Data Protection Commission publishes 2019 Annual Report

20th February 2020

Commissioner for Data Protection, Helen Dixon, today launched the Irish Data Protection Commission’s Annual Report for 2019, detailing the work of the DPC for the first full calendar year since the introduction of the General Data Protection Regulation (GDPR). 

Highlights of the 2019 Annual Report include:

  • 7,215 complaints were received in 2019 representing a 75% increase on the total number of complaints (4,113) received in 2018.
  • 5,496 complaints in total were concluded in 2019.
  • 6,069 valid data security breaches were notified representing a 71% increase on the total number of valid data security breaches (3,542) recorded in 2018.
  • Almost 48,500 contacts were received through the DPC’s Information and Assessment Unit, including 22,200 telephone calls and 22,300 emails.
  • On 31 December 2019, the DPC had 70 statutory inquiries on hand, including 49 domestic inquiries.
  • Six statutory inquiries were opened in relation to multinational technology companies’ compliance with the GDPR, bringing the total number of cross-border inquiries to 21.
  • 457 cross-border processing complaints were received by the DPC through the One-Stop-Shop mechanism.
  • 165 new complaints were investigated under S.I. No. 336 of 2011 in respect of various forms of electronic direct marketing: 77 related to email marketing; 81 related to SMS (text message) marketing; and seven related to telephone marketing. Prosecutions were concluded against four entities in respect of a total of nine offences under the E-Privacy Regulations.
  • The DPC published its findings on certain aspects of the Public Services Card (PSC) following a lengthy investigation. The published findings were targeted at two key issues, namely the legal basis under which personal data is processed and transparency. 
  • The DPC carried out an extensive consultation on the processing of children’s personal data, yielding 80 responses. The feedback from the consultation will be used to develop guidance on the processing of children’s personal data, which is a DPC priority for 2020.
  • The DPC received 712 new Data Protection Officer notifications, bringing the total number to 1,596 at year end.
  • Staffing numbers increased from 110 at the end of 2018 to 140 at the end of 2019, including two additional Deputy Commissioners.

The Commissioner for Data Protection, Helen Dixon, commented: “2019 has been the first full calendar year of the GDPR. There have been many positive changes, including organisations across Ireland appointing Data Protection Officers who can assist the public in exercising their data protection rights and also an increased awareness on the part of individuals and organisations alike as to the importance of protecting personal data.

“At the Data Protection Commission, we have been busy during 2019 issuing guidance to organisations, resolving individuals’ complaints, progressing larger-scale investigations, reviewing data breaches, exercising our corrective powers, cooperating with our EU and global counterparts and engaging in litigation to ensure a definitive approach to the application of the law in certain areas.”

Looking forward, Ms Dixon commented: “Much more remains to be done in terms of both guiding on proportionate and correct application of this principles-based law and enforcing the law as appropriate. But a good start is half the battle and the DPC is pleased at the foundations that have been laid in 2019. We are already expanding our team of 140 to meet the demands of 2020 and beyond.”   

DPC 2019 Annual Report