The Malta Independent 19 May 2022, Thursday

Company responsible for personal data breach of 337,000 voters fined €65,000 by Data Commissioner

Albert Galea Monday, 17 January 2022, 15:48 Last update: about 5 months ago

The IT company responsible for a personal data breach of 337,384 Maltese voters has been found guilty of breaking a number of data protection laws and subsequently fined €65,000.

C-Planet (IT Solutions) Ltd was in the crosshairs after a mammoth tract of personal data was leaked from its servers in 2020.

The company left a large database file which contained personal details of 337,384 voters – including their names, addresses, ID card details, date of brith, fixed and mobile phone numbers, and a reference to their political orientation or voting preferences – on an exposed server, meaning that it was freely accessible to anyone with a web browser.

A complaint with the Data Protection Commissioner was opened by independent candidate Arnold Cassola soon after the leak became apparently.

“As the result of a thorough technical and legal analysis of the case, the Commissioner established that C-Planet, in its capacity as controller, was processing the personal and special categories of data, that were impacted by the breach, in violation of articles 6(1), 9(1) and (2), 14 and 5(1)(f) of the Regulation,” the commissioner’s office told Cassola in an email on Monday.

“The Commissioner further concluded that C-Planet failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This led to the incident to materialise. Additionally, it was established that the controller failed to notify the personal data breach to the Commissioner within the deadline stipulated by law and to communicate the same to the affected data subjects,” the email continues.

The Commissioner’s office said that after considering the gravity and nature of the infringements, the fact that the controller is a microenterprise and its annual turnover, the Commissioner exercised its corrective powers by imposing on the controller an effective, proportionate, and dissuasive administrative fine of €65,000.

C-Planet was also ordered to erase the personal data which had been processed in an unlawful manner.

C-Planet is owned by Philip Farrugia, who is a former production director at One Productions – the Labour Party’s TV house – and is also the brother-in-law of Stefan Zrinzo Azzopardi, a Labour Party MP, the Parliamentary Secretary for EU Funds, and the former president of the Labour Party.

Its clients include the Office of the Prime Minister, the Health Ministry, the Home Affairs Ministry, the Ministry for Transport, the Building Construction Agency, ARMS, the Foundation for Medical Services, the Public Health Regulation Department.

A class action lawsuit with over 600 claimants led by the Daphne Caruana Galizia Foundation and the NGO Repubblika is also ongoing.

  • don't miss