Latest revision as of 12:13, 24 March 2022

IDPC (Malta) - CDP/DBN/31/2020
Authority: IDPC (Malta)
Jurisdiction: Malta
Relevant Law: Article 5(1)(f) GDPR; Article 6(1) GDPR; Article 9(1) GDPR; Article 9(2) GDPR; Article 14 GDPR; Article 32 GDPR; Article 33 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 17.01.2022
Published: 17.01.2022
Fine: 65000 EUR
Parties: C-PLANET
National Case Number/Name: CDP/DBN/31/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: IDPC (in EN)
Initial Contributor: n/a

The Maltese DPA imposed a fine of €65,000 on the IT company C-Planet for not notifying a data breach and not implementing appropriate technical measures to prevent the breach in violation of Article 5(1)(f), Article 33 and Article 34 GDPR. The data breach also revealed that personal and special categories of data were processed without a proper legal basis under Article 6 and Article 9 GDPR, and that the information required under Article 14 GDPR was not provided to the data subjects.

English Summary

Facts

On 1 April 2020, the media reported an alleged personal data breach suffered by C-PLANET, wherein a database containing the personal data of Maltese voters had been exposed.

The media reported that the political opinions of 335,000 voters had been exposed.

The Maltese DPA (IDPC) opened an ex officio investigation, and noyb filed a complaint on behalf of several Maltese citizens on 12 November 2020.

Holding

On the controllership

The IDPC concluded that C-Planet was the controller of the database, considering that no factual elements could substantiate the view of C-PLANET that a third party (name redacted) was the controller of this specific database.

On the lawfulness of the processing

The IDPC concluded that although some of the data was collected from the Electoral Register, a proper legal basis under Article 6(1) GDPR was still needed in this case, which also stems from Article 5(1)(b) GDPR.

The IDPC also considered the processed personal data which was not publicly available such as data subjects' ballot box number, voting document number, district, date of birth, phone number and sex. According to the General Elections Act, this data is only made available to political parties. The Electoral Commission confirmed that this data was not made available to the party delegates mentioned in the investigation.

Finally, a reference was made to special categories of data, since the database contained numerical identifiers from 1 to 4, which the IDPC confirmed to be referring to the political opinions of the data subjects. This category, which was not processed by the Electoral Commission, is subject to particular protection under Article 9(1) GDPR. The IDPC confirmed that none of the exceptions under Article 9(2) GDPR were applicable to lawfully process this data. This therefore amounted to a violation of Article 9(1).

Obligation to provide information to the data subjects

The IDPC established that Article 14 GDPR was particularly relevant, since the data was obtained from third party sources. In this regard, the controller is obliged to inform the data subjects of the details of the processing operations, which is an essential condition for ensuring the transparency and fairness of the processing, as well as enabling the data subjects to exercise control over their personal data. The IDPC confirmed that the controller did not inform the affected data subjects in the manner prescribed by Article 14 GDPR, and hence violated this provision.

Obligation to notify the data breach (Article 33 and Article 34 GDPR)

The IDPC considered that the breach entailed a high risk for individuals considering the following elements: the sensitivity of the data involved, the large volume of data within the breach, the risk of harm for individuals, the ease with which individuals could be identified, the severity of consequences for the affected individuals, and the number of affected individuals.

Therefore, the IDPC held that the controller should have notified the IDPC no later than 72 hours after becoming aware of the breach, and should also have communicated the breach to the data subjects, as no exception to these obligations was applicable, thus violating Article 33 and Article 34 GDPR.

On the technical and organisational measures

According to Article 32(1) GDPR, controllers and processors should implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Article 32(1) also provides a non-exhaustive list of such measures. A detailed report by an auditor concluded that technical measures were lacking, especially considering the nature of the data and the risk involved.

The IDPC also took into account the large-scale nature of the database, and the fact that the data at stake was matched or combined with other data. The IDPC noted that the controller did not even evaluate the risk at stake and the impact of the processing activities, and hence made it impossible for them to manage a risk that had not even been previously identified. Therefore, the IDPC held that the controller violated Article 32 GDPR by not implementing the appropriate technical and organisational measures to ensure a level of security appropriate to the risks involved.

On the corrective measure

Based on the criteria of Article 83 GDPR, the IDPC decided to impose a fine of €65,000 against C-Planet, and ordered the controller to erase the personal data contained in the database file stored on the compromised server with immediate effect, and provide the IDPC with evidence thereof.

Comment

noyb filed a complaint on this case, and was notified of the decision in this context. It is noteworthy that noyb was never heard during the procedure. Only C-PLANET and the "third party" (probably the "Labour Party") were able to share their submissions. noyb, on the other hand, could not send any further submissions on the case, nor was it able to have access to the file.

Additionally, the IDPC decided that C-PLANET was the only controller (and not the "third party") and therefore was the only entity responsible for the breach and the processing. However, the IDPC never determined where the data was collected in the first place, even though it recognised that some of the data was not available to the public.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

In April 2020, the Commissioner was informed about a security incident encountered by C-Planet (IT Solutions) Limited and an investigation was immediately initiated pursuant to article 58 of the General Data Protection Regulation.
Following a thorough technical and legal analysis of the case, in the context of which, the Commissioner duly assessed the evidence gathered during the course of investigation, it was established that C-Planet, in its capacity as controller, was processing the personal and special categories of data, that were impacted by the breach, in violation of articles 6(1), 9(1) and (2), 14 and 5(1)(f) of the Regulation.
The Commissioner further concluded that C-Planet failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This led to the incident materialising. Additionally, the Commissioner established that the controller failed to notify the personal data breach to his office within the deadline stipulated by law and to communicate the same to the affected data subjects.
In his legally-binding decision, the Commissioner considered the gravity and nature of the infringements, the fact that the controller is a microenterprise and its annual turnover, and consequently, imposed an effective, proportionate, and dissuasive administrative fine of sixty-five thousand Euro (€65,000.00). Further to that, the Commissioner ordered C-Planet to erase the personal data which had been processed in an unlawful manner.
C-Planet has cooperated fully with this Office during the course of the entire investigation.