A data subject lodged a complaint with the DPC against a data controller following a delayed response to a subject access request. The data subject was concerned about the processing of their personal data between the data controller and a third party, a HR investigator (investigator). Such concerns related to the legal basis for processing the data subject’s personal data and the security of processing the personal data, as the investigator was using a Gmail account during the course of the examination.

Upon review of the personal data received, the data subject raised concerns in relation to the processing of their personal data between the data controller and the investigator. As part of its examination, the DPC engaged with the data controller on this matter. The data controller citied section 46 of the Data Protection Act 2018 (the 2018 Act) and Articles 6(1)(c) and Article 9(2)(b) as their lawful basis for processing the personal data. In addition to this, the data subject was in fact an employee, as such the data controller highlighted their legal obligations under the Safety, Health and Welfare at Work Act 2005 as set out in their Employee Handbook. The data subject challenged this lawful basis as they were not previously made aware of such.

With regard to the investigator the data subject explained that no consent was sought for processing the personal data between the data controller and the investigator . The data controller explained that consent was not the only lawful basis under GDPR and stated Article 6(1)(b) as their lawful basis. The data subject contested this lawful basis stating the processing of personal data by the investigator was not necessary for compliance with the employment contract. The data subject also raised transparency concerns as when signing the employment contract they would not have anticipated the processing of their personal data by an investigator. When questioned on the use of a Gmail account by the investigator, the data controller stated the email would be encrypted between the data controller and the Gmail account and that no evidence was available of the data subject’s personal data being compromised.

During the examination of the complaint the issue arose about whether the investigator was a joint controller or a data processor. The data subject took the view that the investigator was a data processor while the data controller stated the investigator was a data controller in their own right and as a result there were no requirements under Article 28 of the GDPR. The DPC examined the facts in this complaint and established that the investigator was provided a list of individuals to interview in order to compile this report and from the terms of reference, interviews are listed as the primary means of gathering information to compile their report. The DPC also noted the investigator was precluded from deciding on or implementing any sanction arising from the findings of the report. Based on this information, the DPC found the investigator as a data processor on behalf of the data controller and noted that the data controller failed to provide a contract between them and the investigator as required under Article 28(3) of the GDPR.

Due to the failure of the data controller to comply with the one-month obligation under Article 12(3) of the GDPR, the DPC reminded the data controller of their obligations under Article 24 to implement appropriate technical and organisational measures to ensure compliance with the GDPR. In doing so the data controller should also ensure they only provide personal data relevant to the subject access request at hand and redact the personal data of third parties. Secondly, with regard to the lawful basis relied upon by the data controller the DPC were satisfied that such lawful basis were reasonable; however recommended they inform staff members in their staff data protection policies that they may rely on section 46 of the 2018 Act and Articles 6(1)(c) and 9(2)(b) of the GDPR for the processing of staff personal data. In addition to this, under section 109(5)(f) of the 2018 Act the DPC recommended the data controller ensures there is a contract in place when an investigator is involved, that they engage in regular testing of organisational and technical processes, and lastly provide the investigator with an organisation email address.