C-PLANET – €65,000 Fine (Malta, 2022)

On 1 April 2020, the media reported an alleged personal data breach suffered by C-PLANET, wherein a database containing the personal data of Maltese voters had been exposed. The media reported that the political opinions of 335,000 voters has been exposed. The Maltese DPA (IDPC) opened an ex officio investigation, and noyb filed a complaint on behalf of several Maltese citizens on 12 November 2020. = The IDPC concluded that C-Planet was the controller of the data base, considering that no factual elements could substantiate the view of C-PLANET that a third party (name redacted) was the controller of this specific database. = The IDPC concluded that although some of the data was collected from the Electoral Register, a proper legal basis under Article 6(1) GDPR was still needed in this case, which also stems from Article 5(1)(b) GDPR. The IDPC also considered the processed personal data which was not publicly available such as data subjects' ballot box number, voting document number, district, date of birth, phone number and sex. According to the General Elections Act, this data is only made available to political parties. The Electoral Commission confirmed that this data was not made available to the party delegates mentioned in the investigation. Finally, a reference was made to special categories of data since the database contained numerals identified from 1 to 4, which the IDPC confirmed to be referring to the political opinions of the data subjects. This category, which was not processed by the Electoral Commission, is subject to particular protection under Article 9(1) GDPR. The IDPC confirmed that none of the exceptions under Article 9(2) GDPR were applicable to lawfully process this data. This therefore amounted to a violation of Article 9(1). = The IDPC established that Article 14 GDPR was particularly relevant, since the data was obtained from third party sources. In this regard, the controller is obliged to inform the data subjects of the det