Case Studies: Data Breach Notification

Digital File Storage Breach

A third-level institution reported a data breach to the DPC relating to the storage of student medical certificates for a particular course. A student had discovered medical certificates relating to other students when attempting to upload their own certificate to the institution's Virtual Learning Environment (VLE). The institution immediately informed the DPO, and its IT department removed the files.

The DPC assessed the notification and, given the nature of the special category (health) data involved, requested further information from the organisation. The investigation by the organisation determined that human error had led to a misconfiguration on the VLE, which meant that medical certificates were displayed to a group of students, rather than solely to the course coordinator/lecturer. 

The breach was originally deemed high risk by the organisation but, following a review of the breached data and the risks posed to the rights and freedoms of the affected individuals, it was deemed to be of lesser risk than originally assessed. The organisation decided to notify the impacted individuals about the breach out of an abundance of caution.

In order to prevent a recurrence of this situation, the institution issued an email to all staff to remind them not to use the VLE for the submission of personal data. The institution also added messages to the VLE platform to remind both staff and students of their data protection obligations when using the system.

The organisation engaged with the provider of the VLE to introduce measures to ensure that personal data is stored and processed securely and that security settings are configured appropriately.

Key Takeaway

  • When utilising systems that require an individual to upload personal data such as medical certificates, organisations should be aware of the importance of ensuring that the data is securely obtained, accessed and processed. Any security features available should be configured appropriately and the users of the system should be fully aware of what is required. Only personal data that is required should be uploaded. Organisations can ensure this through clear messaging and training. 
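The misconfiguration in this case is an authorisation failure: a file area meant to be readable only by its uploader and course staff was set so that every student on the course could read it. The following is an added example, not code from the DPC report or from any particular VLE product, showing a per-file authorisation check, the weak visibility setting beside the corrected one, and an audit that enumerates cross-student exposure before and after remediation. The roles, visibility constants, sample users and file names are constructed for illustration.

```python
"""Added example (not from the DPC report or any VLE vendor): a minimal
model of assignment drop-box visibility, the authorisation check applied
on every file read, and an audit that flags settings under which one
student can read another student's upload. All names are assumptions."""
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    STUDENT = "student"
    LECTURER = "lecturer"   # course coordinator / lecturer
    ADMIN = "admin"


# Visibility settings for a drop box. OWNER_AND_STAFF is the safe default
# for medical certificates; COURSE_GROUP reproduces the misconfiguration.
VIS_OWNER_AND_STAFF = "owner_and_staff"
VIS_COURSE_GROUP = "course_group"


@dataclass(frozen=True)
class User:
    user_id: str
    role: Role
    courses: frozenset


@dataclass(frozen=True)
class Submission:
    file_id: str
    course_id: str
    uploaded_by: str
    visibility: str


def can_view(user: User, sub: Submission) -> bool:
    """Authorisation check that must run on every file read."""
    if user.role is Role.ADMIN:
        return True
    if sub.course_id not in user.courses:
        return False            # not enrolled or teaching on this course
    if user.user_id == sub.uploaded_by:
        return True             # the uploader may always see their own file
    if user.role is Role.LECTURER:
        return True             # course staff
    # Another student only gets through a group-visible drop box.
    return sub.visibility == VIS_COURSE_GROUP


def audit_exposures(users, submissions):
    """Return (file_id, viewer_id) pairs where a student can read a file
    uploaded by a different student. An empty list means no exposure."""
    findings = []
    for sub in submissions:
        for u in users:
            if (u.role is Role.STUDENT and u.user_id != sub.uploaded_by
                    and can_view(u, sub)):
                findings.append((sub.file_id, u.user_id))
    return findings


def harden(sub: Submission) -> Submission:
    """Remediation: restrict the drop box to its owner and course staff."""
    return Submission(sub.file_id, sub.course_id, sub.uploaded_by,
                      VIS_OWNER_AND_STAFF)


# Constructed sample data: two students and a lecturer on MED101, one
# student on an unrelated course, and two certificate uploads.
USERS = [
    User("s1", Role.STUDENT, frozenset({"MED101"})),
    User("s2", Role.STUDENT, frozenset({"MED101"})),
    User("s3", Role.STUDENT, frozenset({"LAW200"})),
    User("lec1", Role.LECTURER, frozenset({"MED101"})),
]
SUBMISSIONS = [
    Submission("cert-s1.pdf", "MED101", "s1", VIS_COURSE_GROUP),      # misconfigured
    Submission("cert-s2.pdf", "MED101", "s2", VIS_OWNER_AND_STAFF),   # correct
]

if __name__ == "__main__":
    print("exposures before:", audit_exposures(USERS, SUBMISSIONS))
    print("exposures after: ", audit_exposures(USERS, [harden(s) for s in SUBMISSIONS]))
```

The audit is the check a practitioner would schedule after a change to a platform like this: it does not trust the setting's label, it asks the same `can_view` function the application uses whether a non-owner student would actually be allowed through.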

Case Studies: Data Breach Notification

Phishing Email Attack in the Broadcasting Sector

An organisation operating in the broadcasting sector notified a data breach to the DPC relating to an employee who had fallen victim to a phishing email. The email, purporting to be an advertisement for an internal vacancy, requested that the employee input their email and data storage platform credentials and approve the resulting Multi-factor Authentication (MFA) authenticator prompt. Having obtained this information from the employee, the bad actor who sent the phishing email was then able to gain access to this employee's email and data storage platform account.

Categories of personal data that were potentially accessed by the bad actor included names, email addresses, photos/videos, financial data and special category data (health data). The affected individuals included employees within the organisation and third-party contacts who had engaged with the broadcaster. The organisation became aware of the breach when the employee reported issues logging into their email and data storage platform. The organisation's phishing detection systems had disabled the phished account automatically after 17 minutes, but the account was then manually reactivated by the in-house IT team in error. A manual review of audit logs showed suspicious login attempts from different locations, leading to the account being reset and the bad actor being locked out permanently.

The DPC reminded the organisation of its obligations as a data controller. On foot of this, the organisation implemented preventative measures in order to mitigate against a recurrence of this breach. These measures included spam/phishing filters, reminders to all staff to exercise caution when opening external emails, increased training and staff awareness exercises, and new guidelines in relation to the reactivation of suspended user accounts.

Key Takeaway

  • Organisations should be aware of the importance of utilising preventative measures against data breaches that consist of both technical (phishing detection, spam/phishing filters) and organisational measures (staff training/awareness, simulated phishing attacks) and should monitor and check that these measures continue to be fit for purpose.
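The two technical points in this case are the audit-log pattern that eventually exposed the attacker (successful sign-ins from different locations within minutes) and the reactivation of an automatically suspended account without that review having been done. The following is an added example, not code from the DPC report or from the broadcaster concerned: it parses a handful of constructed sign-in records, flags users with successful sign-ins from more than one country inside a short window, and applies a reactivation rule that refuses to lift an automatic suspension until the flagged activity has been reviewed and the credentials and MFA reset. The log format, field names, country codes and thresholds are assumptions made for the example.

```python
"""Added example (not from the DPC report or the organisation involved):
multi-country sign-in detection over audit records plus a guard for
lifting automatic account suspensions. Format and thresholds are assumed."""
from datetime import datetime, timedelta

# Constructed audit records: "<timestamp> <user> <country> <result>".
SAMPLE_LOG = """\
2024-03-04T09:02:11Z alice IE success
2024-03-04T09:06:40Z alice NG success
2024-03-04T09:07:05Z alice NG success
2024-03-04T09:19:00Z alice IE failure
2024-03-04T10:15:00Z bob IE success
2024-03-04T16:40:00Z bob IE success
"""

# Points in time at which a reactivation request is evaluated (constructed).
REVIEW_TIME = datetime(2024, 3, 4, 9, 30)
LATER = datetime(2024, 3, 4, 17, 0)


def parse_log(text):
    """Parse the whitespace-separated records into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        ts, user, country, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "country": country, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def suspicious_signins(events, window=timedelta(hours=1)):
    """Return {user: set_of_countries} for users with successful sign-ins
    from more than one country within `window`. Failed attempts are ignored
    because only successful sessions indicate a working credential."""
    flagged = {}
    ok = [e for e in events if e["result"] == "success"]   # already sorted
    for i, a in enumerate(ok):
        for b in ok[i + 1:]:
            if b["ts"] - a["ts"] > window:
                break            # later records are further away still
            if b["user"] == a["user"] and b["country"] != a["country"]:
                flagged.setdefault(a["user"], set()).update(
                    {a["country"], b["country"]})
    return flagged


def reactivation_allowed(user, events, now, credentials_reset, review_signed_off):
    """Policy for lifting an automatic suspension: (allowed, reason).
    While the preceding 24 hours show multi-country sign-ins, the account
    stays disabled until a human has reviewed the logs and the password
    and MFA registration have been reset."""
    recent = [e for e in events
              if e["user"] == user and timedelta(0) <= now - e["ts"] <= timedelta(hours=24)]
    flagged = suspicious_signins(recent)
    if user in flagged and not review_signed_off:
        return False, f"unreviewed sign-ins from {sorted(flagged[user])}"
    if user in flagged and not credentials_reset:
        return False, "credentials and MFA not reset since suspicious activity"
    return True, "ok"


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("flagged:", suspicious_signins(events))
    # The mistake in the case study: lifting the suspension with no review.
    print(reactivation_allowed("alice", events, REVIEW_TIME, False, False))
    print(reactivation_allowed("alice", events, REVIEW_TIME, True, True))
    print(reactivation_allowed("bob", events, LATER, False, False))
```

The check deliberately keys on the same signal the manual log review found: the automatic suspension is treated as a finding that must be closed out, not as a lock that a help-desk ticket can simply remove.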

Case Studies: Electronic Direct Marketing

Prosecution of Thérapie Clinic Trading as Valterous Limited

In February 2024, the DPC received notification from an individual of an alleged unsolicited email communication from Thérapie Clinic. The individual had provided the DPC with a copy of their marketing preferences and a copy of an unsolicited email communication. 

Following further investigation, Thérapie Clinic confirmed to the DPC that the complainant was a client of theirs and had not given consent to receive marketing communications. Thérapie Clinic conducted an internal investigation, which found that the email message that was the subject of the complaint had been sent manually by a member of staff in one of their clinics.

The email was not a system-generated message, and therefore no opt-out mechanism had been included in the communication. As such, the individual had received an unsolicited marketing email message without an option to opt out of receiving further marketing messages. As the DPC had issued a warning to Thérapie Clinic in February 2023 in regard to a previous complaint, the DPC decided to prosecute arising from this complaint.

On 25 October 2024, Thérapie Clinic was prosecuted for sending unsolicited emails to a customer who had previously opted out of receiving marketing communications. The company was found to have violated Regulation 13(12)(c) and Regulation 13(13)(a)(i) of S.I. No. 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. In lieu of a conviction and fine, the Dublin Metropolitan District Court ordered the company to make a donation of €325 to the Little Flower Penny Dinners charity and to pay the DPC's legal costs.

Key Takeaway

  • This case emphasises the need for organisations to communicate their policies and procedures effectively to all staff members. Companies must ensure that staff members are fully aware of the implications of conducting ad hoc marketing activities outside of the company's marketing applications and systems. Individuals' preferences must be respected, and once an individual has opted out, no further electronic marketing communications should be sent to that individual.

Case Studies: Electronic Direct Marketing

Prosecution of Google Ireland Limited

In November 2023, the DPC received notification from an individual of alleged unsolicited marketing communications via telephone from Google Ireland Limited. The individual in question had received three separate phone calls in the space of a 4-hour period from individuals identified as sales representatives on behalf of Google Ireland Limited. The DPC launched an investigation, during the course of which Google Ireland Limited confirmed that a third-party contractor had disregarded the individual’s previous request to opt-out of marketing communications, resulting in a number of calls being made to the individual. 

The DPC had previously issued a warning to Google Ireland Limited in July 2023 concerning unsolicited phone calls made without consent to the same individual. As part of this warning, Google Ireland Limited was notified that if the individual was to receive further phone calls, Google Ireland Limited may face prosecution. Google Ireland Limited breached the rules governing unsolicited marketing phone calls, as the company continued to make marketing phone calls after the individual had explicitly withdrawn their consent.

At Dublin Metropolitan District Court on 25 October 2024, Google Ireland Limited pleaded guilty to two charges of making unsolicited marketing telephone calls under Regulation 13 of S.I. No. 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. Dublin Metropolitan District Court directed the company to contribute €1,500 to the Little Flower Penny Dinners charity and to pay the DPC’s legal costs in lieu of a conviction and fine.

Key Takeaway

  • This case highlights the importance of effectively managing opt-out requests. Explicit consent is required in order to conduct electronic direct marketing activities, including marketing telephone calls. Where a contractor acting on behalf of a company fails to comply with corporate policies and procedures (e.g. cold-calling a person who has unsubscribed and opted out of such communications), it is the data controller who is ultimately responsible.

Case Studies: Access Request Complaints

Data Controller vs Data Processor obligations

An individual made an access request under Article 15 of the GDPR to an organisation they believed to be processing their personal data. Upon receipt of this request, the organisation notified the individual that it was not the data controller in this instance. The organisation advised the individual that it had referred the request to the actual data controller in line with its obligation under Article 28(3)(e) of the GDPR to assist "…the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights". The individual was not satisfied with this response and submitted a complaint to the DPC.

The DPC requested documentary evidence from the organisation (data processor) which would support its assertion that it was not the data controller in this instance. The organisation provided the DPC with a copy of a data protection agreement, which explicitly detailed the organisation as the data processor and the other party as the data controller in relation to the personal data being processed in this instance. This agreement outlined in specific detail that the organisation only processed personal data upon instruction from the data controller. The DPC examined this agreement and affirmed that the organisation to which the individual submitted the access request was the data processor in this instance.

The DPC accepted that the organisation was the data processor for the personal data which had been requested in this instance and that it had complied with its obligations under both Article 15 and Article 28(3)(e) of the GDPR.

Key Takeaway

  • Sometimes, an organisation will need to engage the services of a sub-contractor or agent to process personal data on its behalf. Such an agent is termed a "data processor" under data protection law. Where a data controller engages the services of a data processor, it must take certain steps to ensure that data protection standards are maintained in line with Article 28(3) of the GDPR. While an organisation may outsource its personal data processing activities to a third party, it cannot outsource its responsibility and obligations under the GDPR.
  • Prior to the commencement of processing activities, data controllers and data processors must enter into a written legally binding agreement in order to define their respective roles and responsibilities in the context of their business activities. Such agreement is usually in the form of a contract and the obligations of the data processor should be as detailed as possible. 

Case Studies: Access Request Complaints

Requesting Data relating to a Vehicle

An individual raised a query with the DPC about gaining access to information held by a garage detailing the history of the vehicle the individual now owned, including details of damages assessed, recommended repairs, and an engineer’s report conducted towards the end of a particular year. The individual submitted an access request under Article 15 of the GDPR to the garage for all data related to the vehicle. The garage refused the request. As they were dissatisfied with the response received from the garage, they contacted the DPC to raise their concerns. 

In response, the DPC reviewed the request and provided relevant information, advising that under GDPR, “personal data” is defined in Article 4(1) as any information relating to an identified or identifiable natural person. While a vehicle’s registration plate could be considered personal data, the condition of the vehicle itself prior to a person’s ownership did not relate to the individual as a natural person. Consequently, the DPC considered that data protection law did not apply in this case, and the concerns raised fell outside its remit.

Key Takeaway

  • It is important to note that while the scope of the definition of personal data under the GDPR is broad, it does have limits. In this instance, the condition of a vehicle before an individual's ownership would not necessarily be considered personal data, as it would not relate to a specific natural person, and in particular not to a new owner. As a result, the individual's request in this particular case fell outside the scope of data protection law.

Case Studies: Electronic Direct Marketing

Prosecution of Supermac’s Ireland Limited

In August 2023, the DPC received a complaint from an individual regarding alleged unsolicited marketing SMS messages received from Supermac’s Ireland Limited. The DPC launched an investigation, in the course of which Supermac’s Ireland Limited explained that the individual had registered for their online ordering system in 2018 and had ticked the box to receive SMS and email marketing communications. The individual subsequently placed an online order in 2023 and was added to an active marketing list for SMS purposes. 

The DPC requested that the individual’s details be removed from the active marketing list in August 2023. Supermac’s Ireland Limited confirmed to the DPC that the opt-out had been successful and the individual had been removed from their marketing list. However, the individual contacted the DPC again in October 2023 to inform the DPC that they had received a further marketing SMS from Supermac’s Ireland Limited, despite assurances that they had been removed from marketing lists. Upon further investigation, Supermac’s Ireland informed the DPC that, due to a technical error by their subcontractor, the individual’s phone number had not been removed properly. 

The DPC’s investigation of this complaint established that Supermac’s Ireland Limited did not have valid consent to send electronic marketing communications to the individual concerned. As the DPC had issued a warning to the company in February 2023 with regards to a previous complaint, the DPC decided to prosecute the case. 

On 3 September 2024 before Judge Fahy in Galway District Court, Supermac's Ireland Limited pleaded guilty to five charges of sending unsolicited marketing SMS messages under Regulation 13(7) and Regulation 13(13)(a)(i) of S.I. No. 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. Galway District Court ordered the company to make a contribution of €3,500 to the Galway Simon Community and Cope Galway, in lieu of a conviction and fine. The company was also required to discharge the DPC's legal costs.

Key Takeaway

  • This case highlights the importance of maintaining marketing lists in accordance with customer preferences. The data controller is ultimately responsible for the personal data it processes, even when utilising third-party processors, such as the sub-contractor in this case. Organisations must implement effective systems to manage opt-out requests and prevent the continued sending of unsolicited electronic communications.

Case Studies: Electronic Direct Marketing

Prosecution of Pulse Gym trading as Energie Fitness Dublin 8

In October 2023, the DPC received notification from an individual regarding unsolicited marketing SMS messages received from Pulse Gym, trading as Energie Fitness Dublin 8. An investigation was launched during which Pulse Gym explained that when a member signed up online, they agreed to Pulse Gym’s terms and conditions, which included a reference to giving consent to receive marketing materials by electronic means. 

The DPC requested a copy of the consent referred to under Article 7 of the GDPR, but Pulse Gym was unable to provide such a copy. The DPC highlighted that consent for marketing is required to be “freely given, specific, informed and unambiguous”, and that Pulse Gym was not permitted to “bundle” consent for processing of individuals’ personal data for different purposes. 

Pulse Gym also confirmed during the investigation that the opt-out attempts made by the individual had not been implemented successfully because of a fault in the service provider's software.

A warning had previously been issued to Pulse Gym following an investigation of a similar complaint in July 2023. As part of this warning, the DPC had made Pulse Gym aware of their requirements to ensure that their mailing list only contained details of individuals who had explicitly consented to receive marketing communications and to ensure their opt-out function was operational and opt out requests were respected. However, upon receipt of this further complaint in October 2023, it became apparent that not all changes identified in the DPC’s warning letter had been implemented. As a result, the DPC decided to move to prosecution proceedings in this instance.

Pulse Gym pleaded guilty to one charge of sending unsolicited marketing SMS messages at Dublin Metropolitan District Court on 27 May 2024 under Regulation 13 of S.I. No. 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. In lieu of a conviction and fine, Judge Halpin applied the Probation Act and the company was instructed to make a donation of €700 to the Little Flower Penny Dinners charity and to pay the DPC's legal costs in full.

Key Takeaway

  • This case demonstrates the importance of ensuring that when consent is sought for marketing purposes, that this consent be individualised, clearly distinguishable and not “bundled” in with other requests for consent to data processing activities. Organisations must also ensure that their opt-out procedures work properly and are tested regularly to ensure their functionality. 

Case Studies: Accuracy

Rectification of personal data

An individual flew with an airline to a destination in Europe. On their return flight, their luggage was misplaced. After reporting the issue at the airport, they received a missing luggage slip that contained the name of a different individual but correctly listed the details of their missing luggage.

The individual promptly raised their concerns with the airline, seeking a resolution to ensure their luggage was properly tracked and identified. However, despite the customer's efforts, the airline was unable to provide a satisfactory resolution and refused to issue a new luggage slip reflecting their correct name. This lack of resolution prompted the individual to escalate the matter by filing a complaint with the DPC.

In response, the DPC liaised with the airline’s DPO to address the issue of the recording of incorrect personal data. The DPC emphasised the importance of accurate data handling and the implications of data errors on customer experiences. Through this intervention, the DPO worked swiftly to rectify the situation, ensuring that the individual received an updated luggage slip that included their correct name.

This updated slip was crucial for this individual as it allowed them to file a claim with their insurance provider for the lost luggage. The case highlights the importance of effective data management practices and serves as a reminder for organisations to prioritise accurate record-keeping and responsive customer service, especially in situations involving personal belongings.

Key Takeaway

  • This case highlights how personal data inaccuracies can lead to significant customer dissatisfaction, which can in turn lead to a complaint to the DPC. It also emphasises the role of data protection authorities in assisting with a swift resolution, and the interplay that often occurs between customer service issues and the data protection complaints they generate.

Case Studies: Erasure

Parent making an erasure request for child who is now an adult

A charity contacted the DPC seeking advice on a query they had received from a parent asking whether they could request the erasure of their child’s personal data. The data in question dated back several years when the child was a minor. However, the child was now an adult, and the parent, who was their guardian at the time, wanted to know if they could still request that the data be erased.

The DPC advised the charity that, under section 29 of the Data Protection Act 2018, a child is defined as an individual under the age of 18. This meant that, as the individual was now over 18, they were considered an adult and, therefore, had the full legal capacity to exercise their own data protection rights, including the right to request erasure of their personal data.

The DPC also clarified that while the parent could no longer directly request the erasure of the data on behalf of the now-adult child, the affected individual could choose to provide their parent with a signed letter of authority. This was an option that could be drawn to the attention of the now-adult child and their parent. Such a letter of authority would allow the parent to act on their behalf in making the data erasure request. The DPC reminded the charity that it was their responsibility to verify and ensure that any such request was valid under the circumstances.

The charity thanked the DPC for their response and confirmed that they would share the information with the individual who had initially contacted them. This guidance helped to ensure that both the individual’s rights and the role of the charity were clearly understood, while also acknowledging the potential complexities involved in handling requests from parents of adult children.

Key Takeaway

  • This interaction highlighted the role of the DPC in dealing with concise queries relating to who can access personal data and the responsibility and appropriateness of the individual to exercise their own rights under the GDPR. Once an individual attains 18 years, they have full control over their own data protection rights, including the ability to request erasure of their personal data. Parents or guardians may act for them with their authority by providing a letter of authority, something that should be communicated to both the now-adult child and their parent/ guardian. It is for the organisation in question to ultimately verify and ensure that any such request is valid under the circumstances, to ensure that no unlawful disclosure of personal data takes place.