On February 18, 2019, the Maltese Information and Data Protection Commissioner ('IDPC') issued his decision to the Lands Authority ('the Authority') following the IDPC's investigation of the data breach which was brought to the IDPC's attention by the local press on 23rd November 2018. That press report alleged that the Authority's website contained a serious flaw allowing significant amounts of personal data to be made available to the general public (via search engines). Over the course of his investigation, the Commissioner noted that the Authority's online portal indeed lacked the necessary technical and organisational measures to ensure that personal data were processed securely. As a result, the Authority was found to have breached Article 32 of the General Data Protection Regulation ('GDPR'), which lays down obligations relating to the security of processing, and was served by the Commissioner with an administrative fine of €5,000.
It should be noted that, generally speaking, under Article 21 of the Maltese Data Protection Act (Chapter 586 of the Laws of Malta) ('DPA'), the Commissioner may impose on a public authority or body, for an infringement under Article 83(4) of the GDPR, an administrative fine of up to €25,000 for each violation and an additional €25 for each day during which such violation persists. That fine is determined and imposed by the Commissioner in accordance with the procedure stipulated in Article 26 of the DPA. The fine that the Commissioner may impose on a public authority or body for an infringement of Article 83(5) or (6) of the GDPR (in accordance with the same procedure under Article 26 of the DPA) cannot exceed €50,000 for each violation and additionally €50 for each day during which such violation persists.