Substitution of the Schedule to Transfer of Personal Data to Third Countries Order (S.L.440.07)


The right to privacy is a fundamental human right enshrined and safeguarded in our Constitution. The enforcement of the right to privacy is facilitated by the protection of personal data from abuse. The governing Act in Maltese legislation is Chapter 440, which is in line with the EU Data Protection Directive.

A recent legal notice (L.N.) amending S.L. 440.07 has increased the number of third countries that are exempt from the prohibition on the transfer of personal data to third countries. The ‘Transfer of Personal Data to Third Countries’ Order, S.L. 440.07, now lists a total of 62 third countries to which personal data may be transferred. Third countries are countries that, at the relevant time, are not Member States of the European Union.

Such exemptions apply to the exchange of information for the purpose of implementing the Double Taxation Agreements, Tax Information Exchange Agreements, the Joint Council of Europe/OECD Convention on Mutual Administrative Assistance in Tax Matters, Agreements for the Automatic Exchange of Information on Tax Matters, as well as any Agreement for the Improvement of International Tax Compliance.

What is Personal Data?

‘Personal data’ refers to any information relating to an identified or identifiable natural person (the Data Subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

The Processing of Personal Data

When the processing of personal data is necessary, it must be done in conformity with good working practice. This implies that an entity processing personal data should do so in accordance with responsible professional practices.

Whenever personal data has to be collected, the data subject must always be advised of the reason for the data collection. Furthermore, the purpose of the collection must be both specific and legal. A minimalist approach should be adopted towards the amount of data used: only information relevant to the purpose should be collected. Likewise, where information is transferred from one entity to another, no more information should be transferred than is necessary for the reason the data was requested.

The Data Protection Commissioner must be notified prior to the processing of any personal data by a person or entity. This obligation of notification arises when a data processor processes information relating to an individual who can be identified from the information that the data processor possesses or is likely to possess. As a general rule, any person or entity that employs individuals, collects, stores and/or organises information in relation to clients, or requires users of its website to register on that website is duty bound to notify the Data Protection Commissioner by means of a one-time submission of a notification form.