Article 9 of the Data Protection Act
sets out the legal grounds for the processing of personal data. This means that, when processing personal
data, a data controller is required to satisfy one of these criteria to
legitimise the processing operation.
(a) The data subject has unambiguously
given his consent;
Consent can be given orally, in writing or in any other appropriate form, and the data subject
can be considered to have freely given consent after being adequately informed.
Such consent can in principle be withdrawn without retroactive effect.
(b) Processing is necessary for the
performance of a contract to which the data subject is party or in order to
take steps at the request of the data subject prior to entering into a contract;
When two parties mutually agree to
enter into a contractual agreement and which entails the processing of personal
An individual enters into a two-year
contract with a service provider; the service provider processes such personal
data in terms of the contractual agreement.
(c) Processing is necessary for
compliance with a legal obligation to which the controller is subject;
Wherever there is a statutory duty that
obliges the data controller to process personal data.
(d) Processing is necessary in order to
protect the vital interests of the data subject;
This condition applies in
life-or-death situations, such as where an individual’s medical history is
disclosed to a hospital’s Accident and Emergency department treating them after
a serious road accident where the individual’s consent cannot be given or when
the individual’s consent has been reasonably withheld.
(e) Processing is necessary for the
performance of an activity carried out in the public interest or in the
exercise of official authority vested in the controller or in a third party to
whom the data is disclosed;
In terms of article 36 of the
Malta Statistics Authority Act, the NSO has the power to request “any person
or undertaking to complete a form, questionnaire or other record” for the
purposes of obtaining statistical information.
The Courts of Justice, being an
official authority, after various attempts to deliver the service of a judicial
act, in terms of article 187 (3) of the Code of Organization and Civil
Procedure, may order that such service
is effected by publishing a summary containing personal data in the Gazette.
(f) Processing is necessary for a
purpose that concerns a legitimate interest of the controller or of such third
party to whom any personal data is provided, except where such interest is
overridden by the interest to protect the fundamental rights and freedoms of
the data subject and in particular the right to privacy;
A balancing exercise must be carried out to weigh the legitimate interest on the one hand and the
data subjects’ fundamental rights and freedoms on the other. For an interest to
be legitimate, it must be compelling and beneficial to the society at large.
The data controller must indeed have a significant benefit to derive from the
processing of the personal data and such benefit should not be vague, frivolous
or based on mere conjectures.
The balancing test is not a simple analysis but places a responsibility on the
Commissioner to assess all the elements which may be pivotal to determine
whether the impact on the rights of the data subjects is significant enough to
override the processing undertaken by a data controller.
A journalist might argue that, notwithstanding that a public figure is enjoying
his or her private life, photographs may be taken and published without the
required consent since the general public will have a legitimate interest in
knowing the public figure’s whereabouts or how she or he behaved generally in
their private life. However, this is not always the case, as has been decided
by the European Court of Human Rights numerous times.
is to institute court proceedings against his debtor as he did not honor such
payments, thus the individual discloses the debtor’s personal data to his
lawyer for this purpose. In this case, although the debtor has not consented to
such disclosure, such processing is legitimate since the individual has a
legitimate interest to seek repayment of such debt.
Article 9 of the Act is strictly
limited to the processing of “personal data”, thus not extended to the
processing of “sensitive personal data” which means personal data that reveals “race or ethnic origin, political opinions, religious or philosophical
beliefs, membership of a trade union, health, or sex life”.
The processing of sensitive
personal data is regulated by article 12 et seq of the Act, whereby in principle
such data cannot be processed, unless:
(a) the data subject has given his explicit
consent, unless to protect the vital interest of the data subject who is
physically or legally incapable of giving his consent; or
(b) the data subject has made the
Such sensitive personal data may
also be processed if the processing is necessary in order for the controller
to comply with his duties or exercise his rights under any law regulating
the conditions of employment or in order to establish, exercise or defend legal