The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission


Case Study 1/99 Mass Circulation Questionnaire
I received several complaints from persons who had received a "lifestyle" questionnaire through the post. The questionnaire, which appeared to be for purposes of "national research", sought very detailed information regarding the recipient's hobbies, shopping habits and household finances. The complainants were concerned that the questionnaire, which was a commercial information-gathering exercise, sought to mimic the style of official Government surveys and was at the very least a breach of the spirit of data protection legislation.
view more

Case Study 2/99 Life Insurance Company
The complainant was a long-standing customer of a particular life insurance company. One of the company's representatives, who had in the past been dealing with the customer's affairs, left the company to join a different company in the same line of business.
view more

Case Study 3/99 Vehicle Registration Unit
He received a letter from the motor distributor advising him of a technical fault and offering to repair the fault for him. The letter indicated that the distributor was able to contact him directly through the co-operation of the Vehicle Registration Unit (VRU) of the Department of the Environment and Local Government.
view more

Case Study 4/99 State Agency
The complainant had dealings with a State agency. He made an access request under section 4 of the Data Protection Act to be provided with a copy of all data held by the agency relating to him. The agency responded by providing him with some records.
view more

Case Study 5/99 Voluntary Organisation
A small number of voluntary organisations were authorised by a State body to assist in the administration of an official scheme. The scheme was designed to benefit a certain category of individuals, many of whom would be represented by the voluntary organisations. Applications for participation in the scheme were made through the voluntary organisations, and in this context applicants were asked to supply their Revenue and Social Insurance (RSI) number.
view more

Case Study 6/99 Financial Institution
The complainants in this case were refused a loan from two financial institutions. They made an access request under the Data Protection Act to a credit bureau to see their credit records. The records indicated that they had in the past taken out three loans with a third financial institution ("Institution A").
view more

Case Study 7/99 Debt Collection Service
The two complaints in this case study arose from the actions of a hospital and a debt collection company. The first complainant, an elderly man, attended the hospital on a number of occasions for medical treatment. The hospital subsequently sent him a bill for the treatment. He paid some of the outstanding amount, but he did not pay the full amount straight away. After a period, he was contacted at home on his unlisted telephone number by a debt collection service. The debt collection service said it was acting to recover the hospital's money.
view more

Case Study 8/99 Telecommunications Company
A telecommunications company transferred the database of its telephone subscribers to a subsidiary company, which was tasked with arranging for publication of a telephone directory. The subsidiary published the directory in paper format and also in electronic format as a CD-ROM and, later, published the electronic directory on the Internet as well. Several individuals complained about the data protection implications of the electronic publication of the telephone directory.
view more

Case Study 9/99 Government Department
A Government Department issued a request for tenders in connection with the administration of an official scheme. Included with the documentation issued by the Department was an extract from an administration database, giving a list of names of individuals who had benefited from the scheme, the county where each individual lived, and the amounts of money received by each individual. One of the persons who received the documentation was concerned about the data protection implications involved, and brought the matter to my attention for investigation. As this person was not an individual directly affected by the apparent disclosure of personal data by the data controller, I was not obliged to investigate the matter as provided for under section 10(1)(b)(i) of the Data Protection Act.
view more

Case Study 10/99 Identification of the Data Controller
A number of individuals from a voluntary organisation ("V") contacted my Office to complain that another organisation ("S") was using V's database without authorisation. The database included names, addresses and highly sensitive personal information. The complainants, who were all data subjects on the database in question, requested that I immediately stop the allegedly unauthorised use of the data. ,
view more