Resources

Inquiry into MOVE (Men Overcoming Violence) Ireland

(IN-20-7-1)

Date of Decision: 20 August 2021

This inquiry was commenced in respect of a personal data breach that MOVE notified to the DPC on 3 February 2020. MOVE is a registered charity, which works in the area of domestic violence, with a primary aim of supporting the safety and wellbeing of women and their children who are experiencing, or have experienced violence/abuse in an intimate relationship. MOVE does this by facilitating men (participants) in weekly group sessions with a facilitator encouraging them to take responsibility for their violence and changing their attitude and behaviour. The personal data breach concerned the loss of eighteen SD Cards that may have contained recordings of group sessions of MOVE’s programme where participants discuss their behaviour and attitudes with regard to domestic violence with a facilitator. Whilst the recording of group sessions focused on the delivery of sessions by the facilitators, some of the participants may have been seen and heard in the recordings; furthermore the personal data on the SD Cards included participants’ disclosure of behaviours, feelings and attitudes towards current or ex partners, other family members and friends, who may have been named by the participants. MOVE submitted that 80 to 120 men may have been affected by this personal data breach and, at least, one facilitator per each recorded session.

  • The decision found that MOVE infringed Articles 5(1)(f) and 32(1) of the GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing by means of recording group sessions on SD Cards containing participants’ and facilitators’ personal data.

The corrective powers exercised:

  • The decision issued MOVE with a reprimand in respect of the infringements.
  • The decision ordered MOVE to bring its processing by means of recording group sessions on SD Cards into compliance with Articles 5(1)(f) and 32(1) of the GDPR.
  • The decision imposed an administrative fine on MOVE in the amount of €1,500 in respect of the infringements.

For more information, you can download a copy of the full decision at this link: MOVE Ireland August 2021 (PDF, 649 KB).