Category: GDPR


The Employee’s “Personal Data” Boundaries

Categories Employment, GDPR, E&S Group, Regulation, Data Protection


The case of Doreen Camilleri, former CEO of the European Union Programmes Agency, set a precedent confirming that a corporate email address containing an individual’s name is to be considered “personal data”.

After her employment was terminated, the agency requested a password change for her corporate email address; Ms Camilleri was not informed of this and was locked out of her account. A few days later she discovered that the address was still in use, even though she could no longer access it herself. The concern that emails could still be sent on her behalf was her reason for filing a complaint.

In reaching its decision, the Court of Appeal held that the legal basis for processing personal data must be carefully determined by data controllers and must be consistent with the law and the circumstances.

The password communicated to the user must be changed immediately upon receipt. In default of such action, the user assumes liability for all activity logged with the unchanged password once this notice is communicated, without prejudice to any other liability incurred by the user for activity logged on the account from the time the password is changed.

In the employment context, any computer hardware and any access to electronic communication and networking services, including but not limited to electronic mail, the internet, internal servers and archive folders, are considered to be the property of the employer, who regulates their use in the legitimate interest of the business and its administrative activity.

Even though the email account is the employee’s property, the IT manager may have access to it for a short period of time. This does not necessarily mean that processing of the employee’s personal data has taken place every time the inbox is checked.

Logically, the employee should be cordially asked to give a handover, which in turn would initiate the archiving of the emails on the former employee’s account.

While business continuity is a crucial aspect when dealing with handovers, employees’ rights should not be breached in the process.



Can the New GDPR Law Affect Ledger Technology Operation?

Categories Blockchain, Cryptocurrency, GDPR, DLT


With Malta’s three blockchain and cryptocurrency related Acts due to come into force in the coming days, many are unsure how blockchain and the EU GDPR will work with each other. The underlying attraction of blockchain and crypto is that they are anonymous, immutable and decentralized, whereas the GDPR is designed to reduce the power that businesses have over the personal data of individuals and clients. On paper, the new rules laid down by the GDPR appear to be in direct conflict with the core operation of blockchain technology.

The main bone of contention between the two is one of the primary benefits of blockchain: the fact that once data is uploaded, it is immediately available to everyone else using the network. Whilst this is great for efficiency, it goes against the right to be forgotten and the right to rectification, which are core elements of the GDPR.

The right to be forgotten

Under the new rules, individuals have the right to have their data permanently deleted from businesses’ records within a timely period, or to have the data corrected to reflect the truth. If the information is stored on the blockchain, it is not possible to comply with these requirements.

Taking the example of an accountancy firm operating a centralized database, removing an entry should be quite straightforward. With blockchain entries this is not the case: deleting an entry would cause significant logistical issues by breaking the chain, and it raises the problem of replicating the deletion across all nodes of the network.

A centralized back-end

One possible solution is to change the way blockchain works: develop a centralized back-end that allows information and data to be anonymized without breaking any chains. Whilst this would solve the issue, it would require a lot of work and a major overhaul of how the platform works.
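To make the two preceding points concrete, the following is an added example (not code from the original post, and not tied to any particular blockchain platform): a toy hash chain in which each block commits to its predecessor's hash. The first function writes personal data directly on chain and shows that honouring an erasure request by rewriting a block invalidates every later block. The second implements the "centralized back-end" idea as it is commonly realised: only a salted hash (a commitment) of each record goes on chain, the record itself lives in an off-chain store, and erasure deletes the off-chain copy while the chain stays intact. The chain format, the record fields and the names are all constructed for this example.

```python
import hashlib
import json
import secrets
from dataclasses import dataclass

GENESIS = "0" * 64


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so that equal records always hash equally."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class Block:
    index: int
    prev_hash: str
    payload: dict

    def hash(self) -> str:
        body = {"index": self.index, "prev": self.prev_hash, "payload": self.payload}
        return hashlib.sha256(canonical(body)).hexdigest()


class Chain:
    """Minimal hash chain: every block commits to the hash of the block before it."""

    def __init__(self):
        self.blocks = []

    def append(self, payload: dict) -> Block:
        prev = self.blocks[-1].hash() if self.blocks else GENESIS
        block = Block(len(self.blocks), prev, payload)
        self.blocks.append(block)
        return block

    def is_valid(self) -> bool:
        for i, block in enumerate(self.blocks):
            expected_prev = self.blocks[i - 1].hash() if i else GENESIS
            if block.index != i or block.prev_hash != expected_prev:
                return False
        return True


# Constructed sample records; the people and addresses are fictitious.
RECORDS = [
    {"client": "A. Borg", "email": "a.borg@example.test", "invoice": 1001},
    {"client": "C. Vella", "email": "c.vella@example.test", "invoice": 1002},
    {"client": "D. Grech", "email": "d.grech@example.test", "invoice": 1003},
]


def naive_erasure() -> bool:
    """Personal data written directly on chain. Blanking the second client's
    record changes that block's hash, so block 3's prev_hash no longer matches.
    Returns whether the chain still validates after the 'erasure'."""
    chain = Chain()
    for rec in RECORDS:
        chain.append(rec)
    chain.blocks[1].payload = {"client": "[erased]", "email": "[erased]", "invoice": 1002}
    return chain.is_valid()


class OffChainStore:
    """The centralized back-end: personal data lives here, keyed by the
    salted commitment that is written on chain in its place."""

    def __init__(self):
        self.records = {}

    def commit(self, record: dict) -> str:
        # A random per-record salt blinds the hash, so the on-chain value cannot
        # be matched against guessed records once the off-chain copy is gone.
        salt = secrets.token_bytes(16)
        commitment = hashlib.sha256(salt + canonical(record)).hexdigest()
        self.records[commitment] = (salt, record)
        return commitment

    def resolve(self, commitment: str):
        """Return the record behind a commitment, or None if it has been erased."""
        entry = self.records.get(commitment)
        if entry is None:
            return None
        salt, record = entry
        if hashlib.sha256(salt + canonical(record)).hexdigest() != commitment:
            raise ValueError("off-chain record does not match on-chain commitment")
        return record

    def erase(self, commitment: str) -> None:
        self.records.pop(commitment, None)


def off_chain_erasure():
    """Only commitments go on chain. Erasing the second client deletes the
    off-chain record and its salt; the chain is untouched and still validates.
    Returns (chain_valid, erased_record, untouched_record)."""
    store, chain = OffChainStore(), Chain()
    commitments = [store.commit(rec) for rec in RECORDS]
    for c in commitments:
        chain.append({"commitment": c})
    store.erase(commitments[1])
    return chain.is_valid(), store.resolve(commitments[1]), store.resolve(commitments[0])
```

Running `naive_erasure()` returns False, while `off_chain_erasure()` returns a valid chain, None for the erased client and the intact record for the first client. Whether the orphaned salted hash left on chain still counts as personal data is a legal question the post leaves open; what the example shows is the engineering side of the trade-off, namely that the immutability of the chain is preserved only because the data that needed erasing was never on it.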

We must also take into account the fact that the GDPR refers to data controllers and processors. As the blockchain is just the platform over which data is transacted, it does not technically fall under the scope of the GDPR, rather it would be the responsibility of the businesses that are using it.

From the above, it is clear that blockchain and the GDPR are somewhat at odds, but that doesn’t mean that either is doomed to fail. The focus now needs to be on the companies that are using personal data and how they manage their responsibilities. As the GDPR becomes a bigger part of day-to-day life, we hope to see blockchain technology evolve and adapt until it reaches a point where it is fully compliant with EU and national laws.


E&S Group is a leading corporate & law firm offering various services with regards to ICOs. Feel free to contact us directly on +356 20103020 or by email at [email protected] to find out how E&S can help you in ‘making things happen’.

For more information click the link.


What’s changed since GDPR?

Categories European Commission, GDPR, Technology, DLT, Privacy, Compliance


The European Union’s General Data Protection Regulation came into force on May 25th and since then many things have changed. The regulation was designed to provide a much-needed update to the previous legislation, which was written for a time that did not include the internet as we know it today. But what has really changed in the last three months?

Fewer emails

The majority of email users noticed a dramatic increase in the number of emails they were receiving prior to May 25th. This was due to the last-ditch attempts of a number of businesses to obtain the permission they needed from users to continue emailing them after the GDPR was introduced. Most people ignored these emails and, on the morning of May 25th, awoke to empty inboxes, much to the delight of many.

Less snail mail

There has also been a significant drop in the number of letters being sent via traditional mail. The Royal Mail in the UK noticed an immediate 8% drop in revenue from “snail mail”, because companies are no longer allowed to send marketing materials and similar items to recipients on their mailing lists without a lawful basis.

Longer privacy policies

Have you ever read a privacy policy? Whilst most people don’t take the time to read the privacy policy of a website they visit, if they were to read it, the chances are that it will have increased in length by up to 25%. This is due to having to cover more stringent requirements and standards than before.

Higher levels of compliance

Lack of infrastructure or a solid knowledge of how to become compliant resulted in a situation where many companies did not know how to go about adhering to the new rules. Fortunately, it seems that businesses are starting to work on this with a recent TrustArc survey showing that 53% of businesses are in the implementation stage and 20% consider that they are compliant. Full compliance with the GDPR is expected by 93% of all businesses by the end of 2019.

Not sure whether your business is adhering to the rules? Failure to comply with the GDPR can result in crippling fines and restrictions. E&S Group can help you to ensure that all of your processes are in order and that your business practices and operations are in full compliance with EU and local privacy laws. Send us an email at [email protected]



Why is data the new currency?

Categories Blockchain, Cryptocurrency, GDPR, Technology, Payments, Bitcoin, Data Protection, Ethereum


The EU GDPR came into force at the end of May 2018, and since then our data has become a currency. We now have the ability to earn money from our own data, and this has led many to call it the “new oil”.

Before the GDPR, companies such as Facebook and Google owned all of our data, so essentially they owned our currency. This is no longer the case. The concept of Vendor Relationship Management has been around for some time, fuelled by the ambitions of those at places such as Harvard who believe that the internet giants’ use of our private data is wrong.

All of our data has value and as the customer and owner of it, we should receive its value. Whether you are browsing for new clothes, a holiday, or cinema tickets, you should be able to publicise this fact and wait for the offers to come to you.

Killi is a new application owned by Freckle IoT which allows this to happen. Since its launch, big names such as Staceys, McDonald’s, and GM have already signed up and are paying money to people for the things that they sell them. Whilst Killi has its limitations, it is most definitely a step in the right direction.

Issues such as connecting to other sites through APIs that can be changed without warning can be overcome, and whilst it may not be paying out big bucks at the moment, this is just the beginning. The idea needs appropriate scale, and like the fax machine, it is useless if there is only one other person with the app. Whilst Killi has 70,000 subscribers and counting, it needs a lot more users before it will have any real value.

This is great news for those that were shaken by the Cambridge Analytica scandal or the fact that all internet companies have been shamelessly harvesting our user data without telling us.

What is really interesting about this concept, however, is that it all takes place on the IoT via a blockchain platform. This is a great example of a real-world use case for both bits of tech and shows how easily this technology can disappear into everyday life. What’s more, it is a great example of a company doing something sensible about the privacy issue rather than just writing an angry article or vowing to delete Facebook.


To learn more about ICO Legal Services in Malta please follow this link.

Contact us directly on +356 20103020 or by email at [email protected] to find out more.


EU warns that the GDPR could cause a headache for DLT innovation

Categories Blockchain, Cryptocurrency, ICOs, European Commission, GDPR, Smart Contracts, Technology


An EU body, the Blockchain Observatory and Forum, has issued a warning that the recently introduced GDPR could cause a significant delay in blockchain innovation.

Due to the lack of legal clarity surrounding blockchain technology as well as exactly how the GDPR will impact its underlying ethos, it has not yet been established how blockchain can exist in compliance with the new laws.

Blockchain in Europe

The report, entitled “Blockchain Innovation in Europe” states that: “As long as the legal framework around personal data and blockchain remains unclear, entrepreneurs and those designing and building blockchain-based platforms and applications in Europe face massive uncertainty. That can put a brake on innovation.”

One of the main issues highlighted in the report arises from the fact that the very essence of the GDPR is the empowerment of individuals to control who holds their data and to amend it as they wish. Under some circumstances, the GDPR even allows individuals to have their information deleted as and when they choose. This goes completely against the grain when you consider blockchain’s immutability.

Protection of rights

Another key point of the GDPR is that individuals’ data rights are protected and that a single central body can be held accountable when things go wrong. But when it comes to an open and permissionless blockchain, information is processed across all nodes of the network, so there is no centralised data controller.

Lastly, the GDPR states that data may only be transferred out of the EEA if the data protection rules in the destination jurisdiction are of the same or a higher level. With open, permissionless blockchains it is not possible to choose where data ends up, as the database is replicated on all nodes regardless of where they are located.

The report states: “The law was conceived and written before blockchain technology was widely known, and so was fashioned with an implicit assumption that a database is a centralized mechanism for collecting, storing and processing data.”

Encouragingly, however, the report does note that blockchain technology is still in its early stages of development and it could yet evolve to help GDPR attain its ultimate goal of data sovereignty.

“Blockchain could, in theory, make it easier for platforms and applications to have this compliance ‘baked in’ to the code, supporting data protection by design.”

If you have any questions in relation to ICOs, please contact us on [email protected]


Blockchain paves the smart road forward for B2B e-commerce

Categories Blockchain, Cryptocurrency, GDPR, Smart Contracts, Technology, Financial Institutions


By now, the chances are that you know what blockchain is and that it is set to have a dramatic impact on many areas of our lives. One such area is the world of B2B e-commerce.

At its most basic level, blockchain technology is a distributed ledger that is shared across a P2P network. This network contains and stores the records of secure transactions, which makes them accessible and visible to multiple participants. These records keep track of entire transaction histories, and each record can be individually verified by means of sophisticated cryptography.

By using what is known as a cryptographic signature, the blockchain is immune to fraud, which makes blockchain-based transfers amongst the most secure and safe of all online transactions. This security is a big selling point and it is piquing the interest of a large number of financial institutions and authorities, who are beginning to explore the possibilities that blockchain and cryptocurrency offer.

Back in November 2017, a lifetime ago in terms of crypto, Visa Inc announced that they intended to pilot a blockchain-based B2B payments system called B2B Connect. This system was designed to increase the security, speed, and efficiency of B2B transactions.

But the potential applications of blockchain go far beyond just Bitcoin and financial transactions. For B2B businesses, blockchain is able to handle a myriad of different tasks such as the transfer of financial securities, mobile minutes, energy credits, and even air miles. The technology even has the ability to reduce the traditional friction involved in making high-value, high-volume orders that involve multiple layers of suppliers, vendors, and distributors. This is without forgetting smart contracts, which can reduce inefficiencies at almost every stage of the deal-making process.

Stats released by the World Economic Forum estimate that blockchain technology could account for around 10% of global GDP as soon as 2027. Bearing that in mind, why should you invest in blockchain and how can you get it working for you?

Most B2B merchants carry out their transactions via cheque, wire transfer, or automated clearing house systems, which are known for being slow, costly and subject to fraud and human error. A survey carried out in 2017 by the AFP showed a large increase in B2B payment fraud since 2015. In fact, over 75% of companies said they suffered cheque fraud in 2016 alone, an increase of 4% on the previous year, and 74% said they had fallen victim to a business email compromise scam.

The average organisation loses around 5% of its annual revenue to fraud, and this amounts to trillions and trillions of dollars lost every year. But how can you protect yourself? This is where crypto and blockchain come in.

Smart Contracts

A Smart Contract has huge potential when it comes to B2B businesses. These contracts take the form of lines of code that create a digital agreement between two or more parties. These contracts are self-executing and do not require a third party to oversee any stage of the process.

Transparent Fees

For businesses that take credit card payments, the process can be costly, laborious and involve up to four parties. A simple purchase can involve the merchant, the credit card company, the cardholder’s bank, and the individual cardholder. Having this many parties involved results in delays, a slow process and fees incurred by at least two of the four parties. If you can eliminate these through the use of a direct P2P transaction, then fewer parties are involved and fewer institutions need to be paid.

International Business

If your company is involved in cross-border business then you will know that foreign transaction fees can be substantial, particularly for large or frequent transactions. DHL Logistics recently conducted a survey which found that such fees would reach a total of $1.2 trillion over the next five years. A traditional wire transfer costs anywhere between $22 and $50, not including any applicable currency exchange fees. Coinbase, on the other hand, charges a flat rate of 1% to convert Bitcoin (BTC) into a local fiat currency.

Secure Supply Chain

When it comes to conducting business across borders, there are lots of opportunities for friction to occur. Relying on the timely communication of information between third, fourth, and even fifth parties can seriously complicate transactions, which in turn leads to delays in supplier payments and reconciliations.

According to IBM, using blockchain technology allows for much faster and more auditable B2B interaction between all stakeholders. It is assumed that blockchain technology even has the power to replace paper-based and manual purchase orders, as well as other trade documents, with smart contracts. Real-time visibility into supply chain and trading data can result in much smarter decisions regarding inventory, procurement, investments, and even the financial position of the company.

That said, blockchain doesn’t necessarily hold the key to solving all of the B2B transaction world’s problems. There are many obstacles in the way, such as the current regulatory environment, the lack of a legal framework, and even its lack of synergy with the recently enforced EU GDPR. Whilst a lot of investment and consideration is needed to overcome these, many believe that it could be one of the most important technologies shaping the infrastructure of the next generation of financial instruments.


To know more about ICO legislation in Malta please follow this link.

Contact us directly on +356 20103020 or by mail at [email protected] to find out more.


The Importance of Legal Advisors in ICOs and Blockchain Projects

Categories Blockchain, Cryptocurrency, ICOs, Law, GDPR, Tokenomics, Tokens, Guest Post, White Paper, Know Your Customer, Anti Money Laundering




Legal advisors are like an internet connection. When you have it, you forget how important it is. Once you lose it, you find out all the things you can’t do without it. It is easy to forget the importance of good legal advice, so let’s try to recollect all the important things legal advisors do for an ICO.

Setting up an ICO is not an easy task. There can be a lot of bumps in the road, so it is essential to make sure that everything runs as smoothly as possible. Roadblocks in the legal area are one of the main problems most ICOs encounter. Any legal issue that an ICO encounters is a huge red flag for potential investors. Because of that, the best ICOs have a legal department on point.

The world of ICOs and blockchain is still fairly unregulated, and because of that it is easy to damage the reputation of an ICO. This can happen for a wide variety of reasons, from false scam accusations to an unclear roadmap or token use. Having an experienced legal advisor can save you from these issues.

The legal advisor should be familiar with and present in every key aspect of an ICO, starting from the whitepaper. First, you need to decide the terms and conditions of your whitepaper. Every piece of content in the whitepaper has to get the green light from the legal advisor. Keep in mind that courts, investors, and regulators rely on the whitepaper to understand how the project will work.

Token Model

The token itself needs to be verified by the legal advisor. With your legal team, you will need to decide whether your token will be considered a payment token, a utility token or an asset token. This is a very important decision, and different choices lead to different outcomes in terms of the project’s compliance with the regulations.

KYC/AML Evaluation

When all of that has been done, you will need to make sure that your ICO complies with all applicable regulations. The most important ones are the KYC/AML (Know Your Customer/Anti Money Laundering) regulations, which help ensure that your project is safe and secure from potential scams. It is not easy work; it takes a lot of knowledge for everything to run smoothly. Blockchain industry regulations are just starting to kick in, so it is best to have an experienced legal advisor on the team.

Intellectual Property Protection

Imagine that you have prepared everything for the start of an ICO campaign. Suddenly someone accuses you of stealing their logo. You should be worrying about the project, but now you are stuck in a legal labyrinth. This is a disaster! Because of this, legal advisors are essential. They will make sure that all your domain names, trademarks, copyrights, trade secrets and patents are protected and acknowledged as your intellectual property. These are not things you want to worry about when preparing an ICO launch.


GDPR (General Data Protection Regulation) is another thing your ICO will need to comply with. Without this, your ICO can’t reach its full potential. Having a GDPR protocol is now considered a standard in the world of ICOs. All of this is in the realm of your legal advisors.


Getting legal advice might be the best first step of every ICO project. It will ensure that everything is protected and in sync with the regulations. The creative potential of the founders will not be held back by unnecessary legal troubles that may pop up. Everybody involved in the project can focus on what they do best and not worry about regulations.

If you are looking for legal advice for your ICO, the best time to get it was yesterday; the next best time is right now. If you have any questions please contact us at [email protected] or phone us on +356 2010 3020. Visit this link for further information regarding our ICO Legal Services. We are here for you!


Understanding the GDPR: General Data Protection Regulation

Categories Law, GDPR, E&S Group, European Parliament, Regulation, Data Protection, Data Protection Officer


Guest Post by Tenfold.


The GDPR, or General Data Protection Regulation, is a regulation passed by the European Union on April 27, 2016, with an effective start date of May 25, 2018. Officially classified as Regulation 2016/679, the GDPR expands upon and replaces the Data Protection Directive 95/46/EC of 1995. It serves as the EU’s effort to synchronize and harmonize laws on citizen and resident data privacy throughout its member states.

GDPR is based on Privacy by Design/Default, a set of user-centric principles that give user privacy a sacred status from the get-go rather than as an afterthought. Piggybacking on that is the ability of users to sue organizations under the GDPR that mishandle personal data. To accomplish this, the GDPR mandates new user-oriented information-handling processes to which EU companies will soon find themselves beholden, not to mention subject to significant penalties in the event of a violation.

The complete text of the GDPR legislation clocks in at 88 pages. There exist within it 173 recitals and 99 articles, each one applying universally to all EU member states. The key provisions of this sweeping legislation are provided below, and constitute the essence of what the law entails and how it affects data storage and retrieval for all related EU entities.

Who the Law Protects

There is a slight bit of confusion when it comes to just who falls under the protective auspices of the GDPR measure. The term “natural person” appears frequently throughout the text, and while this indeed refers to EU citizens, it actually extends further to those merely residing in the EU.

To wit, a natural person in EU nomenclature is any human possessing “legal personality”. That’s a very law-like definition that essentially boils down to a person who acts on their own behalf rather than in the interests of a business entity (sometimes known as a “legal entity”) or a government entity (or “public entity”).

To simplify matters, all humans native to or residing inside the EU with data to protect are blanketed under the term “data subject”. The rights of these data subjects to control and even extensively delete their private data are at the heart of the GDPR.

How GDPR Defines Personal Data

The GDPR defines personal data quite simply: Information (“data”) that can be used to identify a natural person (“data subject”). This seems self-evident on its surface, and indeed, certain identity-related elements fall naturally within this definition, such as name, ID number, home address, and more. But in the current era of sophisticated online data tracking technology, the amount of transmittable, personally identifiable data has ballooned (at least in the EU’s opinion), and with it, the number of privacy touch points potentially available to corporate and government bodies.

This massive list includes, but is not limited to, online identifiers such as IP addresses, social media accounts, email addresses, account numbers, browser cookies, and more. Within it are direct identifiers and indirect identifiers, both of which establish the data subject’s identity by degrees. For instance, a direct identifier is a name, ID number, home address, and so on. Indirect identifiers include date of birth, location, or even job title, and while they don’t pinpoint data subjects directly, they can nevertheless unmask a person’s identity when used in concert.

Personal Data vs Sensitive Personal Data: What’s the Difference?

In short, sensitive personal data is more or less a subset of personal data. However, as the name implies, sensitive personal data is information that is not as objectively verified as standard personal data. For instance, a data subject’s home address or date of birth can be independently and objectively verified. Under the GDPR, this is personal data, but it’s not “sensitive”. Another way to think of sensitive data is as “privileged” information, i.e. data that must be communicated by the subject themselves.

Some examples of sensitive personal data include:

  • Racial or ethnic origin
  • Religious beliefs
  • Genetic data
  • Trade union membership
  • Biometric data
  • Health data
  • Sexual orientation
  • Data pertaining to the subject’s sex life

The GDPR’s aim is not to restrict the processing of personal data altogether, only to eliminate those instances where data might be processed without the full and clear consent of the data subject. In any respect, the GDPR dictates that data must be processed transparently and equitably at all times. This sounds simple on the surface, but unfortunately for the controllers handling personal data, there are a number of requisites in the GDPR that reveal the attendant difficulty involved.

At least one of the following requisites must be met for lawfully processing personal data:

  • Direct consent from the data subject
  • Execution of an agreed-upon contract or as a preliminary step thereof
  • Legal compliance on the controller’s behalf
  • Protection of the subject’s vital interests or those of another person
  • Tasks performed in the public interest or as an extension of the controller’s official authority
  • Tasks performed in the controller’s legitimate interests or that of a third party unless superseded by the rights and natural protections of the subject, especially children

While not exceedingly divergent from the above, the standards for lawfully processing sensitive personal data are nonetheless more tightly confined to at least one of the following (some of which are duplicated from personal data):

  • Explicit consent of the subject
  • Necessary for obligations to employment, social protection and social security laws, and collective agreements
  • Protection of subject’s interests when subject is incapable of consent, whether physically or legally
  • Processing of data belonging to members or former members of and by a not-for-profit entity with a political, philosophical, religious, or trade union affiliation; strictly prohibited from divulging said data to third parties
  • Data made public by subject
  • Necessary for legal claims
  • Tasks performed in the public interest
  • Administering preventative or occupational medicine, assessing subject’s working capacity, medical diagnosis, health or social care
  • Public health as a public interest, including protection against cross-border health threats or to guarantee quality healthcare, medicine, or medical devices
  • For purposes of data storage, inquiry, and statistics

What Is a Controller?

In GDPR terms, a controller is the entity (natural person, legal entity, public agency, authority, or similar) that decides why personal data is being processed. Controllers specify whose data will be collected, which categories of data to include, the length of time needed to store the data, and more. Not only that, but a controller determines whether the data subject needs to be alerted that their personal data is about to be processed, or whether the subject’s consent is needed beforehand.

In that same vein, controllers are most often with whom data subjects will directly come in contact. As the public “face” of the data processing endeavor, controllers are the ones responsible for ensuring tight controls on how the subject’s information is managed. Aside from protecting the trust and privacy of the subject, the controller must ensure compliance with the GDPR at every turn.

But just as the data subject need not be an EU citizen, neither must the controller be based in the EU. Controllers can originate anywhere across the globe; so long as they engage in the processing of data for natural persons currently in the EU, they are bound by GDPR guidelines. The best examples of this come by way of social media giants such as Facebook and Twitter; search engines like Yahoo!, Bing, and Google; or retail outlets like Amazon, eBay, and more. Despite being headquartered within the US, these companies must regardless fulfill the requirements of the GDPR or risk non-compliance.

To make matters slightly more complicated, controllers not originating within the EU must designate a representative inside the EU to help process data in a way that satisfies the GDPR. The representative accomplishes this by coordinating with that nation’s governmental body in charge of overseeing GDPR compliance, also known as the supervisory authority. It is more or less a checks-and-balances system to prevent non-EU entities from roguish data processing.

What Is a Processor?

While controllers oversee the whys and whats of personal data processing, processors are the entities designated by the controller to perform the processing itself. The processor may be a natural person, a legal entity, public agency, authority, or similar, and as with controllers, they may also originate outside the EU. No matter the location or the type of entity, the bottom line remains the same: as long as the processor is managing personal data belonging to a natural person within an EU member state, GDPR still applies.

Rather than micromanaging every processing-related task, controllers may choose to rely on the processor’s systems and data security. However, controllers are the ones ultimately responsible for making sure this happens.

What is a Supervisory Authority?

Each EU member state is required by the GDPR to establish a supervisory authority whose chief duty is monitoring whether the regulation is being faithfully applied. The GDPR states in no uncertain terms that the regulation must be enforced consistently in every member state. To make this a reality, supervisory authorities are mandated to cooperate with one another on the free flow of data. Member states may establish multiple supervisory authorities, but one must be chosen as their representative before the European Data Protection Board (EDPB). That same supervisory authority is also required to ensure that the other supervisory authorities are following the GDPR.

What is a Data Protection Officer?

A Data Protection Officer (DPO) is required under GDPR rules to manage and implement an organization's data protection policies. This applies to any entity that archives personal data at a large scale. And it doesn't apply only to customers or users; any organization with a significant data burden, even just for its own employees, is obligated to appoint a DPO. The definition of who constitutes a data subject is far-reaching in the GDPR.

Each DPO is in charge of educating their parent entity, from top to bottom, in the requirements for satisfying the regulation. The DPO also conducts training for staff members who are directly involved in processing personal data, routinely audits the organization's data security, and recommends fixes accordingly. In addition, DPOs liaise with supervisory authorities and enforce the entity's compliance not only with the GDPR, but with member state laws as well.

Data subjects may interact with DPOs as their main point of contact, too. As the public “face” of the data processing operation, DPOs carry a host of responsibilities, all with the goal of remaining as open, transparent, and subject-focused as possible. These include:

  • Inform subjects for which purposes their data is being processed
  • Provide access to their data
  • Explain the safeguards enacted by the company to secure their data
  • Disclose the involvement of third parties
  • Disclose the duration that their data will be archived
  • Respect the subject’s right to have their data deleted
  • Fulfill all data requests from subjects promptly, and in any case within one month of receiving the request

Take, for instance, a security firm that uses closed-circuit TV to surveil and monitor communal areas or private businesses. Because its core activities constitute a public task, this firm would need to appoint a DPO. The same is true for any processor that engages in even minimal data retrieval or processing, such as a call center. By contrast, entities that provide ancillary support, such as payroll and IT support, need not install a DPO.

Exactly who can serve as DPO is left largely to the entity’s discretion. The DPO may be “in-house” or external, and they may perform other tasks for the company as well. However, they may do so with the proviso that their work for the company and their work as DPO does not create a conflict of interest.

While the role of DPO will look different from company to company, there are a few qualifications that the DPO must meet as outlined in the GDPR. These include:

  • Expertise in data protection law, both national and European
  • In-depth knowledge of the GDPR
  • Comprehensive understanding of the organization’s data processing structure
  • Ethics and integrity
  • Free to carry out their tasks independently

Data Breaches

We tend to think of a "data breach" in rigid terms connoting the theft of confidential information from within the confines of an otherwise guarded data security system. Under the GDPR, however, a data breach does not begin or end at theft but is defined much more broadly. It includes accidental or unlawful destruction, loss, alteration, unauthorized access to, or disclosure of personal data, whether in processing or in storage. Once a breach occurs, controllers must notify the supervisory authority without "undue delay", and within 72 hours. This deadline holds whether the breach was discovered by the processor or by the controller, although it is the controller's responsibility, not the processor's, to notify the supervisory authority.

Controllers must then notify the data subject that their data has been compromised, known as an individual notification. Despite the GDPR's overall thoroughness, it does not mandate individual notifications if certain conditions have been met. These include:

Regarding that last condition, the entity or controller is still required to alert data subjects through public means.

The Right to Erasure

The right to erasure is EU parlance for the right to be forgotten, or the right for a data subject to have their personal data comprehensively deleted. A data subject may invoke their right to erasure under four primary scenarios:

  • The initial purpose for archiving the personal data no longer applies
  • The subject removes their consent
  • The subject requests erasure in the event of non-compliance with GDPR guidelines or breach of data security
  • Legal reasons

Data Minimization

Data minimization is one of the more important Privacy by Design/Default principles mandated by the GDPR, and as the name suggests, it is all about minimizing the amount of data that is collected, processed, and archived. Controllers are duty-bound to gather only as much personal data as is needed to perform the required task and to reserve that data exclusively for the task in question, i.e. no migrating personal data from Task A over to Task B unless the data subject has consented.

Keeping with similar principles laid out elsewhere in the GDPR, data minimization requires controllers to limit the processing of a subject’s personal data according to certain stipulations. More specifically, this means only data that is relevant, adequate, and necessary to the purpose for which it was originally collected. Anything beyond this violates the GDPR and opens the entity to fines.

Right to Rectification

Privacy by design/default may be at the heart of the GDPR as a whole, but part-and-parcel therein is the right of data subjects to contest the processing of inaccurate or incomplete data. They may do so by requesting that the controller in question rectify their associated data, whether correcting false information, filling in missing data, or amending data with a clarifying statement. Controllers must respond to such requests in a timely manner or no later than one month from receipt. 

Consequences for Failure To Comply

The consequences for failing to comply with the GDPR vary depending upon the transgression and fall into two tiers: administrative fines and fines for breaches, whether a data breach or a breach of consent, privacy, and the like. For failure to comply with administrative or preparedness standards, entities may be fined the greater of 2% of annual global turnover or 10 million euros. Fines for breaches are double: 4% of annual global turnover or 20 million euros, whichever is greater.


Without a doubt, the GDPR poses many new risks and challenges for data processing entities across the world that traffic in the personal data of EU residents. Perhaps even more daunting is that the stress on collection, processing, and record-keeping systems won't be entirely calculable until after the regulation has actually gone into effect, leaving controllers and processors doing their best to tread water, so to speak, and avoid fines for non-compliance. The trade-off for successfully implementing the regulation, however, is worth it. Users' personal data will be much less prone to abuse, translating to renewed confidence and trust on the part of data subjects, and greater engagement between all parties involved.


This article was originally published by Tenfold


Can blockchain and GDPR coexist?

Categories Blockchain, GDPR, Regulation


If you didn't know what the GDPR was a few weeks ago, I can guarantee that you know what it is now. The GDPR came into force on the 25th of May and it has totally overhauled privacy for EU citizens. But do some of these regulations have the capacity to cut into the benefits of blockchain technology? Or will DLT actually increase the effectiveness of the new laws?

According to many, the answer is “a little bit of both”. In many ways, the blockchain can actually reinforce the need for individual privacy when it comes to online transactions as GDPR and blockchain actually have a few goals in common. A traditional centralised database doesn’t give individuals much control over their data and how it is managed or disclosed. DLT means that they can freely decide the scope of the data that is shared, as well as its recipients. It also allows users to mitigate certain security risks regarding the sharing of personal information.

Challenges and requirements

A recent paper from a student at the University of Zurich addressed some of the potential challenges and requirements that are involved in preparing blockchain networks for the enforcement of the GDPR. It was suggested that blockchain and torrent technologies could be a part of a new foundation for decentralised platforms that will help to provide safe and secure data storage as well as processing that allows users to retain full control over every aspect of their data.

The blockchain allows any shared data to be fully encrypted and then validated on the network; by including a Personal Certificate Authority, users can limit data sharing to specific recipients, supporting GDPR compliance.

There are, however, some DLT arrangements that may need to be rethought and tweaked accordingly. Any entity that employs, or exchanges data with, European customers or partners is subject to the rules, even if it is not based in the EU. The rules are designed to harmonise the data protection laws of the EU, which were very out of date, as well as providing more protection and empowerment for EU citizens' data privacy.

Points to be addressed

To ensure that a blockchain meets the requirements that are imposed by GDPR, the following points need to be addressed and considered.

The blockchain's public nature: If both the public key and the hashed transaction data can be linked to an individual person, then they are both considered personal data and as such fall under the scope of the GDPR.

Immutability: The fact that DLTs are immutable is not in harmony with the GDPR, as the right to be forgotten is one of its core points. One of the selling points of blockchain is that data entered into it cannot be edited, changed, or removed, and that presents a problem. Whilst this can be addressed by fully migrating the blockchain, that is an expensive and long-winded effort.

Transferring data out of the EU: DLTs and blockchains are built on nodes that are distributed across globe-spanning networks, the complete opposite of what the GDPR is trying to achieve. Moreover, on a public blockchain each node holds an exact copy of the complete ledger and can therefore be considered a controller of personal data under the scope of the GDPR.

Anonymisation vs pseudonymisation: Whilst steps can be taken to avoid storing personal information on the blockchain, or to keep it completely anonymous, the GDPR's threshold for anonymisation is very high. Methods such as encryption, hashing, and tokenisation usually provide pseudonymisation rather than anonymisation, and encrypted or hashed data can often still be traced back to an individual.
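The two points above (a hashed identifier that can still be linked to a person, and hashing as pseudonymisation rather than anonymisation) are easy to check in code. The example below is an added illustration and is not code from this article or from the Zurich paper it mentions; the e-mail addresses are constructed sample values. It shows that an unkeyed hash of an identifier drawn from a small, knowable set (a customer list) is re-linkable by anyone holding that list, and that a keyed hash (HMAC) resists re-linkage by an outsider but remains reversible by whoever holds the key, which is exactly why the GDPR still treats it as pseudonymised personal data rather than anonymous data.

```python
import hashlib
import hmac
import secrets

# Constructed sample identifiers (not real people). Assume these are the
# values an organisation wants to reference on a ledger without storing
# them in the clear.
CUSTOMERS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier, the 'just hash it' approach."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_hash(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held by the controller."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def relink(hashed_values, candidates, hash_fn):
    """Re-identification check an auditor would run: given a candidate list
    of identifiers, try to map each stored hash back to a person.
    Returns {hash: identifier-or-None}."""
    table = {hash_fn(c): c for c in candidates}
    return {h: table.get(h) for h in hashed_values}


def compare_schemes():
    """Return how many of the three records each party can re-identify:
    (outsider vs plain hashes, outsider vs keyed hashes, key holder vs keyed hashes)."""
    # Scheme 1: unkeyed hashing. Anyone holding the customer list recovers
    # every identity, so the hashes are plainly personal data.
    ledger_plain = [plain_hash(c) for c in CUSTOMERS]
    outsider_vs_plain = relink(ledger_plain, CUSTOMERS, plain_hash)

    # Scheme 2: keyed hashing. An outsider with the same customer list but no
    # key gets nothing back...
    key = secrets.token_bytes(32)
    ledger_keyed = [keyed_hash(c, key) for c in CUSTOMERS]
    outsider_vs_keyed = relink(ledger_keyed, CUSTOMERS, plain_hash)

    # ...but the controller holding the key still links every record, so the
    # data is pseudonymised, not anonymised, in GDPR terms.
    holder_vs_keyed = relink(ledger_keyed, CUSTOMERS, lambda c: keyed_hash(c, key))

    count = lambda m: sum(v is not None for v in m.values())
    return count(outsider_vs_plain), count(outsider_vs_keyed), count(holder_vs_keyed)


if __name__ == "__main__":
    plain, outsider, holder = compare_schemes()
    print(f"outsider re-identified {plain}/3 plain-hash records")
    print(f"outsider re-identified {outsider}/3 keyed-hash records")
    print(f"key holder re-identified {holder}/3 keyed-hash records")
```

The lesson for a DPO assessing a blockchain design is the third number: as long as any party can link the stored value back to a natural person, the on-chain value is personal data and the erasure and transfer points above still apply.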

In GDPR terms, a user is considered safe when they have full control over the data that is shared on the platform. This is a rather ambitious goal, but at a time when user trust in how companies handle their data is at an all-time low, ensuring GDPR compliance would help to restore confidence. Decentralising data ownership via the blockchain means that every user holds only a small chunk of the data, which makes it much harder to hack and obtain personal information through illegitimate means.




Maltese Gaming companies can follow specific GDPR guidelines presented by MGA.

Categories iGaming, Regulatory, Malta, GDPR


Last Friday, 4th May, the MGA released a document with specific guidelines on the new General Data Protection Regulation (GDPR), which comes into effect on May 25th, 2018, under the European Data Protection Board.

The EU Commission will enforce the GDPR for all EU states to follow. In effect, the GDPR will be the catalyst for protecting EU citizens' data privacy, guiding organisations across the region to take data protection laws more seriously.

What will GDPR protect?

Previously, the EU had already passed data protection legislation applying across all EU countries. However, with the advancement of technology and the scandals involving big corporations harvesting clients' data from social media websites, the EU has come up with stronger and stricter laws to protect its citizens.

The GDPR builds more specific rules onto the previous legislation, holding organisations accountable for their use and retention of personal data and enhancing individuals' rights to data privacy.

MGA guidance to GDPR

As an authority, the MGA acknowledges the gaming industry's concerns about GDPR compliance and how it can impact the industry. The MGA has presented a document to the gaming industry guiding it on how to proceed. Before publishing the report, the MGA consulted the Office of the Information and Data Protection Commissioner (IDPC), the supervisory authority responsible for regulating the application of data protection legislation. However, MGA licensees remain fully accountable for ensuring their gaming companies are compliant with both the GDPR and the gaming regulatory framework.

The authority expects gaming companies to use these guidelines alongside the GDPR itself. The guidelines will be updated continuously as practical issues arise. Gaming companies also need to take into consideration the legal requirements imposed by Maltese gaming law, without bypassing the current regulation. The MGA's guidelines and interpretations are also without prejudice to the Commissioner's decisions on complaints and other specific data protection issues.

The MGA notes that its interpretations are without prejudice to any other guidelines or opinions that may be issued by the Article 29 Data Protection Working Party.
