TMT 2025

MALTA Law and Practice Contributed by: Andrew J Zammit, James Bartolo and Nicholas Scerri, GVZH Advocates

data be stored on EEA-based servers so that the appropriate regulatory authority can easily access it. The Malta Gaming Authority (MGA), which mandates that regulatory data be accessible, available and traceable, is one example. For this purpose, the MGA demands access to real-time information, which could present problems if such data is in a different jurisdiction or on the cloud. The matter can be solved by real-time replication of the data, on a live replication server in Malta, although this is not the only solution. Discussions with the MGA can serve to address these issues.

Challenges With Technology Agreements in Regulated Industries

Certain regulated industries, such as banking, insurance and gaming, are subject to greater restrictions than others due to their reliance on sensitive data, stringent compliance requirements, and potential risks to consumers and the economy. These industries are typically governed by sector-specific regulations that impose additional obligations when entering into technology agreements, including those for cloud computing, IT services and outsourcing.

Banking and insurance

The MFSA regulates the financial services sector and requires licence holders to comply with strict rules when outsourcing technology services. Key restrictions include the following.

• Materiality assessment – agreements involving critical services, such as data hosting or transaction processing, are deemed material and require prior notification or approval by the MFSA.
• Due diligence and risk management – institutions must assess the technical and financial capability of the service provider, evaluate data security measures, and ensure ongoing compliance with the Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements.
• Audit and access rights – agreements must include provisions granting regulators and the institution the right to audit the service provider and access necessary data for compliance and enforcement purposes.
• Cross-border data transfers – if the technology provider operates outside the EU/EEA, agreements must ensure compliance with the GDPR, particularly regarding international data transfers.

Gaming

The MGA imposes specific restrictions on technology agreements through the Gaming Authorisations Regulations and the Policy on Outsourcing by Authorised Persons.

• Approval of service providers – cloud computing or other IT service providers offering material gaming supplies must be approved by the MGA as part of the licensing process.
• Regulatory responsibility – gaming operators remain fully responsible for outsourced services, including ensuring compliance with AML and data protection laws.
• Mandatory contractual provisions – technology agreements must include clauses addressing data confidentiality, security and service continuity in case of operational disruptions.

Healthcare

Agreements involving patient data are subject to GDPR and local health data regulations, emphasising data security, confidentiality and accountability for processing sensitive personal data.

Telecommunications

Technology agreements must comply with network and information security obligations under

CHAMBERS.COM
