Action 11 in Malta

In accordance with Data Protection Directive 95/46/EC, Member States will enable citizens to have electronic access to those personal data that are held on them when available electronically and will inform them electronically whenever such data are being processed by automatic means, in a simple and unambiguous manner.

Indicator: Under the existing Directive (95/46/EC), does your legislation give your citizens the right to have electronic access to their personal data that are held by third parties in electronic form?

Status: No

Evidence: The right of access available to the data subject is regulated by article 21 of the Data Protection Act (Cap 440 of the Laws of Malta). The right is instigated upon a written request signed by the data subject. The data controller has no obligation to provide access in the absence of a written request signed by the data subject. If a written request is made and signed by the data subject, the data controller is obliged to provide written information on the following:

1) The actual information being processed;
2) When the information was collected;
3) The purpose of the processing;
4) The recipients or categories of recipients to whom the information is disclosed; and
5) Knowledge of the logic involved in any automatic processing of personal data (basically the input and output of the processing operation).

The Article does not specify the means by which the information is to be provided (i.e. electronic or manual). The obligation is to provide access. There is no specific right to be granted access electronically if the data is in electronic form. The data controller may opt to provide the data in manual form.

Indicator: Under the existing Directive (95/46/EC), does your legislation give your citizens the right to be informed electronically whenever their personal data are processed by automatic means?

Status: No

Evidence: The right to be informed is dealt with in two instances under the Data Protection Act:

1) Article 19 – when data is collected from the data subject himself; and
2) Article 20 – when the data is collected from other sources and not the data subject himself.

When it is collected from other sources, the right does not apply if disclosure is mandated by law or if the data is collected for statistical purposes, or historical or scientific research. Of course, the assumption in the latter cases is that the processing is either strictly regulated by another law, or the personal data is anonymous or in a form which will not affect decisions on the data subject in the case of statistics and other research.

The obligation is again on the data controller to provide the following information:

1) Details of the controller;
2) The purpose of the processing; and
3) Further information.

Where data is collected from the data subject:
(a) The recipients or categories of recipients (i.e. to whom the data is disclosed);
(b) Whether information being requested is voluntary or obligatory, and the consequences of failure to reply to any questions; and
(c) Reference to the rights of the data subject, i.e. to make a subject access request, to rectify data and, where applicable, to erase.

Where data is collected from other sources:
(a) The data being held;
(b) The recipients or categories of recipients (i.e. to whom the data is disclosed);
(c) Reference to the rights of the data subject, i.e. to make a subject access request, to rectify data and, where applicable, to erase.

The obligation applies unless the data subject already has this information. Again, the means of providing this information is not expressly mandated – so it may be provided in manual or electronic form.