IDPC (Malta) - CDP/DBN/31/2020: Difference between revisions

From GDPRhub

Revision as of 15:57, 18 January 2022

IDPC (Malta) - CDP/DBN/31/2020
Authority: IDPC (Malta)
Jurisdiction: Malta
Relevant Law: Article 5(1)(f) GDPR; Article 6(1) GDPR; Article 9(1) GDPR; Article 9(2) GDPR; Article 14 GDPR; Article 32 GDPR; Article 33 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 17.01.2022
Published: 17.01.2022
Fine: 65000 EUR
Parties: C-PLANET
National Case Number/Name: CDP/DBN/31/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: IDPC (in EN)
Initial Contributor: n/a

The Maltese DPA imposed a fine of €65,000 on the IT company C-Planet for failing to notify a data breach and for lacking appropriate technical measures, in violation of Article 5(1)(f) GDPR, Article 33 GDPR and Article 34 GDPR. The data breach also revealed that personal data and special categories of data were processed without a proper legal basis under Article 6 GDPR and Article 9 GDPR, and that the information required under Article 14 GDPR was not provided to the data subjects.

English Summary

Facts

On 1 April 2020, the media reported an alleged personal data breach suffered by C-PLANET, in which a database containing the personal data of Maltese voters had been exposed. The media reported that the political opinions of 335,000 voters had been exposed. The IDPC opened an ex officio investigation, and noyb filed a complaint on behalf of several Maltese citizens on 12 November 2020.

Holding

On the controllership

The IDPC concluded that C-Planet was the controller of the database, since no factual elements could substantiate C-PLANET's view that a third party (name redacted) was the controller of this specific database.

On the lawfulness of the processing

1. Publicly available data

The IDPC concluded that although these data were collected from the Electoral Register, a proper legal basis under Article 6(1) GDPR was still needed in this case, which also follows from Article 5(1)(b) GDPR.

2. Personal data that is not publicly available

The second group of data relates to data subjects' ballot box number, voting document number, district, date of birth, phone number and sex.

According to the General Elections Act, this data is only made available to political parties. The Electoral Commission confirmed that this data was not made available to the party delegates mentioned in the investigation.

3. Special categories of data

This category is not processed by the Electoral Commission. The database contains numerals from 1 to 4, which the IDPC confirmed referred to the political opinions of the data subjects.

This data is subject to particular protection under Article 9(1) GDPR. The IDPC confirmed that none of the exceptions under Article 9(2) GDPR applied to lawfully process this data, so the processing violated Article 9(1) GDPR.

Obligation to provide information to the data subjects

The IDPC established that Article 14 GDPR was particularly relevant, since the data was obtained from third-party sources. In this regard, the controller is obliged to inform the data subjects of the details of the processing operations, which is a condition sine qua non for ensuring the transparency and fairness of the processing, as well as for enabling the data subjects to exercise control over their personal data.

The IDPC confirmed that the controller did not inform the affected data subjects in the manner prescribed by Article 14 GDPR, and hence violated this provision.

Obligation to notify the data breach (Article 33 and Article 34 GDPR)

The IDPC considered that the breach entailed a high risk for individuals, taking into account the following elements:

  • sensitive data was involved
  • the breach affected a large volume of data
  • the risk of harm to individuals
  • the ease of identifying individuals
  • the severity of the consequences for the affected individuals
  • the number of affected individuals

Therefore, the IDPC held that the controller should have notified the IDPC no later than 72 hours after becoming aware of the breach, and should also have communicated the breach to the data subjects, as no exception to these obligations was applicable.

On the technical and organisational measures

According to Article 32(1) GDPR, controllers and processors should implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons; the provision also gives a non-exhaustive list of such measures. A detailed report by an auditor concluded that technical measures were lacking, especially considering the nature of the data and the risk involved.

The IDPC also took into account the large-scale nature of the database and the fact that the data at stake was matched or combined with other data. The IDPC noted that the controller had not even evaluated the risk at stake and the impact of the processing activities, which made it impossible for it to manage a risk that had never been identified. Therefore, the IDPC held that the controller violated Article 32 GDPR by not implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risks involved.

On the corrective measure

Based on the criteria of Article 83 GDPR, the IDPC decided to impose a fine of €65,000 against C-Planet, and ordered the controller to erase the personal data contained in the database file stored on the compromised server with immediate effect, and provide the IDPC with evidence thereof.

Comment

noyb filed a complaint on this case, and was notified of the decision in this context.

It is surprising that:

  • noyb was never heard during the procedure. Only C-PLANET and the "third party" (probably the "Labour Party") were able to share their submissions, while noyb could not send any further submissions on the case, nor was it able to have access to the file.
  • The IDPC decided that C-PLANET was the only controller (and not the "third party") and therefore was the only entity responsible for the breach and the processing.
  • The IDPC never determined where the data was collected in the first place, even though it recognised that some of the data was not available to the public.

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

In April 2020, the Commissioner was informed about a security incident encountered by C-Planet (IT Solutions) Limited and an investigation was immediately initiated pursuant to article 58 of the General Data Protection Regulation.
Following a thorough technical and legal analysis of the case, in the context of which the Commissioner duly assessed the evidence gathered during the course of the investigation, it was established that C-Planet, in its capacity as controller, was processing the personal and special categories of data that were impacted by the breach in violation of articles 6(1), 9(1) and (2), 14 and 5(1)(f) of the Regulation.
The Commissioner further concluded that C-Planet failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This led to the incident materialising. Additionally, the Commissioner established that the controller failed to notify the personal data breach to his office within the deadline stipulated by law and to communicate the same to the affected data subjects.
In his legally-binding decision, the Commissioner considered the gravity and nature of the infringements, the fact that the controller is a microenterprise and its annual turnover, and consequently, imposed an effective, proportionate, and dissuasive administrative fine of sixty-five thousand Euro (€65,000.00). Further to that, the Commissioner ordered C-Planet to erase the personal data which had been processed in an unlawful manner.
C-Planet has cooperated fully with this Office during the course of the entire investigation.