The General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act (Chapter 586 of the Laws of Malta) regulate the processing of personal data whether held electronically or in manual form. The Malta Competition and Consumer Affairs Authority (“MCCAA”) is set to fully comply with the Data Protection Principles as set out in such data protection legislation.
Personal Data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Purposes for collecting data
The Malta Competition and Consumer Affairs Authority as legally set up in terms of the Malta Competition and Consumer Affairs Authority Act (Chapter 510 of the Laws of Malta) is composed of four main entities as follows:
The MCCAA collects and processes information to carry out its obligations in accordance with present legislation. All data is collected and processed in accordance with the abovementioned Data Protection Legislation and the relevant legislation regulating the MCCAA and its entities, namely:
To fulfill its investigative, enforcement and regulatory role in line with the relevant legislation, the MCCAA ensures that it only processes personal data if at least one of the following criteria is met:
Processing of Special Categories of Personal Data
The special categories of personal data as defined in the General Data Protection Regulation (GDPR) include:
The MCCAA ensures that it only processes special categories of personal data if at least one of the following criteria is met:
Throughout the processing of special categories of personal data, the MCCAA ensures to strike a fair balance between the aim pursued in collecting such data while safeguarding the fundamental rights of the data subject.
Recipients of data
Personal Information is accessed by the employees who are assigned to carry out the functions of the four respective entities of the MCCAA. Your personal data will be disclosed to the relevant officers within the MCCAA assigned for that specific task, provided that, where the disclosure of personal data is such that the MCCAA has to fulfil its investigative and enforcement obligations emanating from the laws specified above, disclosure will be made to relevant third parties as authorised by law.
You are entitled to know, free of charge, what type of information the MCCAA holds and processes about you and why, who has access to it, how it is held and kept up to date, for how long it is kept, and what the Unit is doing to comply with data protection legislation.
The GDPR establishes a formal procedure for dealing with data subject access requests. All data subjects have the right to access any personal information kept about them by the MCCAA either on computer or in manual files. Requests for access to personal information by data subjects are to be made in writing and sent to the Data Protection Officer of the MCCAA as per contact details specified below. Your identification details such as ID number, name and surname have to be submitted with the request for access. In case we encounter identification difficulties, you may be required to present an identification document.
The MCCAA aims to comply as quickly as possible with requests for access to personal information and will ensure that it is provided within a reasonable timeframe and in any case not later than one month from receipt of request, unless there is good reason for delay. When a request for access cannot be met within a reasonable time, the reason will be explained in writing to the data subject making the request. Should there be any data breaches, the data subject will be informed accordingly.
All data subjects have the right to request that their information is not used or is amended if it results to be incorrect.
Data subjects may also request that their data is erased (‘right to be forgotten’) in accordance with the following:
The right to be forgotten is restricted by the MCCAA if the personal data is necessary for any of the following grounds:
In case you are not satisfied with the outcome of your access request, you may refer a complaint to the Information and Data Protection Commissioner, whose contact details are provided below.
The MCCAA, and its four main entities, ensure that personal data is only retained for as long as is necessary to fulfil its obligations namely:
Saving the applicability of relevant laws, the MCCAA ensures that the retention periods are set proportionately to fulfill the obligations of the MCCAA while safeguarding the rights of the data subject. Once the purpose of the personal data held by the MCCAA and its four entities ceases to exist, the data will either be permanently deleted or anonymised, on a case by case basis.
The Data Protection Officer of the MCCAA may be contacted on firstname.lastname@example.org or by telephone on 23952615. You may also wish to submit a written complaint to:
‘Data Protection Officer’,
Malta Competition and Consumer Affairs Authority,
Blata l-Bajda, HMR9010,
The Information and Data Protection Commissioner
The Information and Data Protection Commissioner may be contacted at:
Level 2, Airways House,
Sliema SLM 1549