Case Studies Law Enforcement Directive (LED)

 

Data restrictions — absence of consent from all parties

In one case examined by the DPC, a parent applied to An Garda Síochána for copies of the personal data of his young children.

An Garda Síochána refused to supply the data. The DPC advised the parent that it agreed with the restriction imposed, as the controller in this case had particular knowledge of all of the circumstances pertaining to a shared guardianship arrangement in place and considered that consent of all legal guardians would be required in order to release the data in this case.


Data restrictions — third-party data; opinion given in confidence

The Data Protection Commission (DPC) examined a case where restrictions on access were imposed by An Garda Síochána on the basis of Sections 91(7) and (8) of the Data Protection Act 2018.

The matter related to an individual seeking copies of allegations of abuse made against him with regard to the welfare of his parents. Having examined this matter, it was clear to the DPC that releasing the information would entail the release of third-party data and would reveal the identity of the person making the allegations. The DPC was satisfied on review that the information sought was provided in the strictest of confidence and considered that the provisions of Section 91(9)(a) also applied.

Case Studies Erasure

 

Article 60 decision concerning Twitter International Company — ID Request, Erasure Request

A complaint was lodged directly with the DPC on 2 July 2019 against Twitter International Company (“Twitter”), and accordingly was handled by the DPC in its role as lead supervisory authority. The complainant alleged that, following the suspension of their Twitter account, Twitter failed to comply within the statutory timeframe with an erasure request they had submitted to it. Further, the complainant alleged that Twitter had requested a copy of their photographic ID in order to action their erasure request without a legal basis to do so. Finally, the complainant alleged that Twitter had retained their personal data following their erasure request without a legal basis to do so.

The complainant’s Twitter account was suspended as Twitter held that the complainant was in breach of its Hateful Conduct Policy. Once Twitter suspended the account, the complainant sought that all of their personal details, such as email address and phone number, be deleted. They submitted multiple requests to Twitter asking that their data be erased. Twitter asked the complainant to submit a copy of their ID in order to verify that they were, in fact, the account holder. The complainant refused to do so. In the premises, Twitter ultimately complied with the erasure request without the complainant’s photographic ID.

The DPC initially attempted to resolve this complaint amicably by means of its complaint handling process. However, those efforts failed to secure an amicable resolution and the case was opened for further inquiry. The issues for examination and determination by the DPC’s inquiry were as follows: (i) whether Twitter had a lawful basis for requesting photographic ID where an erasure request had been submitted pursuant to Article 17 GDPR, (ii) whether Twitter’s handling of the said erasure request was compliant with the GDPR and Data Protection Act 2018 and (iii) whether Twitter had complied with the transparency requirements of Article 12 GDPR.

In defence of its position, Twitter stated that authenticating that the requester is who they say they are is of paramount importance in instances where a party requests the erasure of their account. It states that unique identifiers supplied at the time of registration of an account (i.e. email address and phone number) simply associate a user with an account but these identifiers do not verify the identity of an account holder. Twitter posited that it is cognisant of the fact that email accounts can be hacked and other interested parties might seek to erase an account, particularly in a situation such as this, where the account was suspended due to numerous alleged violations of Twitter’s Hateful Conduct Policy. The company indicated that it retains basic subscriber information indefinitely in line with its legitimate interest to maintain the safety and security of its platform and its users.

Twitter further argued that, as it did not actually collect any ID from the complainant, Article 5(1)(c) was not engaged. Notwithstanding this, it stated that the request for photo identification was both proportionate and necessary in this instance. It indicated that a higher level of authentication is required in circumstances where a person is not logged into their account, as will always be the case where a person’s account has been suspended.

Having regard to the complainant’s erasure request and the associated obligation that any such request be processed without ‘undue delay’, Twitter set out a timeline of correspondence pertaining to the erasure request between it and the complainant. Twitter stated that the complainant had made duplicate requests and, as such, had delayed the process of deletion/erasure themselves. Regarding data retention, Twitter advised the DPC that it retained the complainant’s phone number and email address following the completion of their access request. It stated that it retains this limited information beyond account deactivation indefinitely in accordance with its legitimate interests to maintain the safety and security of its platform and users. It asserted that if it were to delete the complainant’s email address or phone number from its systems, they could then use that information to create a new account even though they have been identified and permanently suspended from the platform for various violations of its Hateful Conduct Policy.

Following the completion of its inquiry on 27 April 2022, the DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR. In its decision, the DPC found that the data controller, Twitter International Company, infringed the General Data Protection Regulation as follows:

  • Article 5(1)(c): Twitter’s requirement that the complainant verify his identity by way of submission of a copy of his photographic ID constituted an infringement of the principle of data minimisation, pursuant to Article 5(1)(c) of the GDPR;
  • Article 6(1): Twitter had not identified a valid lawful basis under Article 6(1) of the GDPR for seeking a copy of the complainant’s photographic ID in order to process his erasure request;
  • Article 17(1): Twitter infringed Article 17(1) of the GDPR, as there was an undue delay in handling the complainant’s request for erasure; and
  • Article 12(3): Twitter infringed Article 12(3) of the GDPR by failing to inform the data subject within one month of the action taken on his erasure request pursuant to Article 17 of the GDPR.

The DPC also found in its decision that Twitter had a valid legal basis in accordance with Article 6(1)(f) for the retention of the complainant’s email address and phone number that were associated with the account. It also found that, without prejudice to its finding above concerning the data minimisation principle with regard to photo ID, Twitter was compliant with the data minimisation principle as the processing of the email address and phone number data was limited to what was necessary in relation to the purposes for which they are processed.

In light of the extent of the infringements, the DPC issued a reprimand to Twitter International Company, pursuant to Article 58(2)(b) of the GDPR. Further, the DPC ordered Twitter International Company, pursuant to Article 58(2)(d), to revise its internal policies and procedures for handling erasure requests to ensure that data subjects are no longer required to provide a copy of photographic ID when making data erasure requests, unless it can demonstrate a legal basis for doing so. The DPC ordered that Twitter International Company provide details of its revised internal policies and procedures to the DPC by 30 June 2022. Twitter complied with this order by the set deadline.


Unlawful processing of photograph and erasure request

A data subject submitted a complaint to the Data Protection Commission (DPC) regarding the publication of their historical image in a newspaper (the data controller). The data subject explained to the DPC that the article was published without their knowledge and without their consent. Before contacting the DPC, the data subject contacted the data controller to raise their concern that their personal data had been unlawfully processed and to request erasure of the image from the newspaper under Article 17 of the General Data Protection Regulation (GDPR); however, the data controller rejected all elements of the data subject’s request.

As part of its examination, the DPC engaged with the data controller and asked for a lawful basis under Article 6 of the GDPR for processing the data subject’s personal data in the manner outlined in this complaint. The data controller informed the DPC that it is not relying on Article 6 of the GDPR for processing the data subject’s personal data and advised that it is relying on section 43 of the Data Protection Act 2018 (the 2018 Act) (data processing and freedom of expression and information), namely that processing of personal data for the purpose of exercising the right to freedom of expression and information, including processing for journalistic purposes or for the purposes of academic, artistic or literary expression, shall be exempt. The data controller further explained that the data subject was not the subject of the news article in question, that a significant number of years had passed since the photograph was taken and, as such, the data subject was not readily identifiable.

In relation to the data subject’s erasure request, the data controller relied on Section 43 of the 2018 Act as their basis for refusing to erase the image from the article.

Having considered all the elements of this complaint, the DPC found that the newspaper had a lawful basis under Section 43 of the 2018 Act and Article 85 of the GDPR to publish the data subject’s historical image in a news article.

The DPC notes that the journalistic exemption does not exempt a data controller from the whole of the GDPR and data protection acts. A data controller must have consideration for their remaining obligations under the GDPR and the 2018 Act. The DPC found the processing of the data subject’s personal data by the data controller to be proportionate, considering that the image in question is a historical image in which it can be reasonably assumed that the data subject is no longer readily identifiable. The DPC acknowledges that a third party is the main person of interest and directly quoted within the article and therefore the data subject is not the subject of discussion.

The DPC advised the data subject under section 109(5)(c) of the 2018 Act that the explanation put forward by the data controller concerning the processing of their personal data in the circumstances of this complaint was reasonable.


Unlawful processing and erasure request

Following their trip to a leisure facility (the data controller), a data subject submitted a complaint to the Data Protection Commission (DPC) as they were unhappy with how the data controller processed their personal data. The data subject also wanted to exercise their rights under Article 17 of the General Data Protection Regulation (GDPR) and have their, and their family’s, data deleted by the organisation. Prior to contacting the DPC, the data subject requested the erasure of their data directly from the data controller and this request was refused.

The data subject explained to the DPC that, during their stay at the leisure facility, they believed their personal data was processed unlawfully as they were repeatedly asked to provide details of their booking to staff in order to gain access to facilities on site such as restaurants and activities. The data subject believed this to be excessive processing and stated that, at the time, they were not given the choice to object to such processing without losing full access to the facilities.

In line with its examination of the complaint, the DPC contacted the data controller and shared the details of the data subject’s complaint. The data controller advised the DPC that their lawful basis for processing personal data is Article 6(1)(f) of the GDPR, commonly referred to as legitimate interest. The data controller further explained that they request customers’ details prior to accessing facilities or making a purchase in order “to understand patterns and to improve the range of services and facilities available to guests”. This is also detailed in their privacy policy, which is available on their website.

On foot of the data subject’s complaint, the data controller reviewed their policies and identified a training gap with their staff. Following this identification, the data controller briefed their staff to ensure that they were aware that customers were not obliged to provide details of their booking when accessing certain facilities. The data controller also advised that they updated their Data Protection Regulation Department Operating Procedure to reflect this procedure more clearly.

In regard to the data subject’s erasure request, the data controller advised the DPC that they had removed the data subject from all direct marketing communications. However, they were unable to erase any other personal data relating to the data subject, and their family, as it is held in accordance with their retention policy. The data controller’s retention policy states that all personal data is held on file as it may be required in defence of a legal claim and is only deleted after the youngest member of the booking reaches the age of 21 years, in accordance with statutory limitation periods. Under section 109(5)(f) of the 2018 Act the DPC recommended that the data controller continue to provide training to all its employees on its obligations and the rights of data subjects under data protection legislation and keep this training up to date.

The DPC further recommended under section 109(5)(f) of the 2018 Act that the data controller delete all personal data in accordance with their retention period.

The DPC did not consider any further action necessary at the time of issuing the outcome, as it noted that the data controller had retrained all staff, apologised to the data subject and offered them compensation as a result of their complaint.


Retention of data by a bank relating to a withdrawn loan application

The complainant in this case had made a loan application to a bank. The complainant subsequently withdrew the loan application and wrote to the bank stating that they were withdrawing consent to the processing of any personal data held by the bank relating to the loan application and requesting the return of all documents containing the complainant’s personal data. In response, the bank informed the complainant that it had stopped processing all of the complainant’s personal data, with the exception of data contained in records which the bank stated it was required to retain and process under the Central Bank of Ireland’s Consumer Protection Code. The complainant was not satisfied with this response, and argued, in their complaint to this Office, that in circumstances where the bank had obtained the complainant’s personal data on the basis of the complainant’s consent, the bank was not permitted to continue to process these data on a different legal basis (i.e. processing which is necessary for compliance with a legal obligation to which the bank is subject). The complainant also argued that the continued processing by the bank of their personal data was for a purpose which was not compatible with the purpose for which the data were originally obtained, in contravention of data protection legislation.

This office established that the bank was the relevant data controller in relation to the complaint, as it controlled personal data which the complainant had provided to the bank when making a loan application. The data in question were personal data relating to the complainant (consisting of, amongst other things, a completed loan application form and supporting documentation) as the complainant could be identified from it and the data related to the complainant as an individual. This office was therefore satisfied that the complaint should be investigated to determine if a breach of data protection legislation had occurred.

During the course of the investigation of this complaint, this office reviewed the bank’s loan application form, which provided that, by signing the form, a person consented to the bank storing, using and processing their personal data for a range of purposes, including to process applications for credit or financial services. However, this office noted that the purposes for which the complainant had given their consent did not include processing for the purpose of compliance with the bank’s legal obligations generally, and specifically did not include the processing of the complainant’s personal data for the purpose of compliance with the Consumer Protection Code. Accordingly, this office considered that at the time of collection of the complainant’s personal data the bank did not claim to rely on consent as the legal basis for the collection and processing of the complainant’s personal data in order to comply with its legal obligations. Rather, this office considered that the bank could validly rely on the lawful basis that the processing was necessary in order to take steps at the request of the data subject prior to entering into a contract.

This office noted that where a loan application is subsequently withdrawn or unsuccessful and the bank does not enter into a contract with the applicant, the retention of personal data relating to the loan application can no longer be on the basis that the processing was necessary in order to take steps at the request of the data subject prior to entering into a contract, as there is no longer the possibility of entering into a contract with the data subject. As such, the bank identified a separate legal basis for the retention of the complainant’s personal data relating to the loan application, namely that this processing was necessary for compliance with a legal obligation to which the bank was subject.

This office noted that the Consumer Protection Code obliged regulated entities to retain details of “individual transactions” for six years after the date on which the particular transaction is discontinued or complete. This Office considered, however, that a loan application which is subsequently withdrawn or ultimately unsuccessful is not a ‘transaction’ for the purpose of the Consumer Protection Code. This office then noted that the Consumer Protection Code also obliged regulated entities to retain “all other records” for six years from the date on which the regulated entity ceased to provide any product or service to the consumer, including potential consumer, concerned. However, this office did not consider records relating to a loan application which is subsequently withdrawn to fall within the scope of this requirement under the Consumer Protection Code either. Accordingly, this office considered that it was not necessary for the bank to retain personal data relating to the complainant’s withdrawn loan application for the purpose of compliance with its legal obligations under the Consumer Protection Code, and considered that the bank had not identified a lawful basis under data protection legislation for the retention of the complainant’s personal data relating to their loan application.

 

Key Takeaway

  • Under Article 6 of the GDPR, data controllers must have a lawful basis for any processing of personal data. The available lawful bases include that the data subject has given consent to the processing of their personal data for one or more specific purposes, that the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract, and that the processing is necessary for compliance with a legal obligation to which the data controller is subject.
  • Data controllers should note also that the processing of personal data for purposes other than those for which the personal data were originally collected is only allowed where the processing is compatible with the purposes for which the data were initially collected.


Debt collector involvement

A data subject had contacted the DPC as they were not satisfied with the responses to a data subject access request and erasure request. This case was against a debt collector and the data subject raised concerns about how their personal data was obtained. The data subject explained that the debt had been cleared but they still received a letter from a debt collector. This letter referred to an outstanding amount owed to a third party.

The data subject outlined to the DPC that their subject access request was made through an online platform. The data subject did not receive a response to their Article 15 access request or their erasure request under Article 17 of the General Data Protection Regulation (GDPR). Prior to the DPC’s involvement, both parties engaged directly. In their correspondence to the data subject, the debt collector explained that the personal data was obtained from a third party. The personal data was then uploaded to their online system and a letter was issued to the data subject.

As part of its examination, the DPC engaged with the debt collector and requested that they outline their relationship with this third party. The debt collector informed the DPC they were acting as a data processor on behalf of the third party and that a data processor agreement, in line with Article 28(3) of the GDPR, was in place at the time they processed this personal data. The debt collector advised the DPC that this contract was now terminated and they would not be acting on behalf of the third party going forward. The DPC accepted this response and identified the debt collector as a data processor and the third party as the data controller. The data processor stated that debt collection is in the public interest and as such they had a legitimate interest to process personal data where a data subject’s account has been legally assigned to them, or when they are acting under a legal contract. The data processor stated that the processing of the data subject’s personal data was necessary to collect the debt and is allowed even where the data subject does not consent to the processing, meaning the data processor relied on Articles 6(1)(b) and 6(1)(f) of the GDPR for processing the personal data.

The data processor in this case accepted that the data subject may have paid the outstanding debt but stated they could not be held responsible if the data subject pays the data controller directly and the data controller fails to notify the data processor to close the outstanding debt on their systems. The DPC highlighted that there appeared to be an error in the letter the data subject received. In this correspondence the debt collector referred to themselves as a data controller. The debt collector accepted this error and stated it should have read data processor; the error was caused by an oversight when using a template letter.

With regard to the subject access request, the data processor, given its role as processor, did not respond directly to the data subject’s access request but did share it with the third party, the data controller. In terms of the erasure request, the data processor informed the data subject that they would be required to retain the personal data for six months for taxation/financial/auditing purposes. The six months had passed prior to the DPC’s involvement and the data processor assured the DPC that the personal data had now been erased. The data processor apologised directly to the data subject and offered a payment as a gesture of goodwill.

The DPC advised the data subject under section 109(5)(c) of the 2018 Act that the data processor and data controller had a legitimate interest to collect debts and disclose personal data in order to collect the debts. The DPC acknowledged the errors in the correspondence provided to the data subject and under section 109(5)(f) of the 2018 Act recommended that the data processor engage in regular testing of organisational and technical processes to ensure compliance with the GDPR in order to comply with Article 28 of the GDPR.


Erasure request and reliance on Consumer Protection Code

Following an unsuccessful application for a credit card, the data subject in this case sought to have their personal data erased under Article 17 of the General Data Protection Regulation (GDPR). When the erasure request was refused by the data controller, the data subject raised concerns with the DPC that their personal data was being unlawfully retained. The DPC engaged with the data controller in order to assess the reasoning for such refusal.

In response to the data subject’s initial erasure request, the data controller stated that, in line with provision 11.6 of the Consumer Protection Code 2012 and their Privacy Policy and Cookies Statement, they had a legal obligation to retain the information provided. The data controller went further to explain that the personal data provided in the application would be retained for a period of six years from the date on which the service was provided.

As part of its examination, the DPC engaged with the data controller and requested a response to the complaint. The data controller stated that they were relying on Article 6(1)(c) of the GDPR to retain the personal data, whereby processing is necessary for compliance with a legal obligation to which the data controller is subject. The data controller in this case was also subject to the Consumer Protection Code 2012 (CPC). On this basis, the data controller relied on this lawful basis for the refusal of the erasure request. Under Article 17(3)(b) of the GDPR, a data subject’s right to erasure does not apply and may be restricted where the processing is necessary for compliance with a legal obligation.

For reference, the CPC is a set of rules and principles that all regulated financial services firms must follow when providing financial products and services to consumers and was published by the Central Bank of Ireland in compliance with section 117 of the Central Bank Act 1989. Under section 117(4) of the Central Bank Act 1989, it is an offence for a regulated financial firm to fail to provide the Central Bank with information to demonstrate compliance with the CPC.

Provisions 11.5 and 11.6 of the CPC require data controllers to retain the records of a consumer for six years after the date on which a particular transaction is discontinued or completed. The required records include but are not limited to: all documents required for consumer identification; the consumer’s contact details; all correspondence with the consumer; all documents completed or signed by the consumer. The data subject contested this reliance as no service was provided; therefore they were of the view that they were not a consumer and as such felt the data controller had no legal right to maintain the personal data. The CPC defines a consumer as including, where appropriate, a potential consumer. In addition to this, the data controller stated that when the data subject applied for a credit card, the consideration of the application and subsequent decision was deemed a service.

Under section 109(5)(c) of the 2018 Act, the DPC advised the data subject that within the meaning of the CPC they were classified as a potential consumer. As a result, the data controller is legally obliged to retain the personal data for a period of six years. The DPC did not consider any further action necessary at the time of issuing the outcome.


Amicable resolution — right to erasure

This complaint concerned the alleged non-response to an erasure request made by the complainant to a data controller pursuant to Article 17 GDPR.

Following receipt of the complaint from the complainant, the DPC engaged with both parties in relation to the subject matter of the complaint. Further to this engagement, it was established that, during the week in which the complainant sent their erasure request by email to the data controller, a new process to manage personal data erasure requests was being implemented by the data controller.

The data controller informed the DPC that it was during this transitional period from the old system to the new system that the erasure request was received from the data subject. The data controller further advised that while new personnel were being trained on how to manage these types of requests during this period, it appeared a response to the erasure request was missed. The data controller stated that this was an oversight, possibly due to a technical issue or human error, and that it regretted the error.

In the circumstances, the data controller agreed to comply with the erasure request and sincerely apologised for the error. The data controller also subsequently confirmed to the DPC that it had deleted the complainant’s personal data.

The DPC informed the complainant of the outcome of its engagement with the data controller, noting that the positive actions taken by the data controller appeared to deal with the concerns raised in their complaint.

The complainant subsequently confirmed to the DPC that they agreed to the amicable resolution of their complaint as their concerns were now resolved and that their complaint was now withdrawn.

In this circumstance, the complaint was deemed to be amicably resolved and withdrawn, in accordance with section 109 of the Data Protection Act 2018.

Key Takeaway

This case study demonstrates the benefits to both data controllers and to individual complainants of engaging in the amicable resolution process in a meaningful way. In this case, the data controller’s detailed explanation of how the oversight occurred, their offering of an apology and an undertaking to resolve the matter for the complainant resulted in a good outcome for both parties. Most importantly, the complainant was able to exercise their right to obtain from the controller the erasure of personal data concerning them, as afforded to them under the GDPR.


Cross-border complaint — right to erasure

The DPC received a complaint from an individual regarding an erasure request made by them to a data controller, a platform for booking accommodation, pursuant to Article 17 GDPR. The complainant had begun creating an account on the data controller’s platform but chose to abandon the process before it was complete. The complainant then communicated his erasure request to the data controller by email and telephone. In response to the erasure request, the data controller informed the complainant that they required an identity document in order to comply with the erasure request.

The complaint was identified as potentially being capable of amicable resolution under Section 109 of the Data Protection Act 2018, and the data controller agreed to work with the DPC to attempt to amicably resolve the complaint. The data controller provided the DPC with its replies to the complainant relating to the matters raised in the complaint thus far, and confirmed that, in response to the complainant’s erasure request, the data controller had requested an identity document.

In the course of the DPC’s investigation of the complaint, the data controller also confirmed that the account in question had never been used to book or host accommodation or to use the service in any way. Following intervention by the DPC, the data controller undertook to delete the complainant’s account without requesting that the complainant provide any additional documentation.

The DPC communicated these developments to the complainant. The complainant responded by confirming that they accepted the proposed action and that erasure of the account would resolve their complaint. The DPC engaged further with the data controller, which provided confirmation to the DPC that it had erased the complainant’s account. The data controller also conveyed this erasure confirmation to the complainant directly.

The complaint was amicably resolved in accordance with section 109 of the Data Protection Act 2018. This case study demonstrates the benefits, to individuals, of the DPC’s intervention by way of the amicable resolution process. In particular, this case study brings to the fore the manner in which the DPC can assist a complainant through the amicable resolution process. This includes explaining the complainant’s individual concerns to the data controller, where initial engagement between them and the data controller has not led to a resolution of their concerns. In this case, the DPC’s involvement resulted in deletion of the complainant’s personal data by the data controller, in accordance with Article 17, without requiring any further action on the part of the individual.