Case Studies Erasure


Unlawful processing of photograph and erasure request

A data subject submitted a complaint to the Data Protection Commission (DPC) regarding the publication of a historical image of them in a newspaper (the data controller). The data subject explained to the DPC that the article was published without their knowledge and without their consent. Before contacting the DPC, the data subject had contacted the data controller to raise their concern that their personal data had been unlawfully processed and to request erasure of the image from the newspaper under Article 17 of the General Data Protection Regulation (GDPR); however, the data controller rejected all elements of the data subject’s request.

As part of its examination, the DPC engaged with the data controller and asked for its lawful basis under Article 6 of the GDPR for processing the data subject’s personal data in the manner outlined in the complaint. The data controller informed the DPC that it was not relying on Article 6 of the GDPR for processing the data subject’s personal data and advised that it was instead relying on section 43 of the Data Protection Act 2018 (the 2018 Act) (data processing and freedom of expression and information), namely that processing of personal data for the purpose of exercising the right to freedom of expression and information, including processing for journalistic purposes or for the purposes of academic, artistic or literary expression, shall be exempt. The data controller further explained that the data subject was not the subject of the news article in question, that a significant number of years had passed since the photograph was taken and that, as such, the data subject was not readily identifiable.

In relation to the data subject’s erasure request, the data controller relied on section 43 of the 2018 Act as its basis for refusing to erase the image from the article.

Having considered all the elements of this complaint, the DPC found that the newspaper had a lawful basis under section 43 of the 2018 Act and Article 85 of the GDPR to publish the data subject’s historical image in a news article.

The DPC notes that the journalistic exemption does not exempt a data controller from the whole of the GDPR and the Data Protection Acts. A data controller must have consideration for its remaining obligations under the GDPR and the 2018 Act. The DPC found the processing of the data subject’s personal data by the data controller to be proportionate, considering that the image in question is a historical image from which it can reasonably be assumed that the data subject is no longer readily identifiable. The DPC acknowledged that a third party is the main person of interest and is directly quoted within the article, and that the data subject is therefore not the subject of discussion.

The DPC advised the data subject under section 109(5)(c) of the 2018 Act that the explanation put forward by the data controller concerning the processing of their personal data in the circumstances of this complaint was reasonable.

Unlawful processing and erasure request

Following a trip to a leisure facility (the data controller), a data subject submitted a complaint to the Data Protection Commission (DPC) as they were unhappy with how the data controller had processed their personal data. The data subject also wanted to exercise their rights under Article 17 of the General Data Protection Regulation (GDPR) and have their and their family’s data deleted by the organisation. Prior to contacting the DPC, the data subject had requested the erasure of their data directly from the data controller, and this request was refused.

The data subject explained to the DPC that, during their stay at the leisure facility, they believed their personal data was processed unlawfully, as they were repeatedly asked to provide details of their booking to staff in order to gain access to facilities on site such as restaurants and activities. The data subject believed this to be excessive processing and stated that, at the time, they were not given a choice to object to such processing: if they did not provide the details, they could not receive full access to the facilities.

In line with its examination of the complaint, the DPC contacted the data controller and shared the details of the data subject’s complaint. The data controller advised the DPC that its lawful basis for processing personal data is Article 6(1)(f) of the GDPR, commonly referred to as legitimate interest. The data controller further explained that it requests customers’ details prior to their accessing facilities or making a purchase in order “to understand patterns and to improve the range of services and facilities available to guests”. This is also detailed in its privacy policy, which is available on its website.

On foot of the data subject’s complaint, the data controller reviewed its policies and identified a training gap among its staff. Following this identification, the data controller briefed its staff to ensure that they were aware that customers were not obliged to provide details of their booking when accessing certain facilities. The data controller also advised that it had updated its Data Protection Regulation Department Operating Procedure to reflect this procedure more clearly.

In regard to the data subject’s erasure request, the data controller advised the DPC that it had removed the data subject from all direct marketing communications. However, it was unable to erase any other personal data relating to the data subject and their family, as that data is held in accordance with its retention policy. The data controller’s retention policy states that all personal data is held on file as it may be required in defence of a legal claim, and is only deleted after the youngest member of the booking reaches the age of 21 years, in accordance with statutory limitation periods. Under section 109(5)(f) of the 2018 Act, the DPC recommended that the data controller continue to provide training to all its employees on its obligations and on the rights of data subjects under data protection legislation, and keep this training up to date.

The DPC further recommended under section 109(5)(f) of the 2018 Act that the data controller delete all personal data in accordance with its retention period.

The DPC did not consider any further action necessary at the time of issuing the outcome, as it noted that the data controller had retrained all staff, apologised to the data subject and offered them compensation as a result of their complaint.

Retention of data by a bank relating to a withdrawn loan application

The complainant in this case had made a loan application to a bank. The complainant subsequently withdrew the loan application and wrote to the bank stating that they were withdrawing consent to the processing of any personal data held by the bank relating to the loan application and requesting the return of all documents containing the complainant’s personal data. In response, the bank informed the complainant that it had stopped processing all of the complainant’s personal data, with the exception of data contained in records which the bank stated it was required to retain and process under the Central Bank of Ireland’s Consumer Protection Code. The complainant was not satisfied with this response, and argued, in their complaint to this Office, that in circumstances where the bank had obtained the complainant’s personal data on the basis of the complainant’s consent, the bank was not permitted to continue to process these data on a different legal basis (i.e. processing which is necessary for compliance with a legal obligation to which the bank is subject). The complainant also argued that the continued processing by the bank of their personal data was for a purpose which was not compatible with the purpose for which the data were originally obtained, in contravention of data protection legislation.

This office established that the bank was the relevant data controller in relation to the complaint, as it controlled personal data which the complainant had provided to the bank when making a loan application. The data in question were personal data relating to the complainant (consisting of, amongst other things, a completed loan application form and supporting documentation), as the complainant could be identified from them and they related to the complainant as an individual. This office was therefore satisfied that the complaint should be investigated to determine if a breach of data protection legislation had occurred.

During the course of the investigation of this complaint, this office reviewed the bank’s loan application form, which provided that, by signing the form, a person consented to the bank storing, using and processing their personal data for a range of purposes, including to process applications for credit or financial services. However, this office noted that the purposes for which the complainant had given their consent did not include processing for the purpose of compliance with the bank’s legal obligations generally, and specifically did not include the processing of the complainant’s personal data for the purpose of compliance with the Consumer Protection Code. Accordingly, this office considered that at the time of collection of the complainant’s personal data the bank did not claim to rely on consent as the legal basis for collecting and processing the complainant’s personal data in order to comply with its legal obligations. Rather, this office considered that the bank could validly rely on the lawful basis that the processing was necessary in order to take steps at the request of the data subject prior to entering into a contract.

This office noted that where a loan application is subsequently withdrawn or unsuccessful and the bank does not enter into a contract with the applicant, the retention of personal data relating to the loan application can no longer be based on the processing being necessary in order to take steps at the request of the data subject prior to entering into a contract, as there is no longer the possibility of entering into a contract with the data subject. As such, the bank identified a separate legal basis for the retention of the complainant’s personal data relating to the loan application, namely that this processing was necessary for compliance with a legal obligation to which the bank was subject.

This office noted that the Consumer Protection Code obliged regulated entities to retain details of “individual transactions” for six years after the date on which the particular transaction is discontinued or completed. This office considered, however, that a loan application which is subsequently withdrawn or ultimately unsuccessful is not a ‘transaction’ for the purpose of the Consumer Protection Code. This office then noted that the Consumer Protection Code also obliged regulated entities to retain “all other records” for six years from the date on which the regulated entity ceased to provide any product or service to the consumer, including potential consumer, concerned. However, this office did not consider that records relating to a loan application which is subsequently withdrawn fell within the scope of this requirement under the Consumer Protection Code either. Accordingly, this office considered that it was not necessary for the bank to retain personal data relating to the complainant’s withdrawn loan application for the purpose of compliance with its legal obligations under the Consumer Protection Code, and considered that the bank had not identified a lawful basis under data protection legislation for the retention of the complainant’s personal data relating to their loan application.

Key Takeaway

  • Under Article 6 of the GDPR, data controllers must have a lawful basis for any processing of personal data. The available lawful bases include that the data subject has given consent to the processing of their personal data for one or more specific purposes, that the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract, and that the processing is necessary for compliance with a legal obligation to which the data controller is subject.
  • Data controllers should also note that the processing of personal data for purposes other than those for which the personal data were originally collected is only allowed where the processing is compatible with the purposes for which the data were initially collected.

Debt collector involvement

A data subject contacted the DPC as they were not satisfied with the responses to a data subject access request and an erasure request. The complaint was made against a debt collector, and the data subject raised concerns about how their personal data had been obtained. The data subject explained that the debt had been cleared but that they still received a letter from the debt collector. This letter referred to an outstanding amount owed to a third party.

The data subject outlined to the DPC that their subject access request was made through an online platform. The data subject did not receive a response to their access request under Article 15 or their erasure request under Article 17 of the General Data Protection Regulation (GDPR). Prior to the DPC’s involvement, both parties engaged directly. In its correspondence with the data subject, the debt collector explained that the personal data had been obtained from a third party. The personal data was then uploaded to the debt collector’s online system and a letter was issued to the data subject.

As part of its examination, the DPC engaged with the debt collector and requested that it outline its relationship with this third party. The debt collector informed the DPC that it was acting as a data processor on behalf of the third party and that a data processor agreement, in line with Article 28(3) of the GDPR, was in place at the time it processed this personal data. The debt collector advised the DPC that this contract had now been terminated and that it would not be acting on behalf of the third party going forward. The DPC accepted this response and identified the debt collector as a data processor and the third party as the data controller. The data processor stated that debt collection is in the public interest and that, as such, it had a legitimate interest in processing personal data where a data subject’s account has been legally assigned to it or where it is acting under a legal contract. The data processor stated that the processing of the data subject’s personal data was necessary to collect the debt and is permitted even where the data subject does not consent to the processing; that is, the data processor relied on Articles 6(1)(b) and 6(1)(f) of the GDPR for processing the personal data.

The data processor in this case accepted that the data subject may have paid the outstanding debt, but stated that it could not be held responsible if the data subject pays the data controller directly and the data controller fails to notify the data processor to close the outstanding debt on its systems. The DPC highlighted that there appeared to be an error in the letter the data subject received: in that correspondence, the debt collector referred to itself as a data controller. The debt collector accepted this error and stated that it should have read “data processor”; the error was caused by an oversight when using a template letter.

With regard to the subject access request, the debt collector, because of its data processor relationship, did not respond directly to the data subject’s access request but did share it with the third party, the data controller. In terms of the erasure request, the data processor had informed the data subject that it would be required to retain the personal data for six months for taxation, financial and auditing purposes. The six months had passed prior to the DPC’s involvement, and the data processor assured the DPC that the personal data had now been erased. The data processor apologised directly to the data subject and offered a payment as a gesture of goodwill.

The DPC advised the data subject under section 109(5)(c) of the 2018 Act that the data processor and data controller had a legitimate interest in collecting debts and in disclosing personal data in order to collect those debts. The DPC acknowledged the errors in the correspondence provided to the data subject and, under section 109(5)(f) of the 2018 Act, recommended that the data processor engage in regular testing of its organisational and technical processes to ensure compliance with the GDPR, in particular Article 28.

Erasure request and reliance on Consumer Protection Code

Following an unsuccessful application for a credit card, the data subject in this case sought to have their personal data erased under Article 17 of the General Data Protection Regulation (GDPR). When the erasure request was refused by the data controller, the data subject raised concerns with the DPC that their personal data was being unlawfully retained. The DPC engaged with the data controller in order to assess the reasoning for such refusal.

In response to the data subject’s initial erasure request, the data controller stated that, in line with provision 11.6 of the Consumer Protection Code 2012 and its Privacy Policy and Cookies Statement, it had a legal obligation to retain the information provided. The data controller went further to explain that the personal data provided in the application would be retained for a period of six years from the date on which the service was provided.

As part of its examination, the DPC engaged with the data controller and requested a response to the complaint. The data controller stated that it was relying on Article 6(1)(c) of the GDPR to retain the personal data, whereby processing is necessary for compliance with a legal obligation to which the data controller is subject. The data controller in this case was also subject to the Consumer Protection Code 2012 (CPC). On this basis, the data controller relied on this lawful basis for the refusal of the erasure request. Under Article 17(3)(b) of the GDPR, a data subject’s right to erasure does not apply where the processing is necessary for compliance with a legal obligation.

For reference, the CPC is a set of rules and principles that all regulated financial services firms must follow when providing financial products and services to consumers, and was published by the Central Bank of Ireland in compliance with section 117 of the Central Bank Act 1989. Under section 117(4) of the Central Bank Act 1989, it is an offence for a regulated financial firm to fail to provide the Central Bank with information to demonstrate compliance with the CPC.

Provisions 11.5 and 11.6 of the CPC require regulated entities to retain the records of a consumer for six years after the date on which a particular transaction is discontinued or completed. The required records include, but are not limited to: all documents required for consumer identification; the consumer’s contact details; all correspondence with the consumer; and all documents completed or signed by the consumer. The data subject contested this reliance, as no service had been provided; they were therefore of the view that they were not a consumer and that the data controller had no legal right to retain the personal data. However, the CPC’s definition of a consumer includes, where appropriate, a potential consumer. In addition, the data controller stated that when the data subject applied for a credit card, the consideration of the application and the subsequent decision was itself a service.

Under section 109(5)(c) of the 2018 Act, the DPC advised the data subject that, within the meaning of the CPC, they were classified as a potential consumer. As a result, the data controller is legally obliged to retain the personal data for a period of six years. The DPC did not consider any further action necessary at the time of issuing the outcome.

Amicable resolution — right to erasure

This complaint concerned the alleged non-response to an erasure request made by the complainant to a data controller pursuant to Article 17 GDPR.

Following receipt of the complaint from the complainant, the DPC engaged with both parties in relation to the subject matter of the complaint. Further to this engagement, it was established that, during the week in which the complainant sent their erasure request by email to the data controller, a new process to manage personal data erasure requests was being implemented by the data controller.

The data controller informed the DPC that it was during this transitional period from the old system to the new system that the erasure request was received from the data subject. The data controller further advised that, while new personnel were being trained on how to manage these types of requests during this period, it appeared that a response to the erasure request was missed. The data controller stated that this was an oversight, possibly due to a technical issue or human error, and that it regretted the error.

In the circumstances, the data controller agreed to comply with the erasure request and sincerely apologised for the error. The data controller also subsequently confirmed to the DPC that it had deleted the complainant’s personal data.

The DPC informed the complainant of the outcome of its engagement with the data controller, noting that the positive actions taken by the data controller appeared to deal with the concerns raised in their complaint.

The complainant subsequently confirmed to the DPC that they agreed to the amicable resolution of their complaint, as their concerns were now resolved, and that their complaint was withdrawn.

In this circumstance, the complaint was deemed to be amicably resolved and withdrawn, in accordance with section 109 of the Data Protection Act 2018.

Key Takeaway

This case study demonstrates the benefits, to both data controllers and individual complainants, of engaging in the amicable resolution process in a meaningful way. In this case, the data controller’s detailed explanation of how the oversight occurred, its apology and its undertaking to resolve the matter for the complainant resulted in a good outcome for both parties. Most importantly, the complainant was able to exercise their right to obtain from the controller the erasure of personal data concerning them, as afforded to them under the GDPR.

Cross-border complaint — right to erasure

The DPC received a complaint from an individual regarding an erasure request made by them to a data controller, a platform for booking accommodation, pursuant to Article 17 GDPR. The complainant had begun creating an account on the data controller’s platform but chose to abandon the process before it was complete. The complainant then communicated their erasure request to the data controller by email and telephone. In response to the erasure request, the data controller informed the complainant that it required an identity document in order to comply with the erasure request.

The complaint was identified as potentially being capable of amicable resolution under section 109 of the Data Protection Act 2018, and the data controller agreed to work with the DPC to attempt to amicably resolve the complaint. The data controller provided the DPC with its replies to the complainant relating to the matters raised in the complaint thus far, and confirmed that, in response to the complainant’s erasure request, it had requested an identity document.

In the course of the DPC’s investigation of the complaint, the data controller also confirmed that the account in question had never been used to book or host accommodation or to use the service in any way. Following intervention by the DPC, the data controller undertook to delete the complainant’s account without requesting that the complainant provide any additional documentation.

The DPC communicated these developments to the complainant. The complainant responded by confirming that they accepted the proposed action and that erasure of the account would resolve their complaint. The DPC engaged further with the data controller, which provided confirmation to the DPC that it had erased the complainant’s account. The data controller also conveyed this erasure confirmation to the complainant directly.

The complaint was amicably resolved in accordance with section 109 of the Data Protection Act 2018. This case study demonstrates the benefits, to individuals, of the DPC’s intervention by way of the amicable resolution process. In particular, it brings to the fore the manner in which the DPC can assist a complainant through the amicable resolution process. This includes explaining the complainant’s individual concerns to the data controller where initial engagement between the complainant and the data controller has not led to a resolution of those concerns. In this case, the DPC’s involvement resulted in deletion of the complainant’s personal data by the data controller, in accordance with Article 17, without requiring any further action on the part of the individual.

Right to erasure and user generated content

This complaint concerned an initial refusal by the data controller to comply with an erasure request made by the complainant pursuant to Article 17 GDPR. The complainant first lodged their complaint with the Spanish Data Protection Authority, the AEPD, which then transferred the complaint to the DPC as the Lead Supervisory Authority.

The complainant stated that they were named, and therefore identified, in a negative review relating to their place of employment. The review, accompanied by a partial image of the complainant, had been posted online. The complainant had sought the removal of their name and any associated images from the review. During its engagement with the DPC on the matter, the data controller advised that it had reviewed the content in question in the context of its own privacy guidelines for the removal of content from the website and that it considered the content did not infringe those guidelines.

The DPC requested that the data controller review the matter again, in the spirit of amicably resolving the complaint. The data controller subsequently reverted to advise that, after a further assessment of the content in question, it had decided to remove the review posting in its entirety.

This case study demonstrates the benefits, to individual complainants, of the DPC’s intervention by way of the amicable resolution process. In this case, it led to the complainant being able to effect their right to erasure of their personal data, as afforded to individuals under Article 17 of the GDPR.

Right to be Forgotten (Microsoft)

The complaint concerned the individual’s dissatisfaction with Microsoft Ireland’s (the data controller) response to their right to be forgotten request pursuant to Article 17 GDPR. The individual requested to have seven URLs delisted from the results returned in a search against their name on the data controller’s search engine. The individual stated that their National Identity number was contained in the URLs returned and raised concerns that the availability of their National Identity number increased the risk of identity theft.

The DPC intervened on behalf of the complainant. The data controller originally refused the delisting request, stating that the URLs contained information of public relevance and that the information was published in an official bulletin of a government body; in this case, the Spanish Government. The DPC corresponded with the Spanish Data Protection Authority in relation to the information published in the URLs. The Spanish Data Protection Authority stated that, following the introduction of the GDPR, Spanish data protection law had been modified and the Government is no longer permitted to disclose citizens’ complete National Identification number alongside their name and surnames when publicising administrative acts. Following clarification from the Spanish Data Protection Authority, the DPC informed the data controller of the change in Spanish data protection law. The data controller stated that, based on the update in Spanish data protection law, it would delist all requested URLs from being returned against the individual’s name, in accordance with Article 17 GDPR. This case highlights the importance of communicating with other supervisory authorities during the complaint resolution process. In these circumstances, the DPC was provided with clarification on how Spain has adapted its national legislation to comply with the GDPR. It also allowed the data controller to adapt its procedure to ensure that requests involving the delisting of URLs containing full National Identity numbers are handled in accordance with the updated national legislation.

Access and Erasure request (Pinterest)

The complaint concerned the individual’s dissatisfaction with Pinterest Europe’s (the data controller) response to their access and erasure requests pursuant to Article 15 GDPR and Article 17 GDPR respectively. The individual submitted the requests following the suspension of their account, in order to obtain a copy of all of their personal data and to have it deleted from the data controller’s systems. The individual’s account had been suspended due to a violation of the data controller’s policies regarding spam.

The data controller responded to the requests via an automated response which stated that it had reviewed the account and decided not to reactivate it because it had noticed activity that violated its spam policy. As a result, the individual was no longer able to access the personal data stored in their account. The individual maintained that this information could not be correct, as they seldom used their account, and sought a more substantive response to their access and erasure requests.

The DPC took up the complaint with Pinterest. The DPC outlined the individual’s concerns in relation to their access and erasure requests and requested that the data controller address those concerns more substantively.

The DPC also requested that the data controller indicate whether the individual had been provided with an opportunity to appeal their account suspension and, if so, describe the procedure for such appeals. The data controller responded to the DPC stating that it had investigated the matter and explained that once an account is suspended on the basis of a spam violation, all correspondence is automatically directed to its Spam Operations team. The data controller further explained the appeal process and noted that the individual had corresponded with the Spam Operations team in relation to the appeal of their suspension. The Spam Operations team failed to identify that the correspondence also included the individual’s access and erasure requests, and therefore these were not addressed in its response. The data controller’s response also noted that, although the Spam Operations team had rejected the individual’s appeal of their account suspension, it had since carried out another review in light of its updated spam policies. Following this review, the data controller re-activated the individual’s account.

The data controller also acknowledged the delay in responding to the individual and confirmed that it had since taken steps to ensure that such delays would not occur in responding to future requests. The data controller confirmed that it had actioned the individual’s access and erasure requests. It also confirmed that it had contacted the individual to inform them of the steps it had taken in response to the DPC’s correspondence and had provided the individual with the explanations set out above. The actions taken and explanations given by the data controller were also outlined to the individual by the DPC. The individual informed the DPC that they were satisfied with the actions taken by the data controller in response to the DPC’s correspondence, as it allowed them to download their data and delete their account. This case study illustrates how often simple matters — such as a request being forwarded to the wrong unit in an organisation — can become data protection complaints if the matter is not identified appropriately.