Case Studies Electronic Direct Marketing


Prosecution of Clydaville Investments Limited, T/A The Kilkenny Group

In November 2017, we received a complaint from an individual who had received a marketing email from the Kilkenny Group. The email, which was personally addressed to him, promoted a pre-Christmas sale and informed him that there was up to 50% off and that everything was reduced. The complainant informed us that he did not believe that he had opted in to receiving marketing emails.

During our investigation, it emerged that a previous marketing email had been sent to the same complainant one year earlier, in November 2016, inviting him to a corporate event in the company’s Cork store. The complainant subsequently advised us that he recalled replying to that email, asking that his email address be deleted. In September 2012, arising from our investigation of a complaint about unsolicited marketing text messages sent by the Kilkenny Group to a different complainant, we had issued a warning to the company. In light of that, the DPC decided to prosecute the company in respect of the 2017 complaint.

The matter came before Tralee District Court on 15 October 2018. The defendant faced a total of four charges. Two related to alleged contraventions of Regulation 13(1) of S.I. No. 336 of 2011 for the sending of unsolicited marketing emails to the complainant in November 2016 and November 2017 without his consent. Two further charges related to alleged contraventions of Regulation 13(12)(c) of S.I. No. 336 of 2011. This regulation provides that a person shall not send electronic marketing mail that does not have a valid address to which the recipient may send a request that such communications cease. As guilty pleas were not entered to any of the charges, the matter went to a full hearing involving three defence witnesses and two prosecution witnesses, including the complainant. At the end of the proceedings, the court found the facts proven in relation to two contraventions of Regulation 13(1), concerning the sending of two marketing emails without consent. On the understanding that the defendant would discharge the prosecution costs of €1,850, the court applied Section 1(1) of the Probation of Offenders Act in respect of both charges instead of a conviction and fine. The court dismissed the two charges in respect of Regulation 13(12)(c).


Prosecution of Viking Direct (Ireland) Limited

In April 2017, we received a complaint from a business owner regarding unsolicited marketing emails that were being sent to the business's email address by Viking Direct (Ireland) Limited. The complainant indicated that she had previously contacted the company to ask for her business email address to be removed from the marketing list but, despite this, further marketing emails continued to be sent.

During our investigation, Viking Direct (Ireland) Limited confirmed that the complainant had asked to be removed from its mailing list several times. It explained that the internal processes of moving the data to the suppression list had failed and the data remained on the mailing list. The company stated that the systems had now been corrected and tested, such that the situation should not recur. It apologised for any inconvenience caused to the complainant. Our investigation found evidence of three opt-out requests sent by the complainant to Viking Direct (Ireland) Limited by email between 30 March 2017 and 11 April 2017.

Viking Direct (Ireland) Limited had been the subject of an investigation in 2012 on foot of a complaint made to the DPC about unsolicited marketing emails. At that time, we concluded that investigation with a warning to the company. In light of that warning, the DPC decided to prosecute the company in respect of the 2017 complaint.

At Dublin Metropolitan District Court on 14 May 2018, the company entered a guilty plea to one charge of sending an unsolicited marketing email to a business email address in contravention of Regulation 13(4) of S.I. No. 336 of 2011. Under this regulation, it is an offence to send an unsolicited direct-marketing communication by electronic mail to a subscriber (which includes business subscribers) where that subscriber has notified the sender that it does not consent to the receipt of such a communication. The case was adjourned for sentencing until 11 June 2018. At the sentencing hearing, the court applied Section 1(1) of the Probation of Offenders Act in lieu of a conviction and fine. The company agreed to cover the prosecution costs incurred by the DPC.

Case Studies Disclosure / Unauthorised Disclosure


Appropriate security measures for emailed health data

The DPC received a complaint from the parent of a child whose health data was mistakenly disclosed to an unknown third party. The data was contained in a document attached to a misaddressed email that had been sent by an employee of a public body.

The child was the subject of a health-related assessment by a therapist employed by the public body. The therapist prepared a draft report, which was to be sent to a senior professional. Before sending it, the therapist decided to ask a colleague for a second opinion. The colleague was not in the office, so the therapist chose to send the draft report to the colleague’s personal email address. Soon after doing so, the therapist realised that the email address was incorrect. The public body’s IT service was not able to recall the misaddressed email. The recipient’s email service provider confirmed that the recipient’s account was active, but emails from the public body asking the recipient to delete the misaddressed email were not answered. The public body contacted the parent by telephone, in person and in writing to inform them of the error and apologise for it. It also notified the DPC of a personal data breach. The parent subsequently lodged a complaint with the DPC.

As part of its examination of the complaint, the DPC asked the public authority to explain the steps taken to secure deletion of the misaddressed email, its policy concerning the sending of work-related emails to staff members’ personal addresses, and the measures being adopted to prevent a recurrence of the breach.

In its response, the public body confirmed the sequence of events described above, including its attempts to recall the email and its interactions with the email service provider. It advised the DPC that it had reissued a copy of its data protection policy to all members of the team on which the therapist worked, and had written to the team reminding its members that they are not permitted to send any information to personal email addresses, regardless of whether they were asked to do so. It was made clear that this included reports and other work-related documentation. Data protection was added as a fixed item on the agenda of the team’s bi-monthly meetings, and all team members were scheduled for data protection awareness training. In assessing the matter, the central issue identified by the DPC was the obligation of a data controller to take appropriate security measures against risks including unauthorised disclosure of personal data. Appropriate security measures are to be identified having regard to factors including the technology available, the harm that could be caused by disclosure, and the nature of the data. Further, controllers must take all reasonable steps to ensure that their employees are aware of and comply with those measures.

The DPC’s view was that sending a draft report to a personal email address was clearly inappropriate having regard to the required level of security, and was contrary to the public body’s own data protection policies. However, the mere existence of those policies was not enough to satisfy the obligation to take reasonable steps to ensure its employees were aware of and complied with them. The public body had done so only after the breach had occurred.

Key Takeaway

  • This case highlights the risk-based approach of data protection legislation. Article 32 of the GDPR requires controllers (and, where applicable, processors) to implement technical and organisational measures to ensure appropriate security of the personal data they process. Persons who process personal data on behalf of the controller must do so only on the controller’s instructions, and therefore must be aware of relevant technical and organisational measures.
  • The appropriateness of security measures will be determined by reference to risks: the risk that a breach could pose to individuals’ rights and freedoms, and the possibility of various types of breach, such as the loss or disclosure of, or unauthorised access to, the data. Special category data, such as health data, has heightened protection under Article 9 of the GDPR. Security measures that are appropriate for these categories of data are therefore likely to be more stringent. Controllers must also bear in mind that risks often change over time; security measures must likewise be adapted to the circumstances.


Disclosure of personal data (Applicable Law — GDPR & Data Protection Act 2018)

A data subject made a complaint to the Data Protection Commission (DPC) against their owner management company (the data controller) regarding the disclosure of their personal data under the General Data Protection Regulation (GDPR). The data subject explained to the DPC that an email containing their personal data had been circulated by a property management company on behalf of an owner management company (OMC) and contained information regarding the payment of annual service charges.

Before contacting the DPC, the data subject contacted the OMC to raise their concerns about the disclosure of their personal data. The OMC responded that its policy was to include such personal data in emails to all clients. The data subject confirmed that they had neither seen nor signed this policy.

Following the DPC’s engagement, the data controller cited a clause in its OMC Memorandum of Association which allowed for the disclosure of payment or non-payment of service charges to other unit owners.

The DPC provided both parties with guidance from this office for consideration, “Data Protection Considerations Relating to Multi-Unit Developments and Owners’ Management Companies”. The guidance indicated that the disclosure must be justified as both necessary and proportionate to achieve a specific, explicit and legitimate purpose, in accordance with data protection law.

The data controller informed the DPC that a balancing test was conducted and highlighted that the processing of the personal data was necessary to achieve the legitimate interest of the management company to obtain payment of service charges.

Under section 109(5)(c) of the 2018 Act, the DPC advised that the data controller had not been able to provide an adequate lawful basis for the processing of personal data outlined in the complaint.

The outcome reminded the data controller of its obligations as a data controller under Articles 5, 6 and 24 of the GDPR. Under section 109(5)(f) of the 2018 Act, the DPC recommended that the data controller review its Memorandum of Association to ensure compliance with the DPC guidance; consider alternative methods of resolving the non-payment of service charges; and consider and balance any legal obligation or legitimate interest against the rights and interests of the data subject.


Disclosure of personal and financial data to a third party and erasure request

A data subject provided their personal and financial data to an organisation (the data controller) as part of their relative’s application for a scheme. The application was unsuccessful and the applicant was issued with a refusal letter, which included a breakdown of the data subject’s personal and financial data. The data subject made a complaint to the Data Protection Commission (DPC) regarding the lack of transparency in the application process and the disclosure of their personal and financial data to their relative. The data subject requested the return of their personal data from the data controller. The data subject also requested that their personal data be erased by the data controller under Article 17 of the General Data Protection Regulation (GDPR) or, if erasure was not an option, that the data controller state its legal basis for retaining the data.

Prior to the commencement of an examination by the DPC, the data subject made suggestions to amicably resolve their complaint, which included, among other things, a ‘goodwill gesture’ from the data controller. However, due to the role of the organisation, the data controller was not in a position to facilitate this request.

As part of its examination, the DPC engaged with the data controller and requested a response to the data subject’s complaint. The data controller stated that while it is part of their procedure to inform applicants of their reasons for refusal, only a partial disclosure should be made in their decision letters where information was gathered from a third party. With regards to the data subject’s erasure request, the data controller advised that the personal data provided would be retained for the lifetime of the applicant plus 10 years. The data controller explained that the data is retained for this period as the data in question may affect any future applications by the applicant.

Subsequently, the data subject’s erasure request was refused by the data controller, which advised that it was relying on Article 17(3)(b) of the GDPR. That provision restricts the obligation on data controllers to erase personal data where the personal data is required for compliance with a legal obligation. The data controller also relied on Article 23(1)(e) of the GDPR, which states that a data subject’s rights may be restricted for: “Important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security.”

An apology was issued to the data subject by the data controller as a result of the disclosure of their personal data in the refusal letter issued to their relative, the applicant. The data subject queried whether this disclosure had been reported to the DPC as a breach. Under Article 33 of the GDPR, a data controller is required to report a personal data breach to the relevant competent authority without undue delay, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. A data breach is described in Article 4(12) of the GDPR as: “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. The DPC found that the disclosure was the result of human error and was not identified as a systemic issue.

Through its examination, the DPC found that the refusal letter which resulted in the disclosure of the data subject’s personal data could be distinguished from other records retained by the data controller, as it did not directly follow the data controller’s guidelines. As such, the DPC invited the data controller to erase or redact the data subject’s personal data from the decision letter held on file. In addition, an amended letter could be issued to the applicant with the data subject’s personal data redacted. The data controller advised that it would reissue the refusal letter and request that the applicant return the initial letter sent. The data controller also advised that it would delete the initial letter from its records.

Under section 109(5)(c) of the 2018 Act, the DPC advised the data subject that the explanation put forward by the data controller in the circumstances of their complaint was reasonable. The data controller acknowledged the disclosure of the data subject’s personal data to their relative, the applicant, issued an apology for same, and indicated that the original refusal letter would be amended on its system and an updated letter would issue to the applicant.

Further, under section 109(5)(f) of the 2018 Act, the DPC recommended that the data controller provide updated training to its staff regarding its guidance for decision letters.


Disclosure of a journalist’s name and mobile phone number by a public figure

The complainant in this case was a journalist who emailed a public figure to ask questions about decisions that the public figure had taken in relation to their work. The public figure used their Twitter account to publish a copy of the email. The journalist’s name, work email address and mobile phone number were legible in the published copy of the email. The journalist reported receiving a number of threatening text messages afterwards.

The journalist asked the public figure to delete the published copy of the email. The public figure did so, but also published a Tweet saying that the journalist’s mobile phone number was available online. This included a link to a discussion board message posted by the journalist six years previously, while a student, which included the same mobile number. The journalist complained to the DPC.

As part of its investigation, the DPC asked the public figure to identify the legal basis for disclosing the journalist’s data. The public figure’s response queried whether the journalist’s name and contact details constituted personal data. It also asserted that, because the journalist had previously made that information available on the internet, the journalist had impliedly consented to its publication by the public figure. The journalist rejected that assertion.

The DPC took the position that the journalist’s name, email address and mobile phone number were personal data because the journalist was clearly identifiable by them. Concerning the legal basis for disclosing them, the DPC noted that, while data protection law provided for several possible legal bases for processing, the only basis raised by the public figure had been consent. The DPC’s view was that a media enquiry to a public figure from a journalist acting in that capacity did not amount to valid consent to the sharing of any personal data in the enquiry. For those reasons, the public figure’s disclosure of the data breached data protection law.

Key Takeaway

  • This case highlights several important issues. Article 6 of the GDPR provides for six legal bases on which a processor can justify processing personal data. Consent is one of these, but the GDPR sets out important requirements including as to how consent is given, the right to withdraw consent and the need for controllers to be able to demonstrate that data subjects have given consent. While other legal bases exist, controllers must bear in mind that these are all subject to a ‘necessity’ test and their own specific requirements.


Disclosure by a credit union of a member’s personal data to a private investigations firm

The complainant in this case was a borrower from a credit union and was alleged to be in arrears on a loan. The credit union claimed to be unable to contact the complainant. The credit union disclosed personal data of the complainant to a private investigations firm with the intention of locating and communicating with the complainant. The data disclosed included the complainant’s name, address, former address, family status and employment status. Approximately four years later, the complainant became aware of that disclosure and complained to the DPC.

The private investigations firm had ceased to trade several years before the complaint and so was not in a position to assist the DPC’s investigation. The DPC asked the credit union to explain the legal basis on which it had disclosed the data, and why it considered it necessary to do so. The credit union informed the DPC that it did not have a written contract with the private investigations firm, so the DPC asked it to provide details of any internal policy or procedure concerning when it was appropriate to liaise with that firm.

Concerning the legal basis for the disclosure, the credit union claimed that the disclosure was necessary for the purposes of pursuing a legitimate interest and for the performance of its contract with the complainant. It also referred to a provision of section 71(2) of the Credit Union Act 1997 that allows a credit union to disclose a member’s account information where the Central Bank of Ireland (previously, the Registrar of Credit Unions) is of the opinion that doing so is necessary to protect shareholder or depositor funds or to safeguard the interests of the credit union. (The credit union was unable to say whether the Central Bank had expressed such an opinion in relation to this case.)

The credit union maintained that the disclosure was necessary because it had been unable to communicate with the complainant by letter, telephone or through the complainant’s solicitor. In its view, the complainant was seeking to evade its efforts to update its records and discuss the outstanding loan. (The complainant strongly disputed that, pointing out that they had made repayments shortly before the credit union contacted the private investigations firm.)

The credit union told the DPC that its credit control policy dealt with cases where it was proposed that a member’s non-performing loan should be written off as a bad debt. Before doing so, the relevant provisions directed that the credit union should make “every effort…to communicate with the member, including the assistance of a third party” to try to continue with agreed arrangements and assist collection of the debt.

The DPC identified the legal basis for the disclosure and the existence of a data processing contract as the central issues in the complaint.

In light of all the facts presented, and on the basis of applicable legislation, the DPC concluded that the credit union had a legitimate interest in seeking to obtain up-to-date contact details in order to re-establish contact with the complainant with a view to discussing the repayment of the loan. The processing of personal data was necessary for the purposes of pursuing that legitimate interest. The DPC accepted that the disclosure could affect the complainant’s fundamental rights and legitimate interests. Against that, however, fulfilling the important social function provided by credit unions required that they be able to take action to engage with members whose loans fall into arrears. For that reason, the disclosure was warranted despite the potential prejudice to the complainant’s fundamental rights and freedoms or legitimate interests. The credit union could therefore assert the pursuit of its legitimate interest in contacting the complainant and seeking repayment of the loan as the legal basis for disclosing personal data to the private investigations firm.

The DPC also considered whether section 71(2) of the Credit Union Act 1997 provided a legal basis for the disclosure in this case. The DPC noted that compliance with a legal obligation, such as under a court order or provision of a statute, can provide a legal basis for processing. However, section 71(2) (including the provision mentioned by the credit union in its submissions to the DPC) was permissive rather than mandatory in its effect: while it allowed credit unions to disclose information in certain circumstances, it did not require them to do so. Accordingly, the section did not justify the disclosure for the purposes of applicable data protection legislation.

The DPC noted that processing by a processor on behalf of a controller must be conducted under the terms of a contract in writing or in equivalent form that complies with applicable data protection legislation, and in particular ensures that the processing meets the obligations imposed on the controller. In the DPC’s opinion, the credit union’s credit control policy was not sufficient to meet this requirement, so the credit union had failed to meet its statutory obligation in this regard.

Key Takeaway

  • This case highlights several important issues for data controllers. Whenever a controller engages a processor to process data on its behalf, there is a clear requirement to have a processing contract or equivalent measure that complies with Article 28(3) of the GDPR or other applicable legislation. These contracts benefit both controllers and processors by making clear what processing is required and how it is to be done. They also protect data subjects by providing clarity on how and by whom their data is being processed, and for what purposes.
  • The case also shows the importance of being clear as to the legal basis for processing. Where the basis claimed is a legal obligation, it is not sufficient to simply show that the controller can legally choose to act in a particular way: the processing must be required by law for this legal basis to apply. Where a processor claims that processing is for the purpose of pursuing a legitimate interest, they must be able to show that the processing is necessary for that purpose, and that they have carefully balanced that interest against the rights and freedoms of persons who may be affected by it. If the interest does not outweigh those rights and freedoms, it does not provide a legal basis for the processing.


Disclosure and unauthorised publication of a photograph

A data subject made a complaint to the DPC regarding the publication of their child’s image, name and partial address in a religious newspaper. The image used in the publication was originally obtained from a religious group’s Facebook page. The data subject informed the DPC that consent had not been given for the wider use of the image through publication in the newspaper. The concern was for the child’s privacy arising from the use of the image, name and partial address by the newspaper. In correspondence sent directly between the data subject and the newspaper, the data subject cited Article 9 of the GDPR, concerning special category personal data, as applying to their complaint because the image disclosed information regarding the child’s religious beliefs.

As part of its examination, the DPC engaged with the data controller and asked for a response to the complaint. The data controller informed the DPC that it had never intended any distress to the data subject or their family. A reporter had seen the image on the group’s Facebook page and asked permission to use it from a leading member of the religious group, and this member subsequently granted permission for its use. The newspaper stated that the image was already available online through the group’s Facebook page and had been taken at a public event, and that the address used was that of the religious group and not the child’s personal address.

In further response to the DPC’s queries, the newspaper informed the DPC that it was its normal practice to seek consent to take and use images and, although in this instance the image was available on an open Facebook page, the newspaper had still contacted the religious group and asked whether permission had been obtained to use the image. The leading member of the religious group it had contacted advised that another person in loco parentis (acting in the place of a parent) had given permission. The newspaper stated to the DPC that this person “was acting in loco parentis as far as [the newspaper] was concerned and consent had been therefore given.” The newspaper also informed the DPC that it relied on Article 9(2)(a) and 9(2)(e) of the GDPR for the processing of special category personal data. The newspaper concluded that it had the required legitimate interest in publishing the photograph, that the photograph was in the public domain through the open Facebook page, that it had taken steps to ensure that consent was obtained to publish the photograph, and that the consent furnished was adequate and it was entitled to rely on same. The newspaper said it was satisfied that it had complied with its obligations, but that it had reviewed and amended its internal policies on this issue.

The DPC provided the data subject with the response to the complaint and asked the data subject whether they considered their data protection concerns adequately addressed and amicably resolved. In addition, the data subject was invited to make their observations on the response from the data controller. The data subject responded to inform the DPC that the matter was not amicably resolved and that explicit consent should have been obtained. The DPC proceeded to conclude the examination and provide an outcome to both parties as required under section 109(5) of the Data Protection Act 2018 (the 2018 Act).

The DPC advised the data subject under section 109(5)(c) of the 2018 Act that the explanation put forward by the data controller concerning the processing of the child’s personal data in the circumstances of this complaint was reasonable. At the same time, the DPC wrote to the religious newspaper and, under section 109(5)(f) of the 2018 Act, recommended that it consider the Code of Practice of the Press Council, in particular principle 9 therein, ensure that the principle of data minimisation is respected, and conduct and record the balancing exercise between the public interest in publication and the rights and interests of data subjects.


Disclosure of account statements by a bank to the representative of a joint account holder

The complainant in this case held a joint bank account with a family member. Following a request from the solicitors of the other joint account holder, the bank (the data controller) disclosed copies of bank statements relating to the account, which included the complainant’s personal data, to those solicitors. The complainant was concerned that this disclosure did not comply with data protection law.

During the course of the DPC’s handling of this complaint, the bank set out its position that any joint account holder is entitled to access the details and transaction information of the joint account as a whole. The bank further took the view that, in relation to solicitors who are acting for its customers, it is sufficient for it to accept written confirmation from a solicitor on their headed paper that the solicitor acts for the customer as authority for the bank to engage with the solicitor in their capacity as a representative of the bank’s customer.

First, data protection law requires that personal data be collected or obtained for specified, explicit and legitimate purposes and not be further processed in a manner that is incompatible with those purposes (the “purpose limitation” principle). In this case, the DPC noted that the bank had obtained the complainant’s personal data in order to administer the joint account which the complainant held with the other account holder, including the making of payments, the collection of transaction information and the preparation of bank statements. It appeared to the DPC that it was consistent with the bank’s terms and conditions for the joint account, and the account holders’ signing instructions on the account (which allowed either party to sign for transactions without the consent of the other account holder), that the administration of the account could be completed by one account holder without the consent of the other. In the light of this, the DPC considered that the disclosure of bank statements to the solicitors of the other joint account holder was not incompatible with the specified, explicit and legitimate purpose for which the complainant’s personal data had been obtained by the bank, that is, the administration of the joint account.

Second, the DPC considered whether the bank had a lawful basis for the disclosure of the complainant’s personal data, as required under data protection law. In this regard, the DPC was satisfied that the bank was entitled to rely on the “legitimate interests” lawful basis, which permits the processing of personal data where that processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party. In this case, the bank had disclosed the complainant’s personal data on the basis that the solicitor was acting for the other joint account holder and was seeking the statements for legitimate purposes, namely to carry out an audit of the other account holder’s financial affairs. In circumstances where, in accordance with the signing instructions on the account, the other account holder would have been entitled to administer the account, the DPC was satisfied that the bank would not have had any reason to suspect that the disclosure would be unwarranted by reason of any prejudice to the complainant’s fundamental rights or freedoms. Accordingly, the DPC considered that the bank had a lawful basis for the disclosure, regardless of whether the complainant had provided consent.

Finally, the DPC considered whether the bank had complied with its obligations under data protection law to take appropriate technical and organisational measures to ensure security of personal data against unauthorised or unlawful disclosure. In this regard, the DPC accepted the position of the bank, set out in its policies, that it was appropriate to accept written confirmation from a solicitor that they were authorised to act on behalf of an account holder, without seeking further proof. The bank’s policy in this regard was based on the fact that a solicitor has professional duties as an officer of the court and as a member of a regulated profession.


Disclosure of Sensitive Data

An individual complained to the DPC that a clothing and food company had disclosed their personal medical information by issuing postal correspondence with the words “Coeliac Mailing” printed on the outside of the envelope. As part of the store’s Value Card facility, the individual in question had signed up to receive an ‘Annual Certificate of Expenditure’ of gluten-free products purchased during the year, which could be used for tax purposes. The DPC advised the store that, under Article 9 of the GDPR, health data is deemed sensitive data and is afforded additional protection, and that displaying the words “Coeliac Mailing” had to be examined in light of Article 9 of the GDPR. In response, the store advised the DPC that it had instructed its marketing department to cease using this wording on the outside of envelopes for all future mailings. The DPC welcomes the positive outcome of this engagement.