Data Protection

Updates to Maltese Data Protection Law

17 Dec 2019

3 min read

The last quarter of 2019 brought a number of changes to our data protection legislation.

Secondary Processing of Personal Data in the Health Sector

Legal Notice 263 of 2019 was published in October 2019 and enacts Subsidiary Legislation 528.10, Processing Personal Data (Secondary Processing) (Health Sector).

These Regulations regulate the further processing of personal data in the health sector (also referred to as secondary processing) which processing is not linked to the primary purposes for which the data was originally collected.

Under these Regulations, which Regulations are to be read in conformity with the GDPR, secondary processing of personal data in the health sector shall be permitted where:

  1. The processing and analysis of records are for the purpose of managing and enhancing the health service;
  2. The analysis of health records supplied to the Ministry for Health are to ensure the quality and cost effectiveness of the health services at a national level;
  3. The monitoring of contractual obligations, including for quality control and for the management of information and monitoring of services and systems arising from public-private partnerships and partnerships with non-governmental organisations, are to ensure that such bodies are adhering to their contractual obligations to deliver a safe and accessible service;
  4. The fulfilment of obligations related to the provision of statistical information may involve linkage to existing administrative and disease registers;
  5. The compilation of evidence in medico-legal cases;
  6. The investigation and monitoring of health threats for the protection of public health; and
  7. Access to health records is for the purpose of research activities.

In all other cases not listed within the Regulations, the consent of the data subject must be acquired.

Secondary processing under points (c) and (g) above may only be carried out when such research activities are in the public interest and where the processing may not be conducted with anonymised data, it will only be permissible following approval by the Health Ethics Committee within the Ministry of Health where the research is conducted by the Ministry for Health or its partners and following approval by any other ethics committee recognised by the Information and Data Protection Commissioner where the research activity is carried out by academics or students. Both instances require authorisation from the Commissioner for Data Protection.

Revocation of Outdated Laws

Through Legal Notices 296, 297 and 298 of 2019, outdated legislation which is no longer applicable due to the coming into force of the General Data Protection Regulation (‘GDPR’) in May of 2018 was revoked, namely:

  • N 296 of 2019, Transfer of Personal Data to Third Countries (Revocation) Order, 2019 revoked S.L 586.05, Transfer of Personal Data to Third Countries Order.
  • N 297 of 2019, Notification and Fees (Data Protection Act) (Revocation) Regulations, 2019 revoked S.L 586.02, Notification and Fees (Data Protection Act) Regulations.
  • N 298 of 2019, Third Country (Data Protection Act) (Revocation) Regulations, 2019 revoked S.L 586.03, Third Country (Data Protection Act) Regulations.

Keep abreast with the latest legal developments by following GVZH Advocates on LinkedIn and Facebook. For more information about how we can help you safeguard your data protection rights, write to us at