The General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act (Chapter 586 of the Laws of Malta) regulate the processing of personal data whether held electronically or in manual form. The Malta Competition and Consumer Affairs Authority (“MCCAA”) is set to fully comply with the Data Protection Principles as set out in such data protection legislation.
Personal Data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Purposes for collecting data
The Malta Competition and Consumer Affairs Authority as legally set up in terms of the Malta Competition and Consumer Affairs Authority Act (Chapter 510 of the Laws of Malta) is composed of four main entities as follows:
The Office for Competition
The Office for Consumer Affairs
The Technical Regulations Division
The Standards and Metrology Institute
The MCCAA collects and processes information to carry out its obligations in accordance with present legislation. All data is collected and processed in accordance with the abovementioned Data Protection Legislation and the relevant legislation regulating the MCCAA and its entities, namely:
The Malta Competition and Consumer Affairs Authority Act (Chapter 510 of the Laws of Malta)
The Competition Act (Chapter 379 of the Laws of Malta) and subsidiary legislation made thereunder
The Consumer Affairs Act (Chapter 378 of the Laws of Malta) and subsidiary legislation made thereunder
The Product Safety Act (Chapter 427 of the Laws of Malta) and subsidiary legislation made thereunder
The Pesticides Control Act (Chapter 430 of the Laws of Malta) and subsidiary legislation made thereunder
The Food Safety Act (Chapter 449 of the Laws of Malta) and subsidiary legislation made thereunder
The Metrology Act (Chapter 454 of the Laws of Malta) and subsidiary legislation made thereunder
European Regulations that are directly applicable in Malta and relevant directives of the EU that are transposed into Maltese law, the subject matter of which falls within the remit of the MCCAA.
To fulfil its investigative, enforcement and regulatory role in line with the relevant legislation, the MCCAA ensures that it only processes personal data if at least one of the following criteria is met:
The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
The processing is necessary for compliance with a legal obligation to which the MCCAA is subject;
The processing is necessary in order to protect the vital interests of the data subject or of other natural persons;
The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the MCCAA;
The processing is necessary for the purposes of the legitimate interests pursued by the MCCAA, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Processing of Special Categories of Personal Data
The special categories of personal data as defined in the General Data Protection Regulation (GDPR) include:
personal data revealing racial or ethnic origin;
religious or philosophical beliefs;
trade union memberships;
genetic and biometric data processed for the purpose of uniquely identifying a natural person;
data concerning health;
data concerning a natural person’s sex life or sexual orientation.
The MCCAA ensures that it only processes special categories of personal data if at least one of the following criteria is met:
The data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
Processing is necessary for the purposes of carrying out the obligation and exercising specific rights of the MCCAA or of the data subject in the field of employment and social security and social protection law;
Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
Processing relates to the personal data which is manifestly made public by the data subject;
Processing is necessary for the establishment, exercise or defence of legal claims;
Processing is necessary for reasons of substantial public interest.
Throughout the processing of special categories of personal data, the MCCAA ensures that a fair balance is struck between the aim pursued in collecting such data and the safeguarding of the fundamental rights of the data subject.
Recipients of data
Personal Information is accessed by the employees who are assigned to carry out the functions of the four respective entities of the MCCAA. Your personal data will be disclosed to the relevant officers within the MCCAA assigned for that specific task, provided that, where the disclosure of personal data is such that the MCCAA has to fulfil its investigative and enforcement obligations emanating from the laws specified above, disclosure will be made to relevant third parties as authorised by law.
You are entitled to know, free of charge, what type of information the MCCAA holds and processes about you and why, who has access to it, how it is held and kept up to date, for how long it is kept, and what the Unit is doing to comply with data protection legislation.
The GDPR establishes a formal procedure for dealing with data subject access requests. All data subjects have the right to access any personal information kept about them by the MCCAA either on computer or in manual files. Requests for access to personal information by data subjects are to be made in writing and sent to the Data Protection Officer of the MCCAA as per contact details specified below. Your identification details such as ID number, name and surname have to be submitted with the request for access. In case we encounter identification difficulties, you may be required to present an identification document.
The MCCAA aims to comply as quickly as possible with requests for access to personal information and will ensure that it is provided within a reasonable timeframe and in any case not later than one month from receipt of request, unless there is good reason for delay. When a request for access cannot be met within a reasonable time, the reason will be explained in writing to the data subject making the request. Should there be any data breaches, the data subject will be informed accordingly.
All data subjects have the right to request that their information is not used or is amended if it is found to be incorrect.
Data subjects may also request that their data is erased (‘right to be forgotten’) in accordance with the following:
the personal data is no longer necessary in relation to the purpose for which it was collected or otherwise processed;
the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
the personal data has been processed unlawfully;
the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject.
The right to be forgotten is restricted by the MCCAA if the personal data is necessary for any of the following grounds:
for compliance with a legal obligation to which the MCCAA is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the MCCAA;
for the establishment, exercise or defence of legal claims;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing.
In case you are not satisfied with the outcome of your access request, you may refer a complaint to the Information and Data Protection Commissioner, whose contact details are provided below.
The MCCAA and its four main entities ensure that personal data is retained only for as long as is necessary to fulfil their obligations, namely:
to submit to the data subjects’ requests (such as receiving a complaint or vetting personal details submitted by the data subject to fill in an online form related to any services offered by the MCCAA and as accessed from the MCCAA’s website);
to carry out its regulatory, enforcement and investigative functions in accordance with the laws specified above;
for the establishment, exercise or defence of legal claims.
Saving the applicability of relevant laws, the MCCAA ensures that the retention periods are set proportionately to fulfil the obligations of the MCCAA while safeguarding the rights of the data subject. Once the purpose of the personal data held by the MCCAA and its four entities ceases to exist, the data will either be permanently deleted or anonymised, on a case-by-case basis.
The Data Protection Officer of the MCCAA may be contacted on email@example.com or by telephone on 23952615. You may also wish to submit a written complaint to:
‘Data Protection Officer’,
Malta Competition and Consumer Affairs Authority,
Blata l-Bajda, HMR9010,
The Information and Data Protection Commissioner
The Information and Data Protection Commissioner may be contacted at: