First Floor, Victoria Buildings, 8, Triq l-Għenieq, Naxxar NXR3622, Malta

GDPR – An Introduction – We should have been ready

by Dr Edric Micallef Figallo – Associate

The following is the first article in a series of articles delving into the GDPR, intended to give an overview of the main aspects of the provisions it introduced, retained and updated in the data privacy law regime of the European Union, and its legislative implementation in Malta.

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter in this series referred to as “GDPR”, was published in the Official Journal of the European Union on the 4th May 2016.

By virtue of Article 99(1) thereof it came into force “on the twentieth day following that of its publication in the Official Journal of the European Union.”

At law, the GDPR came into force in 2016, meaning that its provisions have been binding under EU law since way back in May 2016.

The general public, interested parties, legal practitioners and even public officers might have become disoriented by the tragic date of the 25th May 2018, when the GDPR became applicable according to Article 99(2) thereof. One could notice quite a few publications and discussions in which the latter date was indicated as the date on which the law came to bear its force on mostly confused, unprepared and ill-equipped persons and bodies.

What should be startling is the fact that the GDPR was published, and likewise came into force, relatively long ago, while giving, by force of law itself, practically a two-year period for adequate preparation, information, training et cetera. Most of those concerned, at least from what one can gather by simply interacting with most controllers and processors as a consumer or resident in Malta and without being overly analytical from a professional perspective, are oblivious to this.

It is the humble opinion of the author that supervisory authorities (the Information and Data Protection Commissioner in Malta) in the least could have done much more to bring the effects of the full application of the GDPR to the knowledge of the general public. Likewise, with data controllers and processors, especially so in relation to public bodies. Having experience in the public service and public sector, it is quite safe to assume that the supervisory authority itself might not be to blame for the situation. As often happens in a micro-state which ventured into a supranational bloc and by its sovereign will tasked itself with the implementation of one-size-fits-all legislation, the supervisory authority might not have been equipped with adequate resources to function optimally (and that is being kind to those responsible for ensuring adequate resourcing and financing).

In fact, as per the GDPR there were numerous obligations that had to be complied with by the 25th May 2018. These could be dealt with, as relevant, in other articles in this series. If anything, by law and not by an overly strict interpretation thereof, the 25th May 2018 was the date on which the competent authorities had to start enforcing against, inclusive of sanctioning, data controllers and processors which were not GDPR compliant.

This article is meant to provoke, and in such manner to introduce the rest of the articles in the series. The second article in the series will briefly consider the previous EU data privacy law regime which was repealed by the GDPR, and briefly highlight the main changes brought about by the GDPR.

Disclaimer: This article is not to be considered as legal advice, and is not to be acted on as such. Should you require further information or legal assistance, please do not hesitate to contact Dr Edric Micallef Figallo on