Inquiry into the Pre-Hospital Emergency Care Council - May 2022

(IN-22-2-1)

Date of Decision: 03 May 2022

The Data Protection Commission (DPC) commenced this own-volition Inquiry as a result of a monitoring and enforcement exercise carried out pursuant to the tasks of a supervisory authority contained in Article 57 of the GDPR.

The DPC sought to monitor and enforce the application of the GDPR concerning the designation of a Data Protection Officer (DPO) by organisations. The designation of a DPO and related obligations of data controllers are contained in Article 37 of the GDPR. The Pre-Hospital Emergency Care Council was identified as an apparent public sector organisation that may be required to designate a DPO, publish the details of the DPO and communicate them to the DPC as the supervisory authority.

The Pre-Hospital Emergency Care Council (PHECC) was one of many public sector organisations contacted during the monitoring and enforcement exercise. PHECC did not respond to any correspondence issued to it. There was no record in the DPC of the PHECC having communicated its DPO details to the DPC. In addition, there were no contact details for a DPO available on the PHECC website.

This Inquiry was commenced to establish whether the PHECC was required to designate a DPO pursuant to Article 37(1) of the GDPR and whether the PHECC had done so. In addition, the Inquiry sought to establish whether the PHECC infringed Article 37(7) of the GDPR concerning the publication of the DPO contact details and the communication of contact details to the DPC. The Inquiry was also commenced to establish whether the PHECC infringed Article 31 of the GDPR by failing to cooperate, on request, with the DPC in the performance of its tasks.

The Decision found that the PHECC had infringed the following provisions of the GDPR:

- Article 37(1) of the GDPR, which requires inter alia that public sector controllers designate a data protection officer. The PHECC infringed Article 37(1) by failing to designate a data protection officer for the organisation.
- Article 37(7) of the GDPR was infringed by the PHECC by failing to publish the contact details of a data protection officer and failing to communicate the contact details to the supervisory authority.
- Article 31 of the GDPR requires controllers to cooperate with the supervisory authority, on request, when carrying out its tasks pursuant to Article 57 of the GDPR. The PHECC infringed Article 31 of the GDPR by failing to respond to any of the correspondence issued to it via email and registered post, despite acknowledging, during the Inquiry, that the correspondence had been received.

The Decision accepted that the failure to cooperate with the DPC was without intent, but noted that "It cannot be the case that a public authority or body (or any controller), can fail to answer, in any way, repeated efforts to monitor and enforce the GDPR."

Corrective Powers Exercised:

The Decision issued the Pre-Hospital Emergency Care Council with a reprimand in respect of the infringements of Articles 31, 37(1), and 37(7) of the GDPR.


For more information, you can download a copy of the full decision at this link: Pre-Hospital Emergency Care Council May 2022 (PDF, 1,010 KB).