IDPC (Malta) - CDP/COMP/577/2023

From GDPRhub
IDPC - CDP/COMP/577/2023
Authority: IDPC (Malta)
Jurisdiction: Malta
Relevant Law: Article 4(1) GDPR
Article 77 GDPR
Type: Complaint
Outcome: Rejected
Fine: n/a
Parties: n/a
National Case Number/Name: CDP/COMP/577/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: IDPC (in EN)
Initial Contributor: Sainey Belle

The Maltese DPA rejected a complaint due to a lack of concrete evidence from the data subject.

English Summary


On the 14th of May 2023 a data subject lodged a complaint with the Maltese DPA. He complained that when terminating his employment, his employer (the controller) accessed his work emails and failed to provide him with a right to clear his mailbox. The data subject highlighted that he had personal documents on the account such as electricity bills.

The controller defended himself against these allegations to the DPA under when given the opportunity under Article 58(1)(a) GDPR. The controller stated that the access to the account had been granted desppite the termination of employment. This access had been granted because the data subject had highlighted the personal documents contained on the account. The controller submitted an email of this grant of access as evidence. The data subject was informed that after he had accessed what he required, the account would be deleted permanently.

The data subject rebutted these claims by only claiming that he was 'suspicious' that the government has already 'snooped' into all his mail.

The controller was given one final chance to rebutt the data subject's arguments. The controller gave evidence that at no point had they accessed the data subject's personal data within his work email. In fact, when they did access it in order to delete it, they noted that everything had already been erased within the account. This fact was confirmed by the data subject himself in an email.


The DPA dismissed the complaint.

As a preliminary point, the DPA noted that the work email account contained the data subjects personal data, as defined in Article 4(1) GDPR. Consequently, processing operations by the contoller must be GDPR compliant.

As to whether the controller accessed the data subject's work account, the DPA noted that the data subject failed to put forward any concrete evidence to support their claim that third parties accessed his mailbox. The Commissioner held here that a mere suspicion that someone has infringed your rights is not enough to lodge a complaint under Article 77 GDPR. Other than the deletion of the account, it cannot be proved that any other person accessed his email accounts.

The DPA analysed the evidence given by the controller. They noted that the data subject himself admitted that he had been given access to delete information on the account.

On the above basis, the Commissioner found no grounds to unequivocally state that the controller infringed the GDPR and dismissed the complaint.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.