Data Protection for Organisations
Interpretation of Regulation 4(e) of Subsidiary Legislation 586.09 in Subject Access Requests
Article 23 of the General Data Protection Regulation (GDPR) provides that Union or Member State law may restrict the scope of certain data subject rights and controller obligations where such a restriction respects the essence of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society. The purpose of such restrictions must fall within one of the legitimate aims listed under article 23(1) GDPR. The European Data Protection Board has also issued Guidelines 10/2020 on article 23 GDPR, which clarify that restrictions must be interpreted narrowly and must not undermine the fundamental rights provided under the GDPR. In Malta, article 23 GDPR has been implemented through Subsidiary Legislation 586.09 - Restriction of the Data Protection (Obligations and Rights) Regulations, which sets out the specific grounds under which the rights and obligations under the GDPR may be restricted.
In light of the volume of complaints received by the Commissioner concerning the application of regulation 4(e) of the Subsidiary Legislation 586.09, particularly in the context of subject access requests submitted by individuals seeking access to their personal data from gaming companies, this position statement is being issued to address the legal considerations surrounding the application of regulation 4(e) of the Subsidiary Legislation 586.09, particularly in the context of restrictions imposed on a data subject’s right of access under article 15 GDPR.
Article 15 GDPR grants data subjects the right to obtain confirmation of whether their personal data is being processed, as well as access to such data. This right is also grounded in article 8(2) of the Charter of Fundamental Rights of the European Union, which guarantees individuals access to data collected concerning them. The Court of Justice of the European Union (CJEU) has consistently interpreted article 15 in a broad and purposive manner, affirming that data subjects are not required to justify their access requests. This interpretation is further supported by the European Data Protection Board, which has explicitly stated that controllers should not assess why the data subject is requesting access, but only what is being requested and whether such data is held.
While the GDPR allows for certain restrictions to data subject rights under national law, such limitations must be clearly justified. Regulation 4(e) of Subsidiary Legislation 586.09 provides that “[a]ny restriction to the rights of the data subject referred to in Article 23 of the Regulation shall only apply where such restrictions are a necessary measure required: (e) for the establishment, exercise or defence of a legal claim and for legal proceedings which may be instituted under any law”. However, any such restriction must be assessed strictly in light of regulation 7 of the same legislation, which mandates that any limitation imposed must constitute a necessary and proportionate measure.
For a restriction under regulation 4(e) of Subsidiary Legislation 586.09 to be justified, the controller must demonstrate that it is strictly necessary to defend an actual legal claim or legal proceedings. A restriction cannot be based merely on the possibility that the data subject may initiate legal action following receipt of the information. A hypothetical or speculative rationale does not satisfy the legal threshold. Without clear and substantiated evidence of an existing or imminent legal claim, invoking regulation 4(e) of Subsidiary Legislation 586.09 constitutes an unlawful interference with the right of access.
There is an obligation on controllers who decide to restrict data protection rights based on one of the permissible grounds under article 23 GDPR, as further implemented in national law by virtue of Subsidiary Legislation 586.09, to conduct a necessity and proportionality assessment and to properly document such assessment internally pursuant to their organisational accountability obligations. Pursuant to article 5(2) GDPR, the controller must be able to concretely demonstrate how the restriction is indeed necessary and, if this part of the test is passed, must then proceed to demonstrate that the measure is also proportionate. The case law of the CJEU emphasises that any limitation to the rights of data subjects must pass a strict necessity test. In Case C-73/07, the CJEU held that “derogations and limitations in relation to the protection of personal data … must apply only insofar as is strictly necessary”.
It is therefore imperative that controllers invoking regulation 4(e) of Subsidiary Legislation 586.09 adhere strictly to these legal standards. Restrictions must be supported by objective and verifiable evidence, limited to what is strictly necessary and should not be based on speculative or pre-emptive grounds. The right of access is a cornerstone of data protection law and any interference with this right must be exceptional, justified and fully compliant with both national and European legal requirements.