C-Planet fined €65,000 for data breach and ordered to erase data

17 January 2022

The Information & Data Protection Commissioner has fined C-Planet (IT Solutions) Ltd €65,000 for violating data protection laws. The case concerns a database held on company servers which contained the personally identifiable information of anyone who had the right to vote in Malta’s 2013 local and general elections, including sensitive information such as voting intentions or party leanings. Over 330,000 private individuals were affected.

We reported the data breach to the Commissioner on 1 April 2020. Following a technical and legal investigation, the Commissioner established that C-Planet, in its capacity as data controller, was in violation of articles 6(1), 9(1) and (2), 14 and 5(1)(f) of the General Data Protection Regulation.

Article 6(1) of the Regulation concerns processing personal data without any valid lawful basis. Article 9(1) concerns processing of person data revealing political opinions. The IDPC found that none of the exemptions listed in article 9(2) of the Regulation applied in this case. Furthermore, the Commissioner concluded that the numerical identifier from (a figure from 1 to 4) that was included in the database, referred to the political opinions of the affected data subjects.

C-Planet said in its evidence to the Commissioner that the data was provided to them by a financial services company, a client of C-Planet. The name of the company is redacted from the Commissioner’s report provided to complainants. The third-party company denied that it provided the data and the Commissioner’s report is inconclusive regarding the origin. A Times of Malta report had identified the governing Labour Party as the source.

The Commissioner determined that the potential impact on the affected data subjects is severe and likely to result in a high risk to the rights and freedoms of natural persons, as C-Planet itself had indicated to the IDPC in April 2020.

The Commissioner concluded that C-Planet had failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, which then led to the data breach. The investigation found that the company, as data controller, had failed to notify the personal data breach to the Commissioner within the deadline stipulated by law and had failed to communicate the breach to the affected data subjects.

In addition to the fine, the Commissioner ordered C-Planet to erase the personal data which had been processed unlawfully.

The collective action proceedings against C-Planet, initiated by the Foundation and Repubblika, are separately ongoing.