MALTA Law and Practice Contributed by: Andrew J Zammit, James Bartolo and Nicholas Scerri, GVZH Advocates
4.3 Data Sharing

Key Legal Requirements

The key legal requirements for IoT companies with respect to data sharing are as follows.

• Lawful basis for processing – IoT companies must ensure that any personal data collected and shared has a lawful basis under the Data Protection Act. This includes obtaining explicit consent from data subjects, performing tasks in the public interest, pursuing legitimate interests, etc.
• Transparency and purpose limitation – companies are required to inform data subjects about the purposes of data collection and ensure that personal data is not processed in ways incompatible with those purposes.
• Data minimisation and storage limitation – only data necessary for the specified purposes should be collected and shared, and personal data should not be retained longer than necessary.
• Data protection impact assessments (DPIA) – for high-risk data processing, such as large-scale IoT deployments, businesses must conduct a DPIA to evaluate and mitigate risks before launching new IoT services.
• Consultation with the Information and Data Protection Commissioner (IDPC) – processing biometric, genetic, or health data for public interest or research purposes requires prior consultation with the IDPC.

Thresholds

Whilst the Data Protection Act applies to all entities that process personal data in Malta or that target Maltese residents (regardless of whether they are based in Malta), specific thresholds do exist within Malta such as the following.

• Record-keeping requirements – IoT companies with fewer than 250 employees are exempt from maintaining records of processing activities unless they engage in high-risk processing, such as handling special categories of data or monitoring large-scale data processing.
• Appointment of a data protection officer (DPO) – a DPO is required if an IoT company engages in systematic monitoring of individuals on a large scale or processes special categories of data as a core activity.

Heightened Requirements

Malta imposes stricter regulations on the processing of certain categories of personal data, particularly:

• special categories of personal data as defined in Article 9 of the GDPR;
• health, biometric, and genetic data – processing these data types for statistical, scientific or research purposes requires prior authorisation from the IDPC; and
• identity documents and national identifiers – the processing of identity cards, passports or other national identifiers must be clearly justified and is permitted only under strict legal safeguards.

5. Audiovisual Media Services

5.1 Requirements and Authorisation Procedures

Audiovisual Service Requirements and Applicability – Broadcasting Licences

According to the Broadcasting Act (Chapter 350, Laws of Malta), no one may broadcast audio or video content in Malta for the entire country or any part of it without a written permit from the Malta Broadcasting Authority (MBA), nor may anyone broadcast audio or video content from Malta to any foreign country without a written