Significant Number of Personal Data Breaches Reported to the Maltese Supervisory Authority Post GDPR

May 2019 - TMT (Technology, Media & Telecoms). Legal Developments by Mamo TCV Advocates.

There have been more than 100 personal data breaches notified to the Maltese IDPC post GDPR. 17 GDPR fines have been imposed.

Mamo TCV Advocates has recently contributed to an EU-wide survey carried out by DLA Piper focusing on the number of personal data breaches notified to regulators as well as the first fines issued under the new EU General Data Protection Regulation (GDPR) regime for the period from 25 May 2018 to International Data Protection Day on 28 January 2019.

The survey, published on 6 February 2019, reveals that across Europe, following the coming into effect of the GDPR, more than fifty-nine thousand (59,000) personal data breaches were reported to local supervisory authorities with a total of 91 'GDPR fines' being imposed (not all relating to data breaches). In Malta, over one hundred (100) personal data breaches were notified to the Maltese Information and Data Protection Commissioner (IDPC) with seventeen (17) GDPR fines being imposed by the same. Per capita, the Maltese figures are significant.

The GDPR makes it mandatory to notify certain data breaches. As a rule, and as far as Malta is concerned, data controllers must report a data breach to the IDPC within 72 hours of becoming aware of it. By way of exception to the general rule above, breach notification to the IDPC is not required where the data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The GDPR also obliges data controllers to notify affected data subjects without undue delay in the event of a data breach which is likely to result in a high risk to the rights and freedoms of natural persons. Notification to the data subjects is not generally required when:

The risk of harm is remote because the personal data are protected;

The data controller has taken measures to protect against the harm;

Notification would require disproportionate efforts (but here, a public communication or similar measure would be required).

To read the full 'DLA Piper GDPR data breach survey' please visit https://www.dlapiper.com/en/uk/insights/publications/2019/01/gdpr-data-breach-survey/

For more information about the GDPR please visit www.gdprmalta.com