The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission


Case Study 1/01 Bank and Insurance Company
The complainant received a letter from his insurance company, informing him of their new credit card, and enclosing an explanatory booklet and application form. The complainant duly completed and returned the application form. Subsequently, he was contacted by a bank in connection with his credit card application.
view more

Case Study 2/2001 Major Charitable Organisation
Disclosure of donors' details to a financial institution – pro-active investigation – unfair obtaining – consent Members of the public alerted a national “phone-in” radio show to the fact that they had been receiving mailings from a financial institution, which appeared to be aware that the individuals had made donations to Concern, a respected national charitable organisation.
view more

Case Study 3/2001 Employee Performance Ratings Disclosed
Employee performance ratings disclosed to other staff – inadequate security. I received a letter of complaint from a number of employees within a particular company. It appeared that the company had created a computer file setting out performance assessment reports for individual members of staff. The file – of which staff members had been unaware – was accessible throughout the company to a wide range of line managers, including managers who had no role in relation to the staff members in question.
view more

Case Study 4/01 Credit Card Transaction
Use of details from a previous transaction without consent – fair obtaining – transparency - retention period A customer of a car rental company alleged that the company had used his credit card data – obtained in a previous transaction – to process a disputed charge without his consent, and in spite of his objections to the charge.
view more

Case Study 5/01 MBNA Bank
Unwanted direct marketing – mailings and telemarketing – failure to delete details from direct marketing databases – Eircom – the practice of 'teleappending' – fair processing – incompatible purpose A number of individuals contacted my Office to complain about the receipt of direct marketing contacts from MBNA Bank, a financial institution specialising in credit cards.
view more

Case Study 6/01 Legal Firm
Identification of source of personal data – lack of co-operation – issue of enforcement notice This case study provides a useful example of a matter which could have been disposed of easily at the outset, but which was protracted due to lack of cooperation from a data controller – in this case a solicitor. The case also demonstrates that, where I consider that an important issue is at stake, I am prepared to have full recourse to my legal powers until I reach a satisfactory conclusion.
view more

Case Study 7/01 Ryanair
The complainant booked an airline ticket from Ryanair, a major 'low-cost' carrier, on the internet using her credit card. However, the charge did not appear on her subsequent credit cards bills. Over ten months later, however, she booked another flight with the same airline. Her next credit card bill included two charges.......
view more

Case Study 8/01 Victim Support
Victim Support is a voluntary organisation which provides support, comfort and counselling to people who have been the victims of crime. The organisation receives funding from the Department of Justice, Equality and Law Reform to assist in its invaluable work; but, as an independent legal entity, it is not an agent of that Department or of An Garda Sνochαna.
view more

Case Study 9/01 Legal Firm
A person complained to me that a law firm, which had processed sensitive personal data relating to her mental health, was not duly registered under section 16 of the Data Protection Act, 1988. She complained that the firm was therefore committing offences against her under the Act, and she was anxious that the firm should delete all sensitive personal data relating to her from their computer systems.
view more