IT Company Linked To Labour Party’s Voter Leak Fined €65,000 For Violation Of GDPR
The local IT company linked to a data leak of over 300,000 voters and their political preferences has been fined €65,000 for violating GDPR laws.
Apart from the fine, the Information and Data Protection Commissioner also ordered the company to immediately erase a database of voter information.
Back in March 2020, the personal details of over 300,000 Maltese voters were exposed as part of a massive data breach from a local IT company, C-Planet Ltd (IT Solutions), owned by Philip Farrugia, a former production director at One Productions, the media wing of the Labour Party.
The data leak was said to have originated from the Labour Party and had involved a list of over 330,000 voters along with their details such as ID card numbers and voting preferences.
The Daphne Caruana Galizia Foundation and Repubblika had then filed a court case against C-Planet, for breaching data protection laws in place, with more than 600 people joining the legal action.
“The company was the subject of a major scandal back in April 2020 when a database stored on its servers, containing 337,384 records of Maltese voters’ personal information, including voting preferences determined by a 1-4 orientation field, was leaked online,” the Daphne Caruana Galizia Foundation said in a press release.
Apart from storing the personal data without consent, “C-Planet also delayed notifying the Commissioner of the leak and did not inform the data subjects that the leak had occurred, as was its legal obligation”.
“The Commissioner established that C-Planet “did not act promptly to rectify a situation which was likely to pose a risk to the rights and freedoms of the data subjects”. C-Planet had also failed to implement the relevant security measures to protect the data on its servers,” it continued.
The IDPC finally found that there was no legal basis for C-Planet to have processed and stored sensitive personal data, including that of voting preferences, on its servers.
It also found that the company breached the law when it did not in due time, notify the Commissioner or the data subjects about the breach.
“The Commissioner determined that, since the volume of the dataset was so significant, “the potential impact of the breach upon the affected data subject was severe”.
However, several questions still remain unanswered in this case, such as who was behind the compilation of the 1-4 political orientation field in the database, or who had provided the initial copy of the database to C-Planet.
The purpose for the processing of the database has also not been outlined, as well as who had requested it and for who it was requested. The specific individual who informed C-Planet of the hole in its server has also not been revealed.
What do you make of the consequences faced?
READ NEXT: Don't Look Now, But Miriam Dalli Is Either Selling PS5s On Twitter, Or She's Been Hacked
