C-Planet – Complaint Upheld (Malta, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Malta's data protection authority found that C-Planet mishandled personal data of about 335,000 voters. The company didn't have a legal reason to process the data and failed to inform people about it. This case highlights the importance of having a clear legal basis and transparency when handling personal information.
What happened
C-Planet mishandled personal data of approximately 335,000 voters without a valid legal basis and failed to inform them properly.
Who was affected
The affected individuals were eligible voters in Malta whose personal data was processed without proper legal grounds.
What the authority found
The Maltese authority ruled that C-Planet violated GDPR by lacking a legal basis for processing data and failing to inform data subjects.
Why this matters
This decision emphasizes the need for companies to have a valid legal basis and clear communication with individuals about data processing. It serves as a reminder to businesses to review their data handling practices to avoid similar issues.
GDPR Articles Cited
In April 2020, after being notified by the IT company C-Planet (the controller), the Maltese DPA opened an ex officio investigation into the a personal data breach of approximately 335,000 eligible voters on the island. That same year, noyb filed a complaint on behalf of several data subjects affected by the data breach (CDP/DBN/31/2020). Following this complaint, the DPA ruled that C-Planet, in its capacity as controller, infringed several provisions of the GDPR. In particular, the DPA found that: a) the processing of personal data, including special categories, lacked a legal basis, in breach of Articles 6(1) and 9(1) GDPR; b) the controller failed to adequately inform data subjects about the processing of their data, in violation of Article 14 GDPR; c) the controller failed to notify the DPA within 72 hours, in violation of Articles 33; d) the controller failed to implement sufficient technical and organisational measures to ensure a level of security appropriate to the risks involved, violating Article 32 GDPR. In January 2022, noyb, on behalf of a data subject, request access to personal data, asking the controller to inform what personal data it held and what was the source of these data, pursuant to Article 15(1)(g) GDPR. In response, the controller stated that it was no longer in possession of the leaked data, which was now with the Maltese Police and DPA. Furthermore, it invoked Article 23 GDPR to limit the data subject's right to access on the grounds that there was an ongoing criminal investigation and civil action. In April 2022, noyb filed the present complaint (COMP/138/2022), claiming that the controller refused to inform that data subject about the source of the data it processed without having collected it directly from them. According to noyb, the controller violated Article 15 GDPR. In the procedure before the DPA, the controller maintained its position. Initially, the DPA emphasized that it had already been well established in its previous d
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for C-Planet in MT
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. C-Planet - Malta (2023). Retrieved from cookiefines.eu
Last updated: