.

That regulation stipulates that such communications are only permissible with the prior consent of the individual, or where the same individual has provided his/her contact details to the same entity in the context of acquiring similar products or services.

It is essential for controllers to ensure that consent is documented, so as to be able to demonstrate and justify the processing in the event of a contention raised by the data subject.

Furthermore, individuals shall be adequately informed about the intended use of their personal data within the meaning of Article 13 of the GDPR, and in particular of their right to object at any time to receiving further marketing communications.

In the case of emails, an unsubscribe option/link should also be provided to facilitate this.

What are the restrictions on international transfers?

As the GDPR primarily applies to controllers and processors located in the European Economic Area (the EEA), there is a risk of losing the protection afforded by the GDPR when transferring personal data outside the EEA. Consequently, before transferring personal data outside the EEA, the controller needs to ensure that there are sufficient guarantees for the protection of the personal data.

Primarily, the controller needs to check whether the third country to which the data will be transferred affords an adequate level of data protection. Such adequacy is declared by the EU Commission when it issues an “adequacy decision”. This decision is a finding by the Commission that the legal framework in place in that country, territory, sector or international organisation provides ‘adequate’ protection for individuals’ rights and freedoms in respect of their personal data. Please follow the link to the adequacy decisions on the European Commission’s website.

In the absence of an adequacy decision, the controller would need to put in place “appropriate safeguards” in accordance with the GDPR (Article 46) and ensure that both parties will legally protect individuals’ personal data. These appropriate safeguards may be provided by means of standard contractual clauses adopted or approved by the EU Commission. Where such contracts are used without any modifications, no specific authorisation from our Supervisory Authority is required.

The Commissioner encourages the use of standard contractual clauses (SCCs) in order to ensure that the rights of individuals are safeguarded even in countries which do not ensure an adequate level of protection.

There are other adequacy tools which the controller may consider. Binding Corporate Rules (BCRs) could be a suitable option for a group of companies with establishments located outside the EU. BCRs trigger a cooperation procedure between the supervisory authorities involved, mainly the lead and concerned SAs. This cooperation results in a decision from the supervisory authorities as to whether the BCRs may be used to regulate data transfers outside the EU.

Other situations relate to legally binding agreements or administrative arrangements for the public sector. These can also be relied upon as adequacy tools. For administrative arrangements, the Commissioner would need to approve such transfers.

Moreover, the derogations contemplated under Article 49 of the GDPR remain as a last resort to justify the transfer of personal data outside the EEA. Such derogations only apply where the transfer is necessary and not repetitive, suitable safeguards are in place, and only a limited number of data subjects are concerned (Art. 49(2)).

How to file a complaint?

Where a data subject feels that his or her data protection rights have been infringed, the individual may lodge a complaint with this Office against the data controller responsible for the processing.

To submit a complaint, individuals, or the legal person acting on their behalf, are to fill in our dedicated online form, attaching appropriate evidence.

The complainant’s personal data will be processed for the purpose of investigating the complaint, as detailed in our data protection policy. The complainant may choose to remain anonymous but, in that case, this Office may not be able to send an acknowledgement, investigate the case or inform the complainant of the outcome.
