On May 16, 2023, the Maltese Office of the Information and Data Protection Commissioner (IDPC) issued a reprimand against C-Planet (IT Solutions) Limited for violation of Article 15(1) and 15(3) of the General Data Protection Regulation (GDPR), following a complaint. 

Background to the decision 

On April 1, 2020, C-Planet notified the IDPC of a data security breach concerning a database that included the personal data of over 335,000 eligible voters. In connection with the incident, a complaint was later lodged before the IDPC by None of your business (NOYB), on behalf of a complainant, alleging that the company had refused to provide the complainant with information on the source of the personal data it processed that had not been collected directly from them. 

Notably, following the breach and notification thereof, the IDPC issued a decision against C-Planet for several violations of the GDPR, which noted that C-Planet was obliged to inform data subjects of its processing activities under Article 14 of the GDPR, including the source from where the personal data originated and whether it came from publicly accessible sources. However, the complainant had never received the aforementioned information. Importantly, the complainant had attempted to exercise their right of access, requesting the above-mentioned information pursuant to Article 15(1)(g) of the GDPR, which C-Planet had refused to facilitate, in reliance on Article 23 of Subsidiary Legislation 586.09 citing the ongoing criminal proceedings with regard to its breach as a justification. C-Planet also argued that it had not been a data controller with regard to the processing of the complainant's personal data, thereby restricting the complainant's right to access.

Findings of the IDPC 

The IDPC stated that C-Planet had incorrectly relied on the Subsidiary Legislation 586.09 to restrict the complainant's right of access and that C-Planet was indeed a data controller in relation to the processing of the complainant's personal data. As such, the IDPC found that C-Planet had infringed Articles 15(1) and 15(3) of the GDPR when it failed to provide the complainant with a copy of their personal data and the information concerning the source of such data. 

Outcomes

The IDPC issued a reprimand against C-Planet for its breach of Article 15(1) and 15(3) of the GDPR and ordered it to fully comply with the complainant's request to exercise their right to access pursuant to Article 15 of the GDPR. The IDPC specified that C-Planet has 20 days from the date of receipt of its decision to comply with the order, failure of which will lead to an administrative fine. 

You can read the decision here.