Case Studies

 

CCTV in Restrooms

Each year the DPC receives numerous queries and complaints from individuals specifically about the use of CCTV in restroom areas by various organisations such as public houses, nightclubs, restaurants and transport depots. More particularly, the complaints allege that the cameras are pointing over specific areas in restrooms where there is an increased expectation of privacy, such as over cubicles or urinals.

While the DPC has engaged with organisations on a one-to-one basis, the issue of the lawfulness of the processing of personal data by way of CCTVs in restrooms needs to be considered more generally. Consequently, the DPC has examined these issues further and updated its Guidance on CCTVs for Data Controllers by including a specific section on ‘The use of CCTV in areas of an increased expectation of privacy’.

Key Takeaway

  • Organisations should avoid using CCTV where a reasonably high expectation of privacy exists (for example, over cubicles). The threshold for the use of CCTV in restrooms more generally remains very high. It requires data controllers to identify and examine all the legitimate issues arising, and to assess and implement appropriate measures which adequately protect the interests of individuals using those facilities. These measures must be evaluated prior to the deployment of any system.
  • The DPC strongly recommends that all data controllers familiarise themselves with this updated guidance.

Case Studies

 

Failure to respond to an Access Request

The DPC received a complaint with regard to an individual who made an access request under Article 15 of the GDPR to a public/state hospital for a copy of all personal information held concerning them. The response from the hospital remained outstanding after more than a month, whereas information provided to the DPC indicated that, due to the health of the individual, this matter required urgent attention.


The DPC contacted the Data Protection Officer for the Hospital Group by phone and email to inform them of the urgency of the complaint, and requested they respond to the individual’s representatives promptly, providing them with a copy of the individual’s personal information as part of the engagement. The hospital followed the instructions from the DPC.

Whilst the hospital acknowledged receipt of the request within one month of its receipt, the personal data the individual was entitled to was only provided to the individual following the intervention of the DPC.   

Key Takeaway

  • Organisations are required to have appropriate organisational measures in place to ensure that they are in a position to respond to any rights requests within the stipulated timeframes under the GDPR. Organisations should not await the intervention of the Regulator to respond promptly to subject access requests.

Data Protection Commission Launches Adult Safeguarding Toolkit to Protect Vulnerable Adults' Data

31st July 2025

The Data Protection Commission (DPC) has today launched a new Adult Safeguarding Toolkit to provide organisations and individuals with guidance and resources to protect the personal data of vulnerable adults*. This initiative aims to ensure compliance with data protection legislation and promote best practices in safeguarding sensitive information. ...

DPC announces inquiry into TikTok Technology Limited’s transfers of EEA users’ personal data to servers located in China

10th July 2025

The Data Protection Commission (DPC) has today announced that it has opened an inquiry into TikTok Technology Limited’s (TikTok) transfers of EEA users’ personal data to servers located in China. The inquiry follows on from the DPC’s decision of 30 April 2025, which also considered TikTok’s transfers of EEA users’ personal data to China under a separate inquiry. ...

Case Studies Cross-border Complaints

 

Cross-Border Complaint Concerning a Delisting Request

The DPC received a complaint via the One-Stop-Shop (OSS) mechanism related to a “right to be forgotten” delisting request made to a large multinational technology company (Data Controller) pursuant to Article 17 GDPR. 

The individual contacted the Data Controller requesting the delisting of several URLs. The content of these URLs described events that transpired at the school of which the individual was the principal. The individual explained that they are not a public figure and were no longer the principal of the school in question. The individual asserted that many of the ‘facts’ cited in the article were incorrect. The article also referred to certain special category data related to the individual, which the individual asserted was also incorrect. The individual stated that they did not receive a response from the Data Controller and submitted a complaint.

Upon receipt of the complaint, the DPC commenced an examination of the complaint with the Data Controller pursuant to section 109 of the Data Protection Act. In response to the DPC’s examination, the Data Controller explained that, following an extensive investigation, it could find no record of the delisting request from the individual. The Data Controller asserted that it did not refuse the delisting request; rather, it was unaware of the request prior to the DPC’s intervention.

On foot of the DPC’s examination, the Data Controller proceeded to carry out a substantive assessment of the individual’s request and determined that, although certain of the complained-of URLs were ineligible for delisting for a number of reasons (e.g. because they did not contain personal data relating to the individual, or because they did not provide a return in the EEA (or UK) versions of its search engine when a search was carried out against the names provided), a number of other URLs were potentially eligible for delisting subject to certain further clarifications being provided by the individual relating to their content.

The Data Controller reached out to the individual directly, outlining the results of its assessment and noting that it would need further information to complete its adjudication of the delisting request. The Data Controller continued to engage with the individual in this regard and the individual later wrote to the DPC to confirm that the complained-of URLs had now been delisted to their satisfaction and that the matter was resolved.

Key Takeaway

  • There are many elements to be considered when assessing a “right to be forgotten” delisting request pursuant to Article 17 of the GDPR. A balancing test must be carried out by the data controller in order to establish whether the public interest in having access to the information in question outweighs the individual’s right to have that information erased, accounting for all relevant factors presented in the specific case. In this particular complaint, a comprehensive assessment was carried out by the Data Controller following the DPC’s intervention, resulting in the satisfactory resolution of the complaint with the individual.