sets out the key definitions contained in the Data Protection Act, explaining
what they mean in practical terms, and where the Act applies.
What is the
scope of the Data Protection Act?
The Act aims
to protect the individuals against the violation of their privacy by the
processing of “personal data”.
Personal Data means ANY
(a) Relating to
an identified or identifiable natural person;
identifiable person is one who can be identified, directly or indirectly, in
particular by reference to an identification number or to one or more factors
specific to his physical, physiological, mental, economic, cultural or social
The term “any” makes it clear
that the spirit of the Act is not to narrow the definition by listing what
constitutes information, for instance, a person’s name and surname, but leaves
the definition open to interpretation.
Indirectly Identified: A photographer published a photo of a vehicle registration
number. This number does not identify individuals by name, but bear unique
reference numbers can be matched to a system to identify the individuals
concerned. The vehicle registration number is personal data.
Directly Identified: A photographer publishes a photograph of a
person which clearly identifies him or her.
means a natural person to whom
the personal data relates. A deceased person and a legal
person are not considered as data subjects.
Controller of personal data means a person who alone or jointly with
others determines the purposes and means of the processing of personal data. A data controller could be
individuals, organisations or any other body corporate. Data controllers must ensure that any
processing of personal data for which they are responsible complies with the
Processor means a person who processes personal
data on behalf of the controller.
A company engages another company
to provide an internal business service on its behalf, such as, the employees’
payroll. The carrying out of processing by way of processor is to be governed
by a contract or other legally binding instrument.
of personal data, mean
any operation or set of operations which is taken in regard to personal data,
including the collection, recording, organisation, storage, adaptation,
alteration, retrieval, gathering, use, disclosure by transmission,
dissemination or otherwise making information available, alignment or
combination, blocking, erasure or destruction of such data.
Applicability of the Data
The Act applies to:
(a) manual, automated or partly automated
processing operations which is intended to form part of a structured filing
processing of personal data carried out by a controller in Malta or in a
Maltese Embassy or High Commission abroad;
processing of personal data where the controller is established in a third
country provided that the equipment used for the processing is situated in
Malta (shall not apply if the equipment is used only for purposes of transit of
information between a third country and another such country).
The Act does not apply to:
(a) processing of personal data where such
processing is undertaken by a natural person in the course of a purely personal
If a person takes a photograph of a number plate of another person and
keeps the image on his mobile phone or installs a CCTV camera system to capture
the perimeter of own property, the Act shall not apply due to the household
exemption. However, when publishing the photograph or publicly streaming the
recorded footage of the CCTV camera, which contains personal data, the Act
shall apply and the person would assume the role of a data controller.
(b) processing operations concerning public
security, defence, State security and activities of the State in areas of