Complaints handling, Investigations and Enforcement For Individuals
What happens when a concern is raised with the Data Protection Commission against an organisation?
As an individual, you are entitled to raise a concern with the Data Protection Commission (DPC) in relation to the manner in which an organisation has handled your personal data. This may include concerns about an organisation’s response to a request you have made to access copies of your personal data, concerns about direct marketing material you have received, concerns about your personal data being breached by an organisation, etc.
A general guide to your data protection rights is available here.
A general guide to the obligations and responsibilities of organisations under data protection legislation is available here.
You may raise a concern with this office via our online form.
Generally, we will require you to have raised the matter directly with the organisation before raising a concern with this office. If you have done this, and are dissatisfied with the organisation’s response (or if you have not received a response from the organisation), you may proceed to raise a concern with the DPC. When you raise a concern with us, we are obliged to provide you with an update or outcome report within three months. Where the matter goes on for longer, we will update you at three month intervals thereafter.
When an individual raises a concern with this office, the matter will be first assessed to ensure the matter falls within our remit to address. We will also require the individual to upload (or otherwise provide to us) evidence to support their case, and in the course of our assessment we may need to contact the individual to obtain further information about the matter they have raised.
Once we are satisfied that the issue(s) raised come within our remit, the case will be progressed through this office as appropriate. Depending on the nature of the concern raised, there are a number of possible ways in which the DPC may seek to resolve the matter.
The Data Protection Act 2018 (“the Act”) sets down the parameters which determine how the DPC may handle a concern that an individual raises with us. The DPC is empowered under the Act to take such action as we consider appropriate in respect of the concern. In the first instance, we are mandated to facilitate or arrange an amicable resolution of the matter, where there is a reasonable likelihood of this being achieved, within a reasonable time. Where it appears, on an initial examination of the matter, that the concern being raised against the organisation may have a valid basis and may involve a breach of an individual’s data protection rights, we would encourage the organisation to consider making an appropriate gesture by way of amicable resolution to work with this office and the complainant in order to resolve the complaint amicably and in as short a time frame as possible. This can result in the timely resolution of the matter and may preclude the need for this office to exercise its formal powers under the Act.
Where an individual has raised a concern raised about an organisation that cannot be amicably resolved within a reasonable time (for example where the individual does not accept a gesture on the part of your organisation by way of amicable resolution), the Data Protection Act 2018 sets down the various steps that this office may take to resolve the matter. These include:
- (A) Rejection of the complaint;
- (B) Dismissal of the complaint;
- (C) Providing advice in relation to the matter;
- (D) Serving on the organisation to which the concern relates an enforcement notice, requiring it to comply with an individual’s request to exercise their data protection rights, or to communicate a personal data breach to an individual;
- (E) Causing such inquiry as the DPC thinks fit to be conducted in respect of the matter; and
- (F) Making such other action in respect of the matter as the DPC considers appropriate.
The majority of cases raised with this office will be resolved either by way of amicable resolution or (where amicable resolution cannot be achieved) at the complaint handling stage. If an individual raises a concern against an organisation, and the concern cannot be amicably resolved, or if the processing of personal data which is the subject matter of the concern has not been remedied, the organisation may be served with an enforcement notice (as outlined at point (d) above) requiring the organisation to comply with the individual’s request to exercise their data protection rights (e.g. to issue a response to their access request, or to communicate a breach of the individual’s personal data to them).
In addition to handling complaints to the extent appropriate, the DPC has the power to conduct an inquiry (either with or without an accompanying investigation), which may result in your organisation being subject to an administrative fine or other corrective power. An inquiry may result from a concern raised with this office, or may be conducted of the DPC’s own volition.
An inquiry (with or without investigation) may also result in the DPC issuing a formal decision in relation to the matter. Generally speaking, the DPC will only consider commencing an inquiry where the matter raised indicates that the alleged data breach is of an extremely serious nature and/or indicative of a systemic failing within the organisation in question.
Where, on the basis of an inquiry (with or without investigation), the DPC decides that an infringement has occurred, a corrective power may be applied against the organisation. The corrective powers that may be levied by the DPC against an offending organisation include powers to:
- issue warnings to an organisation that intended processing operations are likely to infringe the GDPR;
- issue reprimands to an organisation;
- order the organisation to comply with an individual’s request to exercise their rights;
- order the organisation to bring its data processing operations into compliance with the GDPR;
- order the organisation to communicate a personal data breach to an individual;
- impose a temporary or permanent ban limitation on an organisation, including a ban on processing personal data;
- order the rectification or erasure of personal data or the restriction of the processing of personal data, and the notification or such erasure, rectification or restriction to recipients to whom the personal data have been disclosed;
- withdraw certification or order a certification body to withdraw (or not issue) certification, where requirements for certification are not or are no longer met;
- impose an administrative fine, in addition to or instead of another corrective power; and
- order the suspension of data flows to a recipient in a third country or an international organisation.
When deciding to impose an administrative fine on an organisation, the DPC is required to give due regard to:
- the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing, as well as the number of individuals affected and the level of damage they have suffered;
- the intentional or negligent character of the infringement;
- any actions taken by the organisation to mitigate the damage;
- the degree of responsibility of the organisation for the infringement, taking into account the technical and organisational measure it has implemented;
- any previous infringements by the organisation;
- the degree of co-operation by the organisation to remedy the infringement and mitigate its possible adverse effects;
- the categories of personal data involved;
- the manner in which the DPC has become aware of the infringement;
- whether the organisation has complied with any corrective powers previously levied against it;
- whether the organisation has adhered to any applicable approved codes of conduct or certification mechanisms; and
- any other aggravating or mitigating factors.
An administrative fine levied against an organisation for an infringement may be set at up to €20,000,000, or 4% of the organisation’s total worldwide annual turnover for the preceding financial year (whichever figure is higher).
Where an individual raises a concern with us that relates to your organisation’s processing of their personal data before 25 May 2018 (the date on which the GDPR came into force), the previous legislative regime (primarily the Data Protection Acts 1988 & 2003) may dictate how we handle the case.
Where an individual raises a concern relating to the processing of their personal data by your organisation for the purposes of the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties (including the safeguarding against, and the prevention of, threats to public security), the case may be handled under the provisions of the Law Enforcement Directive (LED). The LED sets out data protection rules specific to organisations which process personal data for law enforcement purposes. More information about the LED is available here.