IDPC (Malta) - CDP/DBN/31/2020
| IDPC (Malta) - CDP/DBN/31/2020 | |
|---|---|
| Authority: | IDPC (Malta) |
| Jurisdiction: | Malta |
| Relevant Law: | Article 5(1)(f) GDPR, Article 6(1) GDPR, Article 9(1) GDPR, Article 9(2) GDPR, Article 14 GDPR, Article 32 GDPR, Article 33 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 17.01.2022 |
| Published: | 17.01.2022 |
| Fine: | 65000 EUR |
| Parties: | C-PLANET |
| National Case Number/Name: | CDP/DBN/31/2020 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | IDPC (in EN) |
| Initial Contributor: | n/a |
The Maltese DPA imposed a fine of €65,000 on the IT company C-Planet for not notifying the DPA of a data breach and not implementing appropriate technical measures to prevent the breach in violation of Article 5(1)(f), Article 33 and Article 34 GDPR. The data breach also revealed that personal and special categories of data were processed without a proper legal basis under Article 6 and Article 9 GDPR, and that the information required under Article 14 GDPR was not provided to the data subjects.
English Summary
Facts
On 1 April 2020, the media reported an alleged personal data breach suffered by C-PLANET, wherein a database containing the personal data of Maltese voters had been exposed.
The media reported that the political opinions of 335,000 voters had been exposed.
The IDPC opened an ex officio investigation, and noyb filed a complaint on behalf of several Maltese citizens on 12 November 2020.
Holding
On the controllership
The IDPC concluded that C-Planet was the controller of the database, since no factual elements substantiated C-PLANET's view that a third party (name redacted) was the controller of this specific database.
On the lawfulness of the processing
1. Publicly available data
The IDPC concluded that although these data were collected from the Electoral Register, a proper legal basis under Article 6(1) GDPR was still needed in this case, which also stems from Article 5(1)(b) GDPR.
2. Personal data that is not publicly available
The second group of data relates to data subjects' ballot box number, voting document number, district, date of birth, phone number and sex.
According to the General Elections Act, this data is only made available to political parties. The Electoral Commission confirmed that this data was not made available to the party delegates mentioned in the investigation.
3. Special categories of data
This category of data is not processed by the Electoral Commission. The database contains numerals from 1 to 4, which the IDPC confirmed referred to the political opinions of the data subjects.
This data is subject to particular protection under Article 9(1) GDPR. The IDPC confirmed that none of the exceptions under Article 9(2) GDPR were applicable to lawfully process this data, therefore violating the aforementioned Article 9(1).
Obligation to provide information to the data subjects
The IDPC established that Article 14 GDPR was particularly relevant, since the data was obtained from third party sources. In this regard, the controller is obliged to inform the data subjects of the details of the processing operations, which is a condition sine qua non for ensuring the transparency and fairness of the processing, as well as enabling the data subjects to exercise control over their personal data.
The IDPC confirmed that the controller did not inform the affected data subjects in the manner prescribed by Article 14 GDPR, and hence violated this provision.
Obligation to notify the data breach (Article 33 and Article 34 GDPR)
The IDPC considered that the breach entailed a high risk for individuals considering the following elements:
- sensitive data was involved
- the breach affected a large volume of data
- the risk of harm for individuals
- ease of identification of individuals
- the severity of consequences for the affected individuals
- number of affected individuals
Therefore, the IDPC held that the controller should have notified the IDPC no later than 72 hours after becoming aware of the breach, and should also have communicated the breach to the data subjects, as no exception to these obligations was applicable; the controller therefore violated Article 33 and Article 34 GDPR.
On the technical and organisational measures
According to Article 32(1) GDPR, controllers and processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons; the provision also gives a non-exhaustive list of such measures. A detailed report by an auditor concluded that technical measures were lacking, especially considering the nature of the data and the risk involved.
The IDPC also took into account the large-scale nature of the database and the fact that the data at stake was matched or combined with other data. The IDPC noted that the controller had not even evaluated the risk at stake and the impact of the processing activities, which made it impossible to manage a risk that had never been identified. Therefore, the IDPC held that the controller violated Article 32 GDPR by not implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risks involved.
On the corrective measure
Based on the criteria of Article 83 GDPR, the IDPC decided to impose a fine of €65,000 against C-Planet, and ordered the controller to erase the personal data contained in the database file stored on the compromised server with immediate effect, and provide the IDPC with evidence thereof.
Comment
noyb filed a complaint on this case, and was notified of the decision in this context.
It is surprising that:
- noyb was never heard during the procedure. Only C-PLANET and the "third party" (probably the "Labour Party") were able to share their submissions, while noyb could not send any further submissions on the case, nor was it able to have access to the file.
- The IDPC decided that C-PLANET was the only controller (and not the "third party") and therefore was the only entity responsible for the breach and the processing.
- The IDPC never determined where the data was collected in the first place, even though it recognized that some of the data was not available to the public.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
In April 2020, the Commissioner was informed about a security incident encountered by C-Planet (IT Solutions) Limited and an investigation was immediately initiated pursuant to article 58 of the General Data Protection Regulation. Following a thorough technical and legal analysis of the case, in the context of which the Commissioner duly assessed the evidence gathered during the course of the investigation, it was established that C-Planet, in its capacity as controller, was processing the personal and special categories of data that were impacted by the breach in violation of articles 6(1), 9(1) and (2), 14 and 5(1)(f) of the Regulation. The Commissioner further concluded that C-Planet failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This led to the incident materialising. Additionally, the Commissioner established that the controller failed to notify the personal data breach to his office within the deadline stipulated by law and to communicate the same to the affected data subjects. In his legally-binding decision, the Commissioner considered the gravity and nature of the infringements, the fact that the controller is a microenterprise and its annual turnover, and consequently imposed an effective, proportionate and dissuasive administrative fine of sixty-five thousand Euro (€65,000.00). Further to that, the Commissioner ordered C-Planet to erase the personal data which had been processed in an unlawful manner. C-Planet has cooperated fully with this Office during the course of the entire investigation.