IDPC (Malta) - CDP/DBN/31/2020

From GDPRhub
IDPC (Malta) - CDP/DBN/31/2020
Authority: IDPC (Malta)
Jurisdiction: Malta
Relevant Law: Article 5(1)(f) GDPR
Article 6(1) GDPR
Article 9(1) GDPR
Article 9(2) GDPR
Article 14 GDPR
Article 32 GDPR
Article 33 GDPR
Type: Complaint
Outcome: Upheld
Decided: 17.01.2022
Published: 17.01.2022
Fine: 65000 EUR
Parties: C-PLANET
National Case Number/Name: CDP/DBN/31/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: IDPC (in EN)
Initial Contributor: n/a

The Maltese DPA imposed a fine of €65,000 on the IT company C-Planet for not notifying a data breach and not implementing appropriate technical measures to prevent the breach in violation of Article 5(1)(f), Article 33 and Article 34 GDPR. The data breach also revealed that personal and special categories of data were processed without a proper legal basis under Article 6 and Article 9 GDPR, and that the information required under Article 14 GDPR was not provided to the data subjects.

English Summary


On 1 April 2020, the media reported an alleged personal data breach suffered by C-PLANET, wherein a database containing the personal data of Maltese voters had been exposed.

The media reported that the political opinions of 335,000 voters has been exposed.

The Maltese DPA (IDPC) opened an ex officio investigation, and noyb filed a complaint on behalf of several Maltese citizens on 12 November 2020.


On the controllership

The IDPC concluded that C-Planet was the controller of the data base, considering that no factual elements could substantiate the view of C-PLANET that a third party (name redacted) was the controller of this specific database.

On the lawfulness of the processing

The IDPC concluded that although some of the data was collected from the Electoral Register, a proper legal basis under Article 6(1) GDPR was still needed in this case, which also stems from Article 5(1)(b) GDPR.

The IDPC also considered the processed personal data which was not publicly available such as data subjects' ballot box number, voting document number, district, date of birth, phone number and sex. According to the General Elections Act, this data is only made available to political parties. The Electoral Commission confirmed that this data was not made available to the party delegates mentioned in the investigation.

Finally, a reference was made to special categories of data since the database contained numerals identified from 1 to 4, which the IDPC confirmed to be referring to the political opinions of the data subjects. This category, which was not processed by the Electoral Commission, is subject to particular protection under Article 9(1) GDPR. The IDPC confirmed that none of the exceptions under Article 9(2) GDPR were applicable to lawfully process this data. This therefore amounted to a violation of Article 9(1).

Obligation to provide information to the data subjects

The IDPC established that Article 14 GDPR was particularly relevant, since the data was obtained from third party sources. In this regard, the controller is obliged to inform the data subjects of the details of the processing operations, which is an essential condition for ensuring the transparency and fairness of the processing, as well as enabling the data subjects to exercise control over their personal data. The IDPC confirmed that the controller did not inform the affected data subjects in the manner prescribed by Article 14 GDPR, and hence violated this provision.

Obligation to notify the data breach (Article 33 and Article 34 GDPR)

The IDPC considered that the breach entailed a high risk for individuals considering the following elements: the sensitivity of the data involved, the large volume of data within the breach, the risk of harm for individuals, the ease with which individuals could be identified, the severity of consequences for the affected individuals, and the number of affected individuals.

Therefore, the IDPC held that the controller should have notified the IDPC no later than 72 hours after becoming aware of the breach, and should have also communicated the breach to the data subjects, as no exception to these obligations were applicable, therefore violating Article 33 and Article 34 GDPR.

On the technical and organisational measures

According to Article 32(1) GDPR, controllers and processors should implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and a non-exhaustive list of these measures is provided. A detailed report by an auditor concluded that technical measures were lacking, especially considering the nature of the data and the risk involved.

The IDPC also took into account the large-scale nature of the database, and the fact that the data at stake was matched or combined with other data. The IDPC noted that the controller did not even evaluate the risk at stake and the impact of the processing activities, and hence made it impossible for them to manage a risk that had not even been previously identified. Therefore, the IDPC held that the controller violated Article 32 GDPR by not implementing the appropriate technical and organisational measures to ensure a level of security appropriate to the risks involved.

On the corrective measure

Based on the criteria of Article 83 GDPR, the IDPC decided to impose a fine of €65,000 against C-Planet, and ordered the controller to erase the personal data contained in the database file stored on the compromised server with immediate effect, and provide the IDPC with evidence thereof.


noyb filed a complaint on this case, and was notified of the decision in this context. It is noteworthy that noyb was never heard during the procedure. Only C-PLANET and the ”third party” (probably the "Labour Party”) were able to share their submissions. noyb, on the other hand, could not send any further submissions on the case, nor was it able to have access to the file.

Additionally the IPDC decided that C-PLANET was the only controller (and not the "third party") and therefore was the only entity responsible for the breach and the processing. However, the IPDC never determined where the data was collected in the first place, even though it recognized that some of the data was not available to the public.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

In April 2020, the Commissioner was informed about a security incident encountered by C-Planet (IT Solutions) Limited and an investigation was immediately initiated pursuant to article 58 of the General Data Protection Regulation.
Following a thorough technical and legal analysis of the case, in the context of which, the Commissioner duly assessed the evidence gathered during the course of investigation, it was established that C-Planet, in its capacity as controller, was processing the personal and special categories of data, that were impacted by the breach, in violation of articles 6(1), 9(1) and (2), 14 and 5(1)(f) of the Regulation.
The Commissioner further concluded that C-Planet failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk This led to the incident to materialise. Additionally, the Commissioner established that the controller failed to notify the personal data breach to his office within the deadline stipulated by law and to communicate the same to the effected data subjects.
In his legally-binding decision, the Commissioner considered the gravity and nature of the infringements, the fact that the controller is a microenterprise and its annual turnover, and consequently, imposed an effective, proportionate, and dissuasive administrative fine of sixty-five thousand Euro (€65,000.00). Further to that, the Commissioner ordered C-Planet to erase the personal data which had been processed in an unlawful manner.
C-Planet has cooperated fully with this Office during the course of the entire investigation.