Case Studies Electronic Direct Marketing
Prosecution of Thérapie Clinic Trading as Valterous Limited
In February 2024, the DPC received notification from an individual of an alleged unsolicited email communication from Thérapie Clinic. The individual had provided the DPC with a copy of their marketing preferences and a copy of an unsolicited email communication.
Subsequent to further investigation, Thérapie Clinic confirmed to the DPC that the complainant was a client of theirs and had not given consent to receive marketing communications. Thérapie Clinic conducted an internal investigation, which found that the email message, which was the subject of the complaint, had been sent manually by a member of staff in one of their clinics.
The email was not a system-generated message, and therefore no opt-out mechanism had been included in the communication. As such, the individual had received an unsolicited marketing email message without an option to opt out of receiving further marketing messages. As the DPC had issued a warning in February 2023 to Thérapie Clinic in regard to a previous complaint, the DPC decided to prosecute arising from this complaint case.
On 25 October 2024, Thérapie Clinic was prosecuted for sending unsolicited emails to a customer who had previously opted out of receiving marketing communications. The company was found to have violated Regulation 13(12)(c) and Regulation 13(13)(a)(i) of S.I. No. 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. In lieu of a conviction and fine, the Dublin Metropolitan District Court ordered the company to make a donation of €325 to the Little Flower Penny Dinners charity and to pay the DPC’s legal costs.
Case Studies Electronic Direct Marketing
Prosecution of Google Ireland Limited
In November 2023, the DPC received notification from an individual of alleged unsolicited marketing communications via telephone from Google Ireland Limited. The individual in question had received three separate phone calls in the space of a 4-hour period from individuals identified as sales representatives on behalf of Google Ireland Limited. The DPC launched an investigation, during the course of which Google Ireland Limited confirmed that a third-party contractor had disregarded the individual’s previous request to opt-out of marketing communications, resulting in a number of calls being made to the individual.
The DPC had previously issued a warning to Google Ireland Limited in July 2023 concerning unsolicited phone calls made without consent to the same individual. As part of this warning, Google Ireland Limited was notified that if the individual was to receive further phone calls, Google Ireland Limited may face prosecution. Google Ireland Limited breached the rules governing unsolicited marketing phone calls, as the company continued to make marketing phone calls after the individual had explicitly withdrawn their consent.
At Dublin Metropolitan District Court on 25 October 2024, Google Ireland Limited pleaded guilty to two charges of making unsolicited marketing telephone calls under Regulation 13 of S.I. No. 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. Dublin Metropolitan District Court directed the company to contribute €1,500 to the Little Flower Penny Dinners charity and to pay the DPC’s legal costs in lieu of a conviction and fine.
Case Studies Access Request Complaints
Data Controller vs Data Processor obligations
An individual made an access request under Article 15 of the GDPR to an organisation they believed to be processing their personal data. Upon receipt of this request, the organisation notified the individual that it was not the data controller in this instance. The organisation advised the individual that it had referred the request to the actual data controller in line with its obligations under Article 28(3)(e) of the GDPR to assist “…the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights”. The individual was not satisfied with the response and submitted a complaint to the DPC.
The DPC requested documentary evidence from the organisation (data processor) which would support its assertion that it was not the data controller in this instance. The organisation provided the DPC with a copy of a data protection agreement, which explicitly detailed the organisation as the data processor and the other party as the data controller in relation to the personal data being processed in this instance. This agreement outlined in specific detail that the organisation only processed personal data upon instruction from the data controller. The DPC examined this agreement and affirmed that the organisation to which the individual submitted the access request was the data processor in this instance.
The DPC accepted that the organisation was the data processor for the personal data which had been requested in this instance and that it had complied with its obligations under both Article 15 and Article 28(3)(e) of the GDPR.
Case Studies Access Request Complaints
Requesting Data relating to a Vehicle
An individual raised a query with the DPC about gaining access to information held by a garage detailing the history of the vehicle the individual now owned, including details of damages assessed, recommended repairs, and an engineer’s report conducted towards the end of a particular year. The individual submitted an access request under Article 15 of the GDPR to the garage for all data related to the vehicle. The garage refused the request. As they were dissatisfied with the response received from the garage, they contacted the DPC to raise their concerns.
In response, the DPC reviewed the request and provided relevant information, advising that under GDPR, “personal data” is defined in Article 4(1) as any information relating to an identified or identifiable natural person. While a vehicle’s registration plate could be considered personal data, the condition of the vehicle itself prior to a person’s ownership did not relate to the individual as a natural person. Consequently, the DPC considered that data protection law did not apply in this case, and the concerns raised fell outside its remit.
Case Studies Electronic Direct Marketing
Prosecution of Supermac’s Ireland Limited
In August 2023, the DPC received a complaint from an individual regarding alleged unsolicited marketing SMS messages received from Supermac’s Ireland Limited. The DPC launched an investigation, in the course of which Supermac’s Ireland Limited explained that the individual had registered for their online ordering system in 2018 and had ticked the box to receive SMS and email marketing communications. The individual subsequently placed an online order in 2023 and was added to an active marketing list for SMS purposes.
The DPC requested that the individual’s details be removed from the active marketing list in August 2023. Supermac’s Ireland Limited confirmed to the DPC that the opt-out had been successful and the individual had been removed from their marketing list. However, the individual contacted the DPC again in October 2023 to inform the DPC that they had received a further marketing SMS from Supermac’s Ireland Limited, despite assurances that they had been removed from marketing lists. Upon further investigation, Supermac’s Ireland informed the DPC that, due to a technical error by their subcontractor, the individual’s phone number had not been removed properly.
The DPC’s investigation of this complaint established that Supermac’s Ireland Limited did not have valid consent to send electronic marketing communications to the individual concerned. As the DPC had issued a warning to the company in February 2023 with regard to a previous complaint, the DPC decided to prosecute the case.
On 3 September 2024 before Judge Fahy in Galway District Court, Supermac’s Ireland Limited pleaded guilty to five charges of sending unsolicited marketing SMS messages under Regulation 13(7) and Regulation 13(13)(a)(i) of S.I. No. 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. Galway District Court ordered the company to make a contribution of €3,500 to the Galway Simon Community and Cope Galway, in lieu of a conviction and fine. The company was also required to discharge the DPC’s legal costs.
Case Studies Electronic Direct Marketing
Prosecution of Pulse Gym (trading as Energie Fitness Dublin 8)
In October 2023, the DPC received notification from an individual regarding unsolicited marketing SMS messages received from Pulse Gym, trading as Energie Fitness Dublin 8. An investigation was launched during which Pulse Gym explained that when a member signed up online, they agreed to Pulse Gym’s terms and conditions, which included a reference to giving consent to receive marketing materials by electronic means.
The DPC requested a copy of the consent referred to under Article 7 of the GDPR, but Pulse Gym was unable to provide such a copy. The DPC highlighted that consent for marketing is required to be “freely given, specific, informed and unambiguous”, and that Pulse Gym was not permitted to “bundle” consent for processing of individuals’ personal data for different purposes.
Pulse Gym also confirmed during the investigation that the opt-out attempts made by the individual had been unsuccessfully implemented as there was a fault in the service provider’s software.
A warning had previously been issued to Pulse Gym following an investigation of a similar complaint in July 2023. As part of this warning, the DPC had made Pulse Gym aware of their requirements to ensure that their mailing list only contained details of individuals who had explicitly consented to receive marketing communications and to ensure their opt-out function was operational and opt-out requests were respected. However, upon receipt of this further complaint in October 2023, it became apparent that not all changes identified in the DPC’s warning letter had been implemented. As a result, the DPC decided to move to prosecution proceedings in this instance.
Pulse Gym pleaded guilty to one charge of sending unsolicited marketing SMS messages at Dublin Metropolitan District Court on 27th May 2024 under Regulation 13 of S.I. No. 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. In lieu of a conviction and fine, Judge Halpin applied the Probation Act and the company was instructed to make a donation of €700 to the Little Flower Penny Dinners charity and to pay the DPC’s legal costs in full.
Case Studies Accuracy
Rectification of personal data
An individual flew with an airline to a destination in Europe. When undertaking their return flight, the individual encountered a situation in which their luggage was misplaced. After reporting the issue at the airport, they received a missing luggage slip that contained the name of a different individual but correctly listed the details of their missing luggage.
The individual promptly raised their concerns with the airline, seeking a resolution to ensure their luggage was properly tracked and identified. However, despite the customer’s efforts, the airline was unable to provide a satisfactory resolution, and refused to issue a new ticket reflecting their correct name on the luggage slip. This lack of resolution prompted the individual to escalate the matter further by filing a complaint with the DPC.
In response, the DPC liaised with the airline’s DPO to address the issue of the recording of incorrect personal data. The DPC emphasised the importance of accurate data handling and the implications of data errors on customer experiences. Through this intervention, the DPO worked swiftly to rectify the situation, ensuring that the individual received an updated luggage slip that included their correct name.
This updated slip was crucial for this individual as it allowed them to file a claim with their insurance provider for the lost luggage. The case highlights the importance of effective data management practices and serves as a reminder for organisations to prioritise accurate record-keeping and responsive customer service, especially in situations involving personal belongings.
Case Studies Erasure
Parent making an erasure request for child who is now an adult
A charity contacted the DPC seeking advice on a query they had received from a parent asking whether they could request the erasure of their child’s personal data. The data in question dated back several years when the child was a minor. However, the child was now an adult, and the parent, who was their guardian at the time, wanted to know if they could still request that the data be erased.
The DPC advised the charity that, under section 29 of the Data Protection Act 2018, a child is defined as an individual under the age of 18. This meant that, as the individual was now over 18, they were considered an adult and, therefore, had the full legal capacity to exercise their own data protection rights, including the right to request erasure of their personal data.
The DPC also clarified that while the parent could no longer directly request the erasure of the data on behalf of the now-adult child, the affected individual could choose to provide their parent with a signed letter of authority. This was an option that could be drawn to the attention of the now-adult child and their parent. Such a letter of authority would allow the parent to act on their behalf in making the data erasure request. The DPC reminded the charity that it was their responsibility to verify and ensure that any such request was valid under the circumstances.
The charity thanked the DPC for their response and confirmed that they would share the information with the individual who had initially contacted them. This guidance helped to ensure that both the individual’s rights and the role of the charity were clearly understood, while also acknowledging the potential complexities involved in handling requests from parents of adult children.
Case Studies Electronic Direct Marketing
Direct Marketing
An individual raised a query with the DPC concerning the marketing communication practices of an airline following a recent trip with that airline. The issue arose when the individual received an email requesting feedback on their recent trip, which they perceived to be a marketing email. The individual contacted the DPC advising that they could not find an unsubscribe option in this communication.
In an effort to resolve the issue, the individual had to navigate to the airline’s website to find the option to unsubscribe, a process they documented with an attached screenshot. Additionally, the individual expressed uncertainty about having signed up for this communication, as they noted being careful to avoid consent for unwanted marketing. The individual sought clarification on whether organisations are required to include an unsubscribe link in emails or surveys that are not directly related to a specific service, such as a flight.
In response to the individual, the DPC highlighted that, under Regulation 13 of the ePrivacy Regulations (S.I. 336/2011), as a general rule electronic direct marketing requires the affirmative consent of the recipient. Direct marketing can also be defined as communications aimed at promoting a product or service or encouraging additional enquiries from the recipient. The DPC further clarified that correspondence sent solely for informational or feedback purposes does not constitute direct marketing. However, if such communications included marketing content, they could be classified as direct marketing, thus necessitating the inclusion of an unsubscribe option.
In this particular scenario, having reviewed the communication message, the DPC noted that it did not include marketing content and that the organisation was only seeking feedback in order to improve the service offered. As such, the DPC determined that this communication did not constitute direct marketing or an infringement of data protection rights.
Case Studies Miscellaneous
Use of Personal Email in Work
An organisation in the voluntary sector became aware during an internal audit review that, during their employment, an ex-employee had forwarded emails and attachments from their work account to their private email account. The emails contained personal data, including special category health data (under Article 9 of the GDPR) relating to a number of vulnerable individuals.
The DPC engaged with the organisation to establish the root cause of this breach and to ascertain what measures the organisation had in place in order to protect the rights and freedoms of the affected data subjects. The organisation carried out an investigation and received assurances from the ex-employee that the personal data had been deleted and was never shared with any third parties, and that they had used their personal email address for convenience in certain circumstances.
The organisation’s Data Protection Officer (DPO) also engaged with the organisation’s Head of IT to examine if technical measures could be implemented to reduce the risk of this issue reoccurring. All affected data subjects were notified and were advised that the DPO was available to assist them should they have any queries.
Following engagement with the DPC, the organisation implemented a number of solutions, both technical and organisational, to prevent this issue from occurring again. The organisation also launched an awareness campaign to remind all staff, volunteers and the Board of Directors of their responsibilities to keep personal data safe and private; and to ensure compliance with the organisation’s Data Protection Policy.