Resources

Inquiry into the Department of Employment Affairs and Social Protection (“the Department”)

(IN-18-12-1)

Date of Decision: 10 May 2021

The Data Protection Commission (“the DPC”) commenced this own-volition inquiry after it received a complaint from Digital Rights Ireland alleging a “serious interference with the independence of the Data Protection Officer (DPO) in the Department”. On 4 July 2018, the Department received a media query in relation to the Privacy Statement’s reference to biometric data. This query set off a series of internal email threads and discussions within the Department questioning the reference to biometric data. On 6 July 2018, the Department amended its Privacy Statement and removed the only reference to its processing of biometric data from the Statement. As part of the complaint, Digital Rights Ireland submitted the Department’s internal email threads to the DPC having received them pursuant to the Freedom of Information Act 2014.

The scope of this inquiry concerned whether the Department’s DPO was involved in the issue of amending the Privacy Statement in a proper and timely manner in accordance with Article 38(1) of the GDPR; and whether the DPO received instructions regarding the exercise of his tasks contrary to the requirements of Article 38(3) of the GDPR. The scope of the inquiry did not concern whether the Department’s amendment complied with its transparency obligations under the GDPR. During the inquiry, the DPC gathered all of the relevant information in order to comprehensively consider the background, in addition to the email threads submitted with the complaint. The DPC conducted a voluntary interview with the DPO who held that position at the relevant time. The DPC also had regard to statements submitted to the DPC by the Department’s Secretary General and DPO respectively. The DPC also analysed the Department’s relevant internal emails between 4 - 6 July 2018 concerning the amendment to the Privacy Statement. Having regard to all of the relevant information, the DPC found that:

  • The Department involved their DPO, properly and in a timely manner, in the Department’s amendment to its Privacy Statement as implemented on 6 July 2018. Therefore, the Department did not infringe Article 38(1) of the GDPR in the circumstances.
  • The Department did not provide any instructions to the DPO regarding the exercise of the tasks referred to in Article 39 of the GDPR in respect of the Department’s amendment to its Privacy Statement as implemented on 6 July 2018. Therefore, the Department did not infringe Article 38(3) of the GDPR in the circumstances.

For more information, you can download a copy of the full decision at this link: Department of Employment Affairs and Social Protection May 2021 (PDF, 1,234 KB).