Case Studies Electronic Direct Marketing
Prosecution of Guerin Media Limited
In January 2022, the DPC received two complaints from two individuals regarding unsolicited marketing emails received from Guerin Media Limited. In response to the DPC’s investigation of the complaints, Guerin Media Limited explained that the two individuals’ email contact details had previously been removed from all marketing lists held by the company, with the exception of a Gmail contact list that it maintained. It stated that, due to human error and the fact that their details remained on the Gmail contact list, both individuals were sent marketing emails from Guerin Media Limited that should not have been sent.
The DPC had previously prosecuted Guerin Media in 2019 for breaching Regulation 13 of the ePrivacy Regulations in relation to previous complaints regarding similar incidents of unsolicited email marketing. Accordingly, the DPC decided to proceed to another prosecution arising from these complaint cases. At Naas District Court on 5 December 2022, Guerin Media Limited pleaded guilty to three charges under Regulation 13(1) of the ePrivacy Regulations. The District Court convicted Guerin Media Limited on all three charges and it imposed fines totalling €6,000. Guerin Media Limited agreed to pay €1,000 towards the DPC’s legal costs.
Case Studies Data Breach Notification
Risks posed by users of video conferencing
The DPC received a notification from a statutory body tasked with investigating complaints about the professional conduct of experts. The breach occurred during the course of a public hearing, which was held remotely, when access permissions were incorrectly provided to attendees including journalists.
This error made visible documents revealing personal data that members of the public were not entitled to view, as the documents did not form part of the hearing. The personal data unintentionally disclosed during the hearing was subsequently published by journalists in numerous media outlets.
The breach was assessed as high risk because the data subject’s location could be inferred from the data that was disclosed and published.
By way of mitigation, the statutory body confirmed that the media outlets had removed the personal data. In addition, the organisation updated its technical and organisational measures to restrict access to personal data.
Case Studies Data Breach Notification
Transfer of hard copy paper documents while moving premises
A medical General Practitioner (‘GP’) who operated his practice from his own home was moving work premises. The GP stated that 4000 patients had attended the practice over time and that the practice operated both digital storage and paper files. The GP engaged a local delivery van to transport the paper medical files connected with the practice. The medical files were put into boxes and placed in the private delivery van.
The breach was discovered during a system audit which followed the move. A box containing medical files, which had been transported, was missing. The van driver confirmed that he had deposited all the boxes in the reception area of the new premises. The GP reported the loss of the box of files to the local Garda Station. It was established that the box, which contained over 2000 medical files, could not be located and the GP confirmed that there was no backup of these records. The missing files related to medical diaries and timesheets, vaccination records and clinical records pertaining to the assessment and treatment of private patients.
The DPC engaged with the GP and established that the GP did not intend to notify affected individuals. The GP advised that he was liaising with the HSE on the matter and that the practice had aligned its practices with the HSE policy on record keeping (HSE Standards and Recommended Practices for Healthcare Records Management, QPSD-D-006-3 V3). The GP initially stated that the risk was low as the missing data was not incomplete.
Following further engagement, the DPC drew the GP’s attention to the obligations under Article 34 of the GDPR to notify the affected individuals without undue delay. Following this engagement, the GP confirmed that he had sent a notification to every affected patient or minor patient’s parent or guardian by either email or by postal letter.
The personal data in question fell within both Article 4(1) GDPR (personal data) and Article 9 GDPR (special category data). It included names, addresses, dates of birth, PPSNs and vaccination details.
The GP engaged with the HSE on the management of medical records. New measures have since been introduced by the GP to digitise the remaining medical records held.
In line with the obligations under Article 5(1)(f) GDPR and Article 32 GDPR to implement technical and organisational measures appropriate to the risk, practical steps, such as having an individual in attendance to receive any medical records being transported, have also been introduced.
It was noted that the GP had operated from his home for over 20 years and, while he used secure filing cabinets, appropriate measures were not taken when transporting the files.
The DPC engaged with the GP and issued recommendations regarding the GP’s obligations as a controller under Article 24 GDPR and directed him towards the guidance provided on the DPC website. The DPC further referred the GP to the data protection guidance published by the Irish College of General Practitioners (ICGP).
Case Studies Electronic Direct Marketing
Prosecution of Vodafone Ireland Limited (ePrivacy)
In August 2019, March 2020 and September 2020, the DPC received three complaints from individuals regarding unsolicited marketing telephone calls, text messages and emails they had received from Vodafone Ireland Limited. In response to the DPC’s investigation of the first complaint, Vodafone Ireland Limited explained that the former customer had called Vodafone Ireland Limited on seven separate occasions to try to opt out of receiving marketing phone calls to their mobile phone. On each occasion the agent they spoke to did not follow proper procedures, with the result that the former customer was not opted out of marketing and received further marketing calls. The complainant closed his account with Vodafone Ireland Limited and switched to another operator because of the marketing phone calls he received.
In the other two cases, the complainants were existing customers of Vodafone Ireland Limited. In one case, the customer received a marketing call to their mobile phone number in February 2019 and during that call told the caller that they did not want to receive further marketing calls. Despite this request, Vodafone Ireland Limited subsequently made a further twelve marketing phone calls to the complainant’s mobile phone, as its agent did not take any action to change the complainant’s marketing preferences.
In the other case, the complainant completed a transfer of ownership form on which they clearly set out their marketing preferences not to receive any marketing communications from Vodafone Ireland Limited. The agent handling the transaction failed to follow a process to input the customer’s marketing preferences. As a result, the customer subsequently received a further 14 unsolicited marketing messages — seven emails and seven text messages.
The DPC had previously prosecuted Vodafone Ireland Limited in 2019, 2018, 2013 and 2011 for breaching Regulation 13 of the ePrivacy Regulations in relation to previous complaints. Accordingly, the DPC decided to proceed to another prosecution arising from these complaint cases.
At Dublin Metropolitan District Court on 6 September 2021, Vodafone Ireland Limited pleaded guilty to seven charges under Regulation 13(1) and 13(6)(a) of the ePrivacy Regulations. The District Court convicted Vodafone Ireland Limited on seven charges and imposed fines totalling €1,400. Vodafone Ireland Limited agreed to discharge the DPC’s legal costs.
Case Studies Data Breach Notification
Transfer of hard copy paper documents
The breach concerned an organisation that has a function in conducting independent reviews and was returning documents following the completion of its review process. The organisation normally encourages the use of a file transfer system for the transfer of subject records but also facilitates the sending of hard copies. In this instance, the sending organisation requested that the copies of records it had supplied in hard copy be returned to it. The organisation returned the documents by post, and the envelope was reinforced and secure when it left the organisation. However, it was not sent by registered post, which was the organisation’s normal policy when requesting hard copies from organisations to support the appeal / assessment process. When the envelope arrived back at the sending organisation, all of its seams were split, it was badly torn, and three pages were missing from the package.
The documents contained details related to vulnerable individuals, the nature and category of data related to Article 4(1) GDPR and while it did not contain any medical data, certain medical information could be inferred from the fact that the service user had engaged with the sending organisation.
As part of its investigation into the three missing pages, the organisation engaged with the postal service used to return the documents and established that the envelope had been received undamaged by the postal service. However, because it was not sent as registered post, no postal tracking was available.
The organisation has committed to enforcing the use of registered post and to updating its policy to direct staff that, when returning hard copies to the data controller, steps are taken in line with Article 5(1)(f) GDPR and Article 32 GDPR to implement appropriate technical and organisational measures, such as registering the correspondence with the postal service and using appropriately reinforced envelopes, so as to ensure a level of security and protection appropriate to the risk.
It also identified that, while the policy in use by the organisation did call out registered post as the preferred method of postage, this was mentioned only in relation to the receipt of hard copies from sending organisations. The organisation recognised this as an oversight within its own policies.
The DPC engaged and advised the organisation to update its policy on the returning of hard copies to organisations and that it should include this in staff training and awareness campaigns.
Case Studies Electronic Direct Marketing
Prosecution of Three Ireland (Hutchison) Limited (ePrivacy)
In February 2021, the DPC received one complaint from an individual concerning unsolicited marketing electronic mail they had received from the telecommunications company Three Ireland (Hutchison) Limited. The complainant opted out of receiving marketing emails in mid-February 2021.
In response to the DPC’s investigation, Three Ireland (Hutchison) Limited explained that, when it attempted to execute the opt-out request, two records were sent to its systems simultaneously and processed out of sequence, with the result that the customer’s marketing permission was not updated correctly. As a result, three further marketing emails were sent to the complainant in the following weeks. Three Ireland (Hutchison) Limited stated that it remedied the matter by implementing a script to reconcile differences between its permissions data. It also set up an email alert to monitor the script and raise an alert should the script stop working.
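The failure described above, two permission records arriving at the same time and being applied out of sequence, is a classic last-write-wins race: a stale opt-in that was already in flight lands after the opt-out and silently overwrites it. The Python below is an added example written for this page, not Three Ireland’s code or systems. It assumes a hypothetical event schema in which the source system stamps each update with a monotonically increasing sequence number, shows the naive store losing the opt-out, a sequence-aware store keeping it, and a reconciliation routine of the kind the company describes, which rebuilds the expected permissions from the event log and reports every stored flag that disagrees. The events are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PrefEvent:
    """One marketing-permission update from a source system (hypothetical schema)."""
    seq: int         # assumed: monotonically increasing per subject at the source
    email: str
    opted_in: bool


# Constructed event log: the customer's opt-out (seq 2) and a stale opt-in
# snapshot (seq 1) were in flight at the same time and arrived out of order.
EVENTS_AS_RECEIVED = [
    PrefEvent(seq=2, email="customer@example.com", opted_in=False),
    PrefEvent(seq=1, email="customer@example.com", opted_in=True),
]


def apply_last_write_wins(events):
    """Naive store: whatever arrives last overwrites. The opt-out is lost."""
    state = {}
    for ev in events:
        state[ev.email] = ev.opted_in
    return state


def apply_sequenced(events):
    """Ordered store: keep only the highest sequence seen per subject, so a
    late-arriving older record cannot overwrite a newer opt-out."""
    latest = {}  # email -> (seq, opted_in)
    for ev in events:
        current = latest.get(ev.email)
        if current is None or ev.seq > current[0]:
            latest[ev.email] = (ev.seq, ev.opted_in)
    return {addr: flag for addr, (_, flag) in latest.items()}


def reconcile(store, events):
    """The 'script to resolve differences': rebuild the expected permissions
    from the event log and return every subject whose stored flag disagrees,
    as email -> (stored, expected). An empty dict means the store is consistent."""
    expected = apply_sequenced(events)
    return {
        addr: (store.get(addr), flag)
        for addr, flag in expected.items()
        if store.get(addr) != flag
    }


def may_send_marketing(store, addr):
    """Send gate: only an explicit, current opt-in permits a marketing email.
    Unknown subjects default to no."""
    return store.get(addr) is True


if __name__ == "__main__":
    naive = apply_last_write_wins(EVENTS_AS_RECEIVED)
    ordered = apply_sequenced(EVENTS_AS_RECEIVED)
    print("last-write-wins store would send:", may_send_marketing(naive, "customer@example.com"))
    print("sequenced store would send:", may_send_marketing(ordered, "customer@example.com"))
    print("reconciliation findings:", reconcile(naive, EVENTS_AS_RECEIVED))
```

The reconciliation output is what a monitoring job would alert on; if the job itself stops running, the discrepancy count silently stays at zero, which is why the company paired the script with an alert on the script’s own health.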
The DPC had previously prosecuted Three Ireland (Hutchison) Limited in 2020 and 2012 for breaching Regulation 13 of the ePrivacy Regulations in relation to previous complaints. Accordingly, the DPC decided to proceed to another prosecution arising from this complaint case.
At Dublin Metropolitan District Court on 6 September 2021, Three Ireland (Hutchison) Limited pleaded guilty to two charges under Regulation 13(1) of the ePrivacy Regulations. The District Court applied the Probation of Offenders Act 1907, on the basis of a charitable donation of €3,000 to Little Flower Penny Dinners. Three Ireland (Hutchison) Limited agreed to discharge the DPC’s legal costs.
Case Studies Data Breach Notification
CCTV policies and procedures
A customer of a restaurant lost their belongings while in the premises. They then requested that a staff member provide them with access to the restaurant CCTV footage to assist in finding out what happened to their belongings.
The staff member, using their phone, took a photo of the footage and then allowed the customer to view the image. However, the staff member:
- Did not prevent the customer from using their own mobile phone to take a copy of the image.
- Did not log the customer’s contact details in case it became necessary to make contact about the image.
Having become aware of the incident, the restaurant manager submitted the breach as low risk, however following a DPC risk analysis the risk level was increased to high due to the lack of internal controls and policies in place.
When the owner/occupier of a premises installs a CCTV system, having justified it as a necessary and proportionate measure, they as a data controller must give due consideration to the safe storage of personal data and the implementation of appropriate security measures. Data controllers are obliged to implement technical and organisational measures to ensure that personal data are kept secure from any unauthorised or unlawful processing and from accidental loss, destruction or damage. In this case, the staff member should not have allowed the individual to take a photo of the image.
The restaurant was not able to mitigate the risks associated with this breach, as it was unable to contact the customer to request/ confirm the deletion of the image from all locations.
The DPC engaged and advised the restaurant that it should review CCTV Policies and Procedures. In particular, it drew its attention to risk factors around:
- Authorisation of access to CCTV footage.
- Restrictions and logging of any duplication of CCTV footage.
- Awareness training for staff of the risks involved in the sharing of the CCTV footage. This should be clearly called out in its CCTV usage policy.
Case Studies Electronic Direct Marketing
Vodafone seeks employment details from customers
The DPC received a number of queries regarding new or existing customers being requested by Vodafone to produce their employment details and work phone number as a requirement for the provision of service by that company.
The concerns arising were that the requests were excessive and contrary to the Article 5 principle of lawful, fair and transparent collection as the processing of data relating to their employment status was entirely unrelated to the product or service that they were receiving from the telecommunications company, which was for their personal or domestic use only.
Second, there were concerns that the mandatory request for a customer’s occupation/place of work/work phone number was not adequate, relevant or necessary under the “data minimisation” requirement and did not meet the purpose limitation principle as set out in Article 5 of GDPR. Third, there were also concerns amongst customers that the company’s data protection/privacy notice did not comply with the transparency requirement of GDPR Article 13(1).
Following engagement with the DPC, Vodafone admitted that it had made an error in the collection of this information. The company stated that the problems were caused by a legacy IT system that had not been updated to remove this requirement and that any access to the data was exceptionally limited and was not used for any additional processing purposes by them. Vodafone immediately commenced a plan to remediate the problems caused and, on the insistence of the DPC, published on its website the details of what had occurred, so that customers would be aware of the issue.
Case Studies Data Breach Notification
Second level school a victim of a whale phishing attack
The DPC received a breach notification from a school in relation to a bad actor who accessed and infiltrated a school’s ICT systems, including the email system, for an unknown length of time. The bad actor gathered information before sending a phishing email and tricked the administrator for financial accounts into directing payments into a fraudulent account.
The bad actor sent an email to the accounts administrator, pretending that it had come from the email account of the school principal. This practice is referred to as spoofing: the email has the appearance of being from a trusted individual and of being a valid request. The email contained fraudulent duplicates of invoices relating to legitimate work performed in the school, but the bank account details had been manipulated by the bad actor to redirect the payment to an unknown recipient. The school, unaware of this, carried out the transaction.
The breach was discovered when the legitimate supplier reported that they had not been paid.
The DPC engaged with the school and recommended that the school take a number of actions to recover from the breach and mitigate against a recurrence including the implementation of Multifactor Authentication, ongoing monitoring and reminders on its email usage policy.
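As an added illustration of the spoofing described above (example code written for this page, not anything the school or the DPC used), the Python below triages two constructed messages using only what a receiving mail server already records: the From address, any Reply-To, and the SPF/DKIM/DMARC results in the Authentication-Results header. The school’s domain, the addresses and the header contents are all assumed for the example; the case study does not reproduce the real emails.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example: the school's real mail domain. Not taken from the case study.
SCHOOL_DOMAIN = "example-school.ie"

# Constructed messages; the case study does not reproduce the actual emails.
SPOOFED_MESSAGE = """\
From: "School Principal" <principal@example-school-accounts.com>
Reply-To: invoices@mail.example.net
To: accounts@example-school.ie
Subject: Re: Invoice for roofing works - updated bank details
Authentication-Results: mx.example-school.ie; spf=fail smtp.mailfrom=example-school-accounts.com; dkim=none; dmarc=fail header.from=example-school-accounts.com

Please pay the attached invoice to the new account below as a matter of urgency.
"""

LEGITIMATE_MESSAGE = """\
From: "School Principal" <principal@example-school.ie>
To: accounts@example-school.ie
Subject: Invoice for roofing works
Authentication-Results: mx.example-school.ie; spf=pass smtp.mailfrom=example-school.ie; dkim=pass header.d=example-school.ie; dmarc=pass header.from=example-school.ie

Approved for payment against the purchase order on file.
"""


def domain_of(address):
    """Lower-cased domain part of an email address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def parse_auth_results(header):
    """Map method -> result from an Authentication-Results header, e.g.
    {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'}. The first ';'-separated
    field is the authserv-id and is skipped."""
    results = {}
    if not header:
        return results
    for clause in header.split(";")[1:]:
        clause = clause.strip()
        if not clause:
            continue
        method_result = clause.split()[0]  # "spf=fail", "dkim=pass", ...
        if "=" in method_result:
            method, result = method_result.split("=", 1)
            results[method.lower()] = result.lower()
    return results


def triage(raw_message, trusted_domain=SCHOOL_DOMAIN):
    """Return a list of findings explaining why the message looks spoofed.
    An empty list means none of these checks fired."""
    msg = message_from_string(raw_message)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    if from_domain != trusted_domain:
        findings.append(f"From domain '{from_domain}' is not the trusted domain '{trusted_domain}'")
        # Lookalike: the trusted label embedded in an unrelated domain.
        if trusted_domain.split(".")[0] in from_domain:
            findings.append(f"From domain '{from_domain}' resembles '{trusted_domain}' (lookalike)")

    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if domain_of(reply_addr) != from_domain:
            findings.append(f"Reply-To domain '{domain_of(reply_addr)}' differs from From domain")

    auth = parse_auth_results(msg.get("Authentication-Results"))
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method}={auth.get(method, 'missing')}")

    return findings


def is_suspicious(raw_message, trusted_domain=SCHOOL_DOMAIN):
    return bool(triage(raw_message, trusted_domain))


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, "->", triage(raw) or "no findings")
```

Header checks of this kind catch the lookalike-domain case shown here; they do not help when the attacker has already taken over the principal’s real mailbox, which is why the DPC’s recommendation of multifactor authentication matters. Neither check replaces the payments control that would have stopped this fraud: any change to a supplier’s bank details is confirmed by calling the supplier on a number already on file, never one taken from the email.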
Case Studies Data Breach Notification
Data Processor in the Charity Sector Breach
The DPC became aware of a breach that had occurred at a data processor, based outside the DPC’s jurisdiction, which was used by eighteen (18) organisations (data controllers) operating in the charities sector. The organisations provided services largely aimed at supporting vulnerable individuals and are not for profit, with many of their personnel working on a volunteer basis.
The breach occurred when a bad actor gained access to the data processor’s network. The data processor was unable to confirm how long the bad actor may have infiltrated its systems before the discovery of the breach. This resulted in the exfiltration of some data, the deletion of a database that held the data and a ransom note demanding payment. The bad actor made direct contact with the data processor and provided evidence of the exfiltrated data.
The data processor did not pay the ransom and stated that it had restored its systems from backup. However, the exfiltrated data remained a risk.
Only eight of the eighteen organisations were able to confirm having an existing Breach Incident Response Plan, that is, a plan for responding to data breaches. Many of the data controllers demonstrated a lack of IT experience in any form and did not appear to recognise the extent of their Article 24 GDPR obligations (appropriate technical and organisational measures).
Most of the organisations had varying degrees of understanding of the personal and special category data which they held and a number were not able to confirm the categories of data held.
Most of the organisations did not have in place a controller – processor contract pursuant to Article 28(3) GDPR. Instead, these data controllers relied on a Software as a Service subscription agreement, which appeared to favour the data processor in terms of its obligations to respond to, or provide information about, a security incident.
A number of the organisations did not conduct a Data Protection Impact Assessment (DPIA) despite the nature of the organisation and the clients for whom they cater. Some organisations stated the inability to perform a DPIA due to the data processor’s refusal to supply information about its systems and the breach.
The DPC engaged with the Data Protection Authority in the country where the processor was located to gather and share information. The DPC further engaged with the organisations in both a regulatory and a supervisory capacity. The DPC provided a number of recommendations, which emphasised the organisations’ obligations regarding awareness of the categories of personal data they processed pursuant to Article 4(1) and Article 9 GDPR. The DPC also emphasised the importance of vetting any third party they choose to engage before permitting it to process personal data (Article 28(1) GDPR), as well as their obligation to ensure that a processing agreement is in place that clearly sets out the responsibilities of both parties (Article 28(3) GDPR) and is tested regularly.