Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

A data controller must implement appropriate technical and organisational measures to protect personal data against destruction, loss or any form of unlawful processing. Security measures must consider:

  • available technical possibilities;
  • the cost of implementing the security measures;
  • special risks that exist in the processing of personal data; and
  • the sensitivity of the personal data being processed.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

The Processing of Personal Data (Electronic Communications Sector) Regulations (Subsidiary Legislation 440.01), which implements EU Regulation 611/2013, imposes an obligation on electronic communications providers to notify any personal data breach to the subscriber or individual concerned. This notification must be made when the breach:

  • is likely to affect the personal data or privacy of the person involved adversely; and
  • is made in addition to the notification that must be made to the Office of the Information and Data Protection Commissioner.

The notification obligation to the subscriber or individual may be waived only if encryption measures have been undertaken by the electronic communications provider to the Office of the Information and Data Protection Commissioner’s satisfaction, rendering the data concerned unintelligible to an unauthorised person.

The Electronic Communications Networks and Services (General) Regulations (Subsidiary Legislation 399.28) provide that where there is a significant risk of a breach of security or integrity of the services or network, the provider must appropriately, and without undue delay, notify any users concerned of the possible risks and remedies available, as well as contact points for more information. Where the Communications Authority – the authority responsible for network security in Malta – determines that the network security breach is in the public interest, it may inform the public or require the undertaking concerned to do so accordingly.

Are data owners/processors required to notify the regulator in the event of a breach?

While there is no clear general obligation established in the Data Protection Act regarding the notification of unauthorised access to the information held by data controllers, providers of publicly available electronic communications services are subject to such an obligation. Such providers must notify a personal data breach to the Office of the Information and Data Protection Commissioner immediately. 

Click here to view the full article.