In November 2018, we received a complaint from a data subject in relation to an access request for his personal data comprising CCTV footage for a particular time and date, made to a golf club, the data controller.

The data subject provided us with initial correspondence from the golf club asking him why he required the footage and subsequent correspondence informing him that it had discovered a problem with the CCTV system software and was unable to provide him with the requested footage .

This complaint was deemed potentially capable of being amicably resolved under Section 109 of the Data Protection Act 2018 .

As part of the amicable resolution process, we sought an explanation from the golf club as to why the requested CCTV could not be provided to the complainant . The golf club informed us that its CCTV system was not operational on the date for which the data subject had requested footage, and that this had only been discovered when it sought to comply with the access request . The DPC was not satisfied with the generality of this explanation and required a more detailed written explanation on the issues affecting the CCTV, which could also be shared with the complainant . In response to this request, we were supplied with a letter from the golf club’s security company that outlined the issues with the CCTV system, including the fact that the hard drive on the CCTV system had failed and that the system had not been in use for some time. The DPC was satisfied with the technical explanation provided and golf club agreed that this letter could be shared with the complainant. The complainant was satisfied with the explanation, leading to an amicable resolution.

Each year the DPC receives numerous queries and complaints from various individuals complaining specifically about the use of CCTVs in restroom areas by various organisations such as public houses, nightclubs, restaurants and transport depots. More particularly, the complaints allege that the cameras are pointing over specific areas in restrooms where there is an increased expectation of privacy, such as over cubicles or urinals.

While, the DPC has engaged with organisations on a one-to-one basis, the issue of the lawfulness of the processing of personal data by way of CCTVs in restrooms needs to be considered more generally. Consequently, the DPC has examined these issues further and updated its Guidance on CCTVs for Data Controllers by including a specific section on ‘The use of CCTV in areas of an increased expectation of privacy.

An individual raised a concern with their employer in the beauty industry regarding what they believed was excessive use of CCTV cameras in the workplace. The individual stated that they were not informed that the cameras were being installed and had concerns that the devices were capable of recording both audio and video. In response to their concerns, the organisation advised the individual that the cameras were installed for the safety of staff and that no audio was recorded.

The individual then submitted a complaint to the DPC as they were dissatisfied with the response received from the organisation. As part of its examination, the DPC queried the organisation on the alleged audio recordings via the CCTV cameras. The organisation provided the DPC with evidence in the form of a letter from the CCTV system supplier, which confirmed that the cameras did not have audio recording capability.

Regarding the background as to why the organisation made the decision to install CCTV cameras, the organisation informed the DPC that it initially installed the cameras following a series of security issues including incidents of theft. However, it also stated that the cameras were installed for the safety of staff when working alone. Whilst the individual claimed that they were unaware the cameras had been installed, the organisation stated that the cameras had been in place for three years prior to the individual making a complaint to the DPC and that the individual had provided training to the staff in relation to same.

The organisation cited a number of lawful basis for the processing of data in this manner, including Article 6(1)(d) of the GDPR as its lawful basis stating that the cameras are necessary to protect the vital interests of its staff. Article 6(1)(d) of the GDPR states that the processing of personal data shall be lawful if ‘processing is necessary in order to protect the vital interests of the data subject or of another natural person’. It further cited Article 6(1)(f) of the GDPR which states that processing shall be lawful if ‘processing is necessary for the purposes of the legitimate interests pursued by the controller...’ as the organisation has a legitimate interest in the security of the workplace, safety of staff and prevention of crime.

In response the DPC informed the organisation that Article 6(1)(d) of the GDPR may only be relied upon by an organisation where the processing of personal data is necessary to protect a person’s life or mitigate against a serious threat to a person. As such, the DPC advised the organisation that it could not rely on Article 6(1)(d) of the GDPR as its lawful basis for the use of CCTV cameras in the workplace. Regarding its reliance on Article 6(1)(f) of the GDPR, the organisation confirmed that it had conducted a legitimate interest balancing test prior to the installation of the CCTV cameras. The organisation further stated that the processing was limited to what is necessary and cited its requirement for safety purposes. It stated that footage was retained for a period of 20 days and had put in place access controls to the footage.

Following its examination of the complaint, the DPC found that the organisation had demonstrated a valid lawful basis for the processing of personal data by means of CCTV cameras under Article 6(1)(f) of the GDPR.

An individual contacted the DPC after an energy service provider further processed their personal data by sharing it with a third party (data processor), a debt collection agency. According to the individual, they had completed the contract with the service provider and had received their final invoice for the services provided. The individual disputed some of the charges on the invoice; however, they did not receive a response from the service provider and were subsequently contacted by a debt collection agency.

As part of the complaint handling process, the DPC contacted the service provider and questioned the lawful basis it was relying on under Article 6 of the GDPR for sharing the individual’s personal data the debt collection agency. The service provider stated that its lawful basis for processing the individual’s personal data was Article 6(1)(b) of the GDPR which states that processing shall be lawful if the ‘processing is necessary for the performance of a contract to which the data subject is party…’. The service provider further explained that the individual’s invoice dispute related to an ‘early exit fee’ which was applied to the invoice as the individual had cancelled the contract with the service provider prior to the agreed contract length. The service provider also advised that its terms and conditions stated that should a customer break the contract with the service provider, they would be charged an exit fee. The service provider further advised that the individual agreed to its terms and conditions when they registered with the service provider.

However, the service provider also informed the DPC that it had failed to record the individual’s dispute of the invoice. This failure to record the dispute resulted in the individual’s personal data being shared with a third party incorrectly. The service provider acknowledged that it had not followed its own internal procedures for dealing with disputed debts and that this was a result of human error.

Although the service provider would normally have a lawful basis for the processing of an individual’s personal data by sharing in the circumstances of this case, by not following the correct internal procedures, the service provider incorrectly processed the individual’s personal data by providing their details to the third party, the data processor.

Accordingly, the service provider failed to demonstrate its compliance with a key principle of the GDPR, processing personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, using appropriate technical or organisational measures, in accordance with Article 5(1)(f) of the GDPR (‘integrity and confidentiality’).

The service provider should have had regard to Article 25 of the GDPR (‘Data protection by design and default’), in ensuring that the appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed, are in fact followed by all staff members.

The DPC recommended to the service provider that where there is a live dispute on the account it should ensure that its staff are aware of the internal procedure to document the dispute so that accounts are not referred to a debt collection agency until the dispute is resolved or closed.

An individual submitted a Freedom of Information (‘FOI’) request to their former employer, a State Agency. Once in receipt of the response to the FOI request, the individual became aware that the State Agency had disclosed their financial data and special category personal data, namely health data, to a connected third party. The individual subsequently submitted a complaint to the DPC in relation to this disclosure.

The DPC was tasked with examining whether the State Agency had lawfully processed, in a non-excessive manner, the individual’s personal data when a staff member of the State Agency disclosed the individual’s health and financial data to a connected third party.

In the circumstance of this case, the individual had communicated with a member of the Human Resources (‘HR’) department in their official capacity, highlighting issues connected with the individual’s health, financial status and personal life. Due to issues connected to the individual’s health, they were regularly in contact with the HR staff member in their official capacity.

Following a meeting between the individual and the HR staff member, the HR staff member emailed a summary of what was discussed with a connected third party i.e. a member of the Civil Service Employee Assistance Service (‘CSEAS’). The CSEAS provides an internal Employee Assistance Programme to civil service staff, which employees can refer to by contacting the service. It is a shared service utilised by all State Agencies for the benefit of all employees, promoting employee wellness and organisational effectiveness.

During the examination of this complaint, the State Agency stated that the processing of the personal data, the sharing of the individual’s personal data by the HR staff member to the CSEAS member, was lawful as the individual shared the personal data freely with the HR staff member, accordingly they had consented to the processing; the overlapping services and consultation between the HR staff member and the CSEAS in relation to an employee would be normal; both the HR staff member and the CSEAS member operate under strict confidentially in the performance of their duties; and what the individual shared with the HR staff member was so concerning, that the HR staff member had to urgently disclose it to the CSEAS member in order to seek appropriate guidance, and support to assist the individual. Accordingly, the State Agency’s position was that there were no prohibitions on the disclosure.

Notwithstanding, the HR staff member had a genuine concern for the health and welfare of the individual, the DPC found that the circumstances did not fit the urgency associated with protecting life rather the processing occurred as the HR staff member sought direction and guidance from the CSEAS member to urgently deal with the issues raised by the individual.

The DPC also found that the State Agency could not rely on having obtained the consent of the individual to process their personal data in this manner, as although the individual shared the personal data freely with the HR staff member, they did not consent to the HR staff member disclosing this personal data to the CSEAS member.

The State Agency did not provide any other lawful bases for the processing. The DPC found that the State Agency did not have a lawful basis for the processing and accordingly, the processing was unlawful.

In consideration of the principles relating to processing of personal data the DPC found that the State Agency obtained the personal data for a specified, explicit and legitimate purpose, namely to provide the individual with HR assistance with the issues they had raised with HR. Similarly, considering the connected relationship between the HR staff member in their official capacity and the CSEAS member, the sharing of the individual’s personal data was not further processed in a manner that was incompatible with the purpose for which it was obtained, as it was disclosed in order to provide the individual with assistance regarding the issues raised, which included employee wellness.

However, the DPC found that the State Agency disclosed an excessive amount of personal data than what was required in order to seek, and provide, assistance to the individual. Accordingly, the State Agency did not adhere to the principle of data minimisation, and this was identified and accepted by the State Agency.

An individual contacted the DPC following the refusal of their erasure request by a health care provider. According to the individual, they had requested the erasure of all historic health records relating to them held by the health care provider, as the individual was of the opinion that the records were incorrect as they related to an alleged misdiagnosis.

As part of its examination of the complaint, the DPC requested that the health care provider set out its lawful basis for processing the individual’s health records, specifically in relation to Articles 6 and 9 of the GDPR. The health care provider advised that it was relying on Article 6(1)(e) of the GDPR for processing the individual’s personal data which states that processing shall be lawful if ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.

In relation to Article 9 of the GDPR, the health care provider stated that it continues to process the health records under Articles 9(2)(h) and (i) of the GDPR. Article 9(2)(h) of the GDPR states, ‘processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis…’. While Article 9(2)(i) of the GDPR states, ‘processing is necessary for reasons of public interest in the area of public health…’.

As part of their engagement with the health care provider, the individual provided them with a contradictory diagnosis from another health care provider, which the individual stated was evidence that proved the original diagnosis was incorrect. Having reviewed the documentation provided, the health care provider noted that a medical diagnosis is a medical opinion that is given at a point in time. Therefore, any medical opinion, given at a different point in time, cannot be accepted as evidence that a historic medical opinion was incorrect. The medical provider further advised that while a medical condition may change over time, it does not eradicate the fact that an individual was, at one point, treated for a particular illness or provided with a certain diagnosis.

The DPC noted that for the purposes of the GDPR, personal data is inaccurate if it is incorrect as to a matter of fact. However, based on the information available to the DPC, the personal data held on file by the health care provider, namely the original diagnosis, was not inaccurate as it was the original diagnosis at that point in time. On this basis, the DPC found that the health care provider had a lawful basis for the continued processing of the individual’s health records in accordance with Article 17(1)(a) of the GDPR.

In this regard, the processing of the personal data in the form of retaining the original diagnosis is still necessary in relation to the purposes for which the personal data was originally collected or otherwise processed. Further, the DPC found that the health care provider’s refusal to comply with the individual’s erasure request is consistent with Article 17(3)(c) of the GDPR in providing comprehensive medical assessment and treatment of the individual.

Following the engagement of the DPC, the health care provider added a supplementary statement on the individual’s medical record to include the documentation provided by the individual, which would inform any future readers of the individual’s medical file of the individual’s opinion, and the contradictory diagnosis in relation to the medical diagnosis.

Note: Article 17(1)(a) of the GDPR states that a data controller shall erase personal data that is no longer necessary for its original purposes. However, Article 17(3)(c) of the GDPR excludes the application of Article 17(1) in circumstances where the processing is necessary, ‘for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3).’.

An individual opened an online account with a bookmaker and deposited a sum of money to their account. Having attempted to download the application (‘app’) associated with the service, the individual quickly realised that the app was not compatible with their mobile phone. The following day the individual submitted an erasure request under Article 17 of GDPR to the bookmaker. The bookmaker refused to comply with the erasure request, stating that it had legal obligations to retain the personal data as a deposit and withdrawal of funds had taken place on the account, thus making them a ‘customer’. The individual was dissatisfied with this response as they did not agree that they were a ‘customer’ of the bookmaker, as they did not place any bets through the account, either online or through the app.

Following engagement with the DPC, the bookmaker advised that it could not erase the individual’s personal data as it was subject to Anti-Money Laundering legislation, under the Criminal Justice (Money Laundering and Terrorist Financing Acts 2010, which became applicable when the deposit and withdrawal of funds were made on the individual’s account.

The bookmaker outlined to the DPC that although it was legally obliged to retain the individual’s personal data it only retains the minimum amount that is necessary to fulfil this legal obligation in line with the principle of data minimisation as set out in Article 5(1)(c) of the GDPR.

Following its examination of the complaint, the DPC found that while the organisation had demonstrated a valid lawful basis for the ongoing retention of the personal data, the DPC issued recommendations to the organisation on its obligations to ensure that all processing is lawful and fair and that it is transparent about its processing activities.

This complaint concerned the alleged non-response to an erasure request made by an individual to a prospective employer pursuant to Article 17 of the GDPR.

Following receipt of the complaint, the DPC engaged with the individual and the prospective employer (controller) in order to establish the subject matter of the complaint and to commence with the amicable resolution process. Further to this engagement, the DPC established that the individual had since received a response from the controller. However, the individual informed the DPC that while the controller had erased their personal data, their job application ‘account’ was still active on the controller’s website.

Having established this was the case, the DPC contacted the controller, bringing their attention to the fact that information in relation to the account had not been erased. In their response, the controller acknowledged that the information had not been fully deleted, and advised that this was due to a technical error but that they would comply with the erasure request immediately.

Subsequently, the DPC was updated by the organisation concerned that they had since fully complied with the erasure request by deleting the account. The controller also advised that they had contacted the individual to confirm the action they had taken and apologised for the delay in removing the individual’s login credentials from their systems.

A prospective buyer initiated the facilitated purchase of a property through a real estate intermediary. Shortly after this, the vendor of the property withdrew from the sale. As part of the purchasing process, the prospective buyer had provided a copy of their ID, proof of address and bank details to the real estate intermediary. Following the breakdown in the process, the prospective buyer sought the erasure of their personal data pursuant to Article 17 of the GDPR.

The prospective buyer initially submitted this erasure request to the email address listed on the real estate’s privacy policy, but this ’bounced back’ as the email was not active. The prospective buyer then sent the request to the primary email address of the real estate intermediary.

As no response was received from the real estate intermediary, the individual made a complaint to the DPC. Following the intervention of the DPC, the real estate intermediary engaged with the individual concerning their erasure request. However, during the complaint handling process, the DPC established that the organisation concerned refused to comply with the erasure request. According to the organisation, it was relying on an obligation under the Property Services (Regulation) Act 2011, which created a legal requirement to retain the data for six years. The matter was referred to the Property Services Regulatory Authority for clarity, who advised that bank details were not covered by the wording of the Act and could be deleted on foot of an erasure request.

Following this confirmation, the DPC engaged with the real estate intermediary to ensure that the bank details were erased as part of the erasure request. The DPC informed the prospective buyer that certain other items of personal data, such as their name, address and contact details would not be erased as the real estate intermediary had a lawful basis to restrict the right of erasure in line with the Property Services (Regulation) Act 2011. The DPC also ensured that the real estate intermediary updated its privacy policy to accurately reflect the appropriate point of contact.