The Office for Information and Data Protection Commissioner of Malta (DPA) has been considering a complaint against an IT company. It received the complaint from advocacy group None of Your Business on behalf of several data subjects.
The DPA had already opened an investigation after being notified of a data breach that affected the data of around 335,000 eligible voters. Following this data breach, None of Your Business requested access to personal data on behalf of a data subject. They requested to know what personal data the company held and what the source of the data was. The request was in compliance with GDPR.
The company responded to the request by stating that it no longer had possession of the leaked data, as it was with the Maltese Police and DPA. It invoked Article 23 of the GDPR to limit a data subject’s right to access on the grounds that there was an ongoing criminal investigation and civil action. Following this, None of Your Business filed a complaint against the company, alleging that it had violated Article 15 of the GDPR.
Under Article 15 of the GDPR, a data subject has the right to obtain confirmation of whether personal data about them is being processed. Following this request, the controller needs to provide:
- Purposes for processing
- Categories of personal data concerned
- Recipients or categories of recipients to whom the personal data will be or have been disclosed
The aim of Article 15 is to ensure transparency and allow data subjects to exercise their rights. Within this, a controller must provide concrete reasons for denying access to a data subject.
In this case, the company only stated that the request was denied due to the ongoing investigations. It did not specify any reasons why fulfilling the request would jeopardize them. The DPA said that the restrictions invoked by the company do not respect the essence of the fundamental rights and freedoms of the data subject and do not constitute a necessary or proportionate measure.
Subsequently, the company has been ordered to fully comply with the request and has been served with a reprimand. The company has 20 days to comply with the request.