Data Protection Commission publishes 2021 Annual Report

Commissioner for Data Protection, Helen Dixon, has today launched the Irish Data Protection Commission’s Annual Report for 2021.

Highlights of the 2021 Annual report include:

• The DPC received 7,469 queries and 3,419 complaints from individuals in 2021 (an increase of 7% on 2020 figures).
• The DPC concluded 7,081 queries and 3,564 complaints, including 1,884 complaints received prior to 2021.
• Total valid breach notifications received in 2021 was 6,549. Of the total recorded breach cases, 95% were concluded in 2021 (6,274 cases).
• In 2021, the DPC concluded 5 large-scale inquiries; sent forward 4 draft decisions to the EU co-decision making process; referred 1 case to the EU dispute resolution mechanism on foot of which the DPC issued a finalised decision; issued a further 9 preliminary drafts of decisions for submissions to regulated entities and complainants in advance of finalisation, and sought submissions on statements of issues or inquiry reports from relevant parties in a further 17 inquiries.
• In September, the DPC announced a conclusion to a GDPR investigation it conducted into WhatsApp Ireland Ltd. The decision was subject to the EU dispute resolution process, after which the DPC imposed a fine of €225 million on WhatsApp, in addition to an order for WhatsApp to bring its processing into compliance.
• 138 electronic direct marketing investigations were concluded in 2021 and two telco companies were prosecuted for persistently contacting customers who had opted out of correspondence.
• In December 2021 the DPC published its Data Protection Audit of Political Parties in Ireland. The report was compiled following data protection audits conducted this year by the DPC in twenty-six registered political parties in Ireland.
• In December 2021, the DPC settled legal proceedings with the Department of Social Protection (D/SP) on the D/SP’s processing of personal data when issuing Public Service Card.
• In 2021, the DPC published its finalised Fundamentals for a Child-Oriented Approach to Data Processing, giving much-needed direction to organisations involved in the processing of children’s data.
• In December 2021, the DPC published its Five-Year Regulatory Strategy for 2022-2027, providing clarity to stakeholders as to the direction of travel for the regulatory priorities of the DPC going forward.
• Staff numbers increased to 190 and budget increased to €19.1 million (€23.2 million in 2022).

The Commissioner for Data Protection, Helen Dixon, commented:

“2021 has been a year of strong regulatory results from the DPC, in which it delivered impactful and far-reaching outcomes for the protection of individuals’ personal data. The GDPR is a strong framework law that demands accountability, fairness and transparency from all organisations that process personal data. It is clear that “data controllers” in Ireland continue to improve their compliance efforts, but higher standards of responsiveness to individuals seeking to exercise their rights are still needed in many sectors. The DPC will continue to target enforcement actions aimed at driving those necessary improvements, in addition to publishing decisions and case studies on its website to guide data controllers in the application of the GDPR. Operationalising the aims of the GDPR is an important work-in-progress for all of us and must continue. “

The Data Protection Commission Annual Report 2021 is available here.