Inquiry into Kildare County Council

This inquiry sought to assess whether Kildare County Council was processing personal data in compliance with the GDPR and the Data Protection Act 2018. The inquiry examined a number of the Council’s processing operations including its use of CCTV cameras in public places used for the purposes of prosecuting crime or other purposes.

The findings made in the decision include:

  • The Council had no legal basis for personal data collected via CCTV cameras at two locations for the purposes of the prevention of criminal offences.
  • The Council had no legal basis for personal data collected via CCTV cameras for the purposes of traffic management.
  • The Council infringed Article 5(1)(a) GDPR by sharing the live feed of traffic management CCTV cameras with An Garda Síochána without a valid legal basis.
  • The Council lacked a lawful basis to carry out surveillance with CCTV cameras which employed Automatic Number Plate Recognition technology.
  • The Council did not fulfil its transparency obligations under Article 13 by failing to erect signage in respect of its CCTV processing operations.
  • The Council infringed Article 32(1) of the GDPR by failing to maintain a data log that recorded user specific accesses of the CCTV camera views and recorded footage from Naas Garda Station.
  • The Council infringed its obligations under Sections 71(1)(f), 72(1) and 78 of the 2018 Act by failing to implement technical or organisational security measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage of personal data collected via the camera feeds from the CCTV systems at two locations.
  • The Council infringed Section 82(2) of the 2018 Act by failing to maintain a data log that recorded the identity of any individual who consulted personal data contained in the CCTV camera views and recorded footage from two locations.
  • The Council infringed Section 71(1)(c) and Section 76(2) of the 2018 Act by recording CCTV of private properties, in the absence of any privacy masking technology, at one location.
  • The Council infringed Section 71(10) of the 2018 Act by failing to be in a position to demonstrate that its processing of personal data via CCTV cameras at one location was not excessive to its purpose of preventing anti-social behaviour.
  • The Council infringed its obligations under Sections 71(1)(f), 72(1) and 78 of the 2018 Act in connection with arrangements surrounding the transfer of personal data to An Garda Síochána using unencrypted USB sticks.

Corrective Powers Exercised:

  • A temporary ban on the processing of personal data with CCTV cameras at a number of locations used for the purposes of criminal law enforcement until a legal basis can be identified.
  • A temporary ban on the processing of personal data with CCTV cameras used for traffic management purposes until a legal basis can be identified.
  • An order for Kildare County Council to bring its processing of personal data into compliance by taking certain actions specified in the decision.
  • An administrative fine of €50,000.

For more information, you can download the full decision at this link: Inquiry into Kildare County Council - January 2023 (PDF, 2.9mb).

Inquiry into Meta Platforms Ireland Limited

These two inquiries relate to the data processing operations of Meta Platforms Ireland Limited (“Meta Ireland”) in connection with the delivery of its Facebook and Instagram services. (Meta Ireland was previously known as Facebook Ireland Limited).

Final decisions were made by the DPC in which it fined Meta Ireland €210 million (for breaches of the GDPR relating to its Facebook service), and €180 million (for breaches in relation to its Instagram service).

Meta Ireland was also directed to bring its data processing operations into compliance within a period of 3 months.

The inquiries concerned two complaints about the Facebook and Instagram services, each one raising the same basic issues. One complaint was made by an Austrian data subject (in relation to Facebook); the other was made by a Belgian data subject (in relation to Instagram).

The complaints were made on 25 May 2018, the date on which the GDPR came into operation.

In advance of 25 May 2018, Meta Ireland had changed the Terms of Service for its Facebook and Instagram services. It also flagged the fact that it was changing the legal basis on which it relies to legitimise its processing of users’ personal data. (Under Article 6 of the GDPR, data processing is lawful only if and to the extent that it complies with one of six identified legal bases). Having previously relied on the consent of users to the processing of their personal data in the context of the delivery of the Facebook and Instagram services (including behavioural advertising), Meta Ireland now sought to rely on the “contract” legal basis for most (but not all) of its processing operations.

If they wished to continue to have access to the Facebook and Instagram services following the introduction of the GDPR, existing (and new) users were asked to click “I accept” to indicate their acceptance of the updated Terms of Service. (The services would not be accessible if users declined to do so).

Meta Ireland considered that, on accepting the updated Terms of Service, a contract was entered into between Meta Ireland and the user. It also took the position that the processing of users’ data in connection with the delivery of its Facebook and Instagram services was necessary for the performance of that contract, to include the provision of personalised services and behavioural advertising, so that such processing operations were lawful by reference to Article 6(1)(b) of the GDPR (the “contract” legal basis for processing).

The complainants contended that, contrary to Meta Ireland’s stated position, Meta Ireland was in fact still looking to rely on consent to provide a lawful basis for its processing of users’ data. They argued that, by making the accessibility of its services conditional on users accepting the updated Terms of Service, Meta Ireland was in fact “forcing” them to consent to the processing of their personal data for behavioural advertising and other personalised services. The complainants argued that this was in breach of the GDPR.

Following comprehensive investigations, the DPC prepared draft decisions in which it made a number of findings against Meta Ireland. Notably, it found that:

  1. In breach of its obligations in relation to transparency, information in relation to the legal basis relied on by Meta Ireland was not clearly outlined to users, with the result that users had insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6 of the GDPR. The DPC considered that a lack of transparency on such fundamental matters contravened Articles 12 and 13(1)(c) of the GDPR. It also considered that it amounted to a breach of Article 5(1)(a), which enshrines the principle that users’ personal data must be processed lawfully, fairly and in a transparent manner. The DPC proposed very substantial fines on Meta Ireland in relation to the breach of these provisions and directed it to bring its processing operations into compliance within a defined and short period of time.
  2. In circumstances where it found that Meta Ireland did not, in fact, rely on users’ consent as providing a lawful basis for its processing of their personal data, the “forced consent” aspect of the complaints could not be sustained. From there, the DPC went on to consider Meta Ireland’s reliance on “contract” as providing a legal basis for its processing of users’ personal data in connection with the delivery of its personalised services (including personalised advertising). Here, the DPC found that Meta Ireland was not required to rely on consent; in principle, the GDPR did not preclude Meta Ireland’s reliance on the contract legal basis.

Under a procedure mandated by the GDPR, the draft decisions prepared by the DPC were submitted to its peer regulators in the EU/EEA, also known as Concerned Supervisory Authorities (“CSAs”).

On the question as to whether Meta Ireland had acted in contravention of its transparency obligations, the CSAs agreed with the DPC’s decisions, albeit that they considered the fines proposed by the DPC should be increased. 

Ten of the 47 CSAs raised objections in relation to other elements of the draft decisions (one of which was subsequently withdrawn in the case of the draft decision relating to the Facebook service). In particular, this subset of CSAs took the view that Meta Ireland should not be permitted to rely on the contract legal basis on the grounds that the delivery of personalised advertising (as part of the broader suite of personalised services offered as part of the Facebook and Instagram services) could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract. 

The DPC disagreed, reflecting its view that the Facebook and Instagram services include, and indeed appear to be premised on, the provision of a personalised service that includes personalised or behavioural advertising. In effect, these are personalised services that also feature personalised advertising. In the view of the DPC, this reality is central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the Terms of Service.

Following a consultation process, it became clear that a consensus could not be reached. Consistent with its obligations under the GDPR, the DPC next referred the points in dispute to the European Data Protection Board (“the EDPB”).

The EDPB issued its determinations on 5 December 2022.

The EDPB determinations rejected many of the objections raised by the CSAs. They also upheld the DPC’s position in relation to the breach by Meta Ireland of its transparency obligations, subject only to the insertion of an additional breach (of the “fairness” principle) and a direction that the DPC increase the amount of the fines it proposed to impose.

The EDPB took a different view on the “legal basis” question, finding that, as a matter of principle, Meta Ireland was not entitled to rely on the “contract” legal basis as providing a lawful basis for its processing of personal data for the purpose of behavioural advertising.

The final decisions adopted by the DPC on 31 December 2022 reflect the EDPB’s binding determinations as set out above. Accordingly, the DPC’s decisions include findings that Meta Ireland is not entitled to rely on the “contract” legal basis in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the “contract” legal basis, amounts to a contravention of Article 6 of the GDPR.

In terms of sanctions, and in light of this additional infringement of the GDPR, the DPC has increased the amount of the administrative fines imposed on Meta Ireland to €210 million (in the case of Facebook) and €180 million in the case of Instagram. (The revised levels of these fines also reflect the EDPB’s views in relation to Meta Ireland’s breaches of its obligations in relation to the fair and transparent processing of users’ personal data).

The DPC’s existing requirement that Meta Ireland must bring its processing operations into compliance with the GDPR within a period of 3 months has been retained.

Separately, the EDPB has also purported to direct the DPC to conduct a fresh investigation that would span all of Facebook and Instagram’s data processing operations and would examine special categories of personal data that may or may not be processed in the context of those operations. The DPC’s decisions naturally do not include reference to fresh investigations of all Facebook and Instagram data processing operations that were directed by the EDPB in its binding decisions. The EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation. The direction is then problematic in jurisdictional terms, and does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR. To the extent that the direction may involve an overreach on the part of the EDPB, the DPC considers it appropriate that it would bring an action for annulment before the Court of Justice of the EU in order to seek the setting aside of the EDPB’s directions.

You can download the full decision at this link: Inquiry into Meta Platforms Ireland Limited (Facebook service) - December 2022 (PDF, 1.8mb).

You can download the full decision at this link: Inquiry into Meta Platforms Ireland Limited (Instagram service) - December 2022 (PDF, 1.8mb).

Inquiry into A&G Couriers Limited T/A Fastway Couriers (Ireland)

This inquiry was commenced in respect of a personal data breach that A&G Couriers Limited T/A Fastway Couriers, Ireland (Fastway) notified to the DPC on 4 March 2021. Fastway is a company that provides courier services, such as delivery of parcels, letters, packages, and documents, as well as parcel tracking and tracing options. The personal data breach concerned unauthorised access to personal data held by Fastway while it was engaging with its service provider in order to undertake a modification to Fastway ICT systems to facilitate declarations of duty and VAT.

  • The decision found that Fastway infringed Article 32(1) of the GDPR by failing to implement appropriate technical and organisational measures to ensure an appropriate security level in relation to its processing of personal data for the provision of delivery services and stored in its internal report system at the time of the personal data breach.

Corrective Powers Exercised

  • The decision issued Fastway with a reprimand in respect of the infringement.
  • The decision imposed an administrative fine on Fastway in the amount of €15,000 in respect of the infringement.

You can download the full decision at this link: A&G Couriers Limited T/A Fastway Couriers (Ireland) - December 2022 (PDF, 2.5 MB).

Inquiry into Virtue Integrated Elder Care Ltd (VIEC)

The inquiry was commenced after VIEC notified a personal data breach to the DPC on 19 August 2020. VIEC operates and manages five nursing homes on the Southside of Dublin and in County Louth. The data breach notification concerned an unknown actor who gained access to a VIEC manager email account by way of a phishing attack and set up mail forwarding rules to an external account. As a result of this, the personal data of residents, including special category data such as health and biometric data, was accessed by the unknown actor.

The decision considered whether VIEC had complied with Articles 5(1)(f) and 32(1) GDPR and, in particular, whether VIEC had implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with its processing operations.

The decision found that VIEC had infringed its obligations under Articles 5(1) and 32(1) GDPR. The processing by VIEC of personal and special category data on its email system prior to the phishing attack, without adequate security measures, placed such data at risk of being unlawfully accessed.

Corrective Powers Exercised

  • The decision issued VIEC with a reprimand in respect of the infringements.
  • The decision ordered VIEC to bring its processing into compliance with Articles 5(1)(f) and 32(1) of the GDPR.
  • The decision imposed an administrative fine on VIEC in the amount of €100,000 in respect of the infringement of Article 5(1)(f) GDPR.


Inquiry into An Garda Síochána

This inquiry, conducted under Part 5 of the Data Protection Act 2018, concerned a report by An Garda Síochána to the DPC of a personal data breach, following a data breach at a Garda station. The inquiry sought to determine whether infringements of sections 71(1)(f), 72(1), 75 and 78 of the Data Protection Act 2018 had occurred in An Garda Síochána’s processing of personal data. These provisions require that:

  • processing is undertaken in a manner that ensures appropriate security, including the implementation of appropriate technical and organisational measures to protect against unauthorised or unlawful processing, and accidental loss, destruction or damage;
  • in determining appropriate technical or organisational measures, a controller ensures that the measures provide a level of security appropriate to the harm that might result from accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, the data concerned;
  • a controller shall implement appropriate technical and organisational measures to ensure that the processing of personal data for which it is responsible is performed in compliance with Part 5 of the Data Protection Act 2018; and
  • certain matters be had regard to in determining the appropriate technical and organisational measures to be taken by a controller, including the risks to the rights and freedoms of individuals arising from the processing concerned and the likelihood and severity of such risks; the nature of the personal data concerned; the nature, scope, context and purpose of the processing concerned; the accessibility of the data, and the state of the art and cost of implementation.

The data breach that is the subject of this inquiry concerned the personal data of “persons of interest” to An Garda Síochána in the context of ongoing investigations, which was processed on an Intelligence Bulletin board located in a room in a Garda station, to which no person other than a Garda should have had unaccompanied access. This personal data, which included the names and addresses of 108 data subjects, including vulnerable data subjects, was accessed by a contractor who was undertaking repair works at the Garda station. The personal data was ultimately shared on social media.

Findings made in the decision that followed the DPC investigation of this matter include that there was:

  1. An absence of specific policies and procedures in An Garda Síochána’s processing of personal data, such that they failed to satisfy the requirements of sections 72(1), 75 and 78, and by extension 71(1)(f) of the Data Protection Act 2018. Specifically, An Garda Síochána failed to implement appropriate technical and organisational measures to protect the personal data An Garda Síochána processed at the time of the breach.
  2. An absence of specific security measures in place at the time of the breach relating to the circumstances of the breach, which resulted in the failure of An Garda Síochána to implement a level of security appropriate to the harm that might result from An Garda Síochána’s processing of personal data.
  3. A failure to undertake a risk assessment before processing commenced, in order to determine the appropriateness of security measures vis-à-vis the harm that might result from processing.
  4. A failure to demonstrate that An Garda Síochána carried out any pre-breach assessment of the matters to which a controller should have regard, under section 78(a) to (g) Data Protection Act 2018.
  5. In circumstances where the personal data processed on the Intelligence Bulletin concerned ongoing investigations and the personal data of vulnerable data subjects, a finding that the nature of that personal data was highly sensitive.

Corrective Powers Exercised

The decision found it appropriate to exercise corrective powers in accordance with section 124(3) of the 2018 Act, and sets out the corrective powers exercised, pursuant to section 127(1) of the 2018 Act. These are:

  • A reprimand issued to An Garda Síochána, pursuant to section 127(1)(b) of the Data Protection Act 2018, in respect of the infringements. The nature of the infringements identified demonstrated a generalised failure by An Garda Síochána to implement appropriate technical and organisational measures in order to ensure that its processing of personal data was undertaken in accordance with the Data Protection Act 2018, and
  • An order issued to An Garda Síochána to bring its processing into compliance with the relevant provisions of the Data Protection Act 2018 through the implementation of appropriate technical and organisational measures with regard to the security of Intelligence Bulletins throughout its network of Garda stations in Ireland.

Inquiry concerning Meta Dataset

On 25 November 2022, the Data Protection Commission (the DPC) adopted a decision to impose a fine of €265 million and to exercise other corrective powers on Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) (Meta Platforms).

The DPC commenced this inquiry on 14 April 2021, on foot of media reports into the discovery of a collated dataset of Facebook personal data that had been made available on the internet. The scope of inquiry concerned an examination and assessment of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms during the period between 25 May 2018 and September 2019. The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default. The DPC examined the implementation of technical and organisational measures pursuant to Article 25 GDPR (which deals with this concept).

There was a comprehensive inquiry process. As the processing under examination constituted “cross-border” processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 GDPR and all of the other European supervisory authorities were engaged. Those supervisory authorities agreed with the decision of the Data Protection Commission. Accordingly, the DPC’s decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU.

The decision, which was adopted on Friday, 25 November 2022, records findings of infringement of Articles 25(1) and 25(2) GDPR. The decision imposed a reprimand and an order requiring Meta Platforms to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe. In addition, the decision has imposed administrative fines totalling €265 million on Meta Platforms.

You can download the full decision at this link: Inquiry concerning Meta Dataset - November 2022 (PDF, 1.1 MB).

Inquiry into Ark Life Assurance Company dac

This decision arose from an own-volition inquiry commenced by the DPC pursuant to section 110 of the Data Protection Act 2018 to consider whether Ark Life had complied with the GDPR in relation to its processing operations. The inquiry was initiated after Ark Life had notified 156 personal data breaches to the DPC between December 2018 and May 2020. The data breach notifications primarily concerned the unauthorised disclosure of personal data as a result of address inaccuracies and issues within the postal and email procedures operated by Ark Life.

The decision considered whether Ark Life had complied with Article 32(1) GDPR and, in particular, whether Ark Life had implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with its processing operations.

The decision found that Ark Life had complied with its obligations under Article 32(1) GDPR. It was held that Ark Life had implemented policies that were specifically tailored to the risks associated with the processing. Ark Life also provided repeated training to the sectors of the business that were the most susceptible to personal data breaches of this kind. Ark Life also took proactive measures to counter the increasing risk profile of some business units by implementing additional security measures after some personal data breaches occurred. These measures addressed inherent flaws in their processes concerning customer contact details and dealing with returned mail.

Taking into account the quantum of data breaches, the technical and organisational measures implemented by Ark Life and the moderate to low severity of risk to data subjects, the DPC has concluded that Ark Life has not infringed Article 32(1). Accordingly, no corrective powers were exercised in this decision.

You can download the full decision at this link: Inquiry concerning Ark Life Assurance Company dac - September 2022 (PDF, 352 KB).

Inquiry into Airbnb Ireland UC

On 14 September 2022, following an inquiry, the Data Protection Commission (the DPC) adopted a decision to exercise corrective powers on Airbnb Ireland UC (Airbnb).

The DPC commenced this inquiry on 25 March 2021, on foot of a complaint that Airbnb had failed to comply, within the statutory timeframe, with an erasure request and a subsequent access request that the Complainant had submitted to it. The complaint further stated that, when the Complainant submitted their request for erasure, Airbnb requested that they verify their identity by providing a photocopy of their identity document (ID), which they had not previously provided to Airbnb.

The scope of the inquiry concerned an examination and assessment of the following:

  1. Whether Airbnb had a lawful basis for requesting a copy of the Complainant’s ID in order to verify their identity in circumstances where they had submitted a request for erasure pursuant to Article 17;
  2. Whether Airbnb’s handling of the Complainant’s erasure request was compliant with the GDPR and the Act; and
  3. Whether Airbnb’s handling of the Complainant’s access request was compliant with the GDPR and the Act.

As the processing under examination constituted “cross border” processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 of the GDPR and pursuant to Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned for their opinion. As the DPC received no relevant and reasoned objections to the draft decision from the supervisory authorities concerned within the statutory period, the supervisory authorities concerned were deemed to be in agreement with the draft decision of the DPC and are bound by it in accordance with Article 60(6) of the GDPR. The DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR.

The decision, which was adopted on Wednesday, 14 September 2022, records findings of infringement as follows:

  • Article 5(1)(c) of the GDPR

The DPC finds that Airbnb’s requirement that the Complainant verify their identity by way of submission of a copy of their photographic ID constituted an infringement of the principle of data minimisation, pursuant to Article 5(1)(c) of the GDPR. This infringement occurred in circumstances where less data-driven solutions to the question of identity verification were available to Airbnb.

  • Article 6(1) of the GDPR

The DPC finds that, in the specific circumstances of this complaint, the legitimate interest pursued by the controller does not constitute a valid lawful basis under Article 6 of the GDPR for seeking a copy of the Complainant’s photographic ID in order to process their erasure request.

  • Article 12(3) of the GDPR

The DPC finds that Airbnb infringed Article 12(3) of the GDPR with respect to its handling of the Complainant’s access request. This infringement occurred when Airbnb failed to provide the Complainant with information on the action taken on their request within one month of the receipt of the access request.

For more information, you can download the full decision at this link: Inquiry into Airbnb Ireland UC - September 2022 (PDF, 5.5mb).

Inquiry concerning the processing of personal data relating to child users of the Instagram social networking service

The DPC commenced this own-volition inquiry on 21 September 2020, based both on information provided by a third party, and in connection with processing identified by the DPC itself. The scope of inquiry concerned two types of processing carried out by Meta Platforms Ireland Limited (as the data controller of the personal data processed in the context of the Instagram platform), as follows:

1. Meta Platforms Ireland Limited allowed child users between the ages of 13 and 17 to operate ‘business accounts’ on the Instagram platform. At certain times, the operation of such accounts required and/or facilitated the publication (to the world-at-large) of the child user’s phone number and/or email address.

2. At certain times, Meta Platforms Ireland Limited operated a user registration system for the Instagram service whereby the accounts of child users were set to “public” by default, thereby making public the social media content of child users, unless the account was otherwise set to “private” by changing the account privacy settings.

Following a lengthy and comprehensive inquiry, the DPC submitted a draft decision to all Concerned Supervisory Authorities (“CSAs”), for the purpose of Article 60(3) GDPR, in December 2021. The DPC subsequently received objections from six CSAs. The DPC was unable to reach consensus with the CSAs on the subject-matter of the objections and, in the circumstances, decided to refer the objections to the European Data Protection Board (“EDPB”) for determination pursuant to the dispute resolution process provided for in Article 65 GDPR.

The EDPB adopted its binding decision on the subject-matter of the objections on 28 July 2022. That decision required the DPC to amend certain aspects of its decision to, firstly, include a finding of infringement of Article 6(1) GDPR, and, secondly, to reassess its proposed administrative fines on the basis of a number of factors contained in the EDPB’s decision, including a requirement for the DPC to impose an additional administrative fine in respect of the finding of infringement of Article 6(1) GDPR that had been established by the EDPB.

With regard to the processing outlined above, the DPC’s decision, which was adopted on 2 September 2022, records findings of infringement of Articles 6(1), 5(1)(a), 5(1)(c), 12(1), 24, 25(1), 25(2) and 35(1) GDPR.

Corrective Powers Exercised:

The DPC’s decision imposed administrative fines totalling €405 million on Meta Platforms Ireland Limited. In addition to these administrative fines, the DPC also imposed a reprimand and an order requiring Meta Platforms Ireland Limited to bring its processing into compliance by taking a range of specified remedial actions.

For more information, you can download a copy of the full decision at this link: Meta Platform Ireland Limited, formerly Facebook Ireland Limited, and the "Instagram" social media network - September 2022 (PDF, 3.1 MB)

Inquiry into the Pre-Hospital Emergency Care Council

The Data Protection Commission (DPC) commenced this own-volition Inquiry as a result of a monitoring and enforcement exercise carried out pursuant to the tasks of a supervisory authority contained in Article 57 of the GDPR.

The DPC sought to monitor and enforce the application of the GDPR concerning the designation of a Data Protection Officer (DPO) by organisations. The designation of a DPO and related obligations of data controllers are contained in Article 37 of the GDPR. The Pre-Hospital Emergency Care Council was identified as an apparent public sector organisation that may be required to designate a DPO, publish the details of the DPO and communicate them to the DPC as the supervisory authority.

The Pre-Hospital Emergency Care Council (PHECC) was one of many public sector organisations contacted during the monitoring and enforcement exercise. PHECC did not respond to any correspondence issued to it. There was no record in the DPC of the PHECC having communicated its DPO details to the DPC. In addition, there were no contact details for a DPO available on the PHECC website.

This Inquiry was commenced to establish whether the PHECC was required to designate a DPO pursuant to Article 37(1) of the GDPR and whether the PHECC had done so. In addition, the Inquiry sought to establish whether the PHECC infringed Article 37(7) of the GDPR concerning the publication of the DPO contact details and the communication of contact details to the DPC. The Inquiry was also commenced to establish whether the PHECC infringed Article 31 of the GDPR by failing to cooperate, on request, with the DPC in the performance of its tasks.

The Decision found that the PHECC had infringed the following provisions of the GDPR:

  • Article 37(1) of the GDPR, which requires inter alia that public sector controllers designate a data protection officer. The PHECC infringed Article 37(1) by failing to designate a data protection officer for the organisation.
  • Article 37(7) of the GDPR was infringed by the PHECC by failing to publish the contact details of a data protection officer and failing to communicate the contact details to the supervisory authority.
  • Article 31 of the GDPR requires controllers to cooperate with the supervisory authority, on request, when carrying out its tasks pursuant to Article 57 of the GDPR. The PHECC infringed Article 31 of the GDPR by failing to respond to any of the correspondence issued to it via email and registered post, despite acknowledging, during the Inquiry, that the correspondence had been received. The Decision accepted that the failure to cooperate with the DPC was without intent, but noted that it cannot be the case that a public authority or body (or any controller) can fail to answer, in any way, repeated efforts to monitor and enforce the GDPR.

Corrective Powers Exercised:

The Decision issued the Pre-Hospital Emergency Care Council with a reprimand in respect of the infringements of Articles 31, 37(1), and 37(7) of the GDPR.

For more information, you can download a copy of the full decision at this link: Pre-Hospital Emergency Care Council May 2022 (PDF, 1,010 KB).