14th October 2020

Just as the Deputy Information Data Commissioner, Ian Deguara, had announced during our GDPR – 2 years on Conference held last June, the office of the Information and Data Protection Commissioner (IDPC) has started making public the decisions issued by the IDPC.

The decisions do not disclose the details of the involved parties but give enough information on the type of infringement as well as the corrective action demanded by the IDPC. Out of the 26 decisions taken so far in 2020, the highest fine imposed was that of €20,000 with the second highest being that of €15,000.

11 out of the 26 cases resulted in the application of an administrative fine while only 1 case resulted in no corrective action being ordered. While 14 of the cases investigated and decided upon by the IDPC were Personal Data Breaches the other cases were investigated following a Data Protection Complaint.

In the highest fined case so far “Personal data undergoing processing was partially provided following a right of access request. Privacy Policy not satisfying the transparency requirements.” In other words, the right of access was partially fulfilled, and the controller did not give the data subject/s a copy of all their personal data as well as other supplementary information. It is also evident that the IDPC was not happy with the controller’s privacy policy which seems that it was lacking information on how the personal data was being processed.

The second highest fined case, which was appealed by the controller, included “Unsolicited sending of numerous direct marketing electronic communications without consent and right to object request ignored.” Evidently the IDPC found that the controller did not provide evidence of consent by the data subject/s and it also seems that despite the data subject/s objecting to the processing of their data, the controller still ignored their request.

Two cases landed with a €5,000 administrative fine. In one of the cases, which again involved an access request, the controller “failed to provide information following a right of access request and failed to inform the data subject about a restriction”. The other case involved the “Unauthorized disclosure of the complainant’s confidential data to an external client.”

The above implies that access requests must be taken seriously and it is advisable that you have a policy and procedure in place to deal with such requests. Also, do not send unsolicited emails and do not ignore those who ask you be forgotten from your marketing list.