Case Studies CCTV
Domestic CCTV
During 2024, the DPC received 157 complaints from individuals regarding the use of recording devices, for example domestic CCTV systems and smart doorbells by private individuals to protect their homes and property.
In examining these complaints, the DPC’s focus is whether the processing of personal data by these devices comes within the scope of the GDPR or not. This is because of the household exemption under Article 2(2)(c) of the GDPR, which applies where personal data is processed by a natural person in the course of a purely personal or household activity. In the sphere of CCTV and smart doorbells, this would generally mean that as long as the images captured are within the perimeter of an individual’s own home and are only used for their personal purposes, the domestic exemption is likely to apply. However, where a device operates in such a way as to capture images of people outside the perimeter of a home (in public spaces or in neighbouring property), individuals are no longer able to avail of the domestic exemption. In those circumstances, the camera operator must either change the way the device captures images so that it is limited to their own property, or comply with data protection law and their obligations as a data controller.
One complaint examined in 2024 by the DPC was from an individual against their neighbour alleging that the entire CCTV system, made up of multiple cameras, was capturing their personal data. The DPC contacted the camera operator who provided footage from the CCTV system. Upon examination of the footage provided to the DPC it was noted that a number of the cameras were capturing areas outside the perimeter of the operator’s own home and that the remaining cameras were dummy cameras. The DPC engaged with the operator to bring the relevant devices into line with the domestic exemption.
The complainant in this case remained dissatisfied and requested additional details from the DPC about the cameras. The DPC engaged further with the individual to advise that, once the cameras were being operated within the parameters of the domestic exemption and/or were dummy cameras, it could not provide further information.
More information on domestic CCTV can be found at: Domestic CCTV
Case Studies Data Breach Notification
Personal Data Accidentally Disclosed Online
A third level institution reported a data breach to the DPC that related to a survey it had carried out on former students. Each year, recently graduated students were surveyed with a focus on their further studies and employment, and this data was then used to publish a report on graduate outcomes. The summary statistics, which were not anonymised in this instance and included personal data, were published on the institution’s website.
A member of the public reviewing the 2023 reports noticed that they were able to view the personal data of the survey respondents by right-clicking on the tables, and brought this to the attention of the institution. This data included names, salary information and details of work or further studies. The third level institution removed the report, together with other externally available reports that it thought could be affected by the same issue. The third level institution also sought assurances that the personal data had not been saved or shared by the individual who discovered the dataset.
As part of the investigation of this breach, the institution informed the DPC that a new system was introduced for producing reports in 2022 and that a lack of familiarity with the new system had led to the data being published in a non-anonymised format. To mitigate against a recurrence of this issue the institution reviewed its internal processes for generating reports, as well as liaising with their internal IT teams to ensure appropriate technological measures are now in place.
Case Studies Data Breach Notification
Digital File Storage Breach
A third level institution reported a data breach to the DPC relating to the storage of student medical certificates for a particular course. A student had discovered medical certificates relating to other students when attempting to upload their own certificate to the institution’s Virtual Learning Environment (VLE). The institution immediately informed the DPO, and its IT department removed the files.
The DPC assessed the notification and, given the nature of the special category (health) data involved, requested further information from the organisation. The investigation by the organisation determined that human error had led to a misconfiguration on the VLE, which meant that medical certificates were displayed to a group of students, rather than solely to the course coordinator/lecturer.
The breach was originally deemed high risk by the organisation, but following a review of the breached data and the risks posed to the rights and freedoms of the affected individuals, it was deemed to be of lesser risk than originally assessed. The organisation decided to notify the impacted individuals about the breach out of an abundance of caution.
In order to prevent a recurrence of this situation, the institution issued an email to all staff to remind them not to use the VLE for the submission of personal data. The institution also added messages to the VLE platform to remind both staff and students of their data protection obligations when using the system.
The organisation engaged with the provider of the VLE to introduce measures to ensure that personal data is stored and processed securely and that security settings are configured appropriately.
Case Studies Data Breach Notification
Phishing Email Attack in the Broadcasting Sector
An organisation operating in the broadcasting sector notified a data breach to the DPC relating to an employee who had fallen victim to a phishing email. The email, purporting to be an advertisement for an internal vacancy, requested that the employee input their email and data storage platform credentials and approve their Multifactor Authentication (MFA) authenticator prompt. Having obtained this information from the employee, the bad actor who sent the phishing email was then able to gain access to this employee’s email and data storage platform account.
Categories of personal data that were potentially accessed by the bad actor included names, email addresses, photos/videos, financial data and special category data (health data). The affected individuals included employees within the organisation and third-party contacts who had engaged with the broadcaster. The organisation became aware of the breach when the employee reported issues logging into their email and data storage platform. The organisation’s phishing detection systems had disabled the phished account automatically after 17 minutes, but the account was then manually reactivated by the in-house IT team in error. A manual review of audit logs showed suspicious login attempts from different locations, leading to the account being reset and the bad actor being locked out permanently.
The DPC reminded the organisation of its obligations as a data controller. On foot of this, the organisation implemented preventative measures in order to mitigate against a recurrence of this breach. These measures included spam/phishing filters, reminders to all staff to exercise caution when opening external emails, increased training and staff awareness exercises, and new guidelines in relation to the reactivation of suspended user accounts.
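As an added illustration, not taken from the report or from the organisation concerned, the two controls this case turns on can be checked mechanically from an audit log: that an account automatically suspended by phishing detection is not reactivated without a recorded review, and that login events from several locations within a short window are surfaced for investigation. The log format, event names and sample entries below are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not from the report): timestamp, account, event, location.
# The event names and the field layout are assumptions made for this example.
SAMPLE_LOG = """\
2024-03-04T09:02:00,j.doe,login_success,Dublin
2024-03-04T09:05:00,j.doe,login_success,Lagos
2024-03-04T09:19:00,j.doe,auto_disabled,-
2024-03-04T09:40:00,j.doe,reactivated,-
2024-03-04T09:45:00,j.doe,login_attempt,Lagos
2024-03-04T09:46:00,j.doe,login_attempt,Moscow
2024-03-04T10:00:00,a.smith,auto_disabled,-
2024-03-04T10:05:00,a.smith,review_completed,-
2024-03-04T10:10:00,a.smith,reactivated,-
2024-03-04T10:15:00,a.smith,login_success,Dublin
"""

def parse_log(text):
    """Parse one event per line into (time, account, event, location) tuples, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, account, event, location = line.split(",")
        events.append((datetime.fromisoformat(ts), account, event, location))
    return sorted(events)

def unreviewed_reactivations(events):
    """Accounts reactivated after an automatic suspension with no review_completed in between."""
    suspended, reviewed, flagged = set(), set(), []
    for ts, account, event, _ in events:
        if event == "auto_disabled":
            suspended.add(account); reviewed.discard(account)
        elif event == "review_completed":
            reviewed.add(account)
        elif event == "reactivated" and account in suspended:
            if account not in reviewed:
                flagged.append((account, ts))
            suspended.discard(account); reviewed.discard(account)
    return flagged

def multi_location_logins(events, window=timedelta(minutes=60)):
    """Accounts with login events from more than one location inside a sliding window."""
    per_account = defaultdict(list)
    for ts, account, event, location in events:
        if event.startswith("login") and location != "-":
            per_account[account].append((ts, location))
    flagged = {}
    for account, logins in per_account.items():
        for i, (ts, _) in enumerate(logins):
            locs = {loc for t, loc in logins[i:] if t - ts <= window}
            if len(locs) > 1:
                flagged[account] = sorted(locs)
                break
    return flagged
```

Run against the sample, the first check flags only j.doe (reactivated 21 minutes after suspension with no review recorded), while a.smith passes because a review was logged first; the second check flags j.doe for logins from three locations within an hour.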
Case Studies Electronic Direct Marketing
Prosecution of Thérapie Clinic Trading as Valterous Limited
In February 2024, the DPC received notification from an individual of an alleged unsolicited email communication from Thérapie Clinic. The individual had provided the DPC with a copy of their marketing preferences and a copy of an unsolicited email communication.
Subsequent to further investigation, Thérapie Clinic confirmed to the DPC that the complainant was a client of theirs and had not given consent to receive marketing communications. Thérapie Clinic conducted an internal investigation, which found that the email message, which was the subject of the complaint, had been sent manually by a member of staff in one of their clinics.
The email was not a system-generated message, and therefore no opt-out mechanism had been included in the communication. As such, the individual had received an unsolicited marketing email message without an option to opt out of receiving further marketing messages. As the DPC had issued a warning to Thérapie Clinic in February 2023 in regard to a previous complaint, the DPC decided to prosecute arising from this complaint case.
On 25 October 2024, Thérapie Clinic was prosecuted for sending unsolicited emails to a customer who had previously opted out of receiving marketing communications. The company was found to have violated Regulation 13(12)(c) and Regulation 13(13)(a)(i) of S.I. No. 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. In lieu of a conviction and fine, the Dublin Metropolitan District Court ordered the company to make a donation of €325 to the Little Flower Penny Dinners charity and to pay the DPC’s legal costs.
Case Studies Electronic Direct Marketing
Prosecution of Google Ireland Limited
In November 2023, the DPC received notification from an individual of alleged unsolicited marketing communications via telephone from Google Ireland Limited. The individual in question had received three separate phone calls in the space of a 4-hour period from individuals identified as sales representatives on behalf of Google Ireland Limited. The DPC launched an investigation, during the course of which Google Ireland Limited confirmed that a third-party contractor had disregarded the individual’s previous request to opt-out of marketing communications, resulting in a number of calls being made to the individual.
The DPC had previously issued a warning to Google Ireland Limited in July 2023 concerning unsolicited phone calls made without consent to the same individual. As part of this warning, Google Ireland Limited was notified that if the individual was to receive further phone calls, Google Ireland Limited may face prosecution. Google Ireland Limited breached the rules governing unsolicited marketing phone calls, as the company continued to make marketing phone calls after the individual had explicitly withdrawn their consent.
At Dublin Metropolitan District Court on 25 October 2024, Google Ireland Limited pleaded guilty to two charges of making unsolicited marketing telephone calls under Regulation 13 of S.I. No. 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. Dublin Metropolitan District Court directed the company to contribute €1,500 to the Little Flower Penny Dinners charity and to pay the DPC’s legal costs in lieu of a conviction and fine.
Case Studies Access Request Complaints
Data Controller vs Data Processor obligations
An individual made an access request under Article 15 of the GDPR to an organisation they believed to be processing their personal data. Upon receipt of this request, the organisation notified the individual that it was not the data controller in this instance. The organisation advised the individual that it had referred the request to the actual data controller in line with its obligations under Article 28(3)(e) of the GDPR to assist “…the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights”. The individual was not satisfied with the response and submitted a complaint to the DPC.
The DPC requested documentary evidence from the organisation (data processor) which would support its assertion that it was not the data controller in this instance. The organisation provided the DPC with a copy of a data protection agreement, which explicitly detailed the organisation as the data processor and the other party as the data controller in relation to the personal data being processed in this instance. This agreement outlined in specific detail that the organisation only processed personal data upon instruction from the data controller. The DPC examined this agreement and affirmed that the organisation to which the individual submitted the access request was the data processor in this instance.
The DPC accepted that the organisation was the data processor for the personal data which had been requested in this instance and that it had complied with its obligations under both Article 15 and Article 28(3)(e) of the GDPR.
Case Studies Access Request Complaints
Requesting Data relating to a Vehicle
An individual raised a query with the DPC about gaining access to information held by a garage detailing the history of the vehicle the individual now owned, including details of damage assessed, recommended repairs, and an engineer’s report conducted towards the end of a particular year. The individual submitted an access request under Article 15 of the GDPR to the garage for all data related to the vehicle. The garage refused the request. As the individual was dissatisfied with the response received from the garage, they contacted the DPC to raise their concerns.
In response, the DPC reviewed the request and provided relevant information, advising that under GDPR, “personal data” is defined in Article 4(1) as any information relating to an identified or identifiable natural person. While a vehicle’s registration plate could be considered personal data, the condition of the vehicle itself prior to a person’s ownership did not relate to the individual as a natural person. Consequently, the DPC considered that data protection law did not apply in this case, and the concerns raised fell outside its remit.
Case Studies Electronic Direct Marketing
Prosecution of Supermac’s Ireland Limited
In August 2023, the DPC received a complaint from an individual regarding alleged unsolicited marketing SMS messages received from Supermac’s Ireland Limited. The DPC launched an investigation, in the course of which Supermac’s Ireland Limited explained that the individual had registered for their online ordering system in 2018 and had ticked the box to receive SMS and email marketing communications. The individual subsequently placed an online order in 2023 and was added to an active marketing list for SMS purposes.
The DPC requested that the individual’s details be removed from the active marketing list in August 2023. Supermac’s Ireland Limited confirmed to the DPC that the opt-out had been successful and the individual had been removed from their marketing list. However, the individual contacted the DPC again in October 2023 to inform the DPC that they had received a further marketing SMS from Supermac’s Ireland Limited, despite assurances that they had been removed from marketing lists. Upon further investigation, Supermac’s Ireland informed the DPC that, due to a technical error by their subcontractor, the individual’s phone number had not been removed properly.
The DPC’s investigation of this complaint established that Supermac’s Ireland Limited did not have valid consent to send electronic marketing communications to the individual concerned. As the DPC had issued a warning to the company in February 2023 with regards to a previous complaint, the DPC decided to prosecute the case.
On 3 September 2024 before Judge Fahy in Galway District Court, Supermac’s Ireland Limited pleaded guilty to five charges of sending unsolicited marketing SMS messages under Regulation 13(7) and Regulation 13(13)(a)(i) of S.I. No. 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. Galway District Court ordered the company to make a contribution of €3,500 to the Galway Simon Community and Cope Galway, in lieu of a conviction and fine. The company was also required to discharge the DPC’s legal costs.
Case Studies Electronic Direct Marketing
Prosecution of Pulse Gym trading as Energie Fitness Dublin 8
In October 2023, the DPC received notification from an individual regarding unsolicited marketing SMS messages received from Pulse Gym, trading as Energie Fitness Dublin 8. An investigation was launched during which Pulse Gym explained that when a member signed up online, they agreed to Pulse Gym’s terms and conditions, which included a reference to giving consent to receive marketing materials by electronic means.
The DPC requested a copy of the consent referred to under Article 7 of the GDPR, but Pulse Gym was unable to provide such a copy. The DPC highlighted that consent for marketing is required to be “freely given, specific, informed and unambiguous”, and that Pulse Gym was not permitted to “bundle” consent for processing of individuals’ personal data for different purposes.
Pulse Gym also confirmed during the investigation that the opt-out attempts made by the individual had not been implemented successfully because of a fault in the service provider’s software.
A warning had previously been issued to Pulse Gym following an investigation of a similar complaint in July 2023. As part of this warning, the DPC had made Pulse Gym aware of its requirement to ensure that its mailing list only contained details of individuals who had explicitly consented to receive marketing communications, and to ensure that its opt-out function was operational and opt-out requests were respected. However, upon receipt of this further complaint in October 2023, it became apparent that not all changes identified in the DPC’s warning letter had been implemented. As a result, the DPC decided to move to prosecution proceedings in this instance.
Pulse Gym pleaded guilty to one charge of sending unsolicited marketing SMS messages at Dublin Metropolitan District Court on 27 May 2024 under Regulation 13 of S.I. No. 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. In lieu of a conviction and fine, Judge Halpin applied the Probation Act and the company was instructed to make a donation of €700 to the Little Flower Penny Dinners charity and to pay the DPC’s legal costs in full.