The General Data Protection Regulation (GDPR) defines that all public authorities must adhere to the regulations thereof and Member State data protection legislation.
In terms of Chapter 363 of the Laws of Malta, the Southern Regional Council (hereafter referred to the ‘Regional Council’) is a statutory local government authority, hence a public authority under the GDPR, having a distinct legal personality and capable of entering into contracts, of suing and being sued, and of doing all such things and entering into such transactions as are incidental or conducive to the exercise and performance of its functions as are allowed under the Act. The full
and updated version of the Act can be reviewed from:
This Data Protection Policy sets out the Regional Council’s commitment to protecting the rights and privacy of individuals and details how to ensure compliance with the GDPR and Maltese data protection legislation.
2. Scope & purpose
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
This policy applies to all personal data processing activities undertaken by the Regional Council and should be read in conjunction with other relevant Regional Council policies and documents. The Regional Council may supplement or amend this policy by additional policies and guidelines
from time to time.
3. Responsibility for this policy
The Regional Council is committed to compliance with The General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act (Cap 586) regulating the processing of personal data whether held electronically or in manual form, and to the protection of the rights and freedoms of individuals whose information it collects and processes.
The Executive Secretary is responsible for ensuring that this policy is implemented by all members of staff and any contracted party. All members of staff have a responsibility to comply with the Regional Council’s Data Protection Policy.
4. Data protection principles
All processing of personal data must be conducted in accordance with the data protection principles set out in relevant legislation. The Regional Council’s policies and procedures are designed to ensure that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1) of the Regulation, not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data
may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation, subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
5. Rights of Individuals whose data is collected
The Regional Council implements appropriate policies and procedures, and facilitates training and provides advice to staff, to ensure that data subjects can exercise their rights as follows:
5.1 Right of access
The Regional Council implements procedures to ensure that requests from data subjects for access to their personal data will be identified and fulfilled in accordance with relevant legislation.
5.2 Right to rectification
The Regional Council is committed to holding accurate data about data subjects and will continue to implement processes and procedures to ensure that data subjects can rectify
their data where inaccuracies have been identified.
5.3 Right to erasure (right to be forgotten)
Data subjects have a right to request the erasure of their personal data in specific circumstances. Where such an objection is received, the Regional Council will assess
each case on its merits.
5.4 Right to restriction of processing
The Regional Council implements and maintains appropriate procedures to assess whether a data subject’s request to restrict the processing of their data can be implemented. Where the request for restriction of processing is carried out, the Regional Council will write to the data subject to confirm the restriction has been implemented and when the restriction is lifted.
5.5 Right to data portability
Where the Regional Council has collected personal data on data subjects by consent or by contract then the data subjects have a right to receive the data in electronic format to give to another data controller. It is expected that this right will apply only to a small number of data subjects.
5.6 Right to object
Data subjects have a right to object to the processing of their personal data in specific circumstances. Where such an objection is received, the Regional Council will assess
each case on its merits.
5.7 Right not to be subject to automated decision making
Data subjects have the right not to be subject to a decision based solely on automated processing, where such decisions would have a legal or significant effect concerning him or her. Data subjects will be informed when elements of processing include automated decision making or profiling.
5.8 Right to complain
The Regional Council implements and maintains a complaints process whereby data subjects can contact the Data Protection Officer. The Data Protection Officer’s role includes working with the data subject to bring complaints to a satisfactory conclusion for both parties. Data subjects are also informed of their right to bring their complaint to the Information and Data Protection Commissioner.
6. Responsibilities of the Regional Council as Data Controller
6.1 Ensuring appropriate technical and organisational measures
The Regional Council implements appropriate technical and organisational measures to ensure the security of personal data.
6.2 Maintaining a record of data processing
The Regional Council maintains a record of its data processing activities in the manner prescribed by the Regulation. The record is reviewed and signed off by the Executive Secretary, on at least an annual basis.
6.3 Implementing appropriate agreements with third parties
The Regional Council will continue to put in place appropriate agreements, memoranda of understanding, bilateral agreements or contracts (collectively “agreements”) with all third parties with whom it shares personal data.
6.4 Transfers of personal data outside of the European Economic Area
The Regional Council does not transfer the personal data of its data subjects outside of the European Economic Area unless an adequate level of protection is ensured. Data subjects will be informed where transfers to a third country are in place.
6.5 Data protection by design and by default
The Regional Council will continue to implement technical and organisational measures, at the earliest stages of the design of processing operations, in such a way that safeguards privacy and data protection principles right from the start (‘data protection by design’). By default, the Regional Council will also continue to ensure that personal data is processed with the highest privacy protection so that by default personal data isn’t made accessible to an indefinite number of persons (‘data protection by default’).
6.6 Data protection impact assessments
The Regional Council will implement procedures and documentation whereby all new types of processing, in particular using new technologies, that result in a high risk to the rights and freedoms of its data subjects shall carry out a data protection impact assessment. As part of this process, a copy of the impact assessment shall be shared with the Regional Council’s Data Protection Officer. Where the Regional Council is unable to identify measures that mitigate the high risks identified, the Regional Council will consult with the Information and Data Protection Commissioner prior to the commencement of processing.
6.7 Personal data breaches
The Regional Council defines a ‘personal data breach’ as meaning a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed (e.g. the most common breach incidents that can occur are correspondence issuing to an unauthorised third party). The Regional Council deems any loss of personal data in paper or digital format to be a personal data breach.
The Regional Council maintains a protocol for dealing with personal data breaches. This protocol establishes the methodology for handling a personal data breach and for notification of the breach to the Information and Data Protection Commissioner and to data subjects where this is deemed necessary.
6.8 Freedom of Information
The Freedom of Information Act obliges the Regional Council to publish information on its activities and to make the information available to citizens. The Regional Council will continue to maintain procedures to ensure that requests for personal data are correctly dealt with under either Data Protection or FOI legislation.
Compliance with relevant data protection legislation is monitored through the Regional Council by the Executive Secretary who continue to:
– Receive regular reports from the Data Protection Officer, including in relation to breaches of personal data;
– Review data protection impact assessments and approve or not the design of data protection elements of projects;
– Instigate investigations of data protection matters of interest where appropriate.
7. The Data Protection Officer’s Responsibilities
The Regional Council has designated a Data Protection Officer who reports to the Executive Secretary. The responsibilities of the Data Protection Officer include the following:
i. Keeping the Data Controller updated about data protection responsibilities, risks and issues;
ii. Acting as an advocate for data protection within the Regional Council, including informing and advising staff of their obligations pursuant to GDPR and other data protection legislation;
iii. Monitoring compliance with data protection legislation;
iv. Ensuring all data protection policies and policies are reviewed and updated on a regular basis;
v. Ensuring that appropriate data protection training and advice is made available to all staff members;
vi. Providing advice where requested in relation to data protection impact assessments and monitoring such assessments to ensure they are completed to an appropriate standard;
vii. Responding to individuals such as customers and employees who wish to exercise their data subject rights;
viii. Ensuring that the Record of Processing Activity is updated regularly.
ix. Acting as a contact point for, and cooperating with, the Information and Data Protection Commissioner
x. Monitoring the process of putting in place appropriate data processing agreements with third parties
xi. Carrying out any reviews or data protection audits as are required or necessary
8. Responsibilities of Staff
All staff processing personal data on behalf of the Regional Council have a responsibility to comply with this Data Protection Policy.
8.1 Training and awareness
All staff will receive training on this policy. New staff members will receive training as part of the induction process. In addition, staff are continuously reminded of data protection obligations through Office
Notices and emails to staff; informal awareness sessions; poster campaigns; corporate newsletters; and via the intranet.
8.2 Consequences of failing to comply
The Regional Council takes compliance with this policy very seriously. If a staff member knowingly or wilfully fails to comply with any requirement, the Regional Council may consider disciplinary action.
9. Queries about Data Protection
Members of the public and members of staff who wish to request more information about data
protection in the Regional Council should contact:
Data Protection Officer
c/o Southern Regional Council
Ħal Qormi, QRM 2504
Telephone: +356 7957 3417
The Executive Secretary
Southern Regional Council
Ħal Qormi, QRM 2504
Telephone. +356 2149 9389
The Information and Data Protection Commissioner
Level 2, Airways House,
Sliema, SLM 1549
Telephone: +356 2328 7100
10. Approvals and sign offs
This policy comes into effect on 15 June 2019.
Approved By – Executive Secretary
Date approved – 14 Jun 2019
Next review date – 30 January 2020
This policy will be reviewed on an ongoing basis. The DPO is responsible for initiating each review.
Version – 1.0
Date – 6 June 2019
Changes made by – DPO
Details – Draft Data Protection Policy