The Commissioner issues the decision on the personal data breach suffered by C-Planet (IT Solutions) Ltd

Press release 

Sliema, 17 January 2022

In April 2020, the Commissioner was informed about a security incident encountered by C-Planet (IT Solutions) Limited and an investigation was immediately initiated pursuant to article 58 of the General Data Protection Regulation.

Following a thorough technical and legal analysis of the case, in the context of which, the Commissioner duly assessed the evidence gathered during the course of investigation, it was established that C-Planet, in its capacity as controller, was processing the personal and special categories of data, that were impacted by the breach, in violation of articles 6(1), 9(1) and (2), 14 and 5(1)(f) of the Regulation.

The Commissioner further concluded that C-Planet failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk and this led to the incident to materialise. Additionally, the Commissioner established that the controller failed to notify the personal data breach to his office within the deadline stipulated by law and to communicate the same to the effected data subjects.

In his legally-binding decision, the Commissioner considered the gravity and nature of the infringements, the fact that the controller is a microenterprise and its annual turnover, and consequently, imposed an effective, proportionate, and dissuasive administrative fine of sixty-five thousand Euro (€65,000.00). Further to that, the Commissioner ordered C-Planet to erase the personal data which had been processed in an unlawful manner.

C-Planet has cooperated fully with this Office during the course of the entire investigation.