Data breach in Malta: 65.000 € fine for C-Planet
Following a complaint by noyb, the Information & Data Protection Commissioner (IDPC) imposed a fine of 65 000 € on the IT company C-Planet. The company had illegally collected data of 98% of Maltese voters, including political preferences and failed to take appropriate data-protection measures. C-Planet notified neither the users nor the data protection authority about the data breach.
Download: Decision of the IDPC against C-PLANET
Complaint filed in 2020. In November 2020, noyb filed a complaint against C-Planet IT Solutions, the company responsible for huge leaked database of voter’s data in Malta. The leaked personal information included telephone numbers, dates of birth and, voting intentions and party leanings of over 330,000 individuals affected.
No lawful basis. The IDPC found that the data were processed without any valid legal basis under Article 6 and 9 GDPR. The decision Commissioner concluded that the numerical identifier in the database referred to the political opinions of the affected data subjects. This category of data is sensitive and can only be processed in very exceptional circumstances under the GDPR. These conditions were not met.
Data-source unknown. C-Planet alleged that the data was provided to them by one of their clients, however, the client in question rejected the allegations. The name of this client was also redacted from the IDPC’s decision that does not determine the origins of the data.
“Whereas the decision shows that the gravity of the case was taken seriously, what is concerning is that we still do not know how and why an IT Company is collecting and storing this type of data. There is no guarantee that this will not happen again.” Romain Robert, program director at noyb.
Guilty negligence. The IDPC concluded that C-Planet had failed to implement technical and organisational measures appropriate to the risk, which led to the data breach. The decision also confirms that C-Planet failed to notify the personal data breach to the IDPC in due time and to inform the affected individuals.
Fine of 65 000 €. The IDPC issued a fine of 65 000 €, taking also into account the potential severe impact on the individuals and the high risk to their rights and freedoms. The IDPC also ordered C-Planet to erase all personal data that was processed unlawfully. A collective action against C-Planet, initiated by the Daphne Foundation and Repubblika, is still ongoing.
“This case shows the importance of data protection for democracy and people’s freedoms. Collecting and processing voting intentions of the population is not only illegal, but also dangerous, especially in times where online political manipulation is such a hot topic.” Romain Robert, program director at noyb.