Legal Criteria for Processing

Article 9 of the Data Protection Act sets out the legal grounds for the processing of personal data. This means that, when processing personal data, a data controller is required to satisfy one of these criteria to legitimise the processing operation.

(a) The data subject has unambiguously given his consent;

Consent can be given orally, in writing or in any other appropriate form, and the data subject can be considered to have freely given consent after being adequately informed. Such consent can in principle be withdrawn without retroactive effect.

(b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

This applies when two parties mutually agree to enter into a contractual agreement which entails the processing of personal data.


An individual enters into a two-year contract with a service provider; the service provider processes such personal data in terms of the contractual agreement.

(c) Processing is necessary for compliance with a legal obligation to which the controller is subject;

This applies wherever there is a statutory duty that obliges the data controller to process personal data.

(d) Processing is necessary in order to protect the vital interests of the data subject;

This condition applies in life-or-death situations, such as where an individual’s medical history is disclosed to a hospital’s Accident and Emergency department treating them after a serious road accident, where the individual’s consent cannot be given or when the individual’s consent has been reasonably withheld.

(e) Processing is necessary for the performance of an activity carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed;


In terms of article 36 of the Malta Statistics Authority Act, the NSO has the power to request “any person or undertaking to complete a form, questionnaire or other record” for the purposes of obtaining statistical information.

The Courts of Justice, being an official authority, after various attempts to deliver the service of a judicial act, in terms of article 187 (3) of the Code of Organization and Civil Procedure, may order that such service is effected by publishing a summary containing personal data in the Gazette.

(f) Processing is necessary for a purpose that concerns a legitimate interest of the controller or of such third party to whom any personal data is provided, except where such interest is overridden by the interest to protect the fundamental rights and freedoms of the data subject and in particular the right to privacy;

A balancing exercise must be carried out to weigh the legitimate interest on the one hand against the data subjects’ fundamental rights and freedoms on the other. For an interest to be legitimate, it must be compelling and beneficial to society at large. The data controller must indeed have a significant benefit to derive from the processing of the personal data, and such benefit should not be vague, frivolous or based on mere conjecture.

This balancing test is not a simple analysis but places a responsibility on the Commissioner to assess all the elements which may be pivotal to determine whether the impact on the rights of the data subjects is significant enough to override the processing undertaken by a data controller.


A journalist might argue that, notwithstanding that a public figure is enjoying his or her private life, photographs may be taken and published without the required consent since the general public will have a legitimate interest in knowing the public figure’s whereabouts or how she or he behaved generally in their private life. However, this is not always the case, as has been decided by the European Court of Human Rights numerous times.

An individual is to institute court proceedings against his debtor because the debtor did not honor such payments; the individual therefore discloses the debtor’s personal data to his lawyer for this purpose. In this case, although the debtor has not consented to such disclosure, such processing is legitimate since the individual has a legitimate interest to seek repayment of such debt.

Sensitive data

Article 9 of the Act is strictly limited to the processing of “personal data”, and thus does not extend to the processing of “sensitive personal data”, which means personal data that reveals “race or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, health, or sex life”.

The processing of sensitive personal data is regulated by article 12 et seq of the Act, whereby in principle such data cannot be processed, unless:

(a) the data subject has given his explicit consent, unless to protect the vital interest of the data subject who is physically or legally incapable of giving his consent; or

(b) the data subject has made the data public.

Such sensitive personal data may also be processed if the processing is necessary in order for the controller to comply with his duties or exercise his rights under any law regulating the conditions of employment, or in order to establish, exercise or defend legal claims.