IDPC (Malta) - CPD/COMP/282/2024
| IDPC - CPD/COMP/282/2024 | |
|---|---|
| Authority: | IDPC (Malta) |
| Jurisdiction: | Malta |
| Relevant Law: | Article 5(1)(a) GDPR, Article 5(1)(d) GDPR, Article 6(1) GDPR, Article 14 GDPR, Article 16 GDPR, Article 37(1)(c) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 07.04.2025 |
| Fine: | 20,000 EUR |
| Parties: | An unnamed health care provider |
| National Case Number/Name: | CPD/COMP/282/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | IDPC (in EN) |
| Initial Contributor: | cci |
The DPA fined a health care provider €20,000 for unlawfully collecting a patient’s address from the electoral registry and for failing to update it despite the data subject’s requests, which led to medical examination results being sent to an outdated address.
English Summary
Facts
In 2024 a patient (the data subject) contacted a health care provider (the controller) in order to undergo a medical examination. In this context, she provided the controller with her residential address.
The data subject later realized that the controller stored and processed a different address. Specifically, the controller processed the data subject’s older address, which was outdated by almost 20 years and which she had never provided to the controller. The data subject asked the controller how it had collected her outdated home address. The controller replied that it had collected it from the database of the hospital where it provided its services.
Furthermore, the data subject repeatedly requested the controller to rectify her personal data. The controller failed to do so. As a result, the controller later sent the results of the data subject's medical examination to the outdated address.
The data subject later filed a complaint with the DPA. The DPA's investigation revealed that the controller actually collected the data subject’s address from the Electoral Register (and provided the data subject with incorrect information in this regard). The DPA also found that the controller did not appoint a DPO.
Holding
The DPA held that the controller collected the data subject’s personal data from the Electoral Register without a legal basis and without providing information to the data subject. Therefore, the controller violated Articles 5(1)(a), 6(1), and 14 GDPR. In this regard, the DPA pointed out that controllers need a legal basis to collect personal data from the Electoral Register, even though the Register is public.
Additionally, the DPA found that the controller violated Articles 5(1)(d) and 16 GDPR, by failing to grant the data subject’s request for rectification, and by failing to take reasonable steps to keep the data subject’s address up to date.
Finally, the DPA held that the controller violated Article 37(1)(c) GDPR by failing to appoint a DPO, as required under the GDPR when processing health data on a large scale.
The DPA fined the controller for a total of €20,000:
- €12,500 for violating Articles 5(1)(a), 6(1), and 14(2)(f) GDPR;
- €2,500 for violating Article 16 GDPR;
- and €2,500 for violating Article 37 GDPR.
Additionally, the DPA ordered the controller to rectify the data subject’s address, to erase all personal data unlawfully collected from the Electoral Register, and to appoint a DPO.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Complaint regarding the unlawful processing and disclosure of personal data

07 April 2025

The Commissioner received a complaint regarding the unlawful processing and disclosure of personal data by the controller. The complainant alleged that the controller failed to update her residential address, resulting in the disclosure of her sensitive health data to third parties. She also questioned how the controller accessed her personal data despite having no prior relationship with her.

Following an investigation, the Commissioner found that the controller had collected and processed the complainant’s personal data from the Electoral Register without a legal basis and without informing her of its source, violating article 5(1)(a), article 6(1) and article 14 GDPR. Additionally, despite multiple notifications, the controller failed to rectify the complainant’s personal data, breaching article 16 GDPR. It also neglected to take reasonable steps to ensure the accuracy of the data, as required under article 5(1)(d) GDPR. Furthermore, as a healthcare provider processing large-scale special category data, the controller was obligated to appoint a Data Protection Officer under article 37(1)(c) GDPR but failed to do so.

In light of these findings, the Commissioner issued a reprimand pursuant to article 58(2)(b) GDPR, for the unlawful processing of personal data obtained from a publicly available source, the failure to rectify inaccurate data in a timely manner and failure to take every reasonable step to ensure compliance with the accuracy principle, and the lack of compliance with the requirement to appoint a Data Protection Officer. Furthermore, the Commissioner issued corrective measures under article 58(2)(d) GDPR, ordering the controller to rectify the complainant’s personal data without undue delay, to erase all personal data that had been unlawfully obtained from the Electoral Register and to appoint a Data Protection Officer in line with GDPR obligations.

Additionally, the Commissioner imposed three administrative fines under article 58(2)(i) GDPR, amounting to a total of €20,000. Specifically, a fine of €12,500 was issued for the breach of article 5(1)(a), article 6(1) and article 14; a fine of €5,000 was imposed for the violation of article 16 GDPR; and a further fine of €2,500 for the failure to appoint a Data Protection Officer as required under article 37(1)(c) GDPR.