IDPC (Malta) - CDP/COMP/344/2022

From GDPRhub
Revision as of 09:56, 13 November 2023 by (talk)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
IDPC - CDP/COMP/344/2022
Authority: IDPC (Malta)
Jurisdiction: Malta
Relevant Law: Article 4(7) GDPR
Article 5(2) GDPR
Article 12(1) GDPR
Article 12(3) GDPR
Article 15(1) GDPR
Article 15(3) GDPR
Article 24(1) GDPR
Article 24(2) GDPR
Article 38(1) GDPR
Article 38(1) GDPR
Article 39(1) GDPR
Type: Complaint
Outcome: Upheld
Fine: 2500 EUR
Parties: n/a
National Case Number/Name: CDP/COMP/344/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: IDPC (in EN)
Initial Contributor: Sainey Belle

The Maltese DPA fined a school €2,500 for failing to respond to an access request within the time frame and having no appropriate internal measures to handle personal data.

English Summary


The complainant submitted an access request under Article 15 GDPR on behalf of her son (the data subject). The data subject attended a school which provides therapy sessions. As part of the curriculum, the therapists would assess the data subject at the beginning of the year and set goals for them. At the end of the year, these goals are reviewed and a report is then created which is stored on the data subjects file.

Intending to access the report, the complainant submitted the access request directly to the therapists. A response was not received from either therapist. Over the next few weeks, the complainant encountered a number of delays from the school, including back and forth emails with the school’s Director, which culminated in the report being provided 5 weeks after the initial request was made.

The following complaints were submitted to the DPA:

  • The data subject request was not adhered to within the 30 day timeframe.
  • The controller’s privacy policy was not easily accessible and contained a number of shortcomings.
  • It was not clear whether the Director was a controller under Article 4(7)GDPR.
  • There is no process outlining how the controller handles data subject rights requests.


The DPA decided that the school (the controller) had failed to adhere to the 30 day deadline. As per the complainant, the request was made on 24.05.2022 to the therapist. The DPA dismissed the controller's argument that the request was made on 10.06.22, which is when the complainant got in touch with the director requesting a follow up. As per the EDPB guidance 01/2022 on the exercise of data subject rights, a controller may not be required to respond to a request made to an employee who is not involved in the processing of requests concerning data subjects if they have clearly provided the data subject with an appropriate communication channel. However, the request is not considered random if they contact an employee who has been assigned to them as their regular contact person, which was the case here.

The DPA agreed that the privacy policy did not contain the minimum information needed under Article 13 GDPR. The policy lacked clarity on the categories of personal data processed, the legal basis or purpose of processing, how a data subject can request access and data retention timelines (the policy only made reference to an internal guideline which was not published on the controllers website).

The DPA held the Director should be considered a controller within the meaning of Article 4(7) GDPR. The DPA analysed the requirements under Article 4(7) GDPR and Article 5(2) GDPR, together with the EDPB guidelines. A specifically appointed natural person (such as a director) is considered to be acting on behalf of the legal entity (the school) which is responsible in case of infringement.

Lastly, there were no internal policies on the appropriate handling of personal data contrary to Article 24(1)-(2) GDPR and Article 32(4) GDPR. The controller did not have an adequate training procedure in place for all employees responsible for handling personal data. Due to the lack of internal processes, the therapists, contrary to Article 38(1) GDPR, failed to involve the DPO in the initial request.

The controller was ordered to revise the data protection policy on its website to be compliant with Article 13 GDPR and establish an internal data protection policy per Article 24 GDPR. The Commissioner also imposed a fine of €50,000 with - with an additional €50 each day for which the violation persists.


This case touches on a lot of important data protection concepts that tend to be overlooked by controllers and processors. Data protection should not be an afterthought, in addition DPOs are not a simple formality - their role is of particular importance to an organisation.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.