Case Studies Electronic Direct Marketing

Prosecution of Just-Eat Ireland Limited

We received a complaint from an individual in November 2018 regarding unsolicited direct marketing emails from Just-Eat Ireland Limited. The complainant had unsubscribed from the company’s direct marketing emails but several days later received an unsolicited marketing email. During our investigation of this complaint, the company informed us that the complainant’s attempt to unsubscribe was unsuccessful due to a technical issue with its email platform. This issue affected 391 customers in Ireland.

As Just-Eat Ireland Limited had previously been warned by the DPC in 2013 on foot of complaints in relation to unsolicited direct marketing emails, we decided to initiate prosecution proceedings.

At Dublin Metropolitan District Court on 29 July 2019, Just-Eat Ireland Limited pleaded guilty to one charge in relation to sending an unsolicited direct marketing email. The court applied section 1(1) of the Probation of Offenders Act in lieu of a conviction and fine on the basis that the company donate €600 to the Peter McVerry Trust charity.

Prosecution of Vodafone Ireland Limited

In April 2019, the DPC received two separate complaints from an individual who had received unsolicited direct marketing communications by text and by email from the mobile network operator Vodafone. The individual stated that Vodafone had ignored their customer preference settings, which recorded that they did not wish to receive such marketing.

During our investigation, Vodafone confirmed that the complainant had been opted-out of direct marketing contact but that communications were sent to them due to human error in the case of both the text message and the email marketing campaigns.

In the case of the SMS message, Vodafone confirmed that a text offering recipients the chance to win tickets to an Ireland versus France rugby match was sent to approximately 2,436 customers who had previously opted out of receiving direct marketing by text. This was the result of a failure to apply a marketing preferences filter to the SMS advertising campaign before it was sent.

In the case of the email received by the complainant, an application intended for sending direct marketing to prospective customers was used in error, and the message was sent to existing Vodafone customers. The marketing email went to 29,289 existing customers. Vodafone confirmed that 2,523 of the 7,615 recipients it could check against recorded preferences had been contacted in error. It was unable to link the remaining 21,674 recipients to their marketing preferences in its data warehouse, so the total number contacted contrary to their preference could not be confirmed.

The DPC had also received a separate complaint in February 2019 from another individual who was a former customer of Vodafone. This person had ceased to be a Vodafone customer more than five years earlier but still continued to receive promotional text messages. In the course of our investigation, Vodafone confirmed that the direct marketing messages were sent to the complainant in error. It said that in this exceptional case, the complainant’s mobile number was not removed from the platform used to send marketing communications when the number ceased to be active on the network. As the DPC had previously prosecuted Vodafone in 2011, 2013 and 2018 in relation to direct electronic marketing offences, we decided to initiate prosecution proceedings in relation to these complaints.

At Dublin Metropolitan District Court on 29 July 2019, Vodafone pleaded guilty to five charges of sending unsolicited direct marketing communications in contravention of S.I. No. 336 of 2011 (‘the ePrivacy Regulations’). The company was convicted and fined €1,000 on each of three charges and convicted and fined €750 each in respect of the two remaining charges.

Prosecution of Starrus Eco Holdings Limited, T/A Panda and Greenstar

In April 2018, a customer of the bin-collection service provider, Panda, complained to us that he had received unsolicited marketing SMS and email messages to which he had not consented, advertising Panda’s electricity business. He stated that the messages did not provide an unsubscribe option.

During our investigation, we were informed by Panda that the complainant should not have received the marketing messages. It said that due to a human error, a staff member of the marketing department had incorrectly believed that the complainant had consented to receiving direct-marketing messages. It regretted the failure to include an opt-out on the messages and explained that its service provider for marketing emails had failed to act in accordance with its instructions to include an opt-out.

In May 2018, we received a complaint from a customer of Greenstar, another bin-collection service provider. This individual had previously complained to us in 2011 about unsolicited marketing text messages sent to him without consent. We concluded that previous complaint by issuing a warning to Greenstar in September 2011. The complainant now reported to us that direct marketing from Greenstar by means of SMS messages had started aggressively once again.

In response to our enquiries, Greenstar informed us that, given the lapse of time since the 2011 complaint (which it acknowledged was no excuse), its records pertaining to the complainant were not what they should have been. Neither the complainant’s details nor the details of the 2011 complaint were accurate and up to date, with the result that the company used the complainant’s mobile telephone number for marketing purposes when it should not have.

In light of our previous warning, the DPC decided to prosecute Starrus Eco Holdings Limited, T/A Panda and Greenstar in respect of offences committed in both cases. At Dublin Metropolitan District Court on 24 October 2018, the company entered guilty pleas in relation to charges for contraventions of Regulation 13(1) of S.I. No. 336 of 2011 for the sending of unsolicited marketing SMS messages to the two complainants without their consent. Instead of a conviction and fine, the court ordered the company to make a charitable donation of €2,000 to the Peter McVerry Trust. The defendant company agreed to cover the prosecution costs of the DPC. Confirmation of the charitable donation was subsequently provided to the court on 15 November 2018 and the matter was struck out.

Prosecution of Vodafone Ireland Limited

In May 2018, we received a complaint from an individual who stated he was receiving frequent unsolicited calls from Vodafone’s marketing team. He claimed that Vodafone initially called him on 10 May 2018, at which point he said he was not interested in their offer; since then the company had called him every day. He ignored the communications.

During our investigation, we confirmed that a recording of the marketing telephone call on 10 May 2018 included the complainant advising the calling agent that he was not interested in Vodafone’s broadband service. Vodafone told us that the agent should have then removed the telephone number from the marketing campaign by using an appropriate code when closing the call. Human error had led to the phone call being closed with an incorrect code for a call-back — meaning the complainant’s phone number remained, leading to the further calls.

We received a separate complaint in July 2018 from a Vodafone customer. He reported that he had received an unsolicited marketing telephone call from Vodafone in June 2018 despite having opted out of receiving marketing telephone calls during a previous unsolicited marketing telephone call in May 2018, confirmation of which had been sent to him by email shortly afterwards.

In response to our enquiries, Vodafone referred to a data-breach report that it had submitted to the DPC on 21 June 2018. This report notified the DPC that several customers who had opted out of marketing between 18 May and 11 June 2018 had erroneously received marketing communications due to difficulties in implementing system changes as part of its GDPR-compliance programme. Recently changed marketing preferences were not being read correctly across all of its systems and, accordingly, the customers concerned were wrongly included in marketing campaigns.

The DPC decided to prosecute Vodafone in relation to both cases. At Dublin Metropolitan District Court on 22 October 2018, the company entered guilty pleas in relation to two charges for contraventions of Regulation 13(6)(a) of S.I. No. 336 of 2011 for the making of unsolicited marketing telephone calls to the mobile telephones of the two complainants without their consent. The court convicted Vodafone on the two charges and imposed fines of €1,000 in respect of each of the two charges (a total fine of €2,000). Vodafone agreed to cover the prosecution costs of the DPC.

Prosecution of DSG Retail Ireland Limited

DSG Retail Ireland Limited operates under various trading names and registered business names such as Dixons, Currys, PC World and Currys PC World. In November 2017, we received a complaint from a woman who had purchased a television from Currys a year previously. She informed us that she gave her email address to the company for the purposes of receiving a receipt and that she did not consent to receiving marketing emails. She stated she had unsubscribed from receiving further emails but the unsolicited emails continued.

During our investigation, the company told us that the customer had successfully unsubscribed from its mailing list in November 2016. However, when she made a new purchase in January 2017 and once again opted out of receiving marketing communications, a duplicate record was created following the customer’s second transaction. According to the company, this duplicate record, coupled with a system bug arising during an update to its systems in May 2017, resulted in an error regarding the recording of the customer’s marketing preferences. As a result, there was a period between August and November 2017 during which marketing emails were sent to her.

As we had previously issued a warning to the company in November 2014 on foot of a previous complaint from a member of the public concerning an alleged contravention of the regulations in relation to unsolicited marketing emails, the DPC decided to prosecute the company in respect of the latest suspected contravention. 

At Dublin Metropolitan District Court on 22 October 2018 the company entered a guilty plea in relation to a charge for contravention of Regulation 13(1) of S.I. No. 336 of 2011 for the sending of an unsolicited marketing email to the complainant without her consent. In lieu of a conviction and fine, the court ordered the company to make a charitable donation of €1,500 to the Peter McVerry Trust. The defendant company agreed to cover the prosecution costs of the DPC. Confirmation of the charitable donation was subsequently provided to the court on 26 November 2018 and the matter was struck out.

Prosecution of Clydaville Investments Limited, T/A The Kilkenny Group

In November 2017, we received a complaint from an individual who received a marketing email from the Kilkenny Group. The email, which was personally addressed to him, promoted a pre-Christmas sale and informed him that there was up to 50% off and that everything was reduced. The complainant informed us that he did not believe that he had opted into receiving marketing emails.

During our investigation, it emerged that a previous marketing email had been sent to the same complainant one year earlier, in November 2016, inviting him to a corporate event in the company’s Cork store. The complainant subsequently advised us that he recalled replying to that email, asking that his email address be deleted. In September 2012, arising from our investigation of a complaint about unsolicited marketing text messages sent by the Kilkenny Group to a different complainant, we had issued a warning to the company. In light of that, the DPC decided to prosecute the company in respect of the 2017 complaint.

The matter came before Tralee District Court on 15 October 2018. The defendant faced a total of four charges. Two related to alleged contraventions of Regulation 13(1) of S.I. No. 336 of 2011 for the sending of unsolicited marketing emails to the complainant in November 2016 and November 2017 without his consent. Two further charges related to alleged contraventions of Regulation 13(12)(c) of S.I. No. 336 of 2011. This regulation provides that a person shall not send electronic marketing mail that does not have a valid address to which the recipient may send a request that such a communication shall cease.

As guilty pleas were not entered to any of the charges, the matter went to a full hearing involving three defence witnesses and two prosecution witnesses, including the complainant. At the end of the proceedings, the court found the facts were proven in relation to two contraventions of Regulation 13(1) in relation to the sending of two marketing emails without consent. On the understanding that the defendant would discharge the prosecution costs of €1,850, the court applied Section 1(1) of the Probation of Offenders Act in respect of both charges instead of a conviction and fine. The court dismissed the two charges in respect of Regulation 13(12)(c).

Prosecution of Viking Direct (Ireland) Limited

In April 2017, we received a complaint from a business owner regarding unsolicited marketing emails that the business email address was receiving from Viking Direct (Ireland) Limited. The complainant indicated that she had previously contacted the company to ask for her business email address to be removed from the marketing list but, despite this, further marketing emails continued to be sent.

During our investigation, Viking Direct (Ireland) Limited confirmed that the complainant had asked to be removed from its mailing list several times. It explained that the internal processes of moving the data to the suppression list had failed and the data remained on the mailing list. The company stated that the systems had now been corrected and tested, such that the situation should not recur. It apologised for any inconvenience caused to the complainant. Our investigation found evidence of three opt-out requests sent by the complainant to Viking Direct (Ireland) Limited by email between 30 March 2017 and 11 April 2017.
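The failures recorded in these cases (a preference filter not applied to a campaign, a duplicate customer record that lost an earlier opt-out, an opt-out that never reached the suppression list, recipients whose preferences could not be linked to the data warehouse, and a former customer never removed from the sending platform) share one engineering remedy: a single send gate that keys consent on a normalised channel identifier rather than on a record id, and that refuses to send when the preference is unknown. The following Python is an added illustration, not code from the DPC or from any company named on this page; the data model, function names and sample records are assumptions constructed for the example.

```python
"""Added example (not DPC or company code): a fail-closed send gate for
direct-marketing campaigns.  Names, data model and sample records are
assumptions chosen to illustrate the failure modes in the case studies."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import re


@dataclass(frozen=True)
class Contact:
    record_id: str
    email: Optional[str] = None
    mobile: Optional[str] = None
    active: bool = True          # False once the customer has left the network


def normalise(channel: str, identifier: str) -> str:
    """Canonical key per channel so duplicate records collapse to one preference."""
    if channel == "email":
        return identifier.strip().lower()
    if channel == "sms":
        digits = re.sub(r"\D", "", identifier)
        if digits.startswith("00"):
            digits = digits[2:]
        elif digits.startswith("0"):
            digits = "353" + digits[1:]   # assumption: Irish numbers, E.164 form
        return "+" + digits
    raise ValueError(f"unknown channel {channel!r}")


class PreferenceStore:
    """Consent keyed by (channel, canonical identifier), never by record id."""

    def __init__(self) -> None:
        self._prefs: Dict[tuple, bool] = {}

    def register_default(self, channel: str, identifier: str, consent: bool) -> None:
        # A newly created record supplies a default only when the person has no
        # existing preference; it can never overwrite an explicit opt-out.
        self._prefs.setdefault((channel, normalise(channel, identifier)), consent)

    def opt_out(self, channel: str, identifier: str) -> None:
        self._prefs[(channel, normalise(channel, identifier))] = False

    def opt_in(self, channel: str, identifier: str) -> None:
        self._prefs[(channel, normalise(channel, identifier))] = True

    def consent(self, channel: str, identifier: str) -> Optional[bool]:
        return self._prefs.get((channel, normalise(channel, identifier)))


@dataclass
class GateResult:
    send_to: List[str] = field(default_factory=list)       # record ids cleared
    blocked: Dict[str, str] = field(default_factory=dict)  # record id -> reason


def gate_campaign(contacts, channel, prefs, template) -> GateResult:
    """Decide per contact whether the campaign may go out; unknown means no."""
    if "{unsubscribe}" not in template:
        raise ValueError("template has no unsubscribe address; refusing to send")
    result, seen = GateResult(), set()
    for c in contacts:
        identifier = c.email if channel == "email" else c.mobile
        if not identifier:
            result.blocked[c.record_id] = "no identifier for channel"
            continue
        key = normalise(channel, identifier)
        if key in seen:
            result.blocked[c.record_id] = "duplicate of an earlier recipient"
            continue
        seen.add(key)
        if not c.active:
            result.blocked[c.record_id] = "not an active customer"
            continue
        consent = prefs.consent(channel, identifier)
        if consent is None:
            result.blocked[c.record_id] = "preference cannot be linked: fail closed"
        elif consent is False:
            result.blocked[c.record_id] = "opted out"
        else:
            result.send_to.append(c.record_id)
    return result


def demo() -> Dict[str, GateResult]:
    """Constructed sample data, not real customer records."""
    prefs = PreferenceStore()
    prefs.register_default("email", "Ann@Example.ie", True)
    prefs.opt_out("email", " ann@example.ie ")               # Ann unsubscribes
    prefs.register_default("email", "ANN@example.ie", True)  # later duplicate record
    prefs.register_default("email", "bob@example.ie", True)
    prefs.opt_out("sms", "087 123 4567")                     # Carol opts out of SMS
    prefs.register_default("sms", "086 123 4567", True)      # Frank consents
    prefs.register_default("sms", "085 999 0000", True)      # Eve, later leaves
    email_run = [Contact("ann-2", email="ANN@example.ie"),
                 Contact("bob", email="bob@example.ie")]
    sms_run = [Contact("carol-1", mobile="087 123 4567"),
               Contact("carol-2", mobile="+353 87 123 4567"),   # duplicate record
               Contact("dave", mobile="085 111 2222"),          # preference never recorded
               Contact("eve", mobile="085 999 0000", active=False),
               Contact("frank", mobile="086 123 4567")]
    template = "Win tickets! Visit {unsubscribe} to stop these messages."
    return {"email": gate_campaign(email_run, "email", prefs, template),
            "sms": gate_campaign(sms_run, "sms", prefs, template)}


if __name__ == "__main__":
    for channel, res in demo().items():
        print(channel, "send:", res.send_to, "blocked:", res.blocked)
```

Two design choices carry the weight. Consent lives in one store keyed by the normalised address or number, so a second purchase that creates a duplicate record cannot silently reset an opt-out, and an opt-out is written directly to that store rather than queued for a separate "move to suppression list" step that can fail. The gate itself runs at send time on every campaign, including ones sent from a prospect-marketing tool, and treats an unresolvable preference the same way as an opt-out.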

Viking Direct (Ireland) Limited had been the subject of an investigation in 2012 on foot of a complaint made to the DPC about unsolicited marketing emails. At that time, we concluded that investigation with a warning to the company. In light of that warning, the DPC decided to prosecute the company in respect of the 2017 complaint.

At Dublin Metropolitan District Court on 14 May 2018, the company entered a guilty plea to one charge of sending an unsolicited marketing email to a business email address in contravention of Regulation 13(4) of S.I. No. 336 of 2011. Under this regulation, it is an offence to send an unsolicited direct-marketing communication by electronic mail to a subscriber (which includes business subscribers) where that subscriber has notified the sender that it does not consent to the receipt of such a communication. The case was adjourned for sentencing until 11 June 2018. At the sentencing hearing, the court applied Section 1(1) of the Probation of Offenders Act in lieu of a conviction and fine. The company agreed to cover the prosecution costs incurred by the DPC.

Case Studies Disclosure / Unauthorised Disclosure

Appropriate security measures for emailed health data

The DPC received a complaint from the parent of a child whose health data was mistakenly disclosed to an unknown third party. The data was contained in a document attached to a misaddressed email that had been sent by an employee of a public body.

The child was the subject of a health-related assessment by a therapist employed by the public body. The therapist prepared a draft report, which was to be sent to a senior professional. Before sending it, the therapist decided to ask a colleague for a second opinion. The colleague was not in the office, so the therapist chose to send the draft report to the colleague’s personal email address. Soon after doing so, the therapist realised that the email address was incorrect. The public body’s IT service was not able to recall the misaddressed email. The recipient’s email service provider confirmed that the recipient’s account was active, but emails from the public body asking the recipient to delete the misaddressed email were not answered. The public body contacted the parent by telephone, in person and in writing to inform them of the error and apologise for it. It also notified the DPC of a personal data breach. The parent subsequently lodged a complaint with the DPC.

As part of its examination of the complaint, the DPC asked the public authority to explain the steps taken to secure deletion of the misaddressed email, its policy concerning the sending of work-related emails to staff members’ personal addresses, and the measures being adopted to prevent a recurrence of the breach.

In its response, the public body confirmed the sequence of events described above, including its attempts to recall the email and its interactions with the email service provider. It advised the DPC that it had reissued a copy of its data protection policy to all members of the team on which the therapist worked, and had written to the team reminding members that they are not permitted to send any information to personal email addresses, regardless of whether they had been asked to do so. It was made clear that this included reports and other work-related documentation. Data protection was added as a fixed item on the agenda of the team’s bi-monthly meetings, and all team members were scheduled for data protection awareness training.

In assessing the matter, the central issue identified by the DPC was the obligation of a data controller to take appropriate security measures against risks including unauthorised disclosure of personal data. Appropriate security measures are to be identified having regard to factors including the technology available, the harm that could be caused by disclosure, and the nature of the data. Further, controllers must take all reasonable steps to ensure that their employees are aware of and comply with those measures.

The DPC’s view was that sending a draft report to a personal email address was clearly inappropriate having regard to the required level of security, and was contrary to the public body’s own data protection policies. However, the mere existence of those policies was not enough to satisfy the obligation to take reasonable steps to ensure its employees were aware of and complied with them. The public body had done so only after the breach had occurred.

Key Takeaway

  • This case highlights the risk-based approach of data protection legislation. Article 32 of the GDPR requires controllers (and, where applicable, processors) to implement technical and organisational measures to ensure appropriate security of the personal data they process. Persons who process personal data on behalf of the controller must do so only on the controller’s instructions, and therefore must be aware of the relevant technical and organisational measures.
  • The appropriateness of security measures is determined by reference to risk: the risk that a breach could pose to individuals’ rights and freedoms, and the possibility of various types of breach, such as loss, disclosure or unauthorised access. Special category data, such as health data, has heightened protection under Article 9 of the GDPR. Security measures that are appropriate for these categories of data are therefore likely to be more stringent. Controllers must also bear in mind that risks often change over time; security measures must likewise be adapted to the circumstances.

Disclosure of personal data (Applicable Law — GDPR & Data Protection Act 2018)

A data subject lodged a complaint with the Data Protection Commission (DPC) against their owner management company (the data controller) regarding the disclosure of their personal data under the General Data Protection Regulation (GDPR). The data subject explained to the DPC that an email containing their personal data had been circulated by a property management company on behalf of the owner management company (OMC) and contained information regarding the payment of annual service charges.

Before contacting the DPC, the data subject contacted the OMC to raise their concerns about the disclosure of their personal data. The OMC responded that its policy was to include such personal data in emails to all clients. The data subject confirmed that they had neither seen nor signed this policy.

Following engagement by the DPC, the data controller cited a clause in the OMC’s Memorandum of Association which allowed for the disclosure of payment or non-payment of service charges to other unit owners.

The DPC provided both parties with guidance from this office for consideration, “Data Protection Considerations Relating to Multi-Unit Developments and Owners’ Management Companies”. The guidance indicated that the disclosure must be justified as both necessary and proportionate to achieve a specific, explicit and legitimate purpose, in accordance with data protection law.

The data controller informed the DPC that a balancing test was conducted and highlighted that the processing of the personal data was necessary to achieve the legitimate interest of the management company to obtain payment of service charges.

Under section 109(5)(c) of the 2018 Act the DPC advised that the data controller had not been able to provide an adequate lawful basis for the processing of personal data as outlined in the complaint.

In its outcome, the DPC reminded the data controller of its obligations under Articles 5, 6 and 24 of the GDPR. Under section 109(5)(f) of the 2018 Act, the DPC recommended that the data controller review its Memorandum of Association to ensure compliance with the DPC guidance, consider alternative methods of resolving the non-payment of service charges, and consider and balance any legal obligation or legitimate interest against the rights and interests of the data subject.

Disclosure of personal and financial data to a third party and erasure request

A data subject provided their personal and financial data to an organisation (the data controller) as part of their relative’s application for a scheme. The application was unsuccessful and the applicant was issued with a refusal letter, which included a breakdown of the data subject’s personal and financial data. The data subject made a complaint to the Data Protection Commission (DPC) regarding the lack of transparency in the application process and the disclosure of their personal and financial data to their relative. The data subject requested the return of their personal data from the data controller. The data subject also requested that their personal data be erased by the data controller under Article 17 of the General Data Protection Regulation (GDPR) and, if erasure was not an option, the legal basis on which the data was being retained.

Prior to the commencement of an examination by the DPC, the data subject made suggestions to amicably resolve their complaint, which included, among other things, a ‘goodwill gesture’ from the data controller. However, due to the role of the organisation, the data controller was not in a position to facilitate this request.

As part of its examination, the DPC engaged with the data controller and requested a response to the data subject’s complaint. The data controller stated that while it is part of their procedure to inform applicants of their reasons for refusal, only a partial disclosure should be made in their decision letters where information was gathered from a third party. With regards to the data subject’s erasure request, the data controller advised that the personal data provided would be retained for the lifetime of the applicant plus 10 years. The data controller explained that the data is retained for this period as the data in question may affect any future applications by the applicant.

Subsequently, the data controller refused the data subject’s erasure request, advising that it was relying on Article 17(3)(b) of the GDPR, which limits the obligation on data controllers to erase personal data where the personal data is required for compliance with a legal obligation. The data controller also relied on Article 23(1)(e) of the GDPR, which provides that a data subject’s rights may be restricted for “important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security”.

An apology was issued to the data subject by the data controller as a result of the disclosure of their personal data in the refusal letter issued to their relative, the applicant. The data subject queried whether this disclosure had been reported to the DPC as a breach. Under Article 33 of the GDPR, a data controller is required to report a personal data breach to the relevant competent authority without undue delay, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. A personal data breach is defined in Article 4(12) of the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. The DPC found that the disclosure was the result of human error and was not identified as a systemic issue.

Through its examination, the DPC found that the refusal letter which resulted in the disclosure of the data subject’s personal data, could be distinguished from other records retained by the data controller as it did not directly follow their guidelines. As such, the DPC invited the data controller to erase or redact the data subject’s personal data from the decision letter held on file. In addition, an amended letter could be issued to the applicant redacting the data subject’s personal data. The data controller advised they would reissue the refusal letter and request the applicant return the initial letter sent. The data controller also advised they would delete the initial letter from their records.

Under section 109(5)(c) of the 2018 Act, the DPC advised the data subject that the explanation put forward by the data controller in the circumstances of their complaint was reasonable. While the data controller acknowledged the disclosure of the data subject’s personal data to their relative, the applicant, they issued an apology for same, and indicated that the original refusal letter will be amended on their system, while an updated letter will issue to the applicant.

Further, under section 109(5)(f) of the 2018 Act, the DPC recommended the data controller provide updated training to their staff regarding their guidance for decision letters.