IDPC (Malta) - CPD/COMP/280/2023
From GDPRhub
| IDPC - CPD/COMP/280/2023 | |
|---|---|
 | |
| Authority: | IDPC (Malta) |
| Jurisdiction: | Malta |
| Relevant Law: | Article 5(1)(f) GDPR Article 32(1)(b) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 01.03.2023 |
| Decided: | 24.07.2023 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | CPD/COMP/280/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | IDPC (in EN) |
| Initial Contributor: | nho23 |
The Maltese DPA decided that a controller, sending personal schoolwork to a data subject's personal email adress with other people in the "cc", is an infringement of Article 5(1)(f) and 32(1)(b) GDPR.
English Summary
Facts
A data subject filed a complaint with the Maltese DPA because a lecturer (working for the controller) sent personal school materials via the data subject's personal email address. The emails sent by the controller to the data subject included colleagues of the data subject in the "cc". Thus, the personal email address of the data subject was disclosed to unauthorized third parties.
Because of this, the data subject requested the controller to use "bcc" when sending her personal emails. The controller stated that this was not possible because their way of communication was by group. The controller instead requested the data subject to provide them with an alternative email address.
Holding
The DPA mentioned that a person's email address, that consists of one's first and surname, constitutes personal data according to Article 4(1) GDPR. Therefore, the controller is subject to Article 5(2) GDPR and has to demonstrate and be responsible for compliance with GDPR provisions. The controller has to ensure appropriate safeguards according to Article 5(1)(f) GDPR. This is further regulated in Article 32(1) GDPR. The controller did not prove that they implemented appropriate safeguarding measures, only saying that it is not possible. The DPA held that the controller's processing constitutes an infringement of Article 32 (1)(b) GDPR.
Therefore, the DPA upheld the data subject's claim.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Information and Data Protection Commissioner
CDP/COMP/280/2023
VS
COMPLAINT
1. On the 1" March 2023, (the "complainant") lodged a complaint with the
Information and Data Protection Commissioner (the "Commissioner") pursuant to article
77(1) of the General Data Protection Regulation' (the "Regulation"), alleging that a lecturer
working for (the "controller" or the
64 .") continued to send Microsoft Teams' links and classwork on her personal email
address, without using the 'blind carbon copy', and as a result, disclosed her email address to
unauthorised third parties.
INVESTIGATION
Request for submissions
2. Pursuant to article 58(1)(a) of the Regulation, the Commissioner provided with a copy
of the complaint, including the documentation attached thereto, and requested it to put forward
its submissions in order to defend itself against the allegations raised by the complainant. By
means of an email dated 12th April 2023, submitted the following principal arguments
for the Commissioner to consider in his legal analysis of the case:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
of natural persons with regard to the processing of personal data and on the free movement of such data, and
repealing Directive 95/46/EC (General Data Protection Regulation).
Page 1 of 6
�
idpc.
i. that in an email dated 28' February 2023 sent to the controller, the complainant noted
that she had two lectures, one on Monday and the other on Wednesday, during which
the lecturer teaching her on Wednesdays consistently sent personal emails, including
all other group colleagues in 'CC '. The complainant expressed her concern that this
practice amounted to a data breach, stating that there should be a method to send
Microsoft Teams' links and information without divulging personal email addresses;
ii. that on the same day, the complainant sent another email to 's general email
address , wherein she informed that "Non-
users are now using this as a thread with all in copy to my personal email. I
did not consent for my personal details to be used in this way. Can this practice please
be reviewed?". Moreover, in this email, she attached a list of her colleagues' emails as
evidence to substantiate her claim;
iii. that the complainant also attached a reply (dated 22nd February 2023) that she received
from her lecturer on this subject, stating that "I am very sorry but the way we send
communication is as a group. Kindly send email that we can use in the group to
admin explaining the situation";
iv. that the complainant's lecturer a part-timer at , with an eight-week contract to
teach , and she admitted to being fully aware of the ' Data
Protection Policy & Procedure;
v. that the lecturer confirmed the following points:
▪ that the complainant, along with all other class colleagues, were informed prior
to their registration for the course that Microsoft Teams served as the designated
learning-teaching platform;
■ that the lecturer requested the complainant to provide an alternative email, she
failed to do so;
■ that Microsoft Teams was the designated platform for this module, which was
adopted during the Covid era when learning shifted from face-to-face to online,
and therefore all the participants' emails were required for communication
purposes. Technically, the system could not be altered or modified as it
Page 2 of 6
�
idpc.
constitutes an integral part of Microsoft Teams. It was further noted that the
Director for Student Services also corroborated all the aforementioned
testimonies.
3. In line with the Commissioner's complaint-handling procedure, on the l 9th April 2023, the
Commissioner provided the complainant with the opportunity to rebut the arguments made by
the controller. On the same day, the complainant rebutted the arguments made by the controller
and submitted the following salient points:
that the complainant upheld that "[m]y complaint isn't about teams as I log in with the
email provided by
ii. that "[m]y complaint is the fact that lecture material was distributed via my personal email
through cc. I had requested bcc as I didn't want my email shared with the people on the
course, and it was not just limited to my group-.
LEGAL ANALYSIS AND DECISION
4. During the course of the investigation, the Commissioner established that 's lecturer
sent various school-related emails to various recipients using the 'to' field instead of the 'blind
carbon copy' field. The complainant's personal email address was included in this
communication and, as a result, disclosed to the other recipients.
5. The Commissioner notes that an email address which contains the name and surname' of a
natural personal constitutes "personal data" within the meaning of article 4(1)3 of the
Regulation. In this context, recital 26 of the Regulation states that a person may still be
identifiable after taking into account "all the means reasonably likely to be used, such as
singling out, either by the controller or by another person to identify the natural person
directly or indirectly" [emphasis has been added].
2 This has been confirmed by the Court of Appeal in Doreen Camilleri vs Kummissarju ghall-lnformazzjoni u l-Protezzjoni
tad-Data, Appeal No. 63/17.
3 Article 4(1) of the Regulation defines 'personal data' as any information relating to an identified or identifiable natural
person ('data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors
specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;'
Page 3 of 6
�
id c.•-11.11.11 we eraLL
6. Accordingly, the controller is obliged to ensure that its processing activities are carried out in a
manner that ensure appropriate security of the personal data, including protection against
unauthorised disclosure of, or access to, personal data. By virtue of the principle of
accountability held under article 5(2) of the Regulation, the controller is responsible for, and
must be able to demonstrate compliance with the principles of data processing, specifically the
principle of integrity and confidentiality pursuant to article 5(1)(0 thereof.
7. The principle of integrity and confidentiality is further reflected in article 32(1) of the
Regulation, which is more prescriptive and sets out the obligations to which the controller is
subject, in terms of data security. In this respect, article 32(1) of the Regulation obliges the
controller to implement appropriate technical and organisational measures to ensure a level of
security appropriate to the risk, taking into account the state of the art, the costs of
implementation and the nature, scope, context and purposes of processing as well as the risk of
varying likelihood and severity for the rights and freedoms of natural persons.
8. The Commissioner stresses that the controller should select the appropriate security measures
which are necessary to effectively protect the personal data prior to the processing activity.
This, therefore, obliges the controller to put in place proactive measures to ensure compliance
with the provisions of the Regulation.
9. The obligation of personal data security should therefore be construed as an obligation to
guarantee a "level of security appropriate to the risk". In this aspect, article 32(2) of the
Regulation stipulates that "in assessing the appropriate level of security account shall be taken
in particular of the risks that are presented by processing, in particular from accidental or
unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data
transmitted, stored or otherwise processed".
10. After thoroughly examining the submissions furnished by the controller, particularly those
presented on the 12' April 2023, wherein it was stated that, "I am very sorry but the way we
send communication is as a group", and taking into account the surrounding circumstances that
led to the unauthorised disclosure of the complainant's personal data, the Commissioner
determined that the controller did not adequately prove that it had implemented the appropriate
technical and organisational measures to ensure a level of security appropriate to the risk.
Page 4 of 6
�
idpc.
In light of the foregoing, the Commissioner hereby decides that the controller infringed article
32(1)(b) of the Regulation, when it failed to implement the appropriate technical and
organisational measures to ensure the ongoing confidentiality of the complainant's personal data,
including the principle of integrity and confidentiality pursuant to article 5(1)(f) of the
Regulation.
In terms of article 58(2)(d) of the Regulation, the controller is hereby being ordered to implement
the appropriate technical and organisational measures to ensure the ongoing confidentiality of
the processing of personal data when sending bulk emails to multiple recipients.
Furthermore, the controller is being advised that school-related emails should be sent to the email
address provided by , unless the controller obtains written consent, by virtue of which
they assent to the use of their private email for such purposes.
Digitally signed
Ian by Ian DEGUARA
DEGUARA (Signature)
(Signature) 1D3a .t0e5: 25 09 2+30. 0270. 204:
Ian Deguara
Information and Data Protection Commissioner
Page 5 of 6
