Case Studies Purpose Limitation

 

Processing of Special Category Data

This complaint concerned the processing of the complainant’s personal data (in this case, details about the nature of the complainant’s medical condition) by his employer, for the purpose of administering the complainant’s sick leave and related payments. In particular, the complainant raised concerns regarding the sharing of his medical records by the data controller (the employer), including with staff at the local office of the data controller where the complainant worked. The complainant highlighted his concerns to a senior official in the organisation. However, the view of the senior official was that the minimum amount of information necessary had been shared.

When a person’s personal data is being processed by a data controller, there are certain legal requirements that the data controller must meet. Of particular relevance to this complaint are the obligations (1) to process personal data fairly; (2) to obtain such data for specific purposes and to not further process it in a manner that is incompatible with those purposes; (3) that the data be relevant and adequate and the data controller not process more of it than is necessary to achieve the purpose for which it was collected; and (4) to maintain appropriate security of the personal data. As well as the rules that apply when personal data is being processed, because the personal data in this case concerned medical information (which is afforded even more protection under data protection legislation), there were additional requirements that had to be met by the data controller.

It was considered that the initial purpose of the processing of this personal data by the data controller was the administration of a statutory illness payment scheme. This office also found that the further processing of the complainant’s personal data for the purpose of managing employees with work-related stress or long-term sick leave and the monitoring of sick pay levels was not incompatible with the purpose for which the data was initially collected. Moreover, the DPC concluded that processing for the purpose of managing work-related stress and long-term sick leave and monitoring sick pay was necessary for the performance of a contract to which the data subject was a party, for compliance with a legal obligation to which the controller was subject, and for the purpose of exercising or performing a right or obligation which is conferred or imposed by law on the data controller in connection with employment.

It was, however, considered that the data processed by the local HR office (that is, the specific nature of the complainant’s medical illness) was excessive for the purpose of managing long-term sick leave and work-related stress leave and for monitoring sick-pay levels. Moreover, the DPC concluded that, on the basis that excessive personal data was disclosed by the shared services provider to the local HR office and further within that office, the level of security around the complainant’s personal data was not appropriate. Finally, it was considered that, in these circumstances, the data controller did not process the complainant’s personal data fairly. Therefore, the data controller was found to have contravened its data protection obligations.

 

Key Takeaway

  • Under the GDPR, special category personal data (such as health data) must be processed fairly in line with Article 5(1)(a).
  • It must be collected for a specified, explicit and legitimate purpose and not further processed in a manner incompatible with those purposes in line with Article 5(1)(b).
  • It may be processed only in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, in line with Article 5(1)(f).
  • When processing special category data, controllers need to be conscious of the additional requirements set out in Article 9 of the GDPR.

Use of CCTV in the workplace

We received a complaint that concerned the use of CCTV cameras by the data controller in the complainant’s work premises, and the viewing of that CCTV footage (which contained personal data of the complainant, consisting of, among other things, images of the complainant) for the purpose of monitoring the complainant’s performance in the course of his employment with the data controller.

At the time of the complaint, the data controller had a CCTV policy in place, which stated that the reason for the CCTV system was for security and safety. This was also stated on signage in place in areas where the CCTV cameras were in operation. The facts indicated that the purposes for which the complainant’s personal data was initially collected were security and safety. However, during a meeting with the complainant, a manager informed the complainant that CCTV footage containing the complainant’s personal data had been reviewed solely for the purposes of monitoring the complainant’s performance in the course of the complainant’s employment with the data controller. This purpose was not one of the specified purposes of processing set out in the CCTV policy and signage. The controller acknowledged that the use of the complainant’s personal data in this way was a contravention of its policies.

Where personal data is processed for a purpose that is different from the one for which it was collected, the purposes underlying such further processing must not be incompatible with the original purposes. In relation to the use of the complainant’s personal data, the purpose of monitoring their performance was separate and distinct from the original purposes of security and safety for which the CCTV footage was collected. On that basis, the processing of the complainant’s personal data contained in the CCTV footage for the purpose of monitoring performance was further processing for a purpose that was incompatible with the original purposes of its collection.

A further issue arose regarding the security around the manner in which the CCTV system and CCTV logs were accessed. In written responses to the DPC, the controller stated that, at the time of the complaint, access to CCTV footage was available on a standalone PC in the department, which did not require log-in information. The responses from the controller indicated that access to CCTV footage was not logged either manually or automatically. The absence of an access log for the CCTV footage was a deficiency in data security generally. Data controllers must implement appropriate security and organisational measures, in line with Article 32 of the GDPR, in relation to conditions around access to personal data.

The CCTV policy has since been substantially revised and replaced by a new policy. The controller confirmed that the PC utilised has now been deactivated and removed. Access to CCTV recordings is now limited to a single individual in the specific unit and recordings are reviewed only in the event of a security incident or accident.

Of particular relevance in this type of situation are the obligations to process personal data fairly (Article 5(1)(a)), and to obtain such data for specific purposes and not further process it in a manner that is incompatible with those purposes (Article 5(1)(b)). Further, appropriate security measures should be in place to ensure the security of the personal data (Article 5(1)(f) and Article 32).

Case Studies Objection to Processing

 

Fair processing of personal data (Applicable Law — GDPR & Data Protection Act 2018)

A data subject issued a complaint to the Data Protection Commission (DPC) against their employer (data controller) regarding the processing of their personal data under the General Data Protection Regulation (GDPR). The data subject explained to the DPC that details of a confidential matter were given to a third party (a prospective employer) as part of a reference. Before contacting the DPC, the data subject contacted the data controller to address their concerns, as they felt their personal data had been unlawfully processed; however, they did not receive a satisfactory response to their complaint.

The DPC notes that the provision of a reference about a staff member from a present/former employer, to a third party, such as a prospective employer, will generally involve the disclosure of personal data. The data subject mentioned that the data controller disclosed a confidential matter in the reference provided to the prospective employer.

As part of its examination, the DPC engaged with the data controller and shared the details of the data subject’s complaint. The data controller responded to the DPC and explained that it was relying on consent and legitimate interest for disclosing the confidential matter.

The data controller outlined that, in balancing the data subject’s rights against the interests of the third party (and those to whom it provides care), it determined that it had a duty of care to ensure that the recipient of the reference (prospective employer) received a reference which was true, accurate, fair and relevant to the role which the data subject had applied for. The data controller was satisfied that the data was processed fairly and in a transparent manner. It further stated that, due to the nature of the employment, it had a duty of care not only to the people they support, the staff members, but also to prospective employers who provide support services to the same category of clients.

It is important to consider whether the status of the data controller, the applicable legal or contractual obligations (or other assurances made at the time of collection) could give rise to reasonable expectations of stricter confidentiality and stricter limitations on further use. The DPC has taken into consideration whether the data controller could have achieved the same result without disclosing the confidential details to the prospective employer. The statements made in the reference were based on facts, which could be proven and were necessary to achieve the legitimate interests of and the duty of care of the data controller’s clients.

The DPC is satisfied that, despite the duty of confidence, and in circumstances where the data subject nominated the data controller to provide the reference, and thus consented to the sharing of the data subject’s relevant personal data with a prospective employer, the prospective employer’s legitimate interest and the wider public interest justify the disclosure of the confidential matter.

Having examined the matter thoroughly, under section 109(5)(c) of the 2018 Act the DPC advised the data subject that the explanation put forward by the data controller in the circumstances of this complaint was reasonable and no unlawful processing had occurred. Accordingly, no further action against the data controller was considered necessary in relation to the data subject’s complaint.

Unlawful processing of special category data

A data subject issued a complaint to the Data Protection Commission (DPC) against their employer (data controller) regarding the processing of their health data under Article 9 of the General Data Protection Regulation (GDPR). The data subject explained to the DPC that they had been signed off work by their GP and so presented their medical certificate to their employer, in an envelope addressed to the organisation’s Medical Officer. A staff member in an acting-up manager role opened the medical certificate; however, this person’s role was not as a medical officer. Before contacting the DPC, the data subject contacted their employer to address their concerns, as they felt their sensitive personal data had been unlawfully processed; however, they did not receive a response to their complaint.

As part of its examination, the DPC engaged with the data controller and shared the details of the data subject’s complaint. The data controller responded to the DPC and explained that, as per their organisation’s Standard Operating Procedures, as there was no medical officer on duty on the day in question, the responsibility and authority for granting leave, sick or otherwise, automatically falls to the manager on the day, who in this instance was the manager who processed the medical certificate. The data subject did not accept the explanation provided by the data controller and contended that a medical certificate should not be processed by anyone who is not the designated medical officer.

Through its examination, the DPC found that, under Articles 6(1)(b), (c), (f) and 9(2)(b) of the GDPR the data controller had legitimate bases to process the data subject’s sensitive personal data under the GDPR and so no unlawful processing had occurred. No further action against the data controller was considered necessary in relation to the data subject’s complaint.

Unlawful processing and disclosure of special category data

A data subject submitted a complaint to the Data Protection Commission (DPC) against their bank (the data controller) as they believed their personal data was processed unlawfully. The data subject explained that they held a mortgage with the data controller, and this mortgage was sold to another bank, as part of a loan sale agreement. The data subject complained that this sale was processed without their prior knowledge or consent and was specifically concerned about the data controller sharing their personal email address and mobile phone number with another bank, as they deemed this an excessive disclosure of personal data. While the data subject did not object to their name, address or landline number being shared, they believed their email address and mobile phone number were “sensitive” personal data and the disclosure of same was disproportionate.

Prior to contacting the DPC, the data subject engaged with the data controller directly regarding their complaint. The data controller responded to the data subject and advised that their lawful basis for processing their personal data was Article 6(1)(f) of the General Data Protection Regulation (GDPR) which states: “Processing is necessary for the purposes of the legitimate interests pursued by the controller.”

Upon commencing their examination, the DPC shared the data subject’s complaint with the data controller and requested a detailed response. The data controller informed the DPC that their Data Privacy Notice, a copy of which is provided to their customers, details that the data controller may sell assets of the company in order to manage their business. This is also further detailed in the loan offer letter to mortgage applicants.

In relation to the sharing of excessive personal data, the data controller outlined that they do not consider an email address or a mobile phone number to be sensitive information, nor do they fall under special categories of personal data under Article 9 of the GDPR. The DPC advised that while consent is one of six lawful bases for processing personal data, it is lawful to process personal data without prior consent once one of the five other bases, which are listed in Article 6 of the GDPR, is met. In this instance the data controller was relying on Article 6(1)(f) and as such, they are required to conduct a balancing test to ensure that the legitimate interests that are pursued by the controller are not overridden by the interests, rights, or fundamental freedoms of the data subject. The data controller confirmed to the DPC that they had conducted a balancing test and it was confirmed that the processing of personal data, in this instance, did not override the interests, rights or fundamental freedoms of the data subject.

The data controller further explained that it was necessary for the data controller to share the data subject’s contact information with the other bank as they were the new data controllers for the data subject’s loan. The data controller also clarified that they do not differentiate between different types of contact information, i.e. landline and mobile numbers, as this information was provided to the data controller for the purpose of contacting customers. As such, this information is required by the bank managing the loan. Article 9 of the GDPR describes special category personal data as:

“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”

As such, the DPC clarified to the data subject that mobile numbers and email addresses do not fall into this category. Under section 109(5)(c) of the 2018 Act the DPC advised the data subject that, having examined their complaint, the DPC found no evidence that their personal data was processed unlawfully. While the data controller relied on a legitimate basis to process data, they did so in a transparent manner, and kept the data subject fully informed at all key stages of the sale, so it was conducted with the data subject’s prior knowledge. The DPC did not consider any further action necessary at the time of issuing the outcome.

Fair and lawful processing of CCTV images of a customer

This complaint concerned the processing of the complainant’s personal data in the form of a still image from CCTV footage taken in a betting shop, by distributing that image to various betting shops in the chain with a warning note to staff in order to prevent the complainant from placing bets.

The Commission determined that the betting shop was the data controller because it controlled and processed the personal data in question. The data were (amongst other things) an image of the complainant and internal notes circulated to staff of the data controller about the complainant. The data were personal data because they related to the complainant as an individual and the complainant could be identified from the data.

In response to the complaint, the data controller put forward a number of reasons for processing the complainant’s personal data and sought to argue that there was a valid legal basis for each purpose, as provided for in data protection legislation. The reasons and corresponding legal bases presented by the data controller included the following:

  1. Legal and Regulatory Obligations: The data controller argued that it is required to retain and use personal data in order to comply with certain legal and regulatory obligations, such as to detect suspicious betting activity and fraudulent transactions under applicable criminal justice legislation. The legal basis put forward by the data controller was that the processing was lawful because it was necessary for the data controller to comply with a legal obligation.
  2. Risk Management: The data controller claimed that it records personal data relating to customers for commercial risk management. The legal basis put forward in this regard was that the processing was lawful because it was necessary for the purposes of the legitimate interests pursued by the data controller.
  3. Profiling: The data controller confirmed that it carries out profiling of customer betting activity to (amongst other things) improve customer experience. The data controller argued that such processing is lawful as it is necessary for compliance with legal obligations and for the purposes of the legitimate interests pursued by the data controller.

The Commission decided that the data controller had identified an appropriate lawful basis for each purpose for which it processed personal data relating to its customers. The Commission then considered whether the obligation to process personal data fairly had been complied with by the data controller. In this context, the Commission noted that the data controller is obliged to provide the complainant with information in relation to the key elements of the collection and use of the complainant’s personal data. The data controller here had provided the complainant with an internal company document and confirmed that the complainant’s personal data had been processed in accordance with this document. However, the document was dated after the date on which the complainant’s personal data was processed. On this basis, the Commission noted that it was not clear that the required information had been provided to the complainant and therefore the data controller had failed to process the complainant’s personal data fairly.

Finally, the Commission considered the period of time for which the personal data had been retained. In this regard, it noted that the relevant legislation requires that a data controller keep personal data for no longer than is necessary for the purposes for which the data are processed. The complainant’s personal data had been kept for approximately seven years. The Commission considered that because the data controller had a legitimate interest in retaining the complainant’s data (for commercial risk management), the data controller had acted in accordance with the legislation in this regard.

Key Takeaway

  • Under Article 6 of the GDPR, a data controller must have a valid lawful basis for processing personal data. Amongst the available lawful bases are that the processing of personal data is necessary for the purpose of the legitimate interests pursued by the data controller or that the processing is necessary for compliance with a legal obligation to which the data controller is subject. The data controller must have a lawful basis not just for the initial obtaining of the personal data, but also for their ongoing processing, including storage, and the data must not be kept for longer than is necessary for the purpose for which they are processed (Article 5(1)(e) GDPR).
  • In addition to having a valid lawful basis for processing of personal data, however, a data controller must comply with a number of further obligations in relation to personal data being processed. In particular, personal data must be processed fairly and transparently. To this end, a data controller is required to provide a data subject with certain information under Article 13 or 14 of the GDPR, in accordance with the requirements of Article 12 GDPR. The information required to be provided to the data subject includes the identity and contact details of the controller and the controller’s data protection officer, where applicable, the purposes of the processing, and the recipients or categories of recipients of the data, if any. The information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Processing that is necessary for the purpose of performance of a contract

This complainant was involved in an incident in the car park of a building in which they worked. A complaint was made by the manager of the car park to the complainant’s employer and images from the CCTV footage of the incident were subsequently obtained by the complainant’s employer. Disciplinary proceedings were then taken against the complainant arising out of the car park incident. The complainant’s manager and other colleagues of the complainant viewed the CCTV stills in the context of the disciplinary proceedings.

The complainant’s employer was the data controller in relation to the complaint, because it controlled the contents and use of the complainant’s personal data for the purposes of managing the complainant’s employment and conducting the disciplinary proceedings. The data in question consisted of images of the complainant and was personal data because it related to the complainant as an individual and the complainant was identifiable from it.

In response to the complaint, the data controller maintained that it had a lawful basis for processing the complainant’s personal data under the legislation because the CCTV images were used to enforce the employee code of conduct, which formed part of the complainant’s contract of employment. It also stated that, because of the serious nature of the incident involving the complainant, it was necessary for the data controller to investigate the incident in accordance with the company disciplinary policy, which was referred to in the complainant’s employment contract. The data controller also argued that the CCTV stills were limited to the incident in question and that only a limited number of personnel involved in the disciplinary process viewed them.

The DPC noted that data protection legislation permits the processing of a person’s personal data where the processing is necessary for the performance of a contract to which the data subject (the person whose personal data is being processed) is a party. The DPC noted the data controller here sought to argue that the use of the CCTV images was necessary for the performance of the complainant’s employment contract. However, the DPC was of the view that it was not ‘necessary’ for the data controller to process the complainant’s personal data contained in the CCTV images to perform that contract. For this argument to succeed, the data controller would have had to show that it could not have performed the complainant’s employment contract without processing the complainant’s personal data. As the data controller had failed to satisfy the DPC that this was the case, the data controller was judged to have infringed the data protection legislation.

The DPC also noted that, in addition to the requirement to have a lawful basis for processing, there are also certain legal principles that a data controller must comply with, when processing personal data. It highlighted that the processing must be adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed. The DPC noted the data controller’s argument that the CCTV stills were limited to the incident in question and that only a limited number of personnel involved in the disciplinary process viewed the stills.

However, the DPC was of the view that the data controller had failed to show why it was necessary to use the CCTV images. On this basis, there had been a further infringement of the legislation by the data controller.

Key Takeaway

  • Under Article 6 of the GDPR, personal data can be processed only where there is a lawful basis for doing so. One such legal basis is under Article 6(1)(b), which provides that processing is lawful if and to the extent that it is necessary for the performance of a contract to which the data subject is a party. Data controllers should be aware, however, that it is not sufficient merely to show that there is a contractual basis for processing the personal data; Articles 5(1)(c) and 6(1)(b) require data controllers to be able to show that the processing in question is limited to what is “necessary” for the purpose of performance of the contract.

Processing that is necessary for the purpose of legitimate interests pursued by a controller

This complainant was an employee of a shop located in a shopping centre and was involved in an incident in the shopping centre car park regarding payment of the car park fee. After the incident, the manager of the car park made a complaint to the complainant’s employer and images from the CCTV footage were provided to the complainant’s employer. The complainant referred the matter to the DPC to examine whether the disclosure of the CCTV images was lawful.

It was established that the shopping centre was the data controller as it controlled the contents and use of the complainant’s personal information for the purposes of disclosing the CCTV stills to the complainant’s employer. The data in question consisted of images of the complainant and was personal data because it related to the complainant as an individual and the complainant could be identified from it.

The data controller argued that it had a legitimate interest in disclosing the CCTV images to the complainant’s employer, for example, to prevent people from exiting the car park without paying and to withdraw the agreement it had with the complainant’s employer regarding its staff parking in the car park. The DPC noted that a data controller must have a lawful basis on which to process a person’s personal data. One of the legal bases that can be relied on by a data controller is that the processing is necessary for the purposes of legitimate interests pursued by the data controller. (This was the legal basis that the data controller sought to rely on here.) The DPC acknowledged that the data controller had, in principle, a legitimate interest in disclosing the complainant’s personal data for the reasons that it put forward. However, it was not “necessary” for the data controller to disclose the CCTV stills to the complainant’s employer for the purposes of pursuing those legitimate interests. This was because the car park attendant employed by the data controller had discretion to take steps against the complainant, in pursuit of the legitimate interests, without the need to involve the complainant’s employer. For example, the car park attendant had discretion to ban the complainant from using the car park without involving the complainant’s employer. On this basis, the DPC determined that it was not necessary for the data controller to notify the complainant’s employer of the incident and provide it with CCTV stills. Accordingly, the data controller had no legal basis for doing so and had contravened data protection legislation.

Key Takeaway

  • Under Article 6 of the GDPR, personal data can be processed only where there is a lawful basis for doing so. One such legal basis is under Article 6(1)(f), which provides that processing is lawful if and to the extent that it is necessary for the purpose of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of the data subject. Data controllers should be aware, however, that it is not sufficient merely to show that there is a legitimate interest in processing the personal data; Articles 5(1)(c) and 6(1)(f) require data controllers to be able to show that the processing in question is limited to what is “necessary” for the purpose of those legitimate interests.

Further processing for a compatible purpose

The complainant was a solicitor who engaged another solicitor to represent them in legal proceedings. The relationship between the complainant and the solicitor engaged by the complainant broke down and the solicitor raised a grievance about the complainant’s behaviour to the Law Society. In this context, the solicitor provided certain information about the complainant to the Law Society. The complainant referred the matter to the DPC, alleging that the solicitor had contravened data protection legislation.

It was established that the complainant’s solicitor was the data controller, as it controlled the contents and use of the complainant’s personal data for the purpose of providing legal services to the complainant. The data in question consisted of (amongst other things) information relating to the complainant’s legal proceedings and was personal data because the complainant could be identified from it and it related to the complainant as an individual.

The DPC noted the Law Society’s jurisdiction to handle grievances relating to the misconduct of solicitors (by virtue of the Solicitors Acts 1954-2015). It also accepted that the type of misconduct that the Law Society may investigate includes any conduct that might damage the reputation of the profession. The DPC also noted that the Law Society accepts jurisdiction to investigate complaints made by solicitors about other solicitors (and not just complaints made by or on behalf of clients) and its code of conduct requires that, if a solicitor believes another solicitor is engaged in misconduct, it should be reported to the Law Society. The DPC therefore considered that the complaint made by the data controller to the Law Society was properly made and that it was for the Law Society to adjudicate on the merit of the complaint.

The DPC then considered whether the data controller had committed a breach of data protection legislation. In this regard, the DPC noted that data controllers must comply with certain legal principles that are set out in the relevant legislation. Of particular relevance to this complaint was the requirement that data must be obtained for specified purposes and not further processed in a manner that is incompatible with those purposes. The DPC established that the reason the complainant’s personal data was initially collected/processed was for the purpose of providing the complainant with legal services. The DPC pointed out that when the data controller made a complaint to the Law Society, it conducted further processing of the complainant’s personal data. As the further processing was for a purpose that was different to the purpose for which it was collected, the DPC had to consider whether the purpose underlying the further processing was incompatible with the original purpose.

The DPC confirmed that a different purpose is not necessarily an incompatible purpose and that incompatibility should always be assessed on a case-by-case basis. In this case, the DPC held that, because there is a public interest in ensuring the proper regulation of the legal profession, the purpose for which the complainant’s data was further processed was not incompatible with the purpose for which it was originally collected. On this basis, the data controller had acted in accordance with data protection legislation.

The DPC then noted that, in addition to other legal requirements, a data controller must have a lawful basis for processing personal data. The lawful basis that the data controller sought to rely on in this case was that the processing was necessary for the purposes of the legitimate interests pursued by the data controller. In this regard, the DPC held that the data controller had a legitimate interest in disclosing to the Law Society any behaviour that could bring the reputation of the legal profession into disrepute. Further, the data controller was required by the Law Society’s Code of Conduct to report serious misconduct to the Law Society. As a result, the DPC was of the view that the data controller had a valid legal basis for disclosing the complainant’s personal data and had not contravened the legislation.

Under Article 6 of the GDPR, a data controller must have a valid legal basis for processing personal data. One such legal basis, in Article 6(1)(f) of the GDPR, provides that processing is lawful if and to the extent that it is necessary for the purpose of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of the data subject. However, Article 6(4) of the GDPR provides that where processing of personal data is carried out for a purpose other than that for which the data were initially collected, this is only permitted where that further processing is compatible with the purposes for which the personal data were initially collected.

In considering whether processing for another purpose is compatible with the purpose for which the personal data were initially collected, data controllers should take into account (i) any link between the purposes for which the data were collected and the purposes of the intended further processing, (ii) the context in which the data were collected, (iii) the nature of the personal data, (iv) the possible consequences of the intended further processing for data subjects, and (v) the existence of appropriate safeguards.