GDPR Article 15 Subject Access Request Complaint Assessment
Summary
The IDPC assessed a complaint under Article 77 GDPR regarding alleged failures by a controller to respond completely to two subject access requests made in August 2019 and May 2025. The complainant alleged the controller omitted key categories of personal data including employment-related correspondence, salary progression records, and Industrial Tribunal-related data. The Commissioner found the 2019 allegations inadmissible due to an approximately six-year delay between the access request and the complaint filing, which materially impaired the ability to investigate the matter with certainty.
What changed
The IDPC assessed a complaint alleging a controller failed to provide complete responses to subject access requests under Article 15 GDPR, including internal/external correspondence naming the complainant, employment-related communications with third parties, salary progression records, and data used in Industrial Tribunal proceedings. The Commissioner determined that allegations pertaining to the 2019 subject access request were inadmissible due to a nearly six-year delay in filing the complaint, which compromised the ability to establish what data was being processed at that time and undermined the evidentiary basis for findings.
For affected parties, this decision highlights the importance of timely complaint filing with data protection authorities and the need for controllers to maintain comprehensive records of all personal data processed to ensure complete subject access request responses. Data subjects should be aware that delays in bringing complaints may result in findings of inadmissibility, particularly where evidence preservation and determination of processing activities at specific times becomes problematic. The decision also underscores that controllers must be prepared to locate and produce all relevant personal data, including employment-related records and data used in legal proceedings, when responding to subject access requests.
What to do next
- Review subject access request procedures to ensure comprehensive responses including all categories of personal data processed
- Maintain clear documentation of all personal data held and processed to enable complete SAR responses
- Consider filing data protection complaints within a reasonable period to preserve evidentiary integrity
Source document (simplified)
CDP/COMP/307/2025
[REDACTED]
vs
[REDACTED]
The Complaint
- Reference is made to the complaint which was lodged on the 5th of June 2025 by REDACTED with the Information and Data Protection Commissioner (the “Commissioner”) pursuant to article 77(1) of the General Data Protection Regulation1 (the “Regulation”), against REDACTED, where the complainant made the following allegations, which have been set out in chronological order:
- a. that on the 21st of August 2019, the complainant made a subject access request with the controller pursuant to article 15 of the Regulation, and the controller responded informing her that the personal data which she requested was not undergoing processing. The complainant further alleged that certain records containing her personal data which were omitted from the controller’s response to her access request made in 2019 were subsequently provided in the response to the access request which she made years later, in 2025, demonstrating that such records “were clearly available in 2019 and should have been shared”; and
- b. that on the 1st of May 2025, the complainant made a new subject access request with the controller, in which she requested access to all of her personal data currently undergoing processing. The complainant explained that the controller acknowledged receipt of her access request on the 8th of May 2025, and responded to her request by providing copies of certain records containing her personal data on the 1st of June 2025. However, the complainant alleged that the controller's response was "only partial" and "omitted key categories of personal data, namely:
- i. Internal and external correspondence naming or referring to me;
- ii. Employment-related communications with third parties, including the [REDACTED]
- iii. Records related to salary progression, classification, and conditions of work;
- iv. Any data reviewed or used in ongoing Industrial Tribunal proceedings."
The complainant further alleged that, during the course of the ongoing Industrial Tribunal proceedings which she instituted against the controller, the controller was able to produce a legal file which it used during the proceedings. The complainant argued that this demonstrated the controller's "clear capacity to locate and process such data".
- As supporting documentation, the complainant provided the Commissioner with copies of a number of emails exchanged between herself and the controller in relation to each of her subject access requests.
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
The Assessment of the Contents of the Complaint
The allegations pertaining to the complainant's access request made on the 21st of August 2019
- The Commissioner noted that the complainant's earliest access request was made on the 21st of August 2019, yet the present complaint was lodged nearly six (6) years later, on the 5th of June 2025. In this regard, the Commissioner noted that, if the complainant was dissatisfied with the controller's response to her 2019 access request, it was ultimately her responsibility to lodge a complaint with the Commissioner within a reasonable period of time. The nearly six-year delay between the events complained of and the lodging of the present complaint meant that it was not possible to determine with the necessary degree of certainty what personal data were being processed by the controller at the time. Furthermore, the significant lapse of time materially impairs the Commissioner's ability to conduct a fair and effective investigation of the complainant's allegations, and undermines the evidential basis upon which findings can be made. Thus, to ensure procedural fairness and to safeguard the integrity of the Commissioner's investigative procedure, the scope of the investigation of the complaint shall not extend to the complainant's access request made on the 21st of August 2019, and shall instead be limited to the complainant's most recent access request, namely, that made on the 1st of May 2025.
The allegations pertaining to the complainant's access request made on the 1st of May 2025
- As a preliminary consideration, the Commissioner noted that in order to be in a position to conduct an efficient, effective, and procedurally fair investigation, the complainant must clearly and precisely set out the subject-matter of the complaint, as well as the personal data believed to be omitted from the controller's response to the request, at the time of lodging the complaint. In the present case, the complainant had already specified, by means of an exhaustive list, the personal data which she believed was omitted, "namely:
- i. Internal and external correspondence naming or referring to me;
- ii. Employment-related communications with third parties, including the
- iii. Records related to salary progression, classification, and conditions of work;
- iv. Any data reviewed or used in ongoing Industrial Tribunal proceedings."
Accordingly, the Commissioner determined that the scope of the investigation of the present case would be conducted on the basis of the exhaustive list provided by the complainant. Consequently, any new allegations raised, or new lists submitted during the course of the investigation, expanding on or otherwise modifying what was set out in the original complaint, shall not be considered within the scope of the Commissioner's investigation.
- When the controller was requested to put forward its submissions in relation to the complaint, the controller made inter alia the following pertinent submissions - with regard to the requested personal data which fell within the scope of the complainant's access request, but which the complainant alleged was omitted from the controller's response to her access request:
- a. that "the retrieval process of personal data has been carried out to the fullest extent possible, with the assistance of [the controller's] IT Department";
- b. that "following previous correspondence regarding the complainant's data subject access request, additional correspondence was retrieved. These were retrieved after specific occurrences were highlighted in the complainant's recent communications"; and
- c. that "upon further review, it was understood that initial searches did not include correspondence associated with [...] the former Head of School. Once this was brought to attention, a further specific search was conducted, and the relevant documents have since been provided”.
Additionally, with regard to the legal file of the controller, which the complainant alleged demonstrated that the controller had further personal data of the complainant in its possession:
- d. that “[the controller] does not know what papers are contained in the file which the lawyer carried with him on the date of the hearing, and with respect, the complainant’s comment is merely an assumption without basis”;
- e. that “furthermore, even if the lawyer’s file contained material appertaining to the case in question, such file is covered by legal privilege and thus is not open to scrutiny”; and
- f. that “in this context, the [controller] has engaged in exchanges - primarily but not exclusively - with its legal advisors and has generated documentation for the purpose of defending its position. These communications are considered confidential and legally privileged”.
- 6. Upon examining the controller’s submissions, the Commissioner noted that following the controller’s initial response to the access request, the controller conducted further searches and was able to retrieve from its systems additional records containing the complainant’s personal data, including correspondence concerning the complainant. Although the controller disclosed these additional records to the complainant, there was still a discrepancy between the personal data provided thus far by the controller, and the personal data which the complainant maintained was omitted. Accordingly, the Commissioner requested further clarification from the controller, namely, to clearly specify (i) the categories of personal data concerning the complainant that are undergoing processing by the controller, and (ii) from those categories of personal data, what requested personal data had already been provided to the complainant in response to her access request.
- 7. In response, the controller submitted that the following categories of personal data concerning the complainant are undergoing processing by the controller:
QUOTE
a. Identification data: Name and surname, identity card number, folio (administrative) number.
b. Employment records: School where employed, grade, and approval/s issued by Government.
c. Financial data: Gross salary, allowances, bonuses and other contributions as per respective Collective Agreement in force from time to time, legislative requirements and as arising from the Approval issued by Government.
d. Qualifications data: Qualifications making individual eligible for the grade and for any applicable allowance.
e. Leave and absence records: All paid and unpaid leave availed of by the individual that may affect progression (and/or eligibility into a grade in the case of designated promotional posts).
f. Communication [data]: Correspondence, generally via email, related to individuals, including routine processing of the above listed categories and possibly specific issues as in the case of the complainant. In less common cases, unrelated to the specific complainant, such communication may also be related to alleged or proven offences by individuals especially if within the domain of safeguarding of minors (whereby we abide by specific ecclesial and national policies aligned with local legislation on the protection of minors).
END QUOTE
With reference to this list, the controller further clarified that it provided the complainant with all of the identification data, employment data, financial data, qualifications data, as well as leave and absence data concerning the complainant and falling within the scope of her access request, which is in its possession. With regard to the communications concerning the complainant, the controller clarified that these have been provided to the best of the controller's abilities. Specifically, the controller explained that extensive searches were carried out, together with the controller's I.T. officer, to locate communications concerning the complainant in relevant mailboxes. However, the controller stated that “we cannot exclude that amongst the thousands of communications we entertain and/or subjected to, there may be other correspondence related to the complainant.”
- 8. Following a meeting which was held with the complainant on the 5th of February 2026 in connection with her complaint, the complainant stated that she believed the controller to be in possession of further correspondence and records in which she was referred to, specifically, in relation to her parental/maternity leave and her career break. The complainant maintained that the controller failed to disclose them in its response to her access request. Accordingly, the Commissioner explicitly requested the controller to clarify whether copies of such correspondence and records, in the event that they exist and are currently undergoing processing by the controller, have been provided to the complainant, and if this is not the case, to specify this accordingly. In response, the controller submitted that:
“[...] as had been stated in earlier replies whatever relevant data is at [the controller] in relation to [the complainant] has already been communicated at the best of our knowledge.”
- The Commissioner noted that the right of access pursuant to article 15 of the Regulation is a crucial right afforded to data subjects, which enables individuals to have control over their personal data, and to be aware of and verify the lawfulness of the processing of their personal data. This right aligns with the overarching objective of the Regulation, as articulated in recital 10 of the Regulation, that is to ensure a consistent and high level of protection of natural persons within the European Union. Indeed, pursuant to article 15 of the Regulation, the data subject has the right to obtain confirmation from the controller as to whether personal data concerning him or her is undergoing processing, and where it is, the data subject also has the right to obtain access to the personal data, including to “a copy of the personal data undergoing processing”. (emphasis has been added). While the controller is expected to handle the access request in a manner that ensures the most effective realisation of the right, in line with its obligation to facilitate the exercise of data subject rights, the controller’s responsibility is limited to providing the data subject with access to, and a copy of, the personal data which is actually being processed by the controller. Accordingly, and in light of the controller’s statement, the Commissioner sought to establish with certainty that there is no further personal data concerning the complainant which is in the controller’s possession beyond that already provided.
- To this end, pursuant to article 58(1)(a) of the Regulation, the Commissioner requested the controller to submit a sworn declaration, confirming on oath that there is no further personal data concerning the complainant which is undergoing processing, beyond that which has already been provided to the complainant in response to her access request made on the 1st of May 2025. The sworn declaration, in which the controller confirmed that the personal data disclosed to the complainant reflects all of the personal data that the controller could reasonably ascertain, was signed by the controller’s Director General on the 5th of March 2026, and was received by the Commissioner on the 6th of March 2026. In this regard, the Commissioner considered it pertinent to draw the controller’s attention to article 22 of the Data Protection Act (Chapter 586 of the Laws of Malta), which provides that any person who knowingly provides false information to the Commissioner shall be guilty of an offence and shall, upon conviction, be liable to a fine (multa) or to imprisonment, or to both such fine (multa) and imprisonment.
- Finally, the Commissioner referred to the “data reviewed or used in ongoing Industrial Tribunal proceedings” which were requested by the complainant, and to the complainant’s allegation that the legal file used by the lawyer representing the controller during the ongoing Industrial Tribunal proceedings demonstrated that the controller had further personal data concerning the complainant in its possession which should be disclosed. In this regard, the Commissioner considered that in its submissions, the controller confirmed that it provided the complainant with access to her personal data which fell within the scope of her request, save for legally privileged materials, which were not disclosed. The Commissioner noted that, indeed, any communications or other documents prepared in the course of providing legal advice are protected by legal professional privilege, in accordance with article 588(1) of the Code of Organisation and Civil Procedure (Chapter 12 of the Laws of Malta). Therefore, any of the complainant’s personal data contained therein is not subject to disclosure.
On the basis of the foregoing considerations, the Commissioner is deciding that, taking into consideration the facts established during the investigation of the complaint, as well as the sworn declaration of the controller confirming that the personal data provided to the complainant reflects all of the personal data in the controller’s possession, he is satisfied that there is no further personal data concerning the complainant which is undergoing processing by the controller.
Nevertheless, in light of the fact that the controller was not able to retrieve and disclose all of the requested personal data in its initial response to the complainant’s access request, which led to further personal data being disclosed at a later date during the course of the investigation, the Commissioner strongly advises the controller to undertake a thorough review of its existing record-keeping systems and processes, for the purpose of ensuring that personal data is maintained in an organised, structured, and readily retrievable manner, which would therefore enable the controller to respond efficiently and completely to any data subject requests it may receive under Chapter III of the Regulation.
Digitally signed by Ian DEGUARA
Date: 2026.03.30 15:09:51 +02'00'
Ian Deguara
Information and Data Protection Commissioner
Right of Appeal
You are hereby being informed that in terms of article 26(1) of the Data Protection Act (Chapter 586 of the Laws of Malta), any person to whom a legally binding decision of the Commissioner is addressed shall have the right to appeal to the Information and Data Protection Appeals Tribunal within twenty (20) days from the service of the said decision as provided in article 23 thereof.2
An appeal to the Tribunal shall be made in writing and addressed to “The Secretary, Information and Data Protection Appeals Tribunal, 158, Merchants Street, Valletta”.
2 Further information is available on the IDPC’s portal at the following hyperlink: https://idpc.org.mt/appeals-tribunal/