Access request redactions

The DPC received a complaint from an individual who had submitted an access request under Article 15 of the GDPR to their former employer (a public health
organisation), who provided services in Home Support.

Data Controller vs Data Processor obligations

An individual made an access request under Article 15 of the GDPR to an organisation they believed to be processing their personal data. Upon receipt of this request, the organisation notified the individual that it was not the data controller in this instance. The organisation advised the individual that it had referred the request to the actual data controller in line with its obligations under Article 28(3)(e) of the GDPR to assist “…the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights”. With the individual was not satisfied with the response and submitted a complaint to  the DPC.

Failure to respond to an Access Request

The DPC received a complaint with regard to an individual who made an access request under Article 15 of the GDPR to a public/state hospital for a copy of all personal information held concerning them. The response from the hospital remained outstanding after more than a month, whereas information provided to the DPC indicated that due the health of the individual this matter required urgent attention.

Incomplete organisational search in response to an Access Request

The DPC received a complaint from an individual who had submitted an access request under Article 15 of the GDPR to a property management company. The individual was seeking access to any personal data processed by the organisation in relation to them. The organisation responded to the access request explicitly stating to the individual that it did not process any personal data in relation to the individual at the time the access request was made or any time before that. 

Refusal of Access Request of a non-customer

The DPC received a complaint from an individual in relation to an access request made to an internet service provider. According to the individual, they rang the company regarding the possibility of switching broadband services and considered that the level of service received from the customer service agent was unsatisfactory. As a result, they made an access request for a copy of their personal data processed by the company.  

Requesting Data relating to a Vehicle

An individual raised a query with the DPC about gaining access to information held by a garage detailing the history of the vehicle the individual now owned, including details of damages assessed, recommended repairs, and an engineer’s report conducted towards the end of a particular year. The individual submitted an access request under Article 15 of the GDPR to the garage for all data related to the vehicle. The garage refused the request. As they were dissatisfied with the response received from the garage, they contacted the DPC to raise their concerns. 

Seeking access to deceased siblings medical records

An individual contacted the DPC inquiring about how to access the medical records of their late sibling, who had tragically passed away as an infant many
years previously. Since both parents had also passed away several years ago, the individual was unable to obtain information about the circumstances surrounding the death of their sibling.

Withholding of records containing personal data

The DPC received a complaint from an individual regarding the withholding of records containing personal data in response to an access request. The individual had made an access request under Article 15 of the GDPR to a financial service provider, following the sale of the individual’s mortgage to the organisation. 

Access Request Complaint where a fee was requested

The DPC received a complaint from an individual in relation to a subject access request made to a medical centre for a copy of their personal data. According to the individual, the medical centre had requested a fee to process the access request. Before contacting the DPC, the individual had already advised the medical centre that access to a copy of personal data is free under the GDPR and queried if the letter seeking a fee may have issued in error.

Access request seeking third party data

An individual submitted a subject access request to their former employer. This individual then raised a concern with the DPC querying whether the company was obliged to provide them with the names of all of the employees who had been involved in compiling the response to the subject access request.

Enforcement Notice issued due to an incomplete response to an access request

The DPC received a complaint in which the complainant’s representative indicated that they wished to make a formal complaint regarding the delay by Tusla to release records containing their client’s personal data on foot of a subject access request. The representative further stated that a full response to the complainant’s access request had not been provided and they had been receiving the records containing personal data in a piecemeal fashion for the previous two years. It was unclear to the complainant’s representative the amount of personal data outstanding in relation to their client’s access request.

Failure to respond to an Access Request

The DPC received a complaint from an individual who had made a subject access request to a state hospital for a copy of all information held concerning them. The individual did not receive a response to this request.

Article 60 decision concerning Airbnb Ireland UC — Delayed response to an Access Request and an Erasure Request

A complaint was lodged with the Berlin Commissioner for Data Protection and Freedom of Information (“Berlin DPA”) against Airbnb Ireland UC (“Airbnb”) and was thereafter transferred to the DPC to be handled in its role as lead supervisory authority.

Exemptions applied to CCTV footage

The DPC received a complaint from an individual regarding an access request made to the data controller, a retailer. The solicitors acting for the individual in relation to a personal injury claim had submitted the access request relating to a two-week period when the alleged incident had taken place. They were seeking records of the incident to include CCTV footage.

Failure to respond to an Access Request

The DPC received a complaint from an individual regarding a subject access request made by him to an organisation (the data controller) for a copy of all information held regarding his engagement with the data controller. The individual did not receive a response to this request. The DPC intervened to see if the matter could be informally resolved.

Obligation to give reasons when refusing to provide access to personal data

This complainant previously owned a property in a development managed by a management company. The complainant made a data access request to the management company but was of the view that the data controller failed to provide all of the complainant’s personal data in its response.

Request for footage from online meeting

An individual participated in a Zoom meeting that was recorded by the data controller. The individual made an access request for a copy of this recording. The data controller refused the request stating that it did not fall within the remit of GDPR. 

Access to CCTV footage

This complaint concerned an alleged incomplete response to a subject access request for CCTV footage made by the complainant to an educational institution. The complainant advised that they were the victim of an alleged attempted assault. The complainant requested access to CCTV footage from the time the alleged assault happened, in particular in relation to a specific identified time period from two different camera angles.

Failure to respond fully to an access request

This complaint concerned an access request made by the complainant. The complainant was dissatisfied that his request for access to a copy of any information kept about the complainant by the data controller in electronic and in manual form was refused by the data controller, a County Council. The data controller instead advised the complainant that the requested files were available online or for viewing at the data controller’s premises.

Confidential expressions of opinion and subject access requests

This complainant made a data subject access request to their employer. However, the complainant alleged that their employer omitted certain communications from its response, wrongfully withheld data on the basis that it constituted an opinion given in confidence and did not respond to the request within the required timeframe as set out in the legislation.

Access requests and legally privileged material

This complaint concerned an alleged incomplete response to a data subject access request. The background to this complaint was that the complainant had submitted an access request to the trustees of a pension scheme (the “Trustees”). As part of its response to the access request, the Trustees referred to a draft letter relating to the complainant; however, this draft letter was not provided to the complainant.

Access to information relating to a bank’s credit assessment

The complainant in this complaint made a request to a bank under data protection legislation to supply the complainant with a copy of all personal data relating to them held by the bank. The complainant alleged, in particular, that the bank had failed to provide them with any internal analyses which used the complainant’s personal data to assess the amount of credit the bank would extend to them.

Disclosure, withdrawing consent for processing and subject access request

A data subject brought a complaint to the Data Protection Commission (DPC) against their former employer (the data controller). The data subject had a number of data protection concerns namely:

1 . The disclosure of their personal email address in a group email by being included in the Carbon Copy (CC) field,

2 . The inclusion of their image on the data controllers social media,

3 . The data subject was not satisfied to the response received from the data controller regarding a subject access request .

Legal basis for processing and security of processing

A data subject lodged a complaint with the DPC against a data controller following a delayed response to a subject access request. The data subject was concerned about the processing of their personal data between the data controller and a third party, a HR investigator (investigator). Such concerns related to the legal basis for processing the data subject’s personal data and the security of processing the personal data, as the investigator was using a Gmail account during the course of the examination.