Political data breach in Malta: C-Planet refuses right to access and information
Today, noyb filed a second complaint before the Information & Data Protection Commissioner (IDPC) against the Maltese IT company C-Planet. In January, the company received a €65 000 fine from the IDPC for the illegal collection and leak of personal information, including political preferences, on nearly every Maltese voter. However, C-Planet has still not given the name of the person from whom it received the data, and Maltese citizens are still left in the dark about the origin of the collected data. noyb is now explicitly asking the IDPC to order C-Planet to provide information about the original source of the data.
Complaint filed in 2020. In November 2020, noyb filed a complaint against C-Planet IT Solutions, the company responsible for a leaked database of voters’ data in Malta. The leaked personal information included telephone numbers, dates of birth, voting intentions and political leanings of over 330,000 affected individuals.
First decision of the IDPC. In January 2022, the IDPC adopted a decision and concluded that C‑Planet did not implement appropriate security measures to protect the database, and failed to notify the data breach to the IDPC in due time. The IDPC also found that the data were processed without any valid legal basis under the GDPR. Political data is sensitive and can only be processed in very exceptional circumstances under the GDPR. These conditions were not met. For these reasons, the IDPC issued a fine of €65 000 against C-Planet.
Source unknown. C-Planet alleged that the data was provided to them by one of their clients; however, the client in question rejected the allegations. While the name of this client was redacted from the IDPC’s decision, the Times of Malta recently published an article naming Untours, a travel agency owned by the General Workers' Union, as said client. However, according to the decision, C-Planet stated that the actual source of the data was a “specific individual” who no longer works for the client.
“It is astounding that even after a complete investigation by a DPA, a full IT audit of C-Planet, a decision of 84 pages, and 106 complaints, the Maltese citizens are left in the dark regarding the way the data about their political opinions were collected.” – Romain Robert, lawyer at noyb
Data subjects have a right to know the source. After the redacted decision, Maltese voters still do not know who originally compiled their personal and political data and shared it with C-Planet. A data subject subsequently filed an access request asking C-Planet to provide any information on the original source of the data. C-Planet refused to provide an answer. To find out the real source and to uphold Maltese voters’ right of access, noyb filed a second complaint before the IDPC today, demanding that C-Planet disclose the source of the illegally processed voter data.