Decision concerning Twitter International Company
A complaint was lodged directly with the DPC on 02 July 2019 against Twitter International Company (“Twitter”), and accordingly was handled by the DPC in its role as lead supervisory authority.
The complainant alleged that, following the suspension of their Twitter account, Twitter failed to comply with an erasure request they had submitted to it within the statutory timeframe. Further, the complainant alleged that Twitter had requested a copy of their photographic ID in order to action their request without a legal basis to do so. Finally, the complainant alleged that Twitter had retained their personal data following their erasure request without a legal basis to do so.
While the complaint was lodged directly with the DPC by an individual who resides in the UK, the DPC considered that the nature of the data processing operations complained of was such that they substantially affect, or are likely to substantially affect, not only the specific data subject based in the UK who made the complaint but, more generally, data subjects across the EU who may be subject to a suspension of their account and wish to make an erasure request. Therefore, the DPC concluded that the type of processing complained of is processing which meets the definition of cross-border processing under Article 4(23)(b) of the GDPR.
Following intervention by the DPC, Twitter complied with the complainant’s erasure request without the need to provide a copy of their ID. However, the DPC notes that Twitter failed to comply with the erasure request submitted by the complainant within the statutory timeframe.
The decision-making followed the procedure set out in Article 60 of the GDPR for cross-border processing. The procedure included an examination of the complaint by the DPC, including an attempt to amicably resolve the complaint; a Draft Decision circulated amongst the Concerned Supervisory Authorities; the DPC’s careful consideration of each relevant and reasoned objection received (in this case the DPC followed certain of those objections); a Revised Draft Decision circulated amongst the Concerned Supervisory Authorities; the adoption of the Final Decision; and finally informing the complainant of the decision.
In its decision the Data Protection Commission found that Twitter infringed the General Data Protection Regulation as follows:
- Article 5(1)(c) of the GDPR, as the DPC found that Twitter’s requirement that the complainant verify his identity by submitting a copy of his photographic ID infringed the principle of data minimisation.
- Article 6(1) of the GDPR, as the DPC found that Twitter had not identified a valid lawful basis under Article 6(1) for seeking a copy of the complainant’s photographic ID in order to process his erasure request.
- Article 17(1) of the GDPR, as there was an undue delay in handling the complainant’s request for erasure.
- Article 12(3) of the GDPR, as Twitter failed to inform the data subject within one month of the action taken on his erasure request under Article 17 of the GDPR.
In light of the extent of the infringements, the DPC issued a reprimand to Twitter, pursuant to Article 58(2)(b) of the GDPR. Further the DPC ordered Twitter, pursuant to Article 58(2)(d), to revise its internal policies and procedures for handling erasure requests to ensure that data subjects are no longer required to provide a copy of photographic ID when making data erasure requests, unless it can demonstrate a legal basis for doing so.
For more information, you can download a copy of the full decision at this link: Twitter International Company April 2022 (PDF, 9.0 MB).
Inquiry concerning 12 Facebook personal data breaches
The DPC has adopted a decision, imposing a fine of €17 million on Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) (“Meta Platforms”).
The decision followed an inquiry by the DPC into a series of 12 data breach notifications it received in the six-month period between 7 June 2018 and 4 December 2018. The inquiry examined the extent to which Meta Platforms complied with the requirements of GDPR Articles 5(1)(f), 5(2), 24(1) and 32(1) in relation to the processing of personal data relevant to the twelve breach notifications.
As a result of its inquiry, the DPC found that Meta Platforms infringed Articles 5(2) and 24(1) GDPR. The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures, which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.
Given that the processing under examination constituted “cross-border” processing, the DPC’s decision was subject to the co-decision-making process outlined in Article 60 GDPR, and all of the other European supervisory authorities were engaged as co-decision-makers. While objections to the DPC’s draft decision were raised by two of the European supervisory authorities, consensus was achieved through further engagement between the DPC and the supervisory authorities concerned. Accordingly, the DPC’s decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU.
For more information, you can download a copy of the full decision at this link: Meta Platforms Ireland Limited (formerly known as Facebook Ireland Limited) - March 2022 (PDF, 1,480 KB).
Inquiry into Bank of Ireland Group plc
This inquiry was commenced in respect of 22 personal data breach notifications that Bank of Ireland Group plc (“BOI”) made to the Data Protection Commission (“DPC”) between 9 November 2018 and 27 June 2019. The notifications related to the corruption of information in BOI’s data feed to the Central Credit Register (“CCR”), a centralised system that collects and securely stores information about loans. The incidents included unauthorised disclosures of customer personal data to the CCR and accidental alterations of customer personal data on the CCR.
The decision considered as a preliminary issue whether the incidents met the definition of a “personal data breach” under the GDPR, and found that 19 of the incidents reported did meet this definition.
The decision found infringements of the following provisions of the GDPR:
- Article 33 of the GDPR, which requires controllers to report personal data breaches to the DPC in certain circumstances, was infringed by BOI in respect of 17 of the incidents reported. The infringements varied in respect of each personal data breach. In a number of incidents, Article 33(1) was infringed by BOI’s failure to report the personal data breach without undue delay. Article 33(3) was also infringed by BOI’s failure to provide sufficient detail to the DPC in respect of some personal data breaches;
- Article 34 of the GDPR, which requires controllers to report personal data breaches to data subjects in certain circumstances, was infringed by BOI in respect of 14 of the incidents reported. The infringements concerned a failure by BOI to issue communications to data subjects without undue delay in circumstances where the personal data breaches were likely to result in a high risk to the data subjects’ rights and freedoms; and
- Article 32(1) of the GDPR was infringed by BOI by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of customer data in transferring information to the CCR.
The corrective powers exercised
- The decision imposed administrative fines on BOI for the infringement of Article 32(1) of the GDPR and certain of the infringements of Articles 33 and 34 of the GDPR. The total amount of administrative fines imposed was €463,000.
- The decision ordered BOI to bring its processing into compliance with Article 32(1) of the GDPR by ordering it to make certain changes to its technical and organisational measures.
- The decision issued BOI with a reprimand in respect of all of the infringements of Articles 33, 34 and 32(1) of the GDPR identified in the decision.
For more information, you can download a copy of the full decision at this link: Bank of Ireland Group plc March 2022 (PDF, 1,457 KB).
Inquiry into a Consultancy Provider
This inquiry was commenced in respect of a personal data breach that the Personal Injuries Assessment Board (‘PIAB’) reported to the Data Protection Commission on 10 December 2019. PIAB is an independent statutory body that deals with personal injury claims. The personal data breach occurred when a Consultancy Provider sent an unencrypted USB storage device containing personal data to PIAB, despite PIAB expressly stating that the data was not to be sent. The Inquiry considered whether the Consultancy Provider had complied with its obligation to implement an appropriate level of security under Article 32 GDPR.
- The decision found that the Consultancy Provider had infringed Article 32(1) GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of personal data.
The corrective powers exercised
- The decision issued the Consultancy Provider with a reprimand in respect of the infringement.
For more information, you can download a copy of the full decision at this link: A Consultancy Provider January 2022 (PDF, 947 KB).
Inquiry into the Personal Injuries Assessment Board
This inquiry was commenced in respect of a personal data breach that the Personal Injuries Assessment Board (‘PIAB’) notified to the DPC on 10 December 2019. PIAB is an independent statutory body that deals with personal injury claims. The personal data breach occurred when a third party organisation (‘the Third Party’) contracted by PIAB returned materials containing personal data to PIAB on an unencrypted USB key in a paper envelope; the USB key was ultimately lost in the post, with only a ripped envelope delivered to PIAB.
The Inquiry considered whether PIAB had complied with its obligation to implement an appropriate level of security under Article 32 GDPR. The Inquiry established that PIAB had requested in advance that the Third Party not send the personal data to PIAB. In those circumstances, the Decision found that PIAB could not possibly have foreseen that, without consultation with it, the Third Party would post an unencrypted USB storage device in an unpadded envelope by ordinary (not registered) post.
The corrective powers exercised
- No corrective powers were exercised by the Data Protection Commission in this instance because no provision of the GDPR was found to have been infringed by PIAB.
For more information, you can download a copy of the full decision at this link: Personal Injuries Assessment Board January 2022 (PDF, 628 KB).
Inquiry into Slane Credit Union
This inquiry was commenced in respect of a personal data breach that Slane Credit Union notified to the DPC on 30 November 2018. Slane Credit Union was established on 16 February 1968 as a member of the Irish League of Credit Unions. It is regulated by the Central Bank of Ireland under section 84 of the Credit Union Act 1997. The personal data breach related to an unauthorised disclosure of personal data in the form of an unintended publication of member data on the internet. Certain board reports relating to membership enquiries stored within the Slane Credit Union website inadvertently became publicly available through search engine results for a period in 2018. According to Slane Credit Union, this incident occurred due to an update to a search engine optimisation tool installed on the website that Slane Credit Union had not anticipated.
The decision found infringements of the following provisions of the GDPR:
- Articles 5(1)(f) and 32(1) were infringed by Slane Credit Union by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of the personal data of its members;
- Articles 24 and 30(1) were infringed by Slane Credit Union by failing to implement organisational measures that took account of the nature, scope, context and purposes of its processing, and by failing to include all appropriate information in its record of processing; and
- Article 28(1) and (3) were infringed by Slane Credit Union by failing to conduct due diligence on its processor and by failing to put in place an agreement with its processor that met the requirements of Article 28(3) of the GDPR.
The corrective powers exercised
- The decision imposed an administrative fine on Slane Credit Union in the amount of €5,000 in respect of the infringement of Article 5(1)(f) of the GDPR (principle of security of processing).
- The decision issued Slane Credit Union with a reprimand in respect of all of the infringements.
For more information, you can download a copy of the full decision at this link: Slane Credit Union January 2022 (PDF, 898 KB).
Inquiry into Limerick City and County Council
This inquiry sought to assess whether Limerick City and County Council was processing personal data in compliance with the GDPR and the Data Protection Act 2018. The inquiry examined a number of the Council’s processing operations, including its use of CCTV cameras, Automatic Number Plate Recognition technology and drones in public places, which were used for the purposes of prosecuting crime and for other purposes.
The findings made in the decision include:
- The Council has no lawful basis for the processing of personal data by CCTV cameras for traffic management purposes.
- The Council lacked a lawful basis for a number of CCTV cameras used for the purposes of countering crime, on account of failing to demonstrate that it had obtained a Garda Commissioner authorisation pursuant to section 38(3) of the Garda Síochána Act 2005 which was sufficiently clear, precise and foreseeable, as required by the GDPR.
- The Council lacked a lawful basis to carry out surveillance with CCTV cameras which employed Automatic Number Plate Recognition technology.
- The Council infringed Article 15 of the GDPR by rejecting subject access requests in respect of CCTV cameras used for traffic management purposes.
- The Council did not fulfil its transparency obligations under Article 13 by failing to erect signage in respect of its CCTV processing operations.
- The Council infringed Article 12 of the GDPR by failing to make its CCTV Policy more easily accessible and transparent.
The corrective powers exercised
- A temporary ban on the processing of personal data with CCTV cameras at a number of locations used for the purposes of criminal law enforcement until a legal basis can be identified.
- A temporary ban on the processing of personal data with CCTV cameras used for traffic management purposes until a legal basis can be identified.
- An order to Limerick City and County Council to bring its processing of personal data into compliance taking certain actions specified in the decision.
- A reprimand in respect of a number of Limerick City and County Council’s infringements.
- An administrative fine of €110,000.
For more information, you can download a copy of the full decision at this link: Inquiry into Limerick City and County Council December 2021 (PDF, 1,622 KB).
Inquiry into the Teaching Council
This inquiry was commenced in respect of a personal data breach that the Teaching Council (the Council) notified to the DPC on 9 March 2020. The Council is the professional standards body for the teaching profession and its purpose is to promote and regulate professional standards in teaching.
The personal data breach occurred when a phishing email was accessed by two staff members of the Council, allowing for the creation of an auto-forward rule from their email accounts to a malicious email account. As a result, between 17 February 2020 and 6 March 2020, when the auto-forward rule was discovered, 323 emails were forwarded to the unauthorised external email address. The emails contained the personal data of 9,735 data subjects and the sensitive personal data of one data subject.
- The decision found that the Council infringed Article 5(1) and Article 32(1) of the GDPR between 25 May 2018, when the GDPR came into application, and the dates of the personal data breaches, by failing to process personal data in a manner that ensured the appropriate security of the personal data using appropriate technical and organisational measures.
- The decision found that the Council infringed Article 33(1) of the GDPR by failing to notify the DPC of the personal data breach(es) when it ought to have been aware of them.
The corrective powers exercised
- The decision imposed an administrative fine on the Council in the amount of €60,000 in respect of the infringements.
- The decision issued the Council with a reprimand in respect of the infringements.
- With due regard to the measures already implemented by the Council since the personal data breach and during the inquiry, a date of 2 June 2022 was given to the Council to bring its processing operations into compliance with Articles 5(1) & 32(1) of the GDPR.
For more information, you can download a copy of the full decision at this link: Inquiry into the Teaching Council December 2021 (PDF, 1 MB).
Inquiry into MOVE (Men Overcoming Violence) Ireland
This inquiry was commenced in respect of a personal data breach that MOVE notified to the DPC on 3 February 2020. MOVE is a registered charity which works in the area of domestic violence, with a primary aim of supporting the safety and wellbeing of women and their children who are experiencing, or have experienced, violence/abuse in an intimate relationship. MOVE does this by facilitating men (participants) in weekly group sessions with a facilitator, encouraging them to take responsibility for their violence and to change their attitude and behaviour. The personal data breach concerned the loss of eighteen SD Cards that may have contained recordings of group sessions of MOVE’s programme in which participants discuss their behaviour and attitudes with regard to domestic violence with a facilitator. Whilst the recording of group sessions focused on the delivery of sessions by the facilitators, some of the participants may have been seen and heard in the recordings; furthermore, the personal data on the SD Cards included participants’ disclosure of behaviours, feelings and attitudes towards current or ex-partners, other family members and friends, who may have been named by the participants. MOVE submitted that 80 to 120 men may have been affected by this personal data breach, as well as at least one facilitator per recorded session.
- The decision found that MOVE infringed Articles 5(1)(f) and 32(1) of the GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing by means of recording group sessions on SD Cards containing participants’ and facilitators’ personal data.
The corrective powers exercised
- The decision issued MOVE with a reprimand in respect of the infringements.
- The decision ordered MOVE to bring its processing by means of recording group sessions on SD Cards into compliance with Articles 5(1)(f) and 32(1) of the GDPR.
- The decision imposed an administrative fine on MOVE in the amount of €1,500 in respect of the infringements.
For more information, you can download a copy of the full decision at this link: MOVE Ireland August 2021 (PDF, 649 KB).
Decision concerning WhatsApp Ireland Ltd
This inquiry, which was commenced by the Data Protection Commission (DPC) on 10 December 2018, examined whether WhatsApp Ireland Ltd had discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service. This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies.
Articles 60 & 65 of the GDPR
Following a lengthy and comprehensive investigation, the DPC submitted a draft decision to all Concerned Supervisory Authorities (CSAs) under Article 60 GDPR in December 2020. The DPC subsequently received objections from eight CSAs. The DPC was unable to reach consensus with the CSAs on the subject matter of the objections and triggered the dispute resolution process (Article 65 GDPR) on 3 June 2021.
Reassessment following EDPB binding decision
On 28 July 2021, the European Data Protection Board (EDPB) adopted a binding decision and this decision was notified to the DPC. This decision contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB's decision. Following this reassessment, the DPC imposed a fine of €225 million on WhatsApp.
In addition to the imposition of an administrative fine, the DPC also imposed a reprimand along with an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions.
The EDPB has published the Article 65 decision and the final decision on its website: Binding decision 1/2021 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding WhatsApp Ireland under Article 65(1)(a) GDPR.
For more information, you can download a copy of the full decision at this link: WhatsApp Ireland Ltd. 2021 (PDF, 18.4 MB).