Case Studies Accuracy
Rectification of personal data
An individual flew with an airline to a destination in Europe. When undertaking their return flight, the individual encountered a situation when their luggage was misplaced. After reporting the issue at the airport, they received a missing luggage slip that contained the name of a different individual but correctly listed the details of their missing luggage.
The individual promptly raised their concerns with the airline, seeking a resolution to ensure their luggage was properly tracked and identified. However, despite the customer’s efforts, the airline was unable to provide a satisfactory resolution, and refused to issue a new ticket reflecting their correct name on the luggage slip. This lack of resolution prompted the individual to escalate the matter further by filing a complaint with the DPC.
In response, the DPC liaised with the airline’s DPO to address the issue of the recording of incorrect personal data. The DPC emphasised the importance of accurate data handling and the implications of data errors on customer experiences. Through this intervention, the DPO worked swiftly to rectify the situation, ensuring that the individual received an updated luggage slip that included their correct name.
This updated slip was crucial for this individual as it allowed them to file a claim with their insurance provider for the lost luggage. The case highlights the importance of effective data management practices and serves as a reminder for organisations to prioritise accurate record-keeping and responsive customer service, especially in situations involving personal belongings.
Case Studies Erasure
Parent making an erasure request for child who is now an adult
A charity contacted the DPC seeking advice on a query they had received from a parent asking whether they could request the erasure of their child’s personal data. The data in question dated back several years when the child was a minor. However, the child was now an adult, and the parent, who was their guardian at the time, wanted to know if they could still request that the data be erased.
The DPC advised the charity that, under section 29 of the Data Protection Act 2018, a child is defined as an individual under the age of 18. This meant that, as the individual was now over 18, they were considered an adult and, therefore, had the full legal capacity to exercise their own data protection rights, including the right to request erasure of their personal data.
The DPC also clarified that while the parent could no longer directly request the erasure of the data on behalf of the now-adult child, the affected individual could choose to provide their parent with a signed letter of authority. This was an option that could be drawn to the attention of the now-adult child and their parent. Such a letter of authority would allow the parent to act on their behalf in making the data erasure request. The DPC reminded the charity that it was their responsibility to verify and ensure that any such request was valid under the circumstances.
The charity thanked the DPC for their response and confirmed that they would share the information with the individual who had initially contacted them. This guidance helped to ensure that both the individual’s rights and the role of the charity were clearly understood, while also acknowledging the potential complexities involved in handling requests from parents of adult children.
Case Studies Electronic Direct Marketing
Direct Marketing
An individual raised a query with the DPC concerning the marketing communication practices of an airline following a recent trip with that airline. The issue arose when the individual received an email requesting feedback on their recent trip, which they perceived to be a marketing email. The individual contacted the DPC advising that they could not find an unsubscribe option in this communication.
In an effort to resolve the issue, the individual had to navigate to the airline’s website to find the option to unsubscribe, a process they documented with an attached screenshot. Additionally, the individual expressed uncertainty about having signed up for this communication, as they noted being careful to avoid giving consent for unwanted marketing. The individual sought clarification on whether organisations are required to include an unsubscribe link in emails or surveys that are not directly related to a specific service, such as a flight.
In response to the individual, the DPC highlighted that, under Regulation 13 of the ePrivacy Regulations (S.I. 336/2011), as a general rule electronic direct marketing requires the affirmative consent of the recipient. Direct marketing can also be defined as communications aimed at promoting a product or service or encouraging additional enquiries from the recipient. The DPC further clarified that correspondence sent solely for informational or feedback purposes does not constitute direct marketing. However, if such communications included marketing content, they could be classified as direct marketing, thus necessitating the inclusion of an unsubscribe option.
In this particular scenario, having reviewed the communication message, the DPC noted that it did not include marketing content and that the organisation was only seeking feedback in order to improve the service offered. As such, the DPC determined that this communication did not constitute direct marketing or an infringement of data protection rights.
Case Studies Miscellaneous
Use of Personal Email in Work
An organisation in the voluntary sector became aware during an internal audit review that, during their employment, an ex-employee had forwarded emails and attachments from their work account to their private email account. The emails contained personal data, including special category health data (Article 9 of the GDPR) relating to a number of vulnerable individuals.
The DPC engaged with the organisation to establish the root cause of this breach and to ascertain what measures the organisation had in place in order to protect the rights and freedoms of the affected data subjects. The organisation carried out an investigation and received assurances from the ex-employee that the personal data had been deleted and was never shared with any third parties, and that they had used their personal email address for convenience in certain circumstances.
The organisation’s Data Protection Officer (DPO) also engaged with the organisation’s Head of IT to examine if technical measures could be implemented to reduce the risk of this issue reoccurring. All affected data subjects were notified and were advised that the DPO was available to assist them should they have any queries.
Following engagement with the DPC, the organisation implemented a number of solutions, both technical and organisational, to prevent this issue from occurring again. The organisation also launched an awareness campaign to remind all staff, volunteers and the Board of Directors of their responsibilities to keep personal data safe and private; and to ensure compliance with the organisation’s Data Protection Policy.
Case Studies Access Request Complaints
Access request redactions
The DPC received a complaint from an individual who had submitted an access request under Article 15 of the GDPR to their former employer (a public health organisation), who provided services in Home Support.
The organisation provided a response to the access request within the statutory period of one month of the date of the receipt of the request. In that response, the organisation had informed the individual that whilst it had endeavoured to comply with the access request, in so far as possible, there were some potential redactions under Article 15(4) of the GDPR that it would be seeking to rely on. The organisation provided the individual with some personal data which contained redactions.
Article 15(4) provides that the right to obtain a copy of personal data undergoing processing should not adversely affect the rights and freedoms of others.
The individual submitted a complaint to the DPC in relation to their concern regarding the organisation’s reliance on Article 15(4) of the GDPR. The individual also indicated their concern that the organisation had not released all the personal data.
The DPC advised the organisation that a balancing of rights exercise needed to be conducted by them to balance the right of access of the individual to their personal data against the identified risk to the third party that may be brought about by the disclosure of the information prior to seeking to rely on said exemption. Under the GDPR, organisations should endeavour to comply with the request insofar as possible whilst also ensuring adequate protection for the rights and freedoms of others.
The DPC engaged with the organisation and requested it to release the personal data records to the individual that it had re-examined. The DPC also requested the organisation to confirm to the individual that it was not withholding any other documents containing personal data relating to them.
The organisation subsequently provided the DPC with a copy of its correspondence addressed to the individual confirming it had now released, in partially redacted format, the personal data records which it had initially withheld. The organisation also confirmed to the individual that it held no further records relating to them. The individual was satisfied that all matters had been sufficiently resolved.
Following the intervention of the DPC, the organisation confirmed to the DPC that it had re-examined the records that it had initially released in fully redacted format, and following the review had released parts of the records, redacting data that was third party data.
Case Studies Access Request Complaints
Incomplete organisational search in response to an Access Request
The DPC received a complaint from an individual who had submitted an access request under Article 15 of the GDPR to a property management company. The individual was seeking access to any personal data processed by the organisation in relation to them. The organisation responded to the access request explicitly stating to the individual that it did not process any personal data in relation to the individual at the time the access request was made or any time before that.
During the assessment stage, the DPC raised queries with the individual regarding their relationship with the organisation in order to establish whether the organisation was a “data processor” or a “data controller” in this instance. Upon a review of the individual’s response and the supporting documentation they provided, the DPC established that the property management company was the appropriate “data controller” in relation to this complaint.
The DPC requested the organisation to provide further details in relation to the searches it carried out to identify any personal data belonging to the individual. In its initial response, the organisation advised that it had conducted a search of its ‘system’ and that the only personal data that could be identified was the initial request made by the individual. The DPC queried the searches completed and requested documentary evidence of the efforts made to locate the individual’s personal data including those conducted in other sections of the organisation.
The organisation responded with a comprehensive outline of the searches undertaken and provided the relevant supporting documentation. The DPC reviewed this correspondence and it subsequently identified three records containing the individual’s personal data (two (2) invoices & one (1) data entry on a software system) which had not been provided to the individual.
Following further engagement between the DPC and the organisation, the three outstanding documents containing the individual’s personal data were provided to the individual.
Case Studies Access Request Complaints
Withholding of records containing personal data
The DPC received a complaint from an individual regarding the withholding of records containing personal data in response to an access request. The individual had made an access request under Article 15 of the GDPR to a financial service provider, following the sale of the individual’s mortgage to the organisation.
The organisation advised that personal data was being withheld from the customer in line with Section 60(3)(b) of the Data Protection Act 2018 (DPA 2018). The organisation stated that “securitisation documents did not constitute [the complainant’s] personal data”.
The DPC informed the organisation as to the definition of personal data under Article 4(1) of the GDPR and that if any of the stated documents being withheld contained the individual’s personal data, clarification would be required as to the reliance on the restrictions applied. The DPC received a response from the organisation confirming that no personal data existed in the securitisation documents with additional reference to a “final response letter” that it issued to the individual. Subsequently, the DPC requested a copy of this “final response letter” and requested a list of alleged outstanding personal data or any further information as to the location of records containing personal data from the individual. The DPC also requested the organisation to outline specifically each record containing personal data being withheld and the legislative basis for doing so.
The organisation initially advised it was relying on sections 60(3) and 60(7) of the DPA 2018 for not releasing the documents. The DPC further probed the restrictions being applied by the organisation. On foot of this engagement, the organisation confirmed to the DPC that it would no longer be relying on any part of Section 60 of the DPA 2018 to withhold the individual’s personal data. In light of the DPC’s intervention, the organisation furnished the individual with their personal data, which had previously been restricted. Following this release of documents, the individual specified the existence of additional personal data and requested copies of mortgage statements from a specific year. The DPC queried this with the organisation, which then released this further personal data to the individual. The DPC determined that the organisation had failed to respond to the access request within the specified timeline under Article 12(3) of the GDPR.
Case Studies Access Request Complaints
Refusal of Access Request of a non-customer
The DPC received a complaint from an individual in relation to an access request made to an internet service provider. According to the individual, they rang the company regarding the possibility of switching broadband services and considered that the level of service received from the customer service agent was unsatisfactory. As a result, they made an access request for a copy of their personal data processed by the company.
In response to the individual’s access request, the company sought further information from the individual including an account number. The individual informed the company they could not supply an account number, as they were not a customer, merely a potential customer enquiring about switching their broadband service. In their response, the company advised the individual that without an account number they could not process the access request. On foot of this response, the individual proceeded to make a complaint to the DPC. Following receipt of this complaint, the DPC corresponded with the internet service provider to ascertain why the access request could not be processed without an account number, and to comply with the individual’s access request.
The company promptly responded to the DPC accepting that the agent who responded to the individual should not have informed them that they could not process the access request. They also outlined that the agent involved did not follow the correct process for dealing with access requests from non-customers, and advised that additional data protection training would be provided to the agent. The company also provided the individual with a copy of their personal data. The individual confirmed that while they did receive a copy of their personal data, the matter was only resolved following the DPC’s intervention.
Case Studies Access Request Complaints
Seeking access to a deceased sibling’s medical records
An individual contacted the DPC inquiring about how to access the medical records of their late sibling, who had tragically passed away as an infant many years previously. Since both parents had also passed away several years ago, the individual was unable to obtain information about the circumstances surrounding the death of their sibling.
The DPC recognises the sensitive nature of such queries and always responds with empathy and respect. In this instance, the individual was informed that, as per Article 4(1) of the GDPR, personal data is defined as “any information relating to an identified or identifiable natural person (data subject).” However, as also outlined in Recital 27 of the GDPR, the law does not apply to the personal data of deceased persons. Notwithstanding the sensitive nature of the query raised, the DPC advised that while the organisation may choose to release the data they were seeking, unfortunately, as outlined above, the DPC could not compel them to do so as there was no obligation on the organisation to do so under the GDPR. As a result, the DPC advised that data protection law could not be engaged in relation to the issue in question, meaning the concerns raised were beyond the DPC’s remit. Unfortunately, this meant the Office could not assist the individual further in this matter.
Case Studies Access Request Complaints
Failure to respond to an Access Request
The DPC received a complaint with regard to an individual who made an access request under Article 15 of the GDPR to a public/state hospital for a copy of all personal information held concerning them. The response from the hospital remained outstanding after more than a month, whereas information provided to the DPC indicated that, due to the health of the individual, this matter required urgent attention.
The DPC contacted the Data Protection Officer for the Hospital Group by phone and email to inform them of the urgency of the complaint, and requested they respond to the individual’s representatives promptly, providing them with a copy of the individual’s personal information as part of the engagement. The hospital followed the instructions from the DPC.
Whilst the hospital acknowledged receipt of the request within one month of its receipt, the personal data the individual was entitled to was only provided to the individual following the intervention of the DPC.