Case Studies

 

CCTV in Restrooms

Each year the DPC receives numerous queries and complaints from individuals about the use of CCTV in restroom areas by organisations such as public houses, nightclubs, restaurants and transport depots. In particular, the complaints allege that cameras are pointed at specific areas in restrooms where there is an increased expectation of privacy, such as over cubicles or urinals.

While the DPC has engaged with organisations on a one-to-one basis, the issue of the lawfulness of the processing of personal data by way of CCTV in restrooms needs to be considered more generally. Consequently, the DPC has examined these issues further and updated its Guidance on CCTVs for Data Controllers by including a specific section on ‘The use of CCTV in areas of an increased expectation of privacy’.

Key Takeaway

  • Organisations should avoid using CCTV where a reasonably high expectation of privacy exists (for example, over cubicles). The threshold for the use of CCTV in restrooms more generally remains very high. Data controllers must identify and examine all the legitimate issues arising, and must assess and implement appropriate measures that adequately protect the interests of individuals using those facilities; these measures must be evaluated prior to the deployment of any system.
  • The DPC strongly recommends that all data controllers familiarise themselves with this updated guidance.

Case Studies

 

Failure to respond to an Access Request

The DPC received a complaint with regard to an individual who made an access request under Article 15 of the GDPR to a public/state hospital for a copy of all personal information held concerning them. The response from the hospital remained outstanding after more than a month, whereas information provided to the DPC indicated that, due to the health of the individual, this matter required urgent attention.


The DPC contacted the Data Protection Officer for the Hospital Group by phone and email to inform them of the urgency of the complaint, and requested they respond to the individual’s representatives promptly, providing them with a copy of the individual’s personal information as part of the engagement. The hospital followed the instructions from the DPC.

Whilst the hospital acknowledged receipt of the request within one month of its receipt, the personal data the individual was entitled to was only provided to the individual following the intervention of the DPC.   

Key Takeaway

  • Organisations are required to have appropriate organisational measures in place to ensure that they are in a position to respond to any rights requests within the stipulated timeframes under the GDPR. Organisations should not await the intervention of the Regulator to respond promptly to subject access requests.

Data Protection Commission Launches Adult Safeguarding Toolkit to Protect Vulnerable Adults' Data

31st July 2025

The Data Protection Commission (DPC) has today launched a new Adult Safeguarding Toolkit to provide organisations and individuals with guidance and resources to protect the personal data of vulnerable adults*. This initiative aims to ensure compliance with data protection legislation and promote best practices in safeguarding sensitive information. ...

DPC announces inquiry into TikTok Technology Limited’s transfers of EEA users’ personal data to servers located in China

10th July 2025

The Data Protection Commission (DPC) has today announced that it has opened an inquiry into TikTok Technology Limited’s (TikTok) transfers of EEA users’ personal data to servers located in China. The inquiry follows on from the DPC’s decision of 30 April 2025, which also considered TikTok’s transfers of EEA users’ personal data to China under a separate inquiry. ...

Case Studies Cross-border Complaints

 

Cross-Border Complaint Concerning a Delisting Request

The DPC received a complaint via the One-Stop-Shop (OSS) mechanism related to a “right to be forgotten” delisting request made to a large multinational technology company (Data Controller) pursuant to Article 17 GDPR. 

The individual contacted the Data Controller requesting the delisting of several URLs. The content of these URLs described events that transpired at the school of which the individual was the principal. The individual explained that they are not a public figure and were no longer the principal of the school in question. The individual asserted that many of the ‘facts’ cited in the article were incorrect. The article also referred to certain special category data related to the individual, which the individual asserted was also incorrect. The individual stated that they did not receive a response from the Data Controller and submitted a complaint.

Upon receipt of the complaint, the DPC commenced an examination of the complaint with the Data Controller pursuant to section 109 of the Data Protection Act. In response to the DPC’s examination, the Data Controller explained that, following an extensive investigation, it could find no record of the delisting request from the individual. The Data Controller asserted that it did not refuse the delisting request; rather, it was unaware of the request prior to the DPC’s intervention.

On foot of the DPC’s examination, the Data Controller proceeded to carry out a substantive assessment of the individual’s request and determined that, although certain of the complained-of URLs were ineligible for delisting for a number of reasons (e.g. because they did not contain personal data relating to the individual, or because they did not provide a return in the EEA (or UK) versions of its search engine when a search was carried out against the names provided), a number of other URLs were potentially eligible for delisting subject to certain further clarifications being provided by the individual relating to their content.

The Data Controller reached out to the individual directly, outlining the results of its assessment and noting that it would need further information to complete its adjudication of the delisting request. The Data Controller continued to engage with the individual in this regard, and the individual later wrote to the DPC to confirm that the complained-of URLs had now been delisted to their satisfaction and that the matter was resolved.

Key Takeaway

  • There are many elements to be considered when assessing a “right to be forgotten” delisting request pursuant to Article 17 of the GDPR. A balancing test must be carried out by the data controller in order to establish whether the public interest in having access to the information in question outweighs the individual’s right to have that information erased, accounting for all relevant factors presented in the specific case. In this particular complaint, a comprehensive assessment was carried out by the Data Controller following the DPC’s intervention, resulting in the satisfactory resolution of the complaint with the individual.

Case Studies Cross-border Complaints

 

Cross-Border Complaint Concerning an Access Request to a Large Social Media Platform

The DPC received a complaint via the One-Stop-Shop (OSS) mechanism related to an access request made to a large social media platform (Data Controller) pursuant to Article 15 GDPR. 

The individual noticed that their account with the Data Controller appeared to have been hacked and subsequently disabled by the Data Controller. The individual made an access request to the Data Controller in order to obtain a copy of their data. The Data Controller directed them to a set of self-service tools outlining how to access and download their data. 

However, the individual was unable to avail of the self-service tools due to the restriction placed on their account. Having raised this issue with the Data Controller, the individual received further correspondence from the Data Controller explaining that for security reasons it was unable to reinstate the account or provide a copy of the data and considered the case closed.

Upon receipt of the complaint, the DPC commenced an examination of the complaint with the Data Controller pursuant to section 109 of the Data Protection Act. In response to the DPC’s examination, the Data Controller referred the account to its internal team for further investigation, which confirmed that the account showed signs of compromise and that the account had been disabled as a result of activity which occurred on the account during the period it was compromised. The Data Controller therefore agreed to reverse the disablement of the individual’s account and facilitate them in regaining access. Once they had regained full access to their account, the Data Controller advised how the individual could access the self-service tools to access and download a copy of their data if they still wished to do so.

In light of the above actions, the Data Subject subsequently confirmed to the DPC that they considered their complaint resolved.

Key Takeaway

  • This case illustrates the need to ensure appropriate measures are in place to facilitate the exercise of data subject rights, and how directing individuals to self-service tools as a default response to an access request will not always be an appropriate means of doing so. This is particularly so where an individual is unable to avail of the self-service tools for whatever reason, such as where an account may have been hacked by a third party and subsequently restricted by the controller as a result.

Case Studies Erasure

 

Right to be Forgotten (RtbF) search engine results for an individual’s first and last name

An individual contacted a search engine company to request that a number of websites remove articles about them that contained their name, as they believed the articles were no longer relevant to their current life and circumstances. The search engine organisation replied to them and outlined that their requests did not fulfil the criteria for it to remove them. The individual was unhappy with this response and contacted the DPC to make a complaint. 

The DPC began its examination of the complaint by asking the company for the reasons why it believed that the individual’s Article 17 rights under the GDPR did not apply to the individual’s request. The company responded that its understanding was that only the links to articles that arise from a search of the individual’s full name can qualify for consideration when requests are made under Article 17 of the GDPR. In other words, the search engine will separate the automatic appearance of those URLs when the individual’s full name is searched for in its results listing. However, the original articles remain online on the websites that posted them.

When the individual had made their request to the company, they had listed a series of URLs that contained their full (first and last) name. However, when the organisation performed a search of the individual’s full name, the URLs they had specified did not appear in the results listing and therefore did not fall under the scope of Article 17 of the GDPR. In this instance, after performing searches under the individual’s full name, the DPC did not find the URLs that they had requested be delisted and therefore found that on this occasion the right to be forgotten under Article 17 of the GDPR was not applicable.

Key Takeaway

  • The right to be forgotten is not an absolute right; it refers only to search engine results and not the links provided by the search engine results. It does not extend to the results of all internet searches and there are key factors that must be present for requests for delisting to be valid. As per guidelines from the European Data Protection Board (5/2019), should an individual obtain from an internet service provider the delisting of a particular content from its search engine, “this will result in the deletion of that specific content from the list of search results concerning the (individual) when the search is, as a main rule, based on his or her name. This content will however still be available using other search criteria.”