Case Studies Data Breach Notification


Breach Complaint related to employment information

The DPC received a complaint from an individual against their employer relating to a data breach. The breach occurred when an HR folder, which contained the individual’s personal data, was placed on an open drive that was accessible to third-party individuals.

Having reviewed the information provided, the DPC noted that the employer had notified the breach to the DPC. As part of its notification, it advised that, due to human error, a folder, which contained the personal data of a number of employees, was accidentally transferred to a common internal shared drive. It further advised that this folder was not accessible to anyone outside of the organisation. Once the employer became aware of this breach, it took immediate action to secure the files affected. The Human Resources folders were secured by removing them from the shared drive and relocating them to the appropriate local HR drive.

The employer investigated this incident and confirmed that no further processing of personal data occurred in this instance. The employer informed the affected individuals of this breach and provided various updates regarding it via email. The employer subsequently provided the individual with a detailed list of the categories of personal data which were involved in this data breach.

The DPC conducted an inspection at the employer’s premises. Having assessed the breach notification, the complaint received and the information established during the inspection, the DPC reminded the employer of its obligations under Article 5(1)(f) and Article 24 of the GDPR. The employer has since confirmed to the DPC the technical measures put in place to prevent a recurrence of such an incident in the future.

Key Takeaway

  • Organisations should ensure that they have appropriate access controls and monitoring in place when using facilities such as shared folders and drives. Where such facilities are used, they should be regularly audited to ensure that no personal data is accessible to anyone who does not need it.

Case Studies Electronic Direct Marketing


Prosecution of Shop Direct Ireland Limited t/a Littlewoods Ireland

In May 2019, the DPC received a complaint from an individual who said they had been receiving direct marketing text messages from Littlewoods since March. The complainant stated that they had followed the instructions to unsubscribe by texting the word ‘STOP’ on five occasions to a designated number known as a short code, but they had not succeeded in opting out and they continued to get marketing text messages.

In the course of our investigations, Shop Direct Ireland Limited (t/a Littlewoods Ireland) confirmed it had a record of the complainant’s opt-out from direct marketing texts submitted through their account settings on the Littlewoods website on 8 May 2019. It did not, however, have a record of their attempts to opt out of direct marketing texts on previous occasions using the SMS short code. This was due to human error in setting up the content for the SMS marketing messages. The company said that the individual responsible for preparing and uploading content relating to marketing texts had mistakenly included the opt-out keyword ‘STOP’ instead of ‘LWISTOP’ at the end of the marketing texts, so the complainant’s ‘STOP’ replies were never matched to the opt-out keyword the platform expected.

Shop Direct Ireland Limited had previously been prosecuted by the DPC in 2016 in relation to a similar issue, which resulted in a customer attempting, without success, to unsubscribe from direct marketing emails. On that occasion, the court outcome resulted in the company making a donation of €5,000 to charity instead of a conviction and fine.

The DPC decided to prosecute the company in respect of direct electronic marketing offences in relation to the May 2019 complaint.

At Dublin Metropolitan District Court on 29 July 2019, Shop Direct Ireland Limited (t/a Littlewoods Ireland) entered guilty pleas to two charges relating to sending unsolicited direct marketing text messages. The court ruled that the company would be spared a conviction and fine if it donated €2,000 each to the Peter McVerry Trust and the Little Flower Penny Dinners charities and section 1(1) of the Probation of Offenders Act was applied.

Prosecution of Cari’s Closet Limited

In May 2018, we received a complaint against the online fashion retailer Cari’s Closet from an individual who had in the past placed an online order with the company. The complaint concerned the receipt of three unsolicited direct marketing emails. The same person had previously complained to the DPC in January 2018 about unsolicited emails from that company. On that occasion, the complainant said they had received over forty marketing emails in one month alone. The person had attempted, without success, to unsubscribe on a couple of occasions.

Cari’s Closet attributed the failure to properly unsubscribe the complainant from emails to a genuine mistake on its part.

As the DPC had issued a warning in April 2018 in relation to the earlier complaint, we decided to initiate prosecution proceedings against the company.

At Dublin Metropolitan District Court on 29 July 2019, Cari’s Closet pleaded guilty to one charge of sending an unsolicited direct marketing email to the complainant. Instead of a conviction and fine, the court applied section 1(1) of the Probation of Offenders Act on the basis that the company donate €600 to the Little Flower Penny Dinners charity.

Prosecution of Just-Eat Ireland Limited

We received a complaint from an individual in November 2018 regarding unsolicited direct marketing emails from Just-Eat Ireland Limited. The complainant had unsubscribed from the company’s direct marketing emails but several days later received an unsolicited marketing email. During our investigation of this complaint, the company informed us that the complainant’s attempt to unsubscribe was unsuccessful due to a technical issue with its email platform. This issue affected 391 customers in Ireland.

As Just-Eat Ireland Limited had previously been warned by the DPC in 2013 on foot of complaints in relation to unsolicited direct marketing emails, we decided to initiate prosecution proceedings.

At Dublin Metropolitan District Court on 29 July 2019, Just-Eat Ireland Limited pleaded guilty to one charge in relation to sending an unsolicited direct marketing email. The court applied section 1(1) of the Probation of Offenders Act in lieu of a conviction and fine on the basis that the company donate €600 to the Peter McVerry Trust charity.

Prosecution of Vodafone Ireland Limited

In April 2019, the DPC received two separate complaints from an individual who had received unsolicited direct marketing communications by text and by email from the mobile network operator Vodafone. The individual stated that Vodafone had ignored their customer preference settings, which recorded that they did not wish to receive such marketing.

During our investigation, Vodafone confirmed that the complainant had been opted-out of direct marketing contact but that communications were sent to them due to human error in the case of both the text message and the email marketing campaigns.

In the case of the SMS message, Vodafone confirmed that a text offering recipients the chance to win tickets to an Ireland versus France rugby match was sent to approximately 2,436 customers who had previously opted out of receiving direct marketing by text. This was as a result of a failure to apply a marketing preferences filter to the SMS advertising campaign before it was sent.

In the case of the email received by the complainant, an application that was intended to be used to send direct marketing to prospective customers was used in error and the message was sent to existing Vodafone customers. While Vodafone was unable to definitively confirm the number of customers who were contacted by email contrary to their preference, the marketing email was sent to 29,289 existing Vodafone customers. The company confirmed that, of 7,615 of these, some 2,523 were contacted in error. However, it was unable to link the remaining 21,674 customers who were sent the same email with their marketing preferences in Vodafone’s data warehouse, and so could not confirm the total number contacted in error.

The DPC had also received a separate complaint in February 2019 from another individual who was a former customer of Vodafone. This customer had ceased to be a Vodafone customer more than five years earlier and they still continued to receive promotional text messages. In the course of our investigation, Vodafone confirmed that the direct marketing messages were sent to the complainant in error. It said that in this exceptional case, the complainant’s mobile number was not removed from the platform used to send marketing communications when their number was no longer active on the network. As the DPC had previously prosecuted Vodafone in 2011, 2013 and 2018 in relation to direct electronic marketing offences, we decided to initiate prosecution proceedings in relation to these complaints.

At Dublin Metropolitan District Court on 29 July 2019, Vodafone pleaded guilty to five charges of sending unsolicited direct marketing communications in contravention of S.I. No. 336 of 2011 (‘the ePrivacy Regulations’). The company was convicted and fined €1,000 on each of three charges and convicted and fined €750 each in respect of the two remaining charges.

Prosecution of Starrus Eco Holdings Limited, T/A Panda and Greenstar

In April 2018, a customer of the bin-collection service provider, Panda, complained to us that he had received unsolicited marketing SMS and email messages to which he had not consented, advertising Panda’s electricity business. He stated that the messages did not provide an unsubscribe option.

During our investigation, we were informed by Panda that the complainant should not have received the marketing messages. It said that due to a human error, a staff member of the marketing department had incorrectly believed that the complainant had consented to receiving direct-marketing messages. It regretted the failure to include an opt-out on the messages and explained that its service provider for marketing emails had failed to act in accordance with its instructions to include an opt-out.

In May 2018, we received a complaint from a customer of Greenstar, another bin-collection service provider. This individual had previously complained to us in 2011 about unsolicited marketing text messages sent to him without consent. We concluded that previous complaint by issuing a warning to Greenstar in September 2011. The complainant now reported to us that direct marketing from Greenstar by means of SMS messages had started aggressively once again.

In response to our enquiries, Greenstar informed us that given the lapse of time (which it acknowledged was absolutely no excuse) since the 2011 complaint, its records pertaining to the complainant were not what they should have been with respect to the complainant having previously opted out of receiving marketing from the company — that neither the complainant’s details nor details of the 2011 complaint were accurate and up-to-date, insofar as it should not have used the complainant’s mobile telephone number for marketing purposes.

In light of our previous warning, the DPC decided to prosecute Starrus Eco Holdings Limited, T/A Panda and Greenstar in respect of offences committed in both cases. At Dublin Metropolitan District Court on 24 October 2018, the company entered guilty pleas in relation to charges for contraventions of Regulation 13(1) of S.I. No. 336 of 2011 for the sending of unsolicited marketing SMS messages to the two complainants without their consent. Instead of a conviction and fine, the court ordered the company to make a charitable donation of €2,000 to the Peter McVerry Trust. The defendant company agreed to cover the prosecution costs of the DPC. Confirmation of the charitable donation was subsequently provided to the court on 15 November 2018 and the matter was struck out.

Prosecution of Vodafone Ireland Limited

In May 2018, we received a complaint from an individual who stated he was receiving frequent unsolicited calls from Vodafone’s marketing team. He claimed that Vodafone initially called him on 10 May 2018, at which point he said he was not interested in their offer; since then the company had called him every day. He ignored the communications.

During our investigation, we confirmed that a recording of the marketing telephone call on 10 May 2018 included the complainant advising the calling agent that he was not interested in Vodafone’s broadband service. Vodafone told us that the agent should have then removed the telephone number from the marketing campaign by using an appropriate code when closing the call. Human error had led to the phone call being closed with an incorrect code for a call-back — meaning the complainant’s phone number remained, leading to the further calls.

We received a separate complaint in July 2018 from a Vodafone customer. He reported that he had received an unsolicited marketing telephone call from Vodafone in June 2018 despite having opted out of receiving marketing telephone calls during a previous unsolicited marketing telephone call in May 2018, confirmation of which had been sent to him by email shortly afterwards.

In response to our enquiries, Vodafone referred to a data-breach report that it had submitted to the DPC on 21 June 2018. This report notified the DPC that several customers who had opted out of marketing between 18 May and 11 June 2018 had erroneously received marketing communications due to difficulties in the implementation of system changes as part of its GDPR-compliance programme. This resulted in recently changed marketing preferences not being read clearly on all its systems and, accordingly, the customers concerned were wrongly included in marketing campaigns.

The DPC decided to prosecute Vodafone in relation to both cases. At Dublin Metropolitan District Court on 22 October 2018, the company entered guilty pleas in relation to two charges for contraventions of Regulation 13(6)(a) of S.I. No. 336 of 2011 for the making of unsolicited marketing telephone calls to the mobile telephones of the two complainants without their consent. The court convicted Vodafone on the two charges and imposed fines of €1,000 in respect of each of the two charges (a total fine of €2,000). Vodafone agreed to cover the prosecution costs of the DPC.

Prosecution of DSG Retail Ireland Limited

DSG Retail Ireland Limited operates under various trading names and registered business names such as Dixons, Currys, PC World and Currys PC World. In November 2017, we received a complaint from a woman who had purchased a television from Currys a year previously. She informed us that she gave her email address to the company for the purposes of receiving a receipt and that she did not consent to receiving marketing emails. She stated she had unsubscribed from receiving further emails but the unsolicited emails continued.

During our investigation, the company told us that the customer had successfully unsubscribed from its mailing list in November 2016. However, when she made a new purchase in January 2017 and once again opted out of receiving marketing communications, a duplicate record was created following the customer’s second transaction. According to the company, this duplicate record, coupled with a system bug arising during an update to its systems in May 2017, resulted in an error regarding the recording of the customer’s marketing preferences. As a result, there was a period between August and November 2017 during which marketing emails were sent to her.

As we had previously issued a warning to the company in November 2014 on foot of a previous complaint from a member of the public concerning an alleged contravention of the regulations in relation to unsolicited marketing emails, the DPC decided to prosecute the company in respect of the latest suspected contravention. 

At Dublin Metropolitan District Court on 22 October 2018 the company entered a guilty plea in relation to a charge for contravention of Regulation 13(1) of S.I. No. 336 of 2011 for the sending of an unsolicited marketing email to the complainant without her consent. In lieu of a conviction and fine, the court ordered the company to make a charitable donation of €1,500 to the Peter McVerry Trust. The defendant company agreed to cover the prosecution costs of the DPC. Confirmation of the charitable donation was subsequently provided to the court on 26 November 2018 and the matter was struck out.

Prosecution of Clydaville Investments Limited, T/A The Kilkenny Group

In November 2017, we received a complaint from an individual who received a marketing email from the Kilkenny Group. The email, which was personally addressed to him, promoted a pre-Christmas sale and informed him that there was up to 50% off and that everything was reduced. The complainant informed us that he did not believe that he had opted into receiving marketing emails.

During our investigation, it emerged that a previous marketing email had been sent to the same complainant one year earlier, in November 2016, inviting him to a corporate event in the company’s Cork store. The complainant subsequently advised us that he recalled replying to that email, asking that his email address be deleted. In September 2012, arising from our investigation of a complaint about unsolicited marketing text messages sent by the Kilkenny Group to a different complainant, we had issued a warning to the company. In light of that, the DPC decided to prosecute the company in respect of the 2017 complaint.

The matter came before Tralee District Court on 15 October 2018. The defendant faced a total of four charges. Two related to alleged contraventions of Regulation 13(1) of S.I. No. 336 of 2011 for the sending of unsolicited marketing emails to the complainant in November 2016 and November 2017 without his consent. Two further charges related to alleged contraventions of Regulation 13(12)(c) of S.I. No. 336 of 2011. This regulation provides that a person shall not send electronic marketing mail that does not have a valid address to which the recipient may send a request that such a communication shall cease. As guilty pleas were not entered to any of the charges, the matter went to a full hearing involving three defence witnesses and two prosecution witnesses, including the complainant. At the end of the proceedings, the court found the facts were proven in relation to two contraventions of Regulation 13(1) in relation to the sending of two marketing emails without consent. On the understanding that the defendant would discharge the prosecution costs of €1,850, the court applied Section 1(1) of the Probation of Offenders Act in respect of both charges instead of a conviction and fine. The court dismissed the two charges in respect of Regulation 13(12)(c).

Prosecution of Viking Direct (Ireland) Limited

In April 2017, we received a complaint from a business owner regarding unsolicited marketing emails that the business email address was receiving from Viking Direct (Ireland) Limited. The complainant indicated that she had previously contacted the company to ask for her business email address to be removed from the marketing list but, despite this, further marketing emails continued to be sent.

During our investigation, Viking Direct (Ireland) Limited confirmed that the complainant had asked to be removed from its mailing list several times. It explained that the internal processes of moving the data to the suppression list had failed and the data remained on the mailing list. The company stated that the systems had now been corrected and tested, such that the situation should not recur. It apologised for any inconvenience caused to the complainant. Our investigation found evidence of three opt-out requests sent by the complainant to Viking Direct (Ireland) Limited by email between 30 March 2017 and 11 April 2017.

Viking Direct (Ireland) Limited had been the subject of an investigation in 2012 on foot of a complaint made to the DPC about unsolicited marketing emails. At that time, we concluded that investigation with a warning to the company. In light of that warning, the DPC decided to prosecute the company in respect of the 2017 complaint.

At Dublin Metropolitan District Court on 14 May 2018, the company entered a guilty plea to one charge of sending an unsolicited marketing email to a business email address in contravention of Regulation 13(4) of S.I. No. 336 of 2011. Under this regulation, it is an offence to send an unsolicited direct-marketing communication by electronic mail to a subscriber (which includes business subscribers) where that subscriber has notified the sender that it does not consent to the receipt of such a communication. The case was adjourned for sentencing until 11 June 2018. At the sentencing hearing, the court applied Section 1(1) of the Probation of Offenders Act in lieu of a conviction and fine. The company agreed to cover the prosecution costs incurred by the DPC.