IDPC Starts Probe into SVPR’s “Personal Data Breach”

Since the GDPR became law in May 2018, a number of data breach incidents mainly relating to the unauthorized disclosure and access to personal data, have taken place in Malta. The first made known to the public was the Malta Lands Authority case. During the recently held GDPR – One Year On Conference, organised by 21 Law and 21 Academy, the IDPC announced that in the first year since GDPR came into force it received a total of 148 breach notifications.  A relatively high incidence of breaches per capita of 3 per 10,000 inhabitants compared to the EEA’s average of 2 per 100,000 persons.

*Data Breaches reported to the IDPC per month (source IDPC)


Now The Times of Malta reported that the St Vincent De Paul Residence suffered a data breach. Apparently the data breach was two-fold:

  • First, the St Vincent De Paul Residence website contained a serious flaw which gave the general public access to a significant amount of personal data – including names, ID card numbers, dates of birth, addresses and information on when and how they were admitted and the ward they were in; and
  • Second, an electronic file containing the personal data of hundreds of residents at home was ‘mistakenly’ e-mailed to all employees at the elderly people’s home.

Later on, the authorities at St Vincent De Paul Residence confirmed the breach and described it as “an incident” whilst confirming that the Information and Data Protection Commissioner (IDPC) was notified of the breach on Thursday, 6th June 2019.  The IDPC has also confirmed receiving the data breach notification and has launched an investigation to establish the facts.

Should both or any of the breaches be confirmed the residence will most probably be found to have infringed Article 32 of the GDPR which expects “The controller and the processor [to] implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…”

According to the IDPC the primary information given in the notification is only about the file containing personal data of the residents that was mistakenly e-mailed to all employees and not about the personal data of the residents available online. If the IDPC establishes during the investigation that the St Vincent De Paul Residence website gave the general public access to personal data of the inmates, this would make the matter more serious.

Under data protection laws, personal data breaches are classified in different categories depending on their nature and gravity.

On the other hand it is pertinent to note that the GDPR narrates that “each Member State may set forth the rules on whether and to what extent GDPR fines may be levied on public authorities and bodies established in that Member State”. For this very reason, the levels of administrative fines levied on public authorities and bodies vary throughout the European Union. In Malta, in the case of an infringement by a public authority or body, the IDPC may impose an administrative fine of up to €25,000 for each violation and may additionally levy a daily fine of €25 for each day such infringement continues. The law also allows such a fine to be doubled in the event of more serious breach, i.e. a €50,000 fine for each violation and a daily payment of €50 for each day such violation continues. The fines levied depend on the provisions of the law which have been violated by the authority.