DPC Public Attitudes Survey 2025

19th June 2025

To coincide with the publication of the 2024 Annual Report, the Data Protection Commission has also released the results of an independent Public Attitudes Survey. The survey, which was undertaken as part of a mid-point review of the DPC’s Regulatory Strategy 2022-2027, was conducted in May 2025. ...

DPC announces conclusion of investigation into use of facial matching technology in connection with the Public Services Card by the Department of Social Protection

12th June 2025

The Data Protection Commission (DPC) has today announced its final decision following the conclusion of an inquiry into the Department of Social Protection (DSP). This inquiry, which commenced in July 2021, examined the DSP’s processing of biometric facial templates, and usage of associated facial matching technologies, as part of the registration process for the Public Services Card. ...

Case Studies Transparency

 

Use of employee’s swipe-card data for disciplinary purposes

The complainant in this case was an employee who was the subject of disciplinary proceedings by their employer. An aspect of those proceedings concerned the complainant’s time keeping, and the employer sought to rely on swipe-card data derived from the complainant’s entry into and exit from the workplace during the relevant period. As a result of an internal appeal process, the employer subsequently agreed not to use the data for this purpose and removed it from the complainant’s disciplinary record. However, the complainant asked the DPC to continue its investigation of the complaint.

The DPC’s investigation focused on the data protection principle that data must be obtained and processed fairly. This includes an obligation to give data subjects information, including the purpose or purposes for which the data are intended to be processed.

In this case, the employer had not informed the complainant of the use of swipe-card data for the purpose of disciplinary proceedings. (During the investigation, the employer informed the DPC that the complainant’s case was the only one in which it had used swipe-card data for disciplinary purposes.) Similarly, the employer had not informed the complainant or other employees that swipe-card data collected in the workplace was intended to be used for time-keeping purposes.

The employer had failed to inform the complainant about the use of swipe-card data for time-keeping and disciplinary purposes. The DPC therefore concluded that the employer had not obtained and processed that data fairly.

This case demonstrates the importance of fairness and transparency in protecting data protection rights. Controllers such as employers may have valid legal bases for processing personal data, whether on grounds of performance of contract, legitimate interest or otherwise. However, the principles of data protection set out in Article 5 of the GDPR must be observed regardless of the legal basis that is relied on.

Processing of health data

The complainant was a member of an income protection insurance scheme and had taken a leave of absence from work due to illness. The income protection scheme was organised by the complainant’s employer. In order to claim under the scheme, the complainant was required to attend medical appointments organised by an insurance company. Information relating to the complainant’s illness was shared by the complainant with the insurance company only. However, a third-party company (whose involvement in the claim was not known to the complainant) forwarded information to the complainant’s employer regarding medical appointments that the complainant was required to attend. The information included the area of specialism of the doctors in question.

It was established that the insurance company was the data controller as it controlled the contents and use of the complainant’s personal data for the purposes of managing and administering the complainant’s claim under the insurance scheme. The data in question included details of the complainant’s illness, scheduled medical appointments and proposed treatment and was deemed to be personal data because the complainant could be identified from it and it related to the complainant as an individual.

During the course of the investigation, the data controller argued that the complainant had signed a form, which contained a statement confirming that the complainant gave consent to the data controller seeking information regarding the complainant’s illness. When asked by the DPC to clarify why it had shared the information regarding the complainant’s medical appointments with the third-party company (who was the broker of the insurance scheme), the data controller advised it had done so to update the broker and to ensure that matters would progress swiftly.

The data controller stated it had a legislative obligation to provide the complainant with certain information, in particular that the data controller was obliged to inform the complainant as to the recipients or categories of recipients of the complainant’s personal data. The DPC pointed out that, while the data controller had notified the complainant that it might seek personal data relating to them, it had failed to provide sufficient information to the complainant as regards the recipients of the complainant’s personal data.

Data protection legislation also requires that data, which are kept by a data controller, be adequate, relevant and limited to what is necessary in relation to the purposes for which the data were collected. The DPC examined the reason given by the data controller for disclosing information about the nature of the complainant’s medical appointments (i.e. to update the broker and to ensure matters progressed smoothly). The DPC was of the view that it was excessive for the data controller to disclose information regarding the specific nature of the medical appointments, including the specialisms of the doctors in question, to the third-party company.

The DPC pointed out that, under data protection legislation, data concerning health is afforded additional protection. The DPC was of the view that, because the information disclosed by the data controller included details of the specialisms of the doctors involved, it indicated the possible nature of the complainant’s illness and thus benefitted from that additional protection.

The DPC confirmed that, because of the additional protection, there was a prohibition on processing the data in question, unless one of a number of specified conditions applied. For example (and of relevance here), the personal data concerning health could be legally processed if the complainant’s explicit consent to the processing was provided to the data controller. The DPC then considered whether the complainant signing the claim form (containing the paragraph about consent to the data controller seeking information, as described above) could be said to constitute explicit consent to the processing (disclosure) of the information relating to the complainant’s medical appointments. The DPC noted that it could be said that the complainant’s explicit consent had been given to the seeking of such information by the data controller. However, the complainant had not given their explicit consent to the giving of such information by the data controller to third parties. On this basis, the DPC held that a further contravention of the legislation had been committed by the data controller in this regard.

Under Article 13 of the GDPR, where personal data are collected from a data subject, the data controller is required to provide the data subject with certain information at the time the personal data are obtained, such as the identity and contact details of the data controller and, where applicable, its Data Protection Officer, the purpose and legal basis for the processing and the recipients of the data, if any, as well as information regarding the data subject’s rights. This information is intended to ensure that personal data are processed fairly and transparently. Where the personal data have been obtained otherwise than from the data subject themselves, additional information is required to be provided to the data subject under Article 14 of the GDPR. This information must be given in a concise, transparent, intelligible and easily accessible form.

Additionally, the data minimisation principle under Article 5(1)(c) requires that personal data be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This means that the period for which personal data are stored should be limited to a strict minimum and that personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.

Finally, data controllers should note that personal data concerning health is considered a “special category of personal data” under Article 9 of the GDPR and is subject to specific rules, in recognition of its particularly sensitive nature and the particular risk to the fundamental rights and freedoms of data subjects which could be created by the processing of such data. The processing of medical data is only permitted in certain cases as provided for in Article 9(2) of the GDPR and sections 45 to 54 of the Data Protection Act 2018, such as where the data subject has given explicit consent to the processing for one or more specified purposes.

Reliance on consent in the use of child’s photograph in the form of promotional material by a State Agency

We received a complaint from a parent in respect of their child. The parent had attended a festival organised by a state agency with their child, where a professional photographer took the child’s photograph. The following year the state agency used this photograph in promotional material. The child’s parent, while accepting that they had conversed with the photographer, had understood at the time of the photograph that they would be contacted prior to any use of the image.

During the investigation, the state agency indicated that it had relied upon consent pursuant to section 2A(1)(a) of the Acts as the photographer had obtained verbal permission from the child’s parent. However, the state agency also accepted that it was not clear to the child’s parent that the image would be used for media/PR purposes. The state agency further accepted that the parent was not adequately informed regarding the retention of the image. The DPC welcomed the state agency’s indications that it would immediately review its practices and procedures.

In conclusion, the DPC found that the state agency had not provided the child’s parent with adequate information in order to consent to the processing of the image used in promotional material.

Provision of CCTV footage by a bar to an employer

We received a complaint against a city-centre bar, alleging that it had disclosed the complainant’s personal data, contained in CCTV footage, to his employer without his knowledge or consent and that it did not have proper CCTV signage notifying the public that CCTV recording was taking place.

During our investigation, we established that a workplace social event had been hosted by an employer organisation in the bar on the night in question. The complainant was an employee of that organisation and had attended the workplace social event in the bar. An incident involving the complainant and another employee had taken place in the context of that workplace social event and there was an allegation of a serious assault having occurred. An Garda Síochána had been called to the premises on the night in question and the incident had been reported for a second time by the then manager and headwaiter to the local Garda station the following day. We established that the employer organisation had become aware of the incident and had contacted the bar to verify the reports it had received. Ultimately the bar manager had allowed an HR officer from the employer organisation to view the CCTV footage on the premises. The HR officer, upon viewing the CCTV footage, considered it a serious incident and requested a copy of the footage so that the employer organisation could address the issue with the complainant. The bar manager allowed the HR officer to take a copy of the footage on their mobile phone as the footage download facility was not working.

The Data Protection Commission (DPC) considered whether there was a legal basis, under the grounds of the ‘legitimate interests’ of the data controller or a third party under Section 2A(1)(d) of the Acts, for the bar to process the complainant’s personal data by providing the CCTV footage to the employer organisation. This provision allows for the processing that is ‘necessary for the purposes of the legitimate interests pursued by the data controller or by a third party or parties to whom the data are disclosed except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject’.

In its analysis of this case, the DPC had regard to the judgment of the CJEU in the Riga regional security police case in which the CJEU had considered the application of Article 7(f) of the Data Protection Directive (95/46/EC) on which Section 2A(1)(d) of the Acts is based, and identified three conditions that the processing must meet in order to justify the processing as follows:

  1. There must be the existence of a legitimate interest justifying the processing;
  2. The processing of the personal data must be necessary for the realisation of the legitimate interest; and
  3. That interest must prevail over the rights and interests of the data subject.

The DPC established during its investigation that, arising from the incident in question, there was an allegation of a serious assault committed by the complainant against a colleague and the bar had provided a copy of the CCTV footage to the complainant’s employer so that the employer could properly investigate that incident and the allegations made. The DPC took into account that as the incident had occurred during the employer organisation’s workplace social event, the employer might have been liable for any injuries to any employee that could have occurred during the incident. Accordingly, the CCTV was processed in furtherance of the employer organisation’s obligation to protect the health and safety of its employees. As the CJEU has previously held that the protection of health is a legitimate interest, the DPC was satisfied that there was a legitimate interest justifying the processing. The DPC also considered that the disclosure of the CCTV in this instance was necessary for the legitimate interests pursued by the employer organisation so that it could investigate and validate allegations of wrongdoing against the complainant. The DPC considered, in line with the comments of Advocate General Bobek in the Riga regional security police case, that it was important that data protection is not utilised in an obstructive fashion where a limited amount of personal data is concerned. In these circumstances, the DPC considered that it would have been unreasonable to expect the bar to refuse a request by the employer organisation to view and take a copy of the CCTV footage, against a backdrop of allegations of a serious assault on its premises, especially where the personal data had been limited to the incident in question and had not otherwise been disclosed.

On the question of balancing the interest of the employer organisation against the complainant’s rights and interests, the DPC had primary regard to the context of the processing, where the bar had received a request for the viewing and provision of a serious incident on its premises, which it had deemed grave enough to report to An Garda Síochána. A refusal of the request might have impeded the full investigation of an alleged serious assault, and the employer organisation’s ability to protect the health and welfare of its employees. Accordingly, the DPC considered that it was reasonable, justifiable and necessary for the bar to process the CCTV footage by providing it to the employer organisation, and that the legitimate interest of the employer organisation took precedence over the rights and freedoms of the complainant, particularly given that the processing did not involve sensitive personal data and there had not been excessive processing.

On the facts, the DPC was also satisfied that the bar currently had adequate signage alerting patrons to the use of CCTV for the purpose of protecting staff and customers and preventing crime, and that in the absence of any evidence to the contrary offered by the complainant, the complainant had been on notice of the use of CCTV at the time in question.

In many of the complaints that the DPC handles, data subjects hold the mistaken belief that because they have not consented to the processing of their personal data, it is de facto unlawful. However, there are a number of legal bases other than consent that justify processing depending on the particular circumstances. With regard to the legitimate interests justification, the DPC will rigorously interrogate whether the circumstances of the processing satisfy the elements that the CJEU has indicated must be present for controllers to rely on this legal basis. Equally, however, the DPC emphasises that where the circumstances genuinely meet the threshold required for this justification, as per the sentiment of Advocate General Bobek of the CJEU, protection of personal data should not disintegrate into obstruction of genuine legitimate interests by personal data.