Case Studies Cross-border Complaints
Cross-Border Complaint Concerning an Access Request to a Large Social Media Platform
The DPC received a complaint via the One-Stop-Shop (OSS) mechanism relating to an access request made to a large social media platform (the Data Controller) pursuant to Article 15 GDPR.
The individual noticed that their account with the Data Controller appeared to have been hacked and subsequently disabled by the Data Controller. The individual made an access request to the Data Controller in order to obtain a copy of their data. The Data Controller directed them to a set of self-service tools outlining how to access and download their data.
However, the individual was unable to avail of the self-service tools because of the restriction placed on their account. Having raised this issue with the Data Controller, the individual received further correspondence from the Data Controller explaining that, for security reasons, it was unable to reinstate the account or provide a copy of the data, and that it considered the case closed.

Upon receipt of the complaint, the DPC commenced an examination of the complaint with the Data Controller pursuant to section 109 of the Data Protection Act 2018. In response to the DPC's examination, the Data Controller referred the account to its internal team for further investigation, which confirmed that the account showed signs of compromise and that it had been disabled as a result of activity which occurred on the account during the period it was compromised. The Data Controller therefore agreed to reverse the disablement of the individual's account and to facilitate them in regaining access. Once the individual had regained full access to their account, the Data Controller advised them how to use the self-service tools to download a copy of their data if they still wished to do so.
In light of the above actions, the individual subsequently confirmed to the DPC that they considered their complaint resolved.
Case Studies Erasure
Right to be Forgotten (RtbF) search engine results for an individual’s first and last name
An individual contacted a search engine company to request that links to articles about them, hosted on a number of websites and containing their name, be removed from its search results, as they believed the articles were no longer relevant to their current life and circumstances. The search engine company replied that the requests did not meet the criteria for it to remove the links. The individual was unhappy with this response and contacted the DPC to make a complaint.
The DPC began its examination of the complaint by asking the company for the reasons why it believed that the individual's rights under Article 17 of the GDPR did not apply to the request. The company responded that, as it understood the position, only links to articles that appear in the results of a search for the individual's full name qualify for consideration under Article 17 of the GDPR. In other words, the search engine will delist those URLs from the results returned when the individual's full name is searched for; the original articles remain online on the websites that published them.

When the individual made their request to the company, they listed a series of URLs to articles that contained their full (first and last) name. However, when the company performed a search for the individual's full name, the URLs they had specified did not appear in the results listing and therefore did not fall within the scope of Article 17 of the GDPR. The DPC likewise performed searches for the individual's full name and did not find the URLs that the individual had asked to be delisted. It therefore found that, on this occasion, the right to be forgotten under Article 17 of the GDPR was not applicable.
Case Studies Law Enforcement Directive (LED)
Law Enforcement Directive (LED) Access Request - Rights and Restrictions
Under the Law Enforcement Directive (LED) as transposed into Irish law by Parts 5 & 6 (sections 69 to 104) of the Data Protection Act 2018 (the Act), there may be restrictions placed on an individual’s right of access to records containing personal data.
An individual requested all personal data relating to themselves processed by An Garda Síochána (AGS). AGS responded to the individual providing some documentation containing personal data. In its reply, AGS also advised that certain documents were being released in a redacted format and that further documents were being withheld in their entirety. The exemptions on which AGS was relying were sections 91(7) and 94(3)(a) of the Act. Section 91(7) refers to data that includes personal data relating to another individual and that would reveal, or would be capable of revealing, the identity of that other individual, while section 94(3)(a) relates to data whose release would prejudice the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties.
As the individual was not satisfied with the response received from AGS, they made a complaint to the DPC. Upon receipt of the complaint, the DPC identified it as being a LED complaint as opposed to a GDPR complaint. As part of the DPC’s examination of the complaint, the DPC requested AGS to provide further detail in relation to its reliance on exemptions to withhold personal data in response to the access request. Upon receipt of the requested further detail from AGS, the DPC then requested to view all redacted and withheld personal data and attended at the AGS office to do so.
An on-site visit took place in which the DPC examined the documents in question. During this visit, the DPC engaged with AGS seeking clarification on the exemptions being applied to the documents that were being redacted or withheld in their entirety. Following this engagement, further personal data was identified for release. As a result of the on-site visit, the individual received additional personal data and AGS gained a greater understanding of how the exemptions can be applied.
Case Studies Disclosure / Unauthorised Disclosure
Processing occupational health data
An individual submitted a complaint to the DPC after a medical facility disclosed their medical data to their employer. The individual had attended the medical facility at the request of their employer, following a long period of sick leave from work. During the consultation at the medical facility, the individual was queried on their past medical history, which was not directly related to their current illness. The medical facility subsequently furnished the individual's employer with a full copy of the consultation notes, including the individual's historical medical data.
In correspondence with the DPC, the medical facility advised that it was its standard practice to share medical data between medical professionals, and that only the minimum data necessary should be shared with an individual's HR department, namely whether the employee is fit or unfit for work. In this instance, the medical facility shared the individual's full medical data with the employer's nurse practitioner, a medical professional, and then further processed that data by sharing the full medical data with the HR department as well.

The medical facility also detailed how the full medical report came to be disclosed to the HR department. It advised that, following a phone call with the individual's employer, a manager within the HR department requested a copy of the medical report detailing the individual's fitness to work. The medical facility stated that it had incorrectly assumed the individual had consented to this request and subsequently furnished the HR department with the full medical data.
Medical data, or personal data concerning health, is a "special category of personal data" under Article 9 of the GDPR and is subject to specific rules, in recognition of its particularly sensitive nature and of the particular risk to the fundamental rights and freedoms of data subjects that processing of such data could create. Processing of medical data is only permitted in the cases provided for in Article 9(2) of the GDPR, in conjunction with a lawful basis under Article 6 of the GDPR. Furthermore, Article 5(1)(f) of the GDPR sets out the principle of integrity and confidentiality, which includes protection against unlawful processing. In this instance, the medical facility advised the DPC that, at the time of the consultation, it had not informed the individual that their medical data would be further processed or disclosed to their employer.

As the medical facility failed to demonstrate a lawful basis for the processing, the DPC determined the processing to be unlawful and not in compliance with the requirements of the GDPR.
Following the conclusion of the data protection complaint, the DPC engaged further with the medical facility in relation to its data protection practices and policies.
Case Studies Purpose Limitation
Processing employee’s personal data from their private email account/emails for disciplinary purposes
Two individuals were employed by an organisation that provides services to primary schools. Upon arrival at work one day, one of the individuals found their personal email account open on a shared computer. A few weeks later, that individual's employment was terminated on foot of disciplinary proceedings. During the course of the proceedings, the individual was presented with printed copies of several emails from their personal email account. The second individual was also dismissed. It became apparent that the organisation had hired a third party to handle the disciplinary proceedings and had provided this third party with copies of the emails the two individuals had sent to each other.

The reason given for the terminations was that both employees had been discussing a business plan that would make them a competitor to their then employer. The emails had been accessed and printed by the employer. Both individuals also made access requests. Following the disciplinary proceedings and the dismissals, the individuals contacted the DPC and made their respective complaints. Both complaints concerned the processing of their personal data from the email exchanges found in the personal email account that one individual had left open on the shared computer, and the subsequent use of that data in disciplinary procedures that resulted in the termination of both staff members' employment.

The DPC began a parallel but separate examination of the complaints by asking the organisation to provide its lawful basis for processing the individuals' personal data from the personal email account and personal emails. The organisation responded that, while searching the email account for client information, it noticed that the account was a personal one and also noticed discussions between the two employees about setting up a competing business. The organisation claimed that it had processed the individuals' personal data in pursuit of a legitimate interest, namely protecting the business and its other employees. The organisation also claimed that the processing was lawful because the individuals had consented to the processing of any and all of their personal data. It argued that this consent had been given when they were provided with a copy of the company privacy notice, which informed them that it would process their personal data (including on all IT equipment and assets), and that the consent was evidenced by their signed contracts of employment.
As regards the organisation's reliance on its employment contracts, company policy and privacy notice to show that the individuals had consented to its use of their personal data, the DPC noted that consent was not a valid lawful basis for processing personal data taken from a personal email account in these circumstances. Additionally, for consent to be valid it must be freely given, specific, informed and unambiguous. Treating the signing of a contract of employment as consent does not meet the criteria required to rely on consent as a lawful basis for processing.

The DPC found that the organisation had infringed the individuals' data protection rights under Articles 5(1)(a), (b) and (f) of the GDPR, which set out the principles of lawfulness, fairness and transparency; purpose limitation; and integrity and confidentiality. Further, the initial accessing and viewing of the individual's personal email account was conducted in breach of their data protection rights, contrary to Articles 32(1) and 32(2) of the GDPR.

The organisation implemented a number of measures to ensure that such an incident would not occur again, including staff training on the GDPR and on IT, internet and email usage, including computer log-in procedures.
Case Studies Disclosure / Unauthorised Disclosure
Excessive sharing of special category data with a third party in order to seek guidance on behalf of an employee
An individual submitted medical documentation to their employer’s disability officer in order to request reasonable accommodations that would support them in performing their work within a public sector organisation. The disability officer was the central point of contact and service provider for all staff with disabilities working for the organisation and the individual had occasionally had reason to contact the disability officer over the course of their employment.
During the course of a particular meeting with the disability officer, the individual discussed their health, other personal data relating to their finances and family circumstances, and their concerns about their options in the event that they were no longer able to continue working. The individual subsequently discovered that, following this meeting, the disability officer had emailed a separate entity that provides support and assistance to employees across a number of similar organisations about the meeting, including details of the individual's personal data and of the matters the individual had disclosed during the meeting, in order to obtain advice. The individual was surprised to discover the extent of what had been shared with the third party without their consent.
Following receipt of a complaint from the individual, the DPC contacted the public sector organisation requesting it to identify the lawful bases under which it had shared the individual’s personal data with the third party. The public sector organisation responded that the third party it had shared the individual’s personal data with was an employee assistance service that provided support to employees on a range of topics. It maintained that the personal data, including special category data, had been processed under Articles 6(1)(d) and 9(2)(c) of the GDPR, “processing is necessary to protect the vital interests of the data subject” as the personal data had been shared with the third party in order to ask for guidance on how best to support the individual.
"Vital interests" refers to tangible life and death situations where life is in immediate or imminent danger, and data controllers seeking to rely on this lawful basis must assess it on a case-by-case basis. This lawful basis does not apply to processing that is performed in the data subject's medium or long term best interests. Following the DPC's examination of the information that was shared, it became apparent that the amount of the individual's personal data shared was excessive in relation to the purpose it sought to serve.

Data controllers are reminded that, even when acting in the best interests of the data subject, all processing of special category data requires enhanced security and confidentiality measures that data controllers are obliged to meet. Vital interests will only be a valid lawful basis where there is an immediate, demonstrable threat to life; no such threat existed in this case.
In this instance, the public sector organisation initially considered that sharing this personal data with a third party service provider for the purposes of providing the best advice to the individual was compatible with the original purposes for which it was processed. However, on review of the personal data shared the public sector organisation conceded it had shared an excessive amount of un-redacted personal data in order to achieve its purposes. An anonymised description of the individual’s circumstances could have achieved the same purpose without sharing the individual’s personal and special category data.
Furthermore, the public sector organisation provided no evidence demonstrating that the individual had been made aware, at the time, that their personal data could be shared with third parties in order to procure advice on their behalf. Following the DPC's examination of this complaint, the public sector organisation revised its disability service information notices in order to fulfil its transparency requirements and provided appropriate training for staff to ensure that unnecessary sharing of this type would not recur.
Case Studies Disclosure / Unauthorised Disclosure
Disclosure of an employee’s special category data by their employer to a third party services provider, without the employee’s consent
An individual submitted an access request to their employer, a SME business-to-business service provider. Based on the documentation provided by the organisation to the individual in response, the individual submitted a complaint to the DPC alleging that the organisation unlawfully disclosed their personal data, including special category data, to a third party, a Human Resources Service Provider (HR provider).
When examining the information provided it became apparent to the DPC that the organisation had engaged the HR provider to investigate an allegation of bullying made by the individual against a co-worker. The organisation provided various categories of the individual’s personal data to the HR provider, including the individual’s personal contact details, medical data and a letter confirming the individual’s fitness to partake in the alleged bullying investigation.
The individual provided evidence to the DPC proving that they had asked the organisation not to disclose their personal data to a third party and claimed that they were not informed that their personal data had been provided to the third party.
As part of the examination of the complaint, the DPC sought to establish if the organisation had a valid lawful basis for disclosing the individual’s personal data and special category data to the HR provider in line with Article 6 and Article 9 of the GDPR. The DPC also sought to establish whether the personal data disclosed to the HR provider was relevant and limited to what is necessary for the purposes for which they were processed, in accordance with the principle of data minimisation under Article 5(1)(c) of the GDPR.
From its responses to the DPC, it appeared that the organisation relied on Articles 6(1)(b) (contract), 6(1)(c) (legal obligation) and 6(1)(f) (legitimate interests) of the GDPR as the lawful bases for disclosing the individual's personal data to the HR provider.

The organisation stated that it had legitimate reasons to provide the personal data and medical data to the HR provider under the terms of the individual's contract of employment, and that the individual had consented to take part in the investigation of the alleged bullying. Further, the organisation stated that the HR provider had requested that it obtain from the individual a doctor's letter confirming that the individual was fit to take part in the investigation.

The DPC accepted that provision of certain categories of the individual's personal data to the HR provider would be necessary under the terms of their employment contract, in line with Article 6(1)(b) of the GDPR. However, the organisation failed to identify the legal obligation to which it claimed to be subject, as required to rely on Article 6(1)(c) of the GDPR as a lawful basis for processing the personal data. The organisation also failed to provide evidence that it had conducted a balancing test under Article 6(1)(f) of the GDPR before providing the individual's personal data to the HR provider. Additionally, the organisation failed to identify a lawful basis under Article 9 of the GDPR for disclosing the individual's medical data.
The DPC engaged with the organisation further to ensure that going forward it was aware of its obligations under the GDPR in relation to the lawful bases for processing.
Case Studies Transparency
Sharing personal data with third parties without consent
An individual was owed a debt by the Estate of a deceased person. The individual wrote to the law firm representing the Estate to relay that they were no longer interested in pursuing the debt owed to them by the Estate. The law firm subsequently shared this letter with third parties, namely the executors and other beneficiaries of the Estate. The individual became aware that a copy of their letter had been shared and contacted the law firm asking why it had been shared without their consent. The law firm replied that, as the individual had voluntarily written to it to decline any claim on the Estate, it had assumed it had the individual's consent to share the letter with third parties for the purpose of disclosing that the individual's claim on the Estate was now defunct. It also advised that the individual had given their consent for their personal data, including their name and address as well as the letter itself, to be shared with third parties. The individual was unhappy with this response and therefore contacted the DPC to make a complaint.

The DPC requested the law firm to outline the lawful basis under which it had shared the individual's letter with third parties. It replied that it had shared the letter as part of its contract to administer the Estate of the deceased. Furthermore, the law firm claimed that, because the individual had voluntarily written the letter, it had inferred consent to process the individual's personal data, as the letter formed part of the claims on the Estate. It also claimed that it had been acting in the best interests of the individual by informing the third parties that they were no longer involved in the matter.
Under Article 7(1) of the GDPR data controllers, when relying on consent as a lawful basis for processing personal data, must be able to demonstrate that the data subject has consented through a clear affirmative act in a freely given, specific, informed and unambiguous manner (as per Article 4(11) of the GDPR). The law firm was unable to demonstrate that it had secured the individual’s consent for it to process their personal data in the manner described.
The DPC engaged with the law firm further to ensure that going forward it was aware of its obligations under the GDPR in relation to the lawful bases for processing. In this case it was sufficient for the law firm to inform its clients and other third parties that the individual had relinquished their claim and therefore it was unnecessary to share the correspondence itself.
Case Studies CCTV
Use of CCTV to monitor waiting area without adequate transparency measures
An individual was employed at a medical practice, which used CCTV footage of the waiting room to assess patient waiting times. When the medical practice was reviewing the CCTV footage in the presence of the employee, the employee realised that their image had been recorded by the CCTV system throughout their employment without their knowledge. The individual tried to resolve the issue with the medical practice but was ultimately dissatisfied with the response they received and contacted the DPC to make a complaint.
The DPC contacted the medical practice to enquire about its legal basis for processing personal data in this manner. The medical practice advised that it had a CCTV policy in place prior to the individual commencing employment with it and that the purpose of the CCTV system was to ensure the health and safety of staff and clients of the medical practice. Having requested a copy of the CCTV policy, upon review the DPC noted that it was drafted prior to the introduction of the GDPR and had not been updated since.
Having engaged with the individual, the DPC established that, when they first joined the practice, they had not been made aware that CCTV was constantly in operation, including in the areas where they worked. There was one small sign on the entrance door of the practice stating that CCTV was in operation, but the sign did not indicate that the CCTV cameras were recording inside the practice building.
During the course of the DPC’s examination of the complaint the medical practice adopted measures to restrict the recording by the system so that it would no longer be in operation during business hours.
In this instance, the DPC found that the medical practice did not provide a valid lawful basis under Article 6 of the GDPR for this type of monitoring. Furthermore, the medical practice did not fulfil its transparency obligations under Article 13 of the GDPR, as it did not inform individuals at any point that the CCTV system would process their personal data, by recording their image, whilst in the practice.
In light of the medical practice's voluntary restriction of the CCTV cameras to operating outside business hours only, the DPC engaged with the medical practice and provided recommendations and guidance on the use of CCTV. On foot of this engagement, the medical practice increased the size and number of the signs informing staff and patients of the use of CCTV and added the contact details of the data controller, in compliance with its obligations.
Case Studies CCTV
Failure to respond to a request for CCTV footage
The DPC received a complaint from an individual who had made an access request to a transport company, seeking a copy of CCTV footage of an accident they were involved in with one of the transport company's buses. The individual did not receive a response to this request.
The DPC contacted the Data Protection Officer (DPO) for the transport company and informed them of the complaint.
The DPC reminded the transport company of its GDPR obligations, drawing its attention to Article 12(3) of the GDPR, which obliges organisations to respond to an individual's access request without undue delay and in any event within one month of receipt (extendable by a further two months where necessary, having regard to the complexity and number of the requests). As part of the engagement, the DPC stipulated a timeline for the transport company to respond to the individual and provide them with a copy of the CCTV footage. The transport company complied with the DPC's direction and the individual confirmed that they had received the requested personal data.