IDPC (Malta) - COMP/138/2022: Difference between revisions

From GDPRhub
Revision as of 15:52, 17 May 2023

IDPC - COMP/138/2022
Authority: IDPC (Malta)
Jurisdiction: Malta
Relevant Law: Article 15(1) GDPR; Article 15(3) GDPR
Type: Complaint
Outcome: Upheld
Started: 29.04.2022
Decided: 16.05.2023
Published: 17.05.2023
Fine: n/a
Parties: C-Planet
National Case Number/Name: COMP/138/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: IDPC (in EN)
Initial Contributor: Bernardo Armentano

English Summary

Facts

In April 2020, after being notified by the IT company C-Planet, the Maltese DPA opened an ex officio investigation into the leakage of personal data of approximately 335,000 eligible voters on the island. That same year, noyb filed a complaint on behalf of several data subjects affected by the leak (CDP/DBN/31/2020). Following this complaint, the DPA ruled that C-Planet, in its capacity as controller, infringed several provisions of the GDPR.

In particular, the DPA found that: a) the processing of personal data, including special categories, lacked a legal basis, in breach of Articles 6(1) and 9(1) GDPR; b) the controller failed to adequately inform data subjects about the processing of their data, in violation of Article 14 GDPR; c) the controller failed to notify the DPA within 72 hours, in violation of Articles 33 and 34 GDPR; d) the controller failed to implement sufficient technical and organisational measures to ensure a level of security appropriate to the risks involved, in violation of Article 32 GDPR.

In January 2022, noyb exercised the right of access on behalf of a data subject, asking the controller to state what personal data it held and what the source of these data was, pursuant to Article 15(1)(g) GDPR. In response, the controller stated that all leaked data was in the possession of the Maltese police and the DPA. Furthermore, it invoked Article 23 GDPR to limit the data subject's right of access on the grounds that there was an ongoing criminal investigation and civil action.

In April 2022, noyb filed a second complaint (COMP/138/2022), claiming that the controller had refused to inform the data subject about the source of the data it processed, which it had not collected directly from her, violating Articles 15 and 15(1) GDPR. In the procedure before the DPA, the controller maintained its position.

Holding

Initially, the DPA emphasized that it had already been well established that C-Planet acted in its capacity as a controller within the meaning of Article 4(7) GDPR in relation to the leaked personal data. Furthermore, it highlighted that it is the controller, and not the processor, who can invoke Article 23 GDPR to restrict a data protection right. Similarly, the DPA understood that the controller, by invoking this article, admitted that it was still in possession of the data, since it would not be possible to restrict the right of access to data that it does not have.

Then, the DPA clarified that Article 15 GDPR must be interpreted in light of the fundamental right guaranteed by the Charter, in connection with the spirit and scope of the law, which are specifically intended to provide a high level of protection of personal data. In this sense, CJEU case-law established that this provision is intended to ensure transparency, thereby enabling data subjects to exercise their rights. Therefore, it stated that the controller should provide a copy of the personal data it held, including any information in relation to the source of these data.

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.
