Case Studies Objection to Processing
Processing of footage of funeral service by parish church (Amicable Resolution)
An individual made a complaint against a parish church regarding the processing of the individual’s personal data arising from the live streaming and recording of a family member’s funeral service that the individual had attended. The individual also complained about a lack of transparency that the recording was taking place.
The individual complained to the DPC about the parish church’s response to their concern around the use of live streaming and recording for funeral services. In examining the complaint, the DPC engaged with the parish church to ascertain its lawful basis for processing and to seek clarification on its response to the complaint. The parish church informed the DPC that live streaming of funeral services was used during Covid-19 restrictions and that it records funeral services when requested to do so by family members, usually when someone cannot attend the funeral, as happened in this case. The parish church informed the DPC that it uses one camera in a fixed location to make these recordings and for live streaming. The parish church removes the recordings from its website at the end of 30 days.
The parish church apologised to the individual for any distress caused and particularly for not informing the individual that recordings are retained for only 30 days. The parish church informs attendees at the beginning of services that they will be live streamed and has signs with this information at its entrance doors. The parish church implemented changes because of this complaint, including informing attendees during a service that it is being live streamed, including information on its live streaming and recording in parish newsletters and on its website, only responding to written requests for recordings and password protecting the recordings in future.
The DPC wrote to the individual and advised them under section 109(5)(c) of the 2018 Act that the parish church and those unable to attend a funeral service had a legitimate interest to view the service by live stream or recording. The DPC noted the 30-day retention period of the footage, the fixed restricted view of the camera and the changes the parish church had made arising from this complaint, including requiring a request for recording to be made in writing and password protecting these recordings. The DPC advised the individual that the response of the parish church was reasonable in the circumstances of this complaint and noted that the recording was requested by another family member of the deceased. Nevertheless, the DPC recommended under section 109(5)(f) of the 2018 Act that the parish church update the privacy policy available on its website with more information on the live streaming and recording of funeral services.
Unauthorised publication of a photograph (Amicable Resolution)
The DPC received a complaint from an individual regarding the publication of their photograph in an article contained in a workplace newsletter without their consent. The data controller, who was the individual’s public sector employer, informed the individual that it should have obtained consent to use the photograph in the workplace newsletter as this was not the purpose for which the photograph was obtained. The data controller also informed the individual that a data breach had occurred in this instance.
This complaint was identified as potentially being amicably resolved under Section 109 of the Data Protection Act 2018, with both the complainant and data controller agreeing to work with the DPC to try to amicably resolve the issue.
The data controller engaged with the DPC on the matter, and advised that it had conducted an internal investigation and determined that a data breach did occur and that consent should have been obtained to use the individual’s photograph in the workplace newsletter. The purpose(s) for which the photograph was initially obtained did not include publication in a newsletter. An apology from the employer was issued to the individual. However, the complainant did not deem this to be an appropriate resolution to the complaint at hand.
The DPC provided recommendations that a consent information leaflet be distributed to staff in advance of using photography, audio and/or video, and that a consent form for photography, audio and video be completed and signed prior to images or recordings being obtained, which the controller subsequently implemented. Article 5(1)(b) of the GDPR states that “personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’)”. The DPC was satisfied that the data controller further processed the individual’s personal data without their consent (or other legal basis) for doing so when it published the employee photograph in the workplace newsletter. The DPC issued an outcome letter advising the complainant of same. The DPC was satisfied with the organisational measures subsequently introduced and as such no further action by the controller in this case was warranted.
In this case study, the risks to the fundamental rights and freedoms of the individual could not be deemed significant, but nonetheless the personal data processing upset the individual and is an infringement of GDPR in the circumstances. This underlines the need for all organisations to train staff — at all levels and in all roles — to be aware of the GDPR and take account of its principles.
Receivers and fair processing
We received a complaint against a private receiver who was appointed by a financial institution over the complainant’s property.
The complaint alleged infringements of the Acts on the basis that the receiver:
- Was not registered as a controller pursuant to section 16 of the Acts;
- Had no lawful basis for obtaining the complainant’s personal data from the financial institution;
- Further processed personal data unlawfully by disclosing information to a company appointed by the receiver to manage the receivership (the receiver’s “managing agent”);
- Opened a bank account in the complainant’s name;
- Obtained the property ID and PIN from Revenue which gave the receiver access to the complainant’s personal online Revenue account; and
- Insured the property in the complainant’s name.
Following an investigation pursuant to section 10 of the Acts, the DPC established that the receiver was appointed by the financial institution on foot of a Deed of Appointment of Receiver (DOA), which granted the receiver powers pursuant to the Conveyancing Act 1881, and pursuant to the mortgage deed between the complainant and the financial institution. On being appointed, the receiver wrote to the complainant informing them of their appointment as the receiver over the complainant’s property and provided a copy of the DOA. The receiver appointed a separate company as their managing agent to assist in the managing of the property. During the receivership, the receiver liaised with Revenue in order to pay any outstanding taxes on the property, such as the Local Property Tax (LPT). It was also established that the receiver opened a bank account for the purpose of managing the income from the property. The bank account name included the name of the complainant. It was further established that an insurance policy was taken out in respect of the property. This insurance policy referred to the complainant’s name.
The DPC first considered whether a receiver was required to register as a data controller in accordance with section 16 of the Acts, and whether the exemptions listed in the Data Protection Act 1988 (Section 16(1)) Regulations 2007 (the “Registration Regulations”) applied. The DPC held that a receiver was not required to register, as the exemption under regulation 3(1)(g) of the Registration Regulations applied to the receiver. Regulation 3(1)(g) exempted data controllers who were processing data in relation to their customers. Having considered the relationship between the complainant and the receiver, the DPC held that the exemption applied in respect of the receiver’s activities regarding the complainant.
Next the DPC considered whether the receiver had a lawful basis for obtaining the personal data from the financial institution and disclosing it to the managing agent, and whether such processing constituted further processing incompatible with the original purpose for which it was obtained, pursuant to section 2(1)(c)(ii) of the Acts. The complainant had a mortgage with the financial institution, which had fallen into arrears. Under section 19(1)(ii) of the Conveyancing Act 1881, the financial institution could appoint a receiver once the debt on the mortgage had come due. Section 2A(1)(b)(i) of the Acts permits processing of personal data where the processing is necessary “for the performance of a contract to which the data subject is party”. The mortgage deed was a contract between the data subject and the financial institution, and in circumstances where the terms of the contract were not being adhered to, the appointment of the receiver by the financial institution was necessary for the performance of the contract. The DPC held that the receiver had a lawful basis for obtaining the complainant’s personal data from the financial institution.
The DPC also found that the receiver had a lawful basis pursuant to section 2A(1)(b)(i) of the Acts to disclose personal data to its managing agent, to assist in the day-to-day managing of the receivership. The DPC found that the financial institution obtained the complainant’s personal data for the purposes of entering into a loan agreement. This was a specific, explicit and legitimate purpose. The disclosure of the complainant’s personal data by the financial institution to the receiver, and by the receiver to the managing agent, was in accordance with the initial purpose for which the personal data was obtained. This processing during the receivership did not constitute further processing pursuant to section 2(1)(c)(ii) of the Acts.
The DPC assessed whether the receiver had a lawful basis to open a bank account in the complainant’s name. The complainant submitted that this account was opened without their knowledge or consent. Consent is one of the lawful bases for processing personal data under the Acts. The DPC considered whether the receiver otherwise had a lawful basis for processing under section 2A(1)(d) of the Acts, on the basis of legitimate interests. To assess this lawful basis, the DPC took account of the judgment of the Court of Justice of the European Union (CJEU) in Rīgas C-13/16(1), which sets out a three-step test for processing on the basis of legitimate interests, as follows:
- The processing of personal data must be for the pursuit of a legitimate interest of the controller or a third party;
- The processing must be necessary for the purpose and legitimate interests pursued; and
- The fundamental rights and freedoms of the individual concerned do not take precedence.
The DPC held that the opening of the bank account was a reasonable measure to manage the income and expenditure during a receivership. The receiver submitted that referring to the complainant’s name as part of the bank account name was necessary to ensure the receivership was carried out efficiently and to avoid confusion between different receiverships. While it would have been possible to open an account without using the complainant’s name, the DPC took account of the CJEU’s judgment in Huber v Bundesrepublik C-524/06(2), where the Court held that processing could be considered necessary where it allowed the relevant objective to be more effectively achieved. The DPC held that the reference to the complainant’s name on the bank account was therefore necessary, as it allowed for the more effective pursuit of the receiver’s legitimate interests.
With regard to the third element of the legitimate interests test (which requires a balancing exercise, taking into account the fundamental rights and freedoms of the data subject), the DPC held that the reference to the complainant’s name on the account would have identified them to individuals who had access to the bank account or had been supplied with the bank account name. The DPC balanced these concerns against the administrative and financial costs which would result from the need for the receiver to implement an alternative procedure for naming accounts. On balance, the DPC did not find that the complainant’s fundamental rights took precedence over the legitimate interests of the receiver and as a result, the receiver had a lawful basis for processing the complainant’s name, for the purpose of the receiver’s legitimate interests.
With regard to the allegation that the receiver had gained access to the personal Revenue account of the complainant, the DPC found that the receiver did not gain access to the complainant’s personal online Revenue account as alleged. The receiver was acting as a tax agent in relation to the LPT and this did not allow access to a personal Revenue account. In relation to the insurance policy being taken out in the complainant’s name the DPC held that the receiver did not process personal data in this instance.
During the course of the investigation, the DPC also examined whether the receiver had complied with the data protection principles under section 2 of the Acts. In this regard, the DPC examined the initial correspondence the receiver had sent to the complainant notifying them of their appointment. This correspondence consisted of a cover letter and a copy of the DOA. The cover letter and DOA were assessed in order to determine whether the receiver had met their obligation to process the personal data fairly. Section 2D of the Acts required an organisation in control of personal data to provide information on the identity of the data controller, information on the intended purposes for which the data may be processed, the categories of the data concerned as well as any other information necessary to enable fair processing. The DPC held that the correspondence was sufficient in informing the complainant of the identity of the data controller (and original data controller). However, the DPC held that, while a receiver was not required to provide granular information on each purpose for which personal data was to be processed, the receiver should have given a broad outline of the purposes for which the personal data was intended to be processed, and this was not done in this case. It was also held that the receiver should have provided the categories of personal data they held in relation to the complainant, but this was not done. In light of this, the DPC held that the receiver had not complied with section 2D of the Acts.
This decision of the DPC demonstrates that private receivers and their agents may lawfully process personal data of borrowers, where such processing is necessary in order to manage and realise secured assets. Individuals should be aware that their information may be processed without their consent in circumstances where a deed of mortgage provides for the appointment of a receiver. At the same time, receivers must comply with their obligations under the Acts and GDPR to provide individuals with information on processing at the outset of the receivership. The decision is currently the subject of an appeal by the complainant to the Circuit Court.
(1) Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’ Case C-13/16
(2) Heinz Huber v Bundesrepublik Deutschland Case C-524/06
(3) The processing of personal data was considered in a similar case where the same complainant made a complaint against the managing agent in this case. In that decision the DPC held that the managing agent had a legitimate interest in processing the complainant’s personal data for the purposes of insuring the property.
Unlawful processing arising from billing error (Applicable law — Data Protection Acts 1988 and 2003 (the Acts))
In April 2018, we received a complaint from a data subject who had ceased to be a customer of the data controller. However, she had discovered that her data was still being processed as she continued to receive bills from the data controller. The complainant had received verbal and written assurances that she did not owe the amount being billed.
However, the complainant subsequently received a text message from a debt-collection company, asking that she contact them. When the complainant phoned the debt-collection company, it refused to provide her with any information regarding the alleged debt until she provided them with personal data verifying her identity, which she refused to do. Later the same day, the complainant received a letter from the debt-collection company confirming that it was seeking to recover monies owed by her to the data controller.
This complaint was identified as potentially capable of amicable resolution under Section 109 of the Data Protection Act 2018, with both the complainant and data controller agreeing to work with the DPC to try to amicably resolve the matter. Company A confirmed with the DPC that an error had caused the complainant’s account balance to appear outstanding but that when the error was identified by the data controller, the outstanding balance was removed from the account. The data controller also confirmed that it had instructed the debt-collection company to cease any collection activities, and also to delete any data associated with the complainant.
While the complainant was satisfied with the ultimate outcome, the DPC emphasised to the data controller that the complainant had previously been informed on at least two occasions that the matter had been resolved. Despite this, her data had been unfairly processed by being passed to a debt-collection company without there being any justification for such disclosure.
In recognition of its failings, the data controller apologised to the complainant, provided certain assurances to her that the matter would have no effect on her credit rating, and made donations to charities of her choice.
For a controller to lawfully engage a processor to process personal data, there must be a justification for the processing of the personal data in the first place. In this case, the controller had disregarded previous concerns raised by the complainant that bills were being issued to her despite her no longer receiving services from the controller and had failed to look into the continued use of her personal data for billing purposes in circumstances where she was no longer a customer.
The DPC encourages individuals to raise data protection concerns directly with the controller in the first instance so that they can address them. However, data controllers frequently ignore or disregard direct attempts made by a data subject to raise complaints until the DPC becomes involved. This is unacceptable and, as part of each organisation’s accountability obligations, it should have meaningful and efficient measures in place to deal with and address data protection complaints when raised directly by a data subject, without the need for the data subject to resort to DPC intervention.
Fair obtaining complaint made against a Golf Club
An individual made a complaint to the DPC concerning the data controller’s use of CCTV footage to investigate an incident in which the individual was involved. The individual had organised an event in a leisure facility (the data controller), and displayed signage in relation to Covid-19 procedures to assist attendees. At the end of the event, the individual inadvertently removed a different sign also in relation to Covid-19 procedures when removing the signage they had installed for the event. The data controller reviewed its CCTV footage to establish who had removed the sign. The complainant was of the opinion that the data controller did not process their personal data in a proportionate or transparent manner, and that it did not comply with its obligations as a data controller in how it investigated the incident. Accordingly, the individual lodged a complaint with the DPC.
The DPC intervened to seek to resolve the matter informally and the parties reached an amicable resolution when the leisure centre agreed to undertake an audit of its use of the CCTV system and to restrict access to review CCTV footage to designated staff members. The individual thanked the DPC for handling their complaint in a professional and helpful manner and further stated that they were reluctant to submit the complaint initially as they are aware of the volume of complaints the DPC deals with and the accompanying constraints on resources. The complainant stated that they felt confident that the issue will not arise in the future as a result of the involvement of the DPC. The individual wished to express their appreciation and acknowledge the DPC’s efficiency in dealing with the matter.
Use of location data to verify expense claims
The complainant in this case study was a former employee of a statutory service provider, whose work involved driving to locations assigned by his employer. Where this gave rise to claims for overtime or subsistence, the complainant would complete forms provided by the employer, detailing items such as relevant dates and places, dispatch reference numbers, and the amounts claimed. The employer made use of a dispatch system intended to ensure the most efficient use of drivers and vehicles, particularly as they provided response in emergency situations. This system logged the performance and completion of service calls, when vehicles were out on calls or back at base, and when drivers were on or off duty.
The complainant had made a claim for overtime and subsistence. The employer rejected this because of inconsistencies between the details on the complainant’s claim form and those recorded on the employer’s dispatch system. The complainant objected to the use of data from the dispatch system for this purpose and complained to the Data Protection Commission (DPC).
The DPC considered whether the use of data from the dispatch system to verify overtime and subsistence claims was in line with fair processing requirements. The fairness of the processing was to be assessed by reference to whether the complainant and fellow employees had been made aware of the employer’s use of the data for that purpose, whether that processing was compatible with the purpose for which the data was collected, and whether the employer had a legal basis for that processing.
The employer did not have a written policy on the use of the dispatch system. Instead, it relied on the “general awareness” of employees that the system was used for that purpose. The employer pointed out that such use had been noted in an arrangement with its employees’ trade unions some years previously. The DPC noted that overtime and subsistence claims required employees to include relevant dispatch reference numbers from the dispatch system. The DPC took the view that the inclusion of relevant dispatch system reference numbers in overtime and subsistence claims indicated that employees were aware that the data was used not just for logistical processing but also to verify their claims. Even if the major purpose of the dispatch system was to aid logistics, its use to verify overtime claims was not incompatible with that purpose, as that data was the only means available to the employer to verify claims.
The DPC noted that applicable financial regulations required the employer to verify overtime and subsistence claims. The processing to verify overtime and subsistence claims was necessary not just to comply with that legal obligation, but to perform the complainant’s employment contract and for reasons of legitimate interests of the employer.
Case Studies Law Enforcement Directive (LED)
Law Enforcement Directive
The Garda Síochána Ombudsman Commission (GSOC) sent a letter containing the outcome of its investigation into a complaint to an address where the person who made the complaint no longer resided. The DPC established the letter was posted to the address where the individual lived at the time of a previous complaint that they had made to GSOC. The individual in question had subsequently informed GSOC they no longer lived at that address and that with regard to the new complaint they were only contactable by email.
The DPC liaised extensively with GSOC regarding this complaint. GSOC reported the data breach to the DPC through the normal breach reporting channels. To avoid this type of incident happening again, GSOC advised the DPC that an email was issued internally to all staff advising of the importance of ensuring the accuracy of personal data entered onto the Case Management System (CMS). GSOC also outlined that it sent a separate email to all line management in the GSOC Casework section advising them of the necessity to accurately input personal data on the CMS and to amend this information whenever updated information is received.
Access restrictions
The DPC received a complaint from an individual who alleged they were a victim of a crime. The individual requested to have their sensitive personal data processed by An Garda Síochána (AGS) according to their specific terms, namely they requested to have a full copy of the medical results of forensic tests undertaken by Forensic Science Ireland (FSI) made available to them immediately upon receipt of the results by AGS. The individual then sought to have the sample kit split, with this request subsequently amended to seeking the analysis of specific sample vials.
The DPC noted that the entire process of seeking the analysis of forensic samples, following the alleged crime, was initiated by the individual data subject. In order to proceed with the forensic tests, the individual was required to complete a form entitled ‘Consent for Release of Stored Forensic and a Legal Report to the Custody of An Garda Síochána’. The DPC determined that any personal data processed by AGS in the context outlined would fall under the Law Enforcement Directive (EU) 2016/680 as transposed in the Data Protection Act.
AGS advised the DPC that in cases where an individual submits their personal data to AGS and FSI for further testing, any related further processing by AGS and FSI is carried out for the purposes of the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties.
A report issued by Forensic Science Ireland to AGS is governed by the provisions of Section 94 of the Act, which sets out restrictions on access that may be imposed by a data controller, including a restriction to avoid prejudicing an investigation. Having examined the matters raised, the DPC advised the individual that the Law Enforcement Directive (EU) 2016/680 as transposed in Parts 5 and 6 of the Act does not provide for individuals to stipulate the conditions under which data subjects consent to have their personal data processed by a law enforcement authority.
In relation to the processing of forensic samples in a law enforcement context, the DPC was satisfied the processing of sensitive data was in compliance with sections 71 and 73(1)(b)(i) of the Act. The DPC noted the ‘Consent for Release of Stored Forensic and a Legal Report to the Custody of An Garda Síochána’ form specified all the intended recipients of the data, as well as the fact that the findings of the laboratory tests and the legal report could also be released to the courts for use in evidence.
The DPC recommended the addition of a Data Protection Notice to the form, to allow data subjects to obtain detailed information on the legislative framework and procedures governing the conditions of processing in relation to forensic samples and AGS investigations.
Data restrictions — prosecutions pending
The DPC frequently examines complaints in relation to restrictions imposed by An Garda Síochána and the Director of Public Prosecutions (DPP) due to criminal prosecutions pending. Complaints range from assault cases where documentation such as PULSE records, photographs and An Garda Síochána reports of the incidents are sought, to requests for CCTV footage from within An Garda Síochána stations themselves.
In some cases, An Garda Síochána may supply an individual with a copy of the statement that individual provided but will withhold other data on the basis of Section 94(3)(a) of the Act, whereby a data controller may restrict access, wholly or partly, for the purposes of “the prevention, detection or investigation of offences, the apprehension or prosecution of offenders or the effectiveness of lawful methods, systems, plans or procedures employed for the purposes of the matters aforesaid.”
Upon confirmation by a data controller that criminal prosecutions are pending, the DPC will advise an individual that once legal matters in relation to those cases are concluded, the individual may re-apply for a copy of their data as set out in Section 91 of the Data Protection Act 2018.
Purpose Limitation
The DPC examined a complaint where an individual alleged that data gathered in one particular law enforcement context was being used by the same data controller for another law enforcement purpose. The complaint concerned the prosecution of an individual for offences in the equine and animal remedies area by the Department of Agriculture, Food and the Marine (DAFM) and the separate referral by DAFM of allegations of professional misconduct to the Veterinary Council of Ireland (VCI) in relation to the same person.
Having examined the matters raised, the DPC referred the complainant to Section 71(5) of the Data Protection Act 2018:
Where a controller collects personal data for a purpose specified in section 70(1)(a), the controller or another controller may process the data for a purpose so specified other than the purpose for which the data were collected, in so far as—
(a) the controller is authorised to process such personal data for such a purpose in accordance with the law of the European Union or the law of the State, and
(b) the processing is necessary and proportionate to the purpose for which the data are being processed.
With regard to section 70(1)(a) and “the law of the State”, the DPC noted the provisions set out in the Veterinary Practice Act 2005 regarding the conduct of inquiries by the VCI into allegations of professional misconduct. In particular, section 76 of the Veterinary Practice Act 2005 outlines that the VCI or any person may apply for an inquiry with regards to the fitness to practice veterinary medicine of a registered person. On this basis, the DPC did not consider data protection legislation to disallow the separate referral by DAFM of allegations of professional misconduct to the VCI in relation to a person, in tandem with prosecution proceedings by DAFM against the same individual for offences in the equine and animal remedies area.