Case Studies Electronic Direct Marketing
Prosecution of Vodafone Ireland Limited (ePrivacy)
In August 2019, March and September 2020, the DPC received three complaints from individuals regarding unsolicited marketing telephone calls, text messages and emails they had received from Vodafone Ireland Limited. In response to the DPC’s investigation of the first complaint, Vodafone Ireland Limited explained that the former customer had called Vodafone Ireland Limited on seven separate occasions to try to opt-out of receiving marketing phone calls to their mobile phone. On each occasion the agent they spoke to did not follow proper procedures and this resulted in the former customer not being opted out of marketing and receiving further marketing calls. The complainant closed his account with Vodafone Ireland Limited and switched to another operator due to the marketing phone calls he received.
In the other two cases, the complainants are existing customers of Vodafone Ireland Limited. In one case, the customer received a marketing call to their mobile phone number in February 2019 and during that call the customer told the caller that they did not want to receive further marketing calls. Despite this request, Vodafone Ireland Limited subsequently made a further twelve marketing phone calls to the complainant’s mobile phone as its agent did not take any action to change the complainant’s marketing preferences.
In the other case, the complainant completed a transfer of ownership form on which they clearly set out their marketing preferences not to receive any marketing communications from Vodafone Ireland Limited. The agent handling the transaction failed to follow a process to input the customer’s marketing preferences. As a result, the customer subsequently received a further 14 unsolicited marketing messages — seven emails and seven text messages.
The DPC had previously prosecuted Vodafone Ireland Limited in 2019, 2018, 2013 and 2011 for breaching Regulation 13 of the ePrivacy Regulations in relation to previous complaints. Accordingly, the DPC decided to proceed to another prosecution arising from these complaint cases.
At Dublin Metropolitan District Court on 6 September 2021, Vodafone Ireland Limited pleaded guilty to seven charges under Regulation 13(1) and 13(6)(a) of the ePrivacy Regulations. The District Court convicted Vodafone Ireland Limited on seven charges and imposed fines totalling €1,400. Vodafone Ireland Limited agreed to discharge the DPC’s legal costs.
Case Studies Data Breach Notification
Transfer of hard copy paper documents
The breach concerned an organisation that has a function in conducting independent reviews. The organisation was returning documents following the completion of its review process. The organisation normally encourages the use of a file transfer system for the transfer of subject records but also facilitates the sending of hard copies. In this instance, the sending organisation requested that the copies of records it had sent in hard copy be returned to it. The organisation returned these documents by post, and the envelope was reinforced and secure when it left the organisation. However, it was stated that it was not sent by registered post, which was the normal policy for the organisation when requesting hard copies from organisations to support the appeal/assessment process. When the envelope arrived back at the sending organisation, all of its seams were split and badly torn and three pages were missing from the package.
The documents contained details relating to vulnerable individuals and constituted personal data within the meaning of Article 4(1) GDPR. While the documents did not contain any medical data, certain medical information could be inferred from the fact that the service user had engaged with the sending organisation.
The organisation had engaged with the postal service used when returning the details to the requesting organisation and as part of its investigation into the missing three pages, it was established that the envelope was received undamaged by the postal service, however it was not sent as registered post and so postal tracking was not available.
The organisation has committed to enforcing the use of registered post and to updating its policy to direct staff that, when returning hard copies to the data controller, steps are taken in line with Article 5(1)(f) GDPR and Article 32 GDPR to implement appropriate technical and organisational measures. These include ensuring that the correspondence is registered with the postal service and that appropriately reinforced envelopes are used, so as to ensure a level of security and protection appropriate to the risk.
It was noted that the organisation had engaged with the postal service as part of its investigation into the missing three pages and had established that the envelope was received undamaged by the postal service. However, as it was not sent as registered post, tracking of the envelope was not available.
It was also identified that, while the policy in use by the organisation did call out the use of registered post as the preferred method of postage, this was only mentioned in relation to the receipt of hard copies from the sending organisations. The organisation recognised this as an oversight within its own policies.
The DPC engaged and advised the organisation to update its policy on the returning of hard copies to organisations and that it should include this in staff training and awareness campaigns.
Case Studies Electronic Direct Marketing
Prosecution of Three Ireland (Hutchison) Limited (ePrivacy)
In February 2021, the DPC received one complaint from an individual concerning unsolicited marketing electronic mail they had received from the telecommunications company Three Ireland (Hutchison) Limited. The complainant opted out of receiving marketing emails in mid-February 2021.
In response to the DPC’s investigation, Three Ireland (Hutchison) Limited explained that when it attempted to execute the opt-out request, two records were sent simultaneously and processed out of sequence, with the result that its system was not updated correctly. As a result, three further marketing emails were sent to the complainant in the following weeks. Three Ireland (Hutchison) Limited stated that it remedied the matter by implementing a script to resolve differences between permissions data. It also set up an email alert to monitor the script and raise an alert should the script stop working.
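The failure described above, two permission records processed out of sequence so that an opt-out is silently overwritten, is easy to reproduce in a few lines. The following is an added illustration, not Three Ireland’s code: a naive last-write-wins store beside one that only accepts a record newer than the one already held, plus a reconciliation pass of the kind the case mentions, which rebuilds the expected state from the source events and reports any customer whose stored permission disagrees. The customer ids, sequence numbers and events are all constructed.

```python
"""Added example (not Three Ireland's code): out-of-order permission records
undoing an opt-out, a sequence check that prevents it, and a reconciliation
pass that detects drift. All customer ids and events below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PermissionEvent:
    customer_id: str
    seq: int              # monotonically increasing per customer at the source system
    email_marketing: bool  # True = may be sent marketing email


# Constructed arrival order: the customer's opt-out (seq 2) is delivered first;
# an older preference-refresh record (seq 1) was sent at the same time and
# arrives late, having lost its ordering in transit.
ARRIVAL_ORDER = [
    PermissionEvent("cust-001", 2, False),  # opt-out, arrives first
    PermissionEvent("cust-001", 1, True),   # older record, arrives late
    PermissionEvent("cust-002", 1, True),   # unrelated customer, still opted in
]


def apply_last_write_wins(events):
    """Naive store: whichever record is processed last wins, regardless of seq."""
    store = {}
    for ev in events:
        store[ev.customer_id] = ev
    return store


def apply_with_sequence_check(events):
    """Hardened store: a record only replaces the stored one if its seq is newer,
    so a late-arriving older record can never revive a withdrawn permission."""
    store = {}
    for ev in events:
        current = store.get(ev.customer_id)
        if current is None or ev.seq > current.seq:
            store[ev.customer_id] = ev
    return store


def may_send_marketing(store, customer_id):
    """Pre-send gate: deny by default when no permission record exists at all."""
    ev = store.get(customer_id)
    return bool(ev and ev.email_marketing)


def reconcile(store, source_events):
    """Reconciliation pass: rebuild the expected state from the source event log
    and return the customers whose stored permission disagrees with their
    highest-seq event. An empty list means the store is consistent."""
    expected = apply_with_sequence_check(source_events)
    drift = []
    for cid, exp in expected.items():
        got = store.get(cid)
        if got is None or got.email_marketing != exp.email_marketing:
            drift.append(cid)
    return sorted(drift)


if __name__ == "__main__":
    naive = apply_last_write_wins(ARRIVAL_ORDER)
    fixed = apply_with_sequence_check(ARRIVAL_ORDER)
    print("naive store would send to cust-001:", may_send_marketing(naive, "cust-001"))
    print("fixed store would send to cust-001:", may_send_marketing(fixed, "cust-001"))
    print("drift found in naive store:", reconcile(naive, ARRIVAL_ORDER))
```

The reconciliation function is the piece a monitoring alert would wrap: if it stops running, or starts returning a non-empty list that nobody acts on, opt-outs are again at risk of being ignored.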
The DPC had previously prosecuted Three Ireland (Hutchison) Limited in 2020 and 2012 for breaching Regulation 13 of the ePrivacy Regulations in relation to previous complaints. Accordingly, the DPC decided to proceed to another prosecution arising from this complaint case.
At Dublin Metropolitan District Court on 6 September 2021, Three Ireland (Hutchison) Limited pleaded guilty to two charges under Regulation 13(1) of the ePrivacy Regulations. The District Court applied the Probation of Offenders Act 1907, on the basis of a charitable donation of €3,000 to Little Flower Penny Dinners. Three Ireland (Hutchison) Limited agreed to discharge the DPC’s legal costs.
Case Studies Data Breach Notification
CCTV policies and procedures
A customer of a restaurant lost their belongings while in the premises. They then requested that a staff member provide them with access to the restaurant CCTV footage to assist in finding out what happened to their belongings.
The staff member, using their phone, took a photo of the footage and then allowed the customer to view the image. However:
- They did not prevent the customer from using their own mobile phone to take a copy of the image.
- They did not log the customer’s contact details, should the need arise to make contact in relation to the image.
Having become aware of the incident, the restaurant manager submitted the breach as low risk, however following a DPC risk analysis the risk level was increased to high due to the lack of internal controls and policies in place.
When the owner/occupier of a premises installs a CCTV system, having justified it as a necessary and proportionate measure, they as a data controller must give due consideration to the safe storage of personal data and the implementation of appropriate security measures. Data controllers are obliged to implement technical and organisational measures to ensure that personal data are kept secure from any unauthorised or unlawful processing and from accidental loss, destruction or damage. In this case, the staff member should not have allowed the individual to take a photo of the image.
The restaurant was not able to mitigate the risks associated with this breach, as it was unable to contact the customer to request or confirm the deletion of the image from all locations.
The DPC engaged and advised the restaurant that it should review CCTV Policies and Procedures. In particular, it drew its attention to risk factors around:
- Authorisation of access to CCTV footage.
- Restrictions and logging of any duplication of CCTV footage.
- Awareness training for staff of the risks involved in the sharing of the CCTV footage. This should be clearly called out in its CCTV usage policy.
Case Studies Electronic Direct Marketing
Vodafone seeks employment details from customers
The DPC received a number of queries regarding new or existing customers being requested by Vodafone to produce their employment details and work phone number as a requirement for the provision of service by that company.
The first concern was that the requests were excessive and contrary to the Article 5 principle of lawful, fair and transparent collection, as the processing of data relating to their employment status was entirely unrelated to the product or service that they were receiving from the telecommunications company, which was for their personal or domestic use only.
Second, there were concerns that the mandatory request for a customer’s occupation/place of work/work phone number was not adequate, relevant or necessary under the “data minimisation” requirement and did not meet the purpose limitation principle as set out in Article 5 of GDPR. Third, there were also concerns amongst customers that the company’s data protection/privacy notice did not comply with the transparency requirement of GDPR Article 13(1).
Following engagement with the DPC, Vodafone admitted that it had made an error in the collection of this information. The company stated that the problems were caused by a legacy IT system that had not been updated to remove this requirement and that any access to the data was exceptionally limited and was not used for any additional processing purposes by them. Vodafone immediately commenced a plan to remediate the problems caused and, on the insistence of the DPC, published on its website the details of what had occurred, so that customers would be aware of the issue.
Case Studies Data Breach Notification
Second level school a victim of a whale phishing attack
The DPC received a breach notification from a school in relation to a bad actor who accessed and infiltrated a school’s ICT systems, including the email system, for an unknown length of time. The bad actor gathered information before sending a phishing email and tricked the administrator for financial accounts into directing payments into a fraudulent account.
The bad actor sent an email to the accounts administrator, pretending that it had come from the email address of the school principal. This practice is referred to as spoofing: the message has the appearance of coming from a trusted individual and of being a valid request. This email contained fraudulent duplicates of invoices relating to legitimate work performed in the school. However, the bank account details had been manipulated by the bad actor to redirect the payment to an unknown recipient, and the school, unaware of this, carried out the transaction.
The breach was discovered when the legitimate supplier reported that they had not been paid.
The DPC engaged with the school and recommended that the school take a number of actions to recover from the breach and mitigate against a recurrence including the implementation of Multifactor Authentication, ongoing monitoring and reminders on its email usage policy.
Case Studies Data Breach Notification
Data Processor in the Charity Sector Breach
The DPC became aware of a breach that had occurred at a data processor based outside of the DPC’s jurisdiction and used by eighteen (18) organisations (data controllers) operating in the charities sector. The organisations provided services largely aimed at supporting vulnerable individuals and are not for profit, with many of their personnel working on a volunteer basis.
The breach occurred when a bad actor gained access to the data processor’s network. The data processor was unable to confirm how long the bad actor may have infiltrated its systems before the discovery of the breach. This resulted in the exfiltration of some data, the deletion of a database that held the data and a ransom note demanding payment. The bad actor made direct contact with the data processor and provided evidence of the exfiltrated data.
The data processor did not pay the ransom and stated that it had restored its systems from backup. However, the exfiltrated data remained a risk.
Only eight of the eighteen organisations were able to confirm having an existing Breach Incident Response Plan, that is, a plan for responding to data breaches. Many of the data controllers demonstrated a lack of IT experience in any form and did not appear to recognise the extent of their Article 24 GDPR obligations (appropriate technical and organisational measures).
Most of the organisations had varying degrees of understanding of the personal and special category data which they held and a number were not able to confirm the categories of data held.
Most of the organisations did not have in place a controller-processor contract pursuant to Article 28(3) GDPR. Instead, these data controllers relied on a Software as a Service Subscription Agreement, which appeared to favour the data processor in terms of obligations to respond to, or provide information about, a security incident.
A number of the organisations had not conducted a Data Protection Impact Assessment (DPIA) despite the nature of the organisation and the clients for whom they cater. Some organisations stated that they were unable to perform a DPIA due to the data processor’s refusal to supply information about its systems and the breach.
The DPC engaged with the Data Protection Authority in the country where the processor was located to gather and share information. The DPC further engaged with the organisations in both a regulatory and a supervisory capacity. The DPC provided a number of recommendations, which emphasised the organisations’ obligations to be aware of the categories of personal data they processed pursuant to Article 4(1) and Article 9 GDPR. The DPC also emphasised the importance of vetting any third party they were choosing to engage with prior to permitting the processing of personal data (Article 28(1) GDPR), as well as their obligation to ensure that a processing agreement is in place setting out clearly the responsibilities of both parties (Article 28(2) GDPR) and that it is tested regularly.
Case Studies Data Breach Notification
Breach Complaint related to employment information
The DPC received a complaint from an individual against their employer relating to a data breach. The breach occurred when an HR folder, which contained the individual’s personal data, was placed on an open drive that was accessible to third-party individuals.
Having reviewed the information provided, the DPC noted that the employer had notified the breach to the DPC. As part of its notification, it advised that, due to human error, a folder containing the personal data of a number of employees was accidentally transferred to a common internal shared drive. It further advised that this folder was not accessible to anyone outside of the organisation. Once the employer became aware of this breach, it took immediate action to secure the files affected. The Human Resources folders were secured by removing them from the shared drive and relocating them to the appropriate local HR drive.
The employer investigated this incident and confirmed that no further processing of personal data occurred in this instance. The employer informed the affected individuals of this breach and provided various updates regarding same via email. The employer subsequently provided the individual with a detailed list of the categories of personal data which were involved in this data breach.
The DPC conducted an inspection at the employer’s premises. Having assessed the breach notification, the complaint received and the information established during the inspection, the DPC reminded the employer of its obligations under Article 5(1)(f) and Article 24 of the GDPR. The employer has since confirmed to the DPC the technical measures put in place to prevent a recurrence of such an incident in the future.
Case Studies Electronic Direct Marketing
Prosecution of Shop Direct Ireland Limited t/a Littlewoods Ireland
In May 2019, the DPC received a complaint from an individual who said they had been receiving direct marketing text messages from Littlewoods since March. The complainant stated that they had followed the instructions to unsubscribe by texting the word ‘STOP’ on five occasions to a designated number known as a short code, but they had not succeeded in opting out and they continued to get marketing text messages.
In the course of our investigations, Shop Direct Ireland Limited (t/a Littlewoods Ireland) confirmed it had a record of the complainant’s opt-out from direct marketing texts submitted through their account settings on the Littlewoods website on 8 May 2019. It did not, however, have a record of their attempts to opt-out of direct marketing texts on previous occasions using the SMS short code. This was due to human error in setting up the content for the SMS marketing messages. The company said that the individual responsible for preparing and uploading content relating to marketing texts had mistakenly included the opt-out keyword ‘STOP’ instead of ‘LWISTOP’ at the end of the marketing texts.
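The root cause above is a mismatch between the keyword printed in the marketing text and the keyword the inbound short-code handler was configured to act on, so five ‘STOP’ replies were never recorded. The following is an added illustration, not Shop Direct’s code, of that handler in its configured-only form beside a hardened form that honours the generic ‘STOP’ keyword as well as the brand keyword, together with a pre-send content check that verifies every “Text X to NNNNN” instruction in an outgoing message names a keyword the handler will actually recognise. The short code, phone number and message texts are constructed placeholders.

```python
"""Added example (not Shop Direct's code): an SMS short-code opt-out handler,
the keyword mismatch that leaves opt-outs unrecorded, and two controls that
catch it. Short code, MSISDN and message bodies are constructed placeholders."""
import re

SHORT_CODE = "50000"                     # constructed placeholder short code
BRAND_OPT_OUT_KEYWORD = "LWISTOP"        # keyword the handler was configured for
UNIVERSAL_OPT_OUT_KEYWORDS = {"STOP"}    # generic keyword customers expect to work


def handle_inbound_configured_only(msisdn, body, suppression):
    """Pre-fix behaviour: only the brand keyword is recognised, so a reply of
    'STOP' (the keyword the message footer told the customer to use) is ignored."""
    if body.strip().upper() == BRAND_OPT_OUT_KEYWORD:
        suppression.add(msisdn)
        return True
    return False


def handle_inbound_hardened(msisdn, body, suppression):
    """Hardened handler: the brand keyword and any universal keyword both opt the
    sender out. Matching is on the first token, case-insensitive, so 'stop',
    'STOP please' and 'LWISTOP' all succeed."""
    tokens = body.strip().upper().split()
    if tokens and (tokens[0] == BRAND_OPT_OUT_KEYWORD
                   or tokens[0] in UNIVERSAL_OPT_OUT_KEYWORDS):
        suppression.add(msisdn)
        return True
    return False


# Matches opt-out instructions such as "Text STOP to 50000" in an outgoing message.
FOOTER_RE = re.compile(r"\b(?:text|reply)\s+([A-Z]+)\s+to\s+(\d{4,6})\b", re.IGNORECASE)


def footer_keywords_recognised(message_body, recognised_keywords):
    """Pre-send content check: every opt-out instruction addressed to our short
    code must name a keyword the inbound handler honours. Returns the list of
    unrecognised keywords; an empty list means the content is consistent."""
    bad = []
    for kw, code in FOOTER_RE.findall(message_body):
        if code == SHORT_CODE and kw.upper() not in recognised_keywords:
            bad.append(kw.upper())
    return bad


def simulate(handler, attempts):
    """Replay constructed opt-out attempts through a handler and return the set of
    numbers that would still be texted afterwards (empty means all opted out)."""
    suppression = set()
    for msisdn, body in attempts:
        handler(msisdn, body, suppression)
    return {m for m, _ in attempts} - suppression


# Constructed: five 'STOP' replies from one number, as in the complaint.
ATTEMPTS = [("msisdn-constructed-1", "STOP")] * 5
CAMPAIGN_TEXT = "Sale now on! Text STOP to 50000 to opt out"  # constructed footer

if __name__ == "__main__":
    print("still texted (configured-only):", simulate(handle_inbound_configured_only, ATTEMPTS))
    print("still texted (hardened):", simulate(handle_inbound_hardened, ATTEMPTS))
    print("unrecognised footer keywords:",
          footer_keywords_recognised(CAMPAIGN_TEXT, {BRAND_OPT_OUT_KEYWORD}))
```

Either control alone would have surfaced the problem: the content check rejects a campaign whose footer quotes a keyword the handler does not know, and the hardened handler records the opt-out even when the footer is wrong.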
Shop Direct Ireland Limited had previously been prosecuted by the DPC in 2016 in relation to a similar issue, which resulted in a customer attempting, without success, to unsubscribe from direct marketing emails. On that occasion, the court outcome resulted in the company making a donation of €5,000 to charity instead of a conviction and fine.
The DPC decided to prosecute the company in respect of direct electronic marketing offences in relation to the May 2019 complaint.
At Dublin Metropolitan District Court on 29 July 2019, Shop Direct Ireland Limited (t/a Littlewoods Ireland) entered guilty pleas to two charges relating to sending unsolicited direct marketing text messages. The court ruled that the company would be spared a conviction and fine if it donated €2,000 each to the Peter McVerry Trust and the Little Flower Penny Dinners charities and section 1(1) of the Probation of Offenders Act was applied.
Case Studies Electronic Direct Marketing
Prosecution of Cari’s Closet Limited
In May 2018, we received a complaint against the online fashion retailer Cari’s Closet from an individual who had in the past placed an online order with the company. The complaint concerned the receipt of three unsolicited direct marketing emails. The same person had previously complained to the DPC in January 2018 about unsolicited emails from that company. On that occasion, the complainant said they had received over forty marketing emails in one month alone. The person had attempted, without success, to unsubscribe on a couple of occasions.
Cari’s Closet attributed the failure to properly unsubscribe the complainant from emails to a genuine mistake on its behalf.
As the DPC had issued a warning in April 2018 in relation to the earlier complaint, we decided to initiate prosecution proceedings against the company.
At Dublin Metropolitan District Court on 29 July 2019, Cari’s Closet pleaded guilty to one charge of sending an unsolicited direct marketing email to the complainant. Instead of a conviction and fine, the court applied section 1(1) of the Probation of Offenders Act on the basis that the company donate €600 to the Little Flower Penny Dinners charity.