The Office of the Information and Data Protection Commissioner ('IDPC') published, on 17 January 2022, its decision to issue a fine of €65,000 to C-Planet (IT Solutions) Limited, for violations of Articles 5(1)(f), 6(1), 9(1), 9(2), and 14 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an investigation into an alleged data breach.

Background to the decision

In particular, the IDPC initiated the investigation, pursuant to Article 58 of the GDPR, following reports of a security incident in the form of a data breach encountered by C-Planet.

Findings of the IDPC

Further to the above, the IDPC found that C-Planet, in its capacity as the data controller, processed personal and special categories of data that were impacted by the breach, failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, and failed to notify the personal data breach to the IDPC, as well as to the affected data subjects within the deadline stipulated by the law.

In addition, in reaching the decision, the IDPC considered the gravity and nature of the infringements, the fact that C-Planet is a microenterprise, and its annual turnover when determining a proportionate and dissuasive enforcement action against C-Planet.

Outcome

Consequently, the IDPC ordered C-Planet to erase the personal data which had been processed in an unlawful manner and issued the fine of €65,000.

You can read the press release here.