IDPC (Malta) - CDP/DBN/31/2020
| IDPC (Malta) - CDP/DBN/31/2020 | |
|---|---|
| Authority: | IDPC (Malta) |
| Jurisdiction: | Malta |
| Relevant Law: | Article 5(1)(f) GDPR, Article 6(1) GDPR, Article 9(1) GDPR, Article 9(2) GDPR, Article 14 GDPR, Article 32 GDPR, Article 33 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 17.01.2022 |
| Published: | 17.01.2022 |
| Fine: | 65000 EUR |
| Parties: | C-PLANET |
| National Case Number/Name: | CDP/DBN/31/2020 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | IDPC (in EN) |
| Initial Contributor: | n/a |
The Maltese DPA imposed a fine of 65 000 € on the IT company C-Planet for failing to notify a data breach and for lacking appropriate technical measures (violation of Articles 5(1)(f), 33 and 34 GDPR). The data breach also revealed that personal data and special categories of data were processed without a proper legal basis (Articles 6 and 9 GDPR) and without informing the data subjects (Article 14 GDPR).
English Summary
Facts
On 1 April 2020, the media reported an alleged personal data breach suffered by C-PLANET, in which a database containing the personal data of Maltese voters had been exposed. The media reported that the political opinions of 335000 voters had been exposed. The IDPC opened an ex officio investigation, and noyb filed a complaint on behalf of several Maltese citizens on 12 November 2020.
Holding
On the controllership
The IDPC concluded that C-Planet was the controller of the database, considering that no factual elements could substantiate C-PLANET's view that the third party (name redacted) was the controller of this specific database.
On the lawfulness of the processing
1. Publicly available data
The IDPC concluded that these data were collected from the Electoral Register. However, a proper legal basis under Article 6(1) GDPR is still needed even for publicly available data. That also stems from Article 5(1)(b) GDPR.
2. Personal data that is not publicly available
The second group of data relates to the data subjects' ballot box number, voting document number, district, date of birth, phone number and sex.
According to the General Elections Act, these data are only made available to the political parties. The Electoral Commission confirmed that these data were not made available to the party delegates mentioned in the investigation.
3. Special categories of data
This category is not processed by the Electoral Commission. The database contains numerical identifiers from 1 to 4, which the IDPC confirmed referred to the political opinions of the data subjects.
These data receive particular protection under Article 9(1) GDPR. None of the exceptions of Article 9(2) GDPR was applicable.
Therefore, the IDPC confirmed that the controller infringed Article 9(1) GDPR.
Obligation to provide information to the data subjects
The IDPC confirms that Article 14 GDPR is particularly important since the data were obtained from third-party sources. In this regard, the controller is obliged to inform the data subjects of the details of the processing operations, which is a condition sine qua non for ensuring transparency and fairness and for enabling the data subjects to exercise control over their personal data.
The IDPC confirms that the controller did not inform the affected data subjects in the manner prescribed by the GDPR, thus infringing Article 14 GDPR.
Obligation to notify the data breach (Articles 33 and 34)
The IDPC considers that there was a high risk for individuals, considering the following elements:
- sensitive data was involved
- the breach affected a large volume of data
- the risk of harm for individuals
- the ease of identification of individuals
- the severity of the consequences for the affected individuals
- the number of affected individuals
Therefore, the controller should have:
- notified the IDPC no later than 72 hours after becoming aware of the breach, and
- communicated the breach to the data subjects.
No exception to the obligation to notify the DPA and the data subjects was applicable.
On the technical and organisational measures
According to Article 32(1) of the Regulation, controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Article 32(1) of the Regulation provides a non-exhaustive list of such measures.
The detailed report of the auditor concluded that technical measures were lacking, especially considering the nature of the data and the risk involved.
The IDPC also took into account the large-scale nature of the database, and the fact that the data at stake was matched or combined with other data.
The IDPC considers that the controller did not even evaluate the risk at stake and the impact of the processing activities. It was therefore impossible to manage a risk that had not previously been identified.
Therefore, the controller did not implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk and violated Article 32 GDPR.
On the corrective measures
Based on the criteria of Article 83 GDPR, the IDPC decided to impose a fine of 65000 euros on C-Planet, and ordered the controller to erase with immediate effect the personal data contained in the database file stored on the compromised server and to provide the Commissioner with evidence thereof.
Comment
noyb filed a complaint on the same matter and was notified of the decision in this context.
It is still surprising that:
- noyb was never heard during the procedure. Only C-PLANET and the "third party" (probably the "Labour Party") could share their submissions; noyb could neither send further submissions on the case nor access the file.
- The IDPC decided that C-PLANET was the only controller (and not the "third party") and was therefore the only entity responsible for the breach and the processing.
- It was never determined by the IDPC where the data were collected in the first place, even though it is recognised that the data were not available to the public.
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
In April 2020, the Commissioner was informed about a security incident encountered by C-Planet (IT Solutions) Limited and an investigation was immediately initiated pursuant to article 58 of the General Data Protection Regulation. Following a thorough technical and legal analysis of the case, in the context of which the Commissioner duly assessed the evidence gathered during the course of the investigation, it was established that C-Planet, in its capacity as controller, was processing the personal and special categories of data that were impacted by the breach in violation of articles 6(1), 9(1) and (2), 14 and 5(1)(f) of the Regulation. The Commissioner further concluded that C-Planet failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This led to the incident materialising. Additionally, the Commissioner established that the controller failed to notify the personal data breach to his office within the deadline stipulated by law and to communicate the same to the affected data subjects. In his legally-binding decision, the Commissioner considered the gravity and nature of the infringements, the fact that the controller is a microenterprise and its annual turnover, and consequently imposed an effective, proportionate and dissuasive administrative fine of sixty-five thousand Euro (€65,000.00). Further to that, the Commissioner ordered C-Planet to erase the personal data which had been processed in an unlawful manner. C-Planet has cooperated fully with this Office during the course of the entire investigation.