Case Studies Data Breach Notification

Loss of control of paper files

A public sector health service provider notified the DPC that a number of files containing patient medical information had been found in a storage cabinet on a hospital premises which was no longer occupied.

The records were discovered by a person who had illegally gained access to the restricted premises and subsequently posted photographs of the cabinet containing the files on social media. The public sector organisation in question informed the DPC that, having become aware of the breach, it sent a representative to locate and secure the files. The files were removed from the premises and secured.

This breach highlights the importance of having appropriate records management policies, including mechanisms for tracking files, appropriate secure storage facilities and full procedures for the retention or deletion of records. The DPC issued a number of recommendations to the organisation to improve its personal data processing practices.

Loss of paper files in transit

The data controller, a public body, notified the Data Protection Commission (DPC) about an incident involving the transportation of hard-copy legal files containing special-category personal data, which risked the personal data falling into the hands of unauthorised individuals.

The controller had contracted a courier company to transport the files to another department, but the files went missing in transit. It transpired that the controller did not retain a backup of the original files, resulting in a loss of personal data. The controller did not have sufficient procedures in place for the secure removal and storage of hard-copy files that contained special-category personal data. The breach could have been prevented had the organisation properly considered its requirements when transporting such materials to another location and the inherent risks involved in such activities, and implemented more secure measures to ensure the protection of personal data.

Website phishing

A private sector (educational) data controller reported an incident of phishing, where a staff member had clicked on a suspicious website link and entered their credentials, resulting in their email account becoming compromised.

The data controller had not enabled multi-factor authentication on its email accounts. Had this technical measure and appropriate cyber security training been in place from the outset, this data breach may have been preventable.

Failure to implement the data protection policies in place

An employee of the data controller, a public-sector body, lost an unencrypted USB device containing personal information belonging to a number of colleagues and service users.

The public controller had the appropriate policy and procedures in place prohibiting the removal and storage of personal data from its central IT system by way of unencrypted devices. However, it lacked the appropriate oversight and supervision necessary to ensure that its rules were complied with, and the employee appeared not to have been aware of the policy regarding the use of unencrypted devices. The breach could have been prevented had the organisation fully implemented the policy and made staff aware of it.

Case Studies Cross-border Complaints

Cross-border complaint resolved through EU cooperation procedure

In February 2021, a data subject lodged a complaint pursuant to Article 77 GDPR with the Data Protection Commission concerning an Irish-based data controller. The DPC was deemed to be the competent authority for the purpose of Article 56(1) GDPR.

The details of the complaint were as follows:

a. The data subject emailed the data controller in January 2021 to request erasure of his personal data.

b. The data subject did not receive any response from the data controller.

Following a preliminary examination of the material referred to it by the complainant, the DPC considered that there was a reasonable likelihood of the parties concerned reaching informal resolution of the subject matter of the complaint within a reasonable timeframe.

The DPC engaged with both the data subject and the data controller in relation to the subject matter of the complaint. Further to that engagement, it was established that during the week in which the data subject sent his erasure request by email to the controller, a new process to better manage erasure requests was implemented by the controller. The data controller informed the DPC that it was in a transition period during the week the email came in and it appears a response was missed. New personnel were being trained on how to manage these types of requests during this transition period. The data controller stated that it was an oversight, possibly due to the technical transition or human error, and it regretted the error. In the circumstances, the data controller agreed to take the following actions:

1. The data controller agreed to comply with the erasure request; and

2. The data controller sincerely apologised for the error.

In January 2022, the DPC informed the data subject by email of the final outcome of its engagement with the data controller. When doing so, the DPC noted that the actions now taken by the data controller appeared to adequately deal with the concerns raised in his complaint. In the circumstances, the DPC asked the data subject to notify it, within two months, if he was not satisfied with the outcome so that the DPC could consider the matter further.

On the following day the data subject informed the DPC by email that he agreed with the informal resolution given his concerns regarding the data controller were now satisfied. The DPC was subsequently informed by the data controller that the erasure request was completed and that the personal data of the data subject had been erased.

For the purposes of the GDPR consistency and cooperation procedure, the DPC communicated a draft of the outcome which confirmed that:

  • The complaint, in its entirety, had been amicably resolved between the parties concerned;
  • The agreed resolution was such that the object of the complaint no longer existed.

No relevant and reasoned objections were received from the concerned supervisory authorities concerning the draft and the DPC subsequently closed the file in this case.

Erasure request to Tinder by Greek data subject, handled by the DPC as Lead Supervisory Authority

This case study concerns a complaint the DPC received via the One Stop Shop (OSS) mechanism created by the GDPR from an individual regarding an erasure request made by them to MTCH Technology Services Limited (Tinder). By way of background, the individual’s account was the subject of a suspension by Tinder. Following this suspension, the individual submitted a request to Tinder, under Article 17 of the GDPR, seeking the erasure of all personal data held in relation to them. When contacting Tinder, the individual also raised an issue with the lack of a direct channel for contacting Tinder’s DPO. As the individual was not satisfied with the response they received from Tinder, they made a complaint to the Greek Supervisory Authority.

The individual asserted that neither their request for erasure nor their concerns about accessing the DPO channels had been properly addressed by Tinder. As the DPC is the Lead Supervisory Authority (LSA) for Tinder, the Greek Supervisory Authority forwarded the complaint to the DPC for handling. The DPC intervened to seek a swift and informal resolution of the matter in the first instance. The DPC put the substance of the complaint to Tinder and engaged with it. In response, and by way of a proposed amicable resolution, Tinder offered to conduct a fresh review of the ban at the centre of this case. Following this review, Tinder decided to lift the ban. The lifting of a ban by Tinder puts an individual in a position to access their account on the platform. The individual can then decide if they wish to use the self-delete tools to erase their account from within the Tinder platform. In addition to the above, Tinder provided information for the individual in relation to its retention policies.

In relation to the matter of individuals being able to contact its DPO, on foot of the DPC’s engagement with Tinder, the platform agreed to strengthen its existing processes by posting a dedicated Frequently Asked Questions (FAQ) page on its platform. This page now provides enhanced information to individuals on specific issues relating to the processing of personal data and exercising those rights directly with Tinder’s DPO. Through the Greek Supervisory Authority, the DPC informed the individual of the actions taken by Tinder. In their response the individual confirmed that they were content to conclude the matter and, as such, the matter was amicably resolved pursuant to section 109(3) of the Data Protection Act 2018 (the Act), and the complaint was deemed to have been withdrawn.

Key Takeaway

  • This case study demonstrates the benefits — to individual complainants — of the DPC’s intervention by way of the amicable resolution process. The DPC’s engagement with the controller also resulted in Tinder improving the information that it makes available to all of its users on its platform.

TikTok and cooperation with other EU data protection authorities

During 2021, GDPR Article 61 mutual assistance requests were received by the DPC from the Dutch and the French data protection authorities. Each of these requests asked the DPC to investigate further a number of concerns relating to TikTok’s processing of its users’ personal data, particularly child users.

The authorities concerned had been investigating TikTok prior to the company locating its main establishment (EU headquarters) in Ireland in July 2020, following which, in December 2020, the DPC assumed the role of TikTok’s lead supervisory authority once other EU supervisory authorities had satisfied themselves that TikTok was main-established in Ireland.

As a result, the Dutch and French authorities concluded that they no longer had competence to investigate TikTok and accordingly transferred their investigation files, requesting the DPC to investigate further. These investigations, coupled with the DPC’s own identification of key concerns through active engagement with TikTok in 2021, led the DPC to commence two own-volition inquiries pursuant to Section 110 of the Data Protection Act 2018 in relation to TikTok’s compliance with requirements of the GDPR.

Amicable resolution in cross-border complaints — Yahoo EMEA Limited

The DPC received a complaint in March 2021 from the Bavarian data protection authority on behalf of a Bavarian complainant against Yahoo EMEA Limited. Under the One Stop Shop (OSS) mechanism created by the GDPR, the location of a company’s main EU establishment dictates which EU authority will act as the lead supervisory authority (LSA) in relation to any complaints received. Once the lead authority is established, the authority that received the complaint acts as a concerned supervisory authority (CSA). The CSA is the intermediary between the LSA and the individual. In this case, the DPC is the LSA, as the company complained of has its main establishment in Ireland.

The complainant in this matter had lost access to his email account following an update on his computer. The complainant noted that he had engaged with Yahoo in order to regain access and was asked for information relating to the account in order to authenticate his ownership of it. The complainant asserted that he had provided this information. However, Yahoo informed the complainant that it could not verify his identity with the use of the information that it had been provided.

The complainant was unclear which information he had provided was not correct and thus continued to give the same answers to the security questions. As Yahoo could not authenticate the complainant’s ownership of the account, it recommended that he create a new email account.

The complainant was not satisfied with this solution and made a complaint to his local supervisory authority, which referred the complaint on to the DPC in its role as Lead Supervisory Authority for Yahoo.

This complaint was identified as potentially being capable of amicable resolution under Section 109 of the Data Protection Act 2018, with both the individual and data controller agreeing to work with the DPC to try to amicably resolve the matter.

The DPC contacted Yahoo on the matter, and Yahoo took a proactive approach and immediately noted its desire to reach out to the complainant directly to seek to resolve the issue as soon as possible. Yahoo thereafter quickly confirmed to the DPC that its member services team had made contact with the complainant, who provided alternative information that enabled Yahoo to successfully validate the identity of the requester and subsequently restore their account access.

Key Takeaway

  • This case highlights that further direct engagement between the parties during the amicable resolution process can often achieve a swift resolution for data subjects. It further highlights that a proactive approach on the part of data controllers in the early stages of a complaint can often resolve matters and avoid the need to engage in a lengthy complaint handling process.

Amicable resolution in cross-border complaints: Google (YouTube)

The DPC received a complaint in September 2020, via its complaint webform, against Google Ireland Limited (YouTube). The complaint was made by a parent acting on behalf of their child and concerned a YouTube channel/account. The YouTube channel/account had been set up when the child was ten years old and at a time when they did not appreciate the consequences of posting videos online.

Although the complaint was made directly to the DPC by an Irish resident, upon assessment it was deemed to constitute a cross-border complaint because it related to YouTube’s general operational policies and, as YouTube is available throughout the EU, the processing complained of was therefore deemed to be of a kind “which substantially affects or is likely to substantially affect data subjects in more than one Member State” (as per the definition of cross-border processing under Article 4(23) of the GDPR).

According to the complainant, the child no longer had control over the account as they had lost their passwords and the account was no longer in use. However, classmates of the child had discovered the videos previously posted by the child, which were now a source of embarrassment to the child. The parent of the child had engaged in extensive correspondence with Google, seeking inter alia the erasure of the account from the YouTube platform. The parent had provided the URL for a specific video on the account and for the account itself. The parent was informed by Google, on a number of occasions, that it had taken action and removed the content from the platform. However, the parent repeatedly followed up to note that the content had not in fact been removed and was still available online. As she considered that the complaint had not been appropriately addressed, she raised the matter with the DPC.

This complaint was identified as potentially being capable of amicable resolution under Section 109 of the Data Protection Act 2018, with both the individual and data controller agreeing to work with the DPC to try to amicably resolve the matter. The DPC investigated the background to the complaint and noted that it appeared that Google had removed a specific video from the account, for which the URL had been provided, but it had not removed the account in its entirety, with the result that further videos remained online.

The DPC communicated with Google on the matter and informed Google of the particular background of the complaint. Google immediately took action and removed the YouTube account in its entirety. Google confirmed that a misunderstanding had arisen as its support team had incorrectly assessed the URL for a specific video provided by the complainant, rather than the entire account.

The DPC informed the parent of the outcome and proposed an amicable resolution to the complaint. The parent thereafter informed the DPC that she had recently become aware of another YouTube channel that her child had created, which again was no longer in use and which the child wanted deleted. The DPC corresponded further with Google, and Google confirmed it had taken immediate action to remove the account and informed the parent of the actions it had taken.

Key Takeaway

  • This case highlights that the DPC can assist data subjects during the amicable resolution process in explaining their particular requests to a data controller, often at the appropriate level, when an individual has previously been unsuccessful in initial engagement with the data controller. This further allows the DPC to monitor the compliance of data controllers by taking note of any issues that may be repeated across other complaints.

Amicable resolution in cross-border complaints — access request to Airbnb

The DPC received a complaint in September 2020 relating to a request for access (under Article 15 of the GDPR) that the complainant had made to Airbnb Ireland UC (“Airbnb”). The complaint was made directly to the DPC by an individual based in Malta. Upon assessment by the DPC, the complaint was deemed to be a cross-border one because it related to Airbnb’s general operational policies and, as Airbnb is available throughout the EU, the processing complained of was therefore deemed to be of a kind “which substantially affects or is likely to substantially affect data subjects in more than one Member State” (as per the definition of cross-border processing under Article 4(23) of the GDPR). The complainant submitted an access request to Airbnb. Airbnb facilitated this access request by providing the complainant with a link to an access file containing his personal data. However, when the complainant tried to use the link, it was not operational. In addition, the complainant was frustrated with the difficulty they faced in contacting Airbnb in relation to this matter. The complainant submitted their complaint to the DPC on this basis.

The DPC contacted Airbnb and asked that it facilitate the complainant’s request. The DPC specified that Airbnb should ensure any links it sends to complainants are fully tested and operational.

In reply, Airbnb explained that once it was informed that the initial link it sent to the complainant was not operational, it sent a renewed link to the complainant and was unaware that the complainant had had any difficulty in accessing this second link. Nonetheless, in the interests of amicably resolving the complaint, Airbnb agreed to provide an additional link to an access file to the complainant and for an encrypted file to be sent to the complainant via secure email.

As a result, the matter was amicably resolved pursuant to section 109(3) of the Data Protection Act 2018 (“the Act”), and under section 109(3) of the Act the complaint was deemed to have been withdrawn. This case study demonstrates the benefits — to individual complainants — of the DPC’s intervention by way of the amicable resolution process.

In this case, the DPC’s involvement led to the complainant being able to access his data.

Key Takeaway

  • This case study illustrates how often simple matters — such as links which do not operate properly — can become data protection complaints if the matter is not managed appropriately at the front end of data controllers’ customer service and data protection teams.