Filletti & Filletti Advocates is a leading law firm based in Malta offering a wide range of legal services. 

​​​Filletti  &  Filletti  Advocates

GDPR - A Data Privacy Compliance Overview

Introducing the GDPR

 Following years of discussion, Regulation 2016/679, which is better known as the ‘General Data Protection Regulation’ or ‘GDPR’, was enacted by both the European Parliament and by the Council of the European Union.

The main aims and functions of the newly adopted GDPR are to:

  • achieve uniformity and harmonisation of data protection and privacy legislation across the European Union Member States;
  • endow European Union citizens with adequate data privacy protection required in their daily interactions;
  • regulate the processing of EU citizens’ data by organisations, companies and corporations.

Currently, data protection in enforced throughout the EU via the Data Protection Directive 95/46/EC, also known as ‘DPD’. Each member state implemented the DPD in their own distinct way with the unfortunate result of having divergent, and at times, conflicting rights across various EU member states.

Following the 25th of May 2018, the GDPR will come into effect. As a result:

  • the DPD will be repealed;
  • any domestic law currently implementing the DPD in any EU member state will also be repealed; and
  • Data protection legislation will be harmonised across the EU.

In practice this means that the current legislation with regards to Data Protection will be repealed and replaced by the GDPR on the 25th of May 2018.

You may at this point ask, “How does this affect me and my business? What are my envisaged obligations in terms of the GDPR?”

The GPDR shall have various effects on the sphere of data protection legislation and it shall have also tangible effects on the daily running of your business. The most important ways the GDPR could affect your business is due to its:

  • increased territorial scope;
  • increased rights granted to data subjects; and
  • the financial loss as a result of a breach of the GDPR.

Increased Territorial Scope

Possibly the most significant change to the data privacy implementation is the extended jurisdiction of the GDPR. This is due to the fact that the GDPR will be applicable to all companies processing personal data of data subjects residing in the EU, regardless of the company’s location.

Therefore, the fact that an organisation is based outside the territorial borders of the EU is irrelevant if said organisation processes data of residents of the EU. On the contrary, such an organisation would be obliged to appoint a representative to this effect within the EU.


Increased Data Subject Rights

Organisations will have to grant data subjects access to any personal data held by them. This should be done by giving the data subject a readable and easily accessible copy of all personal data held by the organisation.

Organisations must also implement the right of a data subject to be forgotten. Personal data must be erased in cases where the data subject revokes his or her consent or when said data is no longer needed for its original purpose.


Privacy by Design

Organisations must have data protection as a corner stone of any design of business systems. Therefore, data protection must not be seen as an afterthought to a project but as an essential part of the foundations.


The concept of consent is cardinal to the GDPR. The days of interminable terms and conditions littered with unintelligible clause are over. Terms and conditions must be concise and understandable by the common user.

The GDPR also obliges organisations to provide data subjects with an easily accessible method of withdrawing ones consent should they wish to do so.

Data Breach Notification

Following the 25th of May 2018, should an organisation suffer a serious data breach which is highly likely to “result in a risk for the rights and freedoms of individuals”, they will be obliged to immediately notify the Data Protection Commissioner within 3 days from becoming aware of said breach.

In cases of high risk breaches the GDPR also obliges the organisation that suffered such a breach, to inform the data subjects concerned.


Any organisation found to be in breach of the GDPR can be liable to an administrative fine of up to €20,000,000 or 4% of its annual global turnover, whichever is greater.

This excludes any civil claims that a data subject may institute against said organisation making any breach possibly even more expensive for any organisation that may be found to be in breach of the GDPR.

Concluding Remarks

 We at Filletti & Filletti Advocates understand that this reform is far reaching and game-changing. That is precisely where we come in. We are available to discuss any of the queries you may have with regards to the GDPR, and to guide you through this seemingly interminable maze that is the GDPR with the ultimate objective of ensuring your Data Protection compliance.