IDPC (Malta) - COMP/138/2022

From GDPRhub
IDPC - COMP/138/2022
Authority: IDPC (Malta)
Jurisdiction: Malta
Relevant Law: Article 15(1) GDPR
Article 15(3) GDPR
Type: Complaint
Outcome: Upheld
Started: 29.04.2022
Decided: 16.05.2023
Published: 17.05.2023
Fine: n/a
Parties: C-Planet
National Case Number/Name: COMP/138/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: IDPC (in EN)
Initial Contributor: Bernardo Armentano

Following a complaint by noyb, the Maltese DPA ordered C-Planet to comply with an access request and to inform about the source of the personal data. In the case at hand the data had been exposed in a breach involving the political opinions of 335,000 voters on the island.

English Summary


In April 2020, after being notified by the IT company C-Planet (the controller), the Maltese DPA opened an ex officio investigation into the a personal data breach of approximately 335,000 eligible voters on the island. That same year, noyb filed a complaint on behalf of several data subjects affected by the data breach (CDP/DBN/31/2020). Following this complaint, the DPA ruled that C-Planet, in its capacity as controller, infringed several provisions of the GDPR.

In particular, the DPA found that: a) the processing of personal data, including special categories, lacked a legal basis, in breach of Articles 6(1) and 9(1) GDPR; b) the controller failed to adequately inform data subjects about the processing of their data, in violation of Article 14 GDPR; c) the controller failed to notify the DPA within 72 hours, in violation of Articles 33; d) the controller failed to implement sufficient technical and organisational measures to ensure a level of security appropriate to the risks involved, violating Article 32 GDPR.

In January 2022, noyb, on behalf of a data subject, request access to personal data, asking the controller to inform what personal data it held and what was the source of these data, pursuant to Article 15(1)(g) GDPR. In response, the controller stated that it was no longer in possession of the leaked data, which was now with the Maltese Police and DPA. Furthermore, it invoked Article 23 GDPR to limit the data subject's right to access on the grounds that there was an ongoing criminal investigation and civil action.

In April 2022, noyb filed the present complaint (COMP/138/2022), claiming that the controller refused to inform that data subject about the source of the data it processed without having collected it directly from them. According to noyb, the controller violated Article 15 GDPR. In the procedure before the DPA, the controller maintained its position.


Initially, the DPA emphasized that it had already been well established in its previous decision that C-Planet acted in its capacity of a controller within the meaning of article 4(7) GDPR in relation to the personal data breach. Moreover, it highlighted that it is the controller and not the processor who can invoke Article 23 GDPR to restrict a data protection right. The DPA found that, by invoking this article, C-Planet acknowledges being the controller and admits to still being in possession of the data, as it would not be possible to restrict the right of access to data that it does not have.

Then, the DPA clarified that Article 15 GDPR must be interpreted in light of the fundamental right guaranteed by the Charter, in connection with the spirit and scope of the law, which are specifically intended to provide a high level of protection of personal data. It referred to CJEU case-law to point out that the aim of this provision is to ensure transparency and, thus, allow data subjects to exercise their rights. Therefore, it stated that the controller should provide a copy of the personal data it held, including any information in relation to the source of these data.

Finally, the DPA recognized that data protection is not an absolute right. However, in accordance with CJEU case-law, limitations to this fundamental right must be provided for by law, respect the essence of rights and freedoms, and be necessary and proportionate to genuinely satisfy objectives of general interest or the need to protect the rights and freedoms from others. Pursuant to Article 5(2) GDPR, the controller must provide concrete reasons for restricting a fundamental right (in the case at hand, denying access to a data subject). In present case, the DPA found that the controller only referred to criminal investigations and pending legal proceedings, without specifying the reasons why the disclosure of personal data would jeopardize them. For this reason, the DPA concluded that the restrictions invoked by the controller did not respect the essence of the fundamental rights and freedoms of the data subject and do not constitute a necessary and proportionate measure.

On the basis of the foregoing considerations, the DPA held that the controller infringed Articles 15(1) and 15(3) GDPR by failing to provide the data subject with a copy of her personal data. As a result, it issued a reprimand and ordered the controller to fully comply with the request under penalty of being fined.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

File history
Click on a date/time to view the file as it appeared at that time.
current11:33, 17 May 2023 (371 KB)Ba (talk | contribs)
You cannot overwrite this file.File usage
There are no pages that use this file.