Case Studies Access Request Complaints

 

Processing in the context of a workplace investigation

The complainant was involved in a workplace investigation arising out of allegations made by the complainant against a colleague. The complainant’s employer appointed an independent consultancy firm to carry out the investigation and the findings of the consultancy company were subject to a review by an independent panel.

After the conclusion of the workplace investigation, the complainant made a data access request to their employer and a number of documents were provided in response to this request. However, the complainant was of the view that the request was not responded to fully. For example, the complainant claimed that the witness statements (that had been taken during the investigation) that were provided to the complainant were factually incorrect and that certain documents were not provided to the complainant (such as access logs to the complainant’s personnel files). The complainant further alleged that their employer had disclosed details of the complainant’s work performance, sick leave arrangements and copies of the complainant’s pay slips to the complainant’s colleagues. Finally, the complainant claimed that their employer had failed to comply with the complainant’s requests for rectification of the witness statements (which the complainant alleged were factually incorrect).

It was established that the complainant’s employer was the data controller as it controlled the complainant’s data in the context of the workplace investigation. The data in question consisted of the complainant’s payroll information, information relating to the complainant’s sick leave and witness statements relating to the complainant. The data was personal data because it related to the complainant as an individual and the complainant could be identified from it.

In response to the complainant’s allegation that their access request was not responded to fully, the data controller stated that, in relation to the witness statements, the complainant was provided with the copies of the original witness statements that were held on the complainant’s file. In relation to the access logs, the data controller was of the view that these did not constitute personal data (because they tracked the digital movement of other employees on the data controller’s IT systems).

In relation to other miscellaneous documents that the complainant alleged had not been received, the data controller indicated that, if the complainant could specify details of these documents, it would consider the complainant’s allegation further.

Regarding the complaint that the data controller had disclosed details of the complainant’s work performance to colleagues of the complainant, the data controller argued that the complainant’s performance would have been discussed with the complainant’s managers and therefore was disclosed for legitimate business reasons. Regarding the complaint around disclosure of details regarding the complainant’s sick leave, the data controller noted that it was not aware of any such disclosure. Finally, in relation to the allegation that the complainant’s payslips were disclosed, the data controller argued that they were provided to an employee of the data controller to be reviewed in the context of a separate case taken by the complainant.

The complainant also made a request for rectification of witness statements, which the complainant alleged were factually incorrect. However, the data controller advised that what was recorded in the witness statements represented the views of the people involved and, on this basis, refused to amend the witness statements.

The DPC was of the view that there were five issues to be examined by it in relation to the complaint. The DPC’s view on each of these issues is summarised below (under headings representing each of the five issues).

 

Access request

The DPC noted that the complainant had made a valid access request. However, having considered the matter, on balance, the DPC was of the view that there was no evidence available to suggest that the data controller unlawfully withheld information. The DPC noted, however, that the complainant’s data access request had not been dealt with in the timeframe required under the legislation. In this regard, the data controller had committed a data protection breach.

Under Article 12(3) of the GDPR, a data subject has a right to obtain from a data controller access to personal data concerning him or her, which are being processed. The data controller must respond to a subject access request without undue delay and in any event within one month of receipt of the request.

 

Alleged unauthorised disclosure of the complainant’s personal data

Controllers must have a lawful basis under data protection legislation to process personal data, including the disclosure of that data to a third party. In relation to the disclosure of details regarding the complainant’s work performance, the DPC was of the opinion that such processing was lawful as it was for legitimate business reasons. Regarding the issue of disclosure of sick leave details, the DPC concluded that it did not have sufficient information relating to the alleged incident in order to determine whether a breach of the legislation had occurred. In relation to the disclosure of the complainant’s payslips, the DPC was of the view that the disclosure was lawful. This was because the payslips were disclosed in order to assist the data controller in defending a separate legal claim brought against it by the complainant.

Under Article 6 of the GDPR, a data controller is required to have a legal basis for processing (including disclosing) any personal data. The available legal bases for processing include (a) that the data subject has given consent, (b) that the processing is necessary for the performance of a contract to which the data subject is a party, (c) that the processing is necessary for compliance with a legal obligation to which the data controller is subject, (d) that the processing is necessary in order to protect the vital interests of an individual, (e) that the processing is necessary for the performance of a task carried out in the public interest, or (f) that the processing is necessary for the purposes of legitimate interests pursued by the data controller or by a third party.

 

Fair processing

There is an obligation on data controllers to process personal data fairly. During the course of its investigation, the DPC asked the data controller to confirm how it complied with its obligations to process the complainant’s data in a fair manner, in relation to each of the alleged disclosures of the complainant’s personal data. The data controller failed to provide the information required and, in these circumstances, the DPC considered that the data controller failed to process the complainant’s data in line with fair processing obligations.

Under the GDPR, personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. That principle requires that the data subject be provided with certain information under Articles 13 and 14 of the GDPR in relation to the existence of the processing operation and its purposes. Data subjects should be made aware of risks, rules, safeguards and rights in relation to the processing of their personal data. Where personal data can be legitimately disclosed to another recipient, data controllers should inform the data subject when the personal data are first disclosed of the recipient or categories of recipients of the personal data.

 

Right to rectification

Under Data Protection legislation, there is a right to rectification of incorrect personal data. However, here the data controller had confirmed that what was recorded in the witness statements represented the views of the people involved. The view was taken that where an opinion is correctly recorded and where the opinion is objectively based on matters that the person giving the opinion would reasonably have believed to be true, the right to rectification does not apply.

Under Article 5 of the GDPR, personal data being processed must be accurate and, where necessary, kept up to date and data controllers are required to ensure that every reasonable step is taken to ensure that personal data that are inaccurate, having regard to the purpose for which they are processed, are erased or rectified without delay. Under Article 16 of the GDPR, a data subject has the right to obtain from a data controller without undue delay the rectification of inaccurate personal data concerning him or her. However, under section 60 of the Data Protection Act 2018, this right is restricted to the extent that the personal data consist of an expression of opinion about the data subject by another person given in confidence or on the understanding that it would be treated as confidential to a person who has a legitimate interest in receiving the information.

 

Retention of the complainant’s personal data

The DPC asked the data controller to outline the legal basis for the retention (i.e. processing) of the complainant’s personal data relating to the workplace investigation. The data controller advised that this data was being retained in order to deal with the complainant’s requests and appeals under various statutory processes. On this basis, the DPC was of the view that the retention of the complainant’s personal data was lawful as it was for legitimate business reasons.

Under the GDPR, not only must a data controller have a lawful basis for initially obtaining an individual’s personal data, but it must also have an ongoing legal basis for the retention of those data in accordance with Article 6, as set out above. Under Article 5(1)(e) of the GDPR, personal data which is in a form permitting the identification of data subjects must be kept for no longer than is necessary for the purposes for which they are processed.


 

Access requests and legally privileged material

This complaint concerned an alleged incomplete response to a data subject access request. The background to this complaint was that the complainant had submitted an access request to the trustees of a pension scheme (the “Trustees”). As part of its response to the access request, the Trustees referred to a draft letter relating to the complainant; however, this draft letter was not provided to the complainant.

It was established that the Trustees were the data controller as they controlled the contents and use of the complainant’s personal data for the purposes of the complainant’s pension. The data in question consisted of (amongst other things) information about the complainant’s employment and pension and was personal data because it related to the complainant as an individual and the complainant could be identified from it.

The data controller sought to argue that the draft letter was legally privileged and that therefore the data controller was not required to provide it to the complainant. The DPC sought further information from the data controller regarding the claim of legal privilege over the draft letter. In response, the data controller did not clarify the basis on which privilege was asserted over the draft letter; however, it agreed to provide the data to the complainant.

It was decided therefore that the data controller had failed to establish an entitlement to rely on the exemption in respect of legally privileged data. Accordingly, the letter should have been provided to the complainant in response to the complainant’s access request within the timeframe set out in the legislation.

Under Article 15 of the GDPR, a data subject has a right to obtain from a data controller access to personal data concerning him or her, which are being processed. The data controller must respond to a data subject access request without undue delay and in any event within one month of receipt of the request. However, the right of access to one’s personal data does not apply to personal data processed for the purpose of seeking, receiving or giving legal advice or personal data in respect of which a claim of privilege could be made for the purpose of or in the course of legal proceedings. Where a data controller seeks to assert privilege over information sought by a data subject under Article 15, the DPC, examining a complaint in relation to the refusal, will require the data controller to provide considerable information, including an explanation as to the basis upon which the data controller is asserting privilege, so that the validity of the claim can be properly evaluated.


 

Confidential expressions of opinion and subject access requests

This complainant made a data subject access request to their employer. However, the complainant alleged that their employer omitted certain communications from its response, wrongfully withheld data on the basis that it constituted an opinion given in confidence and did not respond to the request within the required timeframe as set out in the legislation.

The complainant’s employer was the data controller as it controlled the contents and use of the complainant’s personal data for the purposes of managing the complainant’s employment. The data in question consisted of the complainant’s HR file and data regarding the administration of the complainant’s employment. The data was personal data because the complainant could be identified from it and the data related to the complainant as an individual.

During the course of the examination of the complaint, the data controller identified additional documents containing the complainant’s personal data and provided these to the complainant. In relation to the document which the data controller had asserted constituted an opinion given in confidence, during the course of the investigation of this complaint, the individual who had expressed the opinion in question consented to the release of the document to the complainant, and so the document was provided by the data controller to the complainant.

Data protection legislation provides a right of access for a data subject to their personal data and, further, that access must be granted within a certain timeframe. Having investigated the complaint, the DPC was satisfied that the data controller had carried out appropriate searches and had provided the complainant with all the personal data which the complainant was legally entitled to receive.

The documents provided by the data controller to the complainant during the course of the examination of this complaint should have been furnished to the complainant within the timeframe provided for in the legislation.

Key Takeaway

  • Under Article 15 of the GDPR, a data subject has a right to obtain from a data controller access to personal data concerning him or her, which are being processed.
  • The data controller must respond to a data subject access request without undue delay and in any event within one month of receipt of the request. However, section 60 of the Data Protection Act 2018 provides that the right of access to personal data does not extend to data which consist of the expression of opinion about the data subject by another person given in confidence or on the understanding that it would be treated as confidential to a person who has a legitimate interest in receiving the information.


 

Obligation to give reasons when refusing to provide access to personal data

This complainant previously owned a property in a development managed by a management company. The complainant made a data access request to the management company but was of the view that the data controller failed to provide all of the complainant’s personal data in its response.

The management company was determined to be the data controller, as it controlled the contents and use of the complainant’s personal data for the purposes of its role as a management company in respect of a development in which the complainant had owned a property. The data in question consisted of (amongst other things) the complainant’s name and address. The data was personal data as the complainant could be identified from it and it related to the complainant as an individual.

During the course of the DPC’s examination of the complaint, the data controller provided a description of a document containing the complainant’s personal data that was being withheld on the basis that it was legally privileged. This document had not been referred to in the data controller’s response to the complainant’s access request. It was noted that the data controller should have referred to this document and the reason(s) for which it was refusing to provide the document to the complainant in its response to the complainant’s access request.

The DPC also considered whether the data controller had supplied the complainant with all of their personal data, as required by legislation. The DPC noted that the complainant had provided specific and detailed descriptions of data they believed had not been provided. In response, the data controller stated that it did not retain data relating to matters that it considered to be closed and had provided the complainant with all of their personal data held by the data controller at the date of the access request. The office was of the view that it was credible that the data controller would not retain personal data on an indefinite basis. The DPC was satisfied that the data controller had provided the complainant with all of their personal data (with the exception of the document over which the data controller had asserted legal privilege, as set out above). For that reason, no further contravention of the legislation had occurred.

Under Article 15 of the GDPR, a data subject has a right to obtain from a data controller access to personal data concerning him or her which are being processed.

However, this right does not apply to personal data processed for the purpose of seeking, receiving or giving legal advice, or to personal data in respect of which a claim of privilege could be made for the purpose of or in the course of legal proceedings (Section 60(3)(a)(iv) of the Data Protection Act 2018). Where a data controller refuses to comply with a request for access to personal data, however, it is required under Article 12 of the GDPR to inform the data subject without delay of the reasons for this refusal.


 

Access to CCTV footage

This complaint concerned an alleged incomplete response to a subject access request for CCTV footage made by the complainant to an educational institution. The complainant advised that they were the victim of an alleged attempted assault. The complainant requested access to CCTV footage from the time the alleged assault happened, in particular in relation to a specific identified time period from two different camera angles.

In response to the request by the organisation, a select number of stills from the CCTV footage relating to one camera were provided to the complainant. The complainant requested to be provided with a still for every second of the recording in which the complainant’s image appeared. The response received from the educational institution was that all “significant” footage, in the opinion of the controller, had been provided and as the CCTV cameras were on a 30-day recording cycle, the footage had since been recorded over. The controller clarified that it did not store any footage unless there was a “lawful requirement” to do so.

The DPC noted that, when a valid access request is made to a data controller, the request must be complied with by the data controller within a certain period. (Under Article 12(3) of the GDPR, this is generally set at one month.) The right of access to personal data is one of the key fundamental rights provided for in data protection legislation. In the context of access requests to CCTV footage, the data controller’s obligation to provide a copy of the requester’s personal data usually requires providing a copy of the CCTV footage in video format. Where this is not possible, such as where the footage is technically incapable of being copied to another device, or in other exceptional circumstances, it may be acceptable to provide a data subject with stills as an alternative to video footage. However, in such circumstances where stills are provided, the data controller should provide the data subject with a still for every second of the recording in which the data subject’s image appears and an explanation of why the footage cannot be provided in video format. The controller should also preserve all footage relating to the period specified until such time as the requester confirms that they are satisfied with the response provided.

As the data controller had not provided the complainant with either the CCTV footage requested or a complete set of the stills relating to the specified period, the data controller failed to comply with its obligations in relation to the right of access, both from a time perspective (Article 12(3)) and regarding the provision of a full and complete set of personal data processed by the controller (Article 15).


 

Failure to respond fully to an access request

During the course of the investigation of this complaint, the complainant alleged that the files made available to the complainant by the data controller at its premises did not constitute all the personal data concerning the complainant that was held by the data controller.

However, the data controller was of the view that the access request made by the complainant was limited to personal data held in relation to two planning applications due to the reference numbers for the planning applications being quoted by the complainant on the complainant’s access request. Accordingly, the data controller sought to distinguish between personal data relating to the publicly available planning files, which were supplied to the complainant at a public viewing, and personal data created following the refusal of the complainant’s planning application, which the data controller considered to be outside the scope of the access request.

While the complainant mentioned two specific planning applications, the access request was expressed in general terms and sought access to “any information you keep about me electronically or in manual form”. Accordingly, it was considered that the personal data sought by the complainant included all data that arose in the context of the complainant’s engagement with the data controller prior to submitting the two identified planning applications and all data that arose after those applications were refused.

The data controller, due to the specific circumstances of the case, contravened its data protection obligations when it failed to supply the complainant with a complete copy of the complainant’s personal data in response to the access request within the statutory period. Under GDPR, Article 15 relates to the right of access by the data subject to personal data relating to them that the controller holds. Article 12(3) sets out the condition under which a controller must provide said personal data. There is an onus on a controller to provide information on the action taken under such a request without undue delay and in any event within one month of receipt of the request. There are also conditions set out in this article that provide for this timeframe to be extended.


 

Failure to respond to an Access Request

The DPC received a complaint from an individual regarding a subject access request made by him to an organisation (the data controller) for a copy of all information held regarding his engagement with the data controller. The individual did not receive a response to this request. The DPC intervened to see if the matter could be informally resolved.

The complainant was in particular not satisfied with the fact that certain documents had not been provided in response to his access request. The position of the data controller was that the documents were not provided as the personal data had been provided “in another format”. Data protection access rights are not about access to documents per se. They are about access to personal data. An access request may be fulfilled by providing the individual with a full summary of their data in an intelligible form. The form in which it is supplied must be sufficient to allow the applicant to become aware of the personal data being processed, check they are accurate and being processed lawfully. Having examined what data the controller did provide in this case, the DPC was satisfied to advise the complainant that he had been provided with all of the data to which he was entitled under data protection legislation.


 

Exemptions applied to CCTV footage

The DPC received a complaint from an individual regarding an access request made to the data controller, a retailer. The solicitors acting for the individual in relation to a personal injury claim had submitted the access request relating to a two-week period when the alleged incident had taken place. They were seeking records of the incident to include CCTV footage. Data was released but the individual identified that the CCTV footage, the accident report form and witness statements had not been released. In responding to the individual’s query in relation to these items, the data controller advised they were restricting access to the items as it was necessary to avoid any obstruction or impairment of the legal proceedings and/or operation of legal privilege.

This complaint was identified as potentially being capable of amicable resolution under Section 109 of the Data Protection Act 2018, with both the complainant and data controller agreeing to work with the DPC to try to amicably resolve the matter.

The DPC advised the data controller to prepare a list, which would document any items which the organisation was applying an exemption to, while also documenting the exemption on which they were relying. On receipt of the list, the DPC probed the exemptions being used and looked for the organisation to demonstrate how they had ensured the restriction was necessary and proportionate. The DPC also looked for samples of the documents to be released so we could examine how the exemptions were being applied.

Upon investigation, the DPC identified that the documents did contain some personal data of the individual and requested the data controller to release them with relevant redactions. In relation to the CCTV footage, the DPC stated that the primary reason for capturing the data was for security purposes and not for the defence of a litigation claim and therefore requested the footage be released to the individual with relevant redactions. The DPC accepted the remaining exemptions were being validly applied as provided by the legislation.


 

Request for footage from online meeting

An individual participated in a Zoom meeting that was recorded by the data controller. This was the sporting club’s Annual General Meeting (AGM). The individual made an access request for a copy of this recording. The data controller refused the request stating that it did not fall within the remit of GDPR. The individual believed the data contained in the recording was their personal data. The data controller stated the video recordings of the AGM were no longer accessible due to corruption while saving and the inexperience of the data controller in employing this remote video hosting software. However, they stated the minutes of the meeting would be available for viewing within a space of weeks.

At this time, the DPC proposed the conclusion of this case in light of the apparent inaccessibility of videos sought by the individual, but the individual did not agree with this approach, stating that video conferencing used during the AGM had been common practice for the data controller for some time and so it seemed unlikely to the individual that the difficulties described by the data controller would have occurred. Upon further questioning by the DPC, the data controller confirmed that video footage was in fact available, but advanced Article 15(4) of GDPR as a reason for its restriction. The data controller was now stating that the video footage of third parties visible in the recording could be considered third-party data and the individual was not entitled to this. However, they were willing to provide written transcripts of the footage to the individual. The DPC contested this, coming to the opinion that, in light of the public nature of the original recordings, as they were part of an AGM, they were made with the participant’s understanding that they could be considered accessible at a later date.

Further issues arose when the individual received written transcripts of the video. The individual claimed that the transcripts were inaccurate and did not reflect the contents of the original video.

In light of this, the DPC contacted the data controller once again, both highlighting the DPC’s opinion regarding the advancement of Article 15(4) and seeking sight of the video from which the transcript had been made. The data controller provided the audio of the video only. Upon assessment, it was clear that the transcript was an accurate reflection of the video’s audio content. The DPC recommended that in order to facilitate an amicable resolution at this stage the data controller should release the same audio content, previously provided to the DPC, to the individual. The data controller complied, but the individual was still not satisfied, once again restating their request for sight of the video content. Upon further request by the DPC to state the exemption it relied on to restrict access to the video content, it was decided by the data controller to release the full video content to the individual. The DPC did not receive a copy of the full video content, and so was unable to directly assess whether there was any disparity between it and the audio provided. However, upon confirmation of its receipt, the individual stated they were satisfied with its content and thus this matter was concluded amicably.

The above case involved extensive communication between the DPC, the data controller and the individual. This matter could have been resolved by the data controller if they had released the requested video footage on receipt of the access request. If the data controller was aware of its obligations under GDPR in the first instance then this case would not have been lodged with the DPC.


 

Requests for identification when responding to access requests (Amicable Resolution)

A complaint was received from an individual who had submitted an access request to a hotel (the data controller) for a copy of all information relating to them. The hotel asked the requester to provide a copy of a utility bill and a copy of photo ID verified by An Garda Síochána. The DPC asked the data controller to set out the particular concerns it had regarding the identity of the requester in circumstances where the postal address and email address being used by the requester were the same as those provided by them during the booking and check-in process at the hotel. The data was subsequently released to the requester.

In relation to the general approach to requesting ID where data subjects seek to exercise their rights, controllers should only request the minimum amount of further information necessary and proportionate in order to prove the requester’s identity. Seeking proof of identity would be less likely to be appropriate where there was no real doubt about identity; but where there are doubts, or the information sought is of a particularly sensitive nature, then it may be appropriate to request proof.

Bearing in mind the general principle of data minimisation, seeking more information than that already held as a means of proving identity is likely to be disproportionate. A request for official ID is only likely to be proportionate to validate identification where the category of information relating to that individual is sensitive in nature and where the information on the official ID can be corroborated with the personal data already held by the data controller such as a photo, address or date of birth.

The categories of personal data held and the likelihood of the risks associated with its release should be considered on a case-by-case basis to determine the minimum level of information required. Where no special category personal data is held, confirmation of address may be sufficient.

 

Key Takeaway

  • In cases where there is in fact special category personal data, additional information may be proportionate but only that which would be sufficient to confirm identity, having regard to the data already being processed.