Case Studies Data Breach Notification
Breach Notification (Voluntary Sector) — Ransomware Attack
In May 2020, the DPC received a breach notification from an Irish data processor and subsequently a notification from an Irish data controller operating in the voluntary sector who had engaged this processor to provide web hosting and data management services.
The breach related to a ransomware attack that occurred in the data centre utilised by the data processor, and which was the result of malware gaining access to the server via a Remote Desktop Protocol (RDP) port.
The DPC engaged with both the controller and processor through a number of communications, including the issuing of technical and organisational questionnaires focusing on areas of potential non-compliance with data protection regulation. These areas included the processor's use of a data centre within the US to store back-up data without adequate agreements, and insufficient oversight by the controller over its processor as required under Article 28 of the GDPR. The DPC engaged intensively with both parties and concluded this case by issuing recommendations to both controller and processor. Thereafter the DPC continued to engage with both parties to ensure that implementation of the DPC recommendations had occurred.
Disclosure of CCTV footage via social media
A commercial and residential property management company notified the DPC that an employee of a security company whose services they retained had used their personal mobile phone to record CCTV footage of two members of the public engaged in an intimate act, which had been captured by the management company’s security cameras.
The video taken was subsequently shared via WhatsApp to a limited number of individuals. The business advised the DPC that they had communicated to staff who may have received the footage that they must delete it, and had requested no further dissemination of the video.
Both the property management company and the security company were able to demonstrate that adequate policies and procedures did exist; however, appropriate oversight and supervision to ensure compliance with these policies and procedures were lacking.
Following recommendations made by the DPC to the property management company, the company has subsequently engaged with its staff to deliver further data protection training with an emphasis on personal data breaches. In addition, further signage was displayed prohibiting the use of personal mobile devices within the confines of the CCTV control room.
Loss of control of paper files
A public sector health service provider notified the DPC that a number of files containing patient medical information had been found in a storage cabinet on a hospital premises which was no longer occupied.
The records were discovered by a person who had illegally gained access to a restricted premises and subsequently posted photographs of the cabinet containing the files on social media. The public sector organisation in question informed the DPC that, having become aware of the breach, it sent a representative to locate and secure the files. The files were removed from the premises and secured.
This breach highlights the importance of having appropriate records management policies, including mechanisms for tracking files, appropriate secure storage facilities, and full procedures for the retention or deletion of records. The DPC issued a number of recommendations to the organisation to improve its personal data processing practices.
Loss of paper files in transit
The data controller, a public body, notified the Data Protection Commission (DPC) about an incident involving the transportation of hard-copy legal files containing special-category personal data, which risked the personal data falling into the hands of unauthorised individuals.
The controller had contracted a courier company to transport the files to another department, but the files went missing in transit. It transpired that the controller did not retain a backup of the original files, resulting in a loss of personal data. The controller did not have sufficient procedures in place for the secure removal and storage of hard-copy files that contained special-category personal data. The breach could have been prevented had the organisation properly considered its requirements when transporting such materials to another location and the inherent risks involved in such activities, and implemented more secure measures to ensure the protection of personal data.
Website phishing
A private sector (educational) data controller reported an incident of phishing, where a staff member had clicked on a suspicious website link and entered their credentials, resulting in their email account becoming compromised.
The data controller had not enabled multi-factor authentication on its email accounts. Had this technical measure and appropriate cyber security training been in place from the outset, this data breach may have been preventable.
Failure to implement the data protection policies in place
An employee of the data controller, a public-sector body, lost an unencrypted USB device containing personal information belonging to a number of colleagues and service users.
The public controller had the appropriate policy and procedures in place prohibiting the removal and storage of personal data from its central IT system by way of unencrypted devices. However, it lacked the appropriate oversight and supervision necessary to ensure that its rules were complied with, and the employee appeared not to have been aware of the policy regarding the use of unencrypted devices. The breach could have been prevented had the organisation fully implemented the policy and made staff aware of it.
Case Studies Cross-border Complaints
Cross-border complaint resolved through EU cooperation procedure
In February 2021, a data subject lodged a complaint pursuant to Article 77 GDPR with the Data Protection Commission concerning an Irish-based data controller. The DPC was deemed to be the competent authority for the purpose of Article 56(1) GDPR.
The details of the complaint were as follows:
a. The data subject emailed the data controller in January 2021 to request erasure of his personal data.
b. The data subject did not receive any response from the data controller.
Following a preliminary examination of the material referred to it by the complainant, the DPC considered that there was a reasonable likelihood of the parties concerned reaching informal resolution of the subject matter of the complaint within a reasonable timeframe.
The DPC engaged with both the data subject and the data controller in relation to the subject matter of the complaint. Further to that engagement, it was established that during the week in which the data subject sent his erasure request by email to the controller, a new process to better manage erasure requests was implemented by the controller. The data controller informed the DPC that it was in a transition period during the week the email came in and it appears a response was missed. New personnel were being trained on how to manage these types of requests during this transition period. The data controller stated that it was an oversight, possibly due to the technical transition or human error, and it regretted the error. In the circumstances, the data controller agreed to take the following actions:
1. The data controller agreed to comply with the erasure request; and
2. The data controller sincerely apologised for the error.
In January 2022, the DPC informed the data subject by email of the final outcome of its engagement with the data controller. When doing so, the DPC noted that the actions now taken by the data controller appeared to adequately deal with the concerns raised in his complaint. In the circumstances, the DPC asked the data subject to notify it, within two months, if he was not satisfied with the outcome so that the DPC could consider the matter further.
On the following day the data subject informed the DPC by email that he agreed with the informal resolution, given that his concerns regarding the data controller were now satisfied. The DPC was subsequently informed by the data controller that the erasure request had been completed and that the personal data of the data subject had been erased.
For the purposes of the GDPR consistency and cooperation procedure, the DPC communicated a draft of the outcome which confirmed that:
- The complaint, in its entirety, had been amicably resolved between the parties concerned;
- The agreed resolution was such that the object of the complaint no longer existed.
No relevant and reasoned objections were received from the concerned supervisory authorities concerning the draft and the DPC subsequently closed the file in this case.
Erasure request to Tinder by Greek data subject, handled by the DPC as Lead Supervisory Authority
This case study concerns a complaint the DPC received via the One Stop Shop (OSS) mechanism created by the GDPR from an individual regarding an erasure request made by them to MTCH Technology Services Limited (Tinder). By way of background, the individual's account had been suspended by Tinder. Following this suspension, the individual submitted a request to Tinder, under Article 17 of the GDPR, seeking the erasure of all personal data held in relation to them. When contacting Tinder, the individual also raised an issue with the lack of a direct channel for contacting Tinder's DPO. As the individual was not satisfied with the response they received from Tinder, they made a complaint to the Greek Supervisory Authority.
The individual asserted that neither their request for erasure nor their concerns about accessing the DPO channels had been properly addressed by Tinder. As the DPC is the Lead Supervisory Authority (LSA) for Tinder, the Greek Supervisory Authority forwarded the complaint to the DPC for handling. The DPC intervened to seek a swift and informal resolution of the matter in the first instance. The DPC put the substance of the complaint to Tinder and engaged with it. In response, and by way of a proposed amicable resolution, Tinder offered to conduct a fresh review of the ban at the centre of this case. Following this review, Tinder decided to lift the ban. The lifting of a ban by Tinder allows an individual to access their account on the platform again. The individual can then decide if they wish to use the self-delete tools to erase their account from within the Tinder platform. In addition to the above, Tinder provided information for the individual in relation to its retention policies.
In relation to the matter of individuals being able to contact its DPO, on foot of the DPC's engagement with Tinder, the platform agreed to strengthen its existing processes by posting a dedicated Frequently Asked Questions (FAQ) page on its platform. This page now provides enhanced information to individuals on specific issues relating to the processing of personal data and on exercising those rights directly with Tinder's DPO. Through the Greek Supervisory Authority, the DPC informed the individual of the actions taken by Tinder. In their response the individual confirmed that they were content to conclude the matter and, as such, the matter was amicably resolved pursuant to section 109(3) of the Data Protection Act 2018 (the Act), and the complaint was deemed to have been withdrawn.
TikTok and cooperation with other EU data protection authorities
During 2021, GDPR Article 61 mutual assistance requests were received by the DPC from the Dutch and the French data protection authorities. Each of these requests asked the DPC to further investigate a number of concerns relating to TikTok's processing of its users' personal data, particularly child users.
The authorities concerned had been investigating TikTok prior to the company locating its main establishment (EU headquarters) in Ireland in July 2020, following which, in December 2020, the DPC assumed the role of TikTok's lead supervisory authority once other EU supervisory authorities had satisfied themselves that TikTok was main-established in Ireland.
As a result, the Dutch and French authorities concluded that they no longer had competence to investigate TikTok and accordingly transferred their investigation files, requesting the DPC to investigate further. These investigations, coupled with the DPC's own identification of key concerns through active engagement with TikTok in 2021, led the DPC to commence two own-volition inquiries pursuant to Section 110 of the Data Protection Act 2018 in relation to TikTok's compliance with requirements of the GDPR.
Amicable resolution in cross-border complaints — Yahoo EMEA Limited
The DPC received a complaint in March 2021 from the Bavarian data protection authority on behalf of a Bavarian complainant against Yahoo EMEA Limited. Under the One Stop Shop (OSS) mechanism created by the GDPR, the location of a company’s main EU establishment dictates which EU authority will act as the lead supervisory authority (LSA) in relation to any complaints received. Once the lead authority is established, the authority that received the complaint acts as a concerned supervisory authority (CSA). The CSA is the intermediary between the LSA and the individual. In this case, the DPC is the LSA, as the company complained of has its main establishment in Ireland.
The complainant in this matter had lost access to his email account following an update on his computer. The complainant noted that he had engaged with Yahoo in order to regain access and was asked for information relating to the account in order to authenticate his ownership of it. The complainant asserted that he had provided this information. However, Yahoo informed the complainant that it could not verify his identity with the use of the information that it had been provided.
The complainant was unclear which of the information he had provided was not correct and thus continued to give the same answers to the security questions. As Yahoo could not authenticate the complainant's ownership of the account, it recommended that he create a new email account.
The complainant was not satisfied with this solution and made a complaint to his local supervisory authority, which referred the complaint on to the DPC in its role as Lead Supervisory Authority for Yahoo.
This complaint was identified as potentially being capable of amicable resolution under Section 109 of the Data Protection Act 2018, with both the individual and the data controller agreeing to work with the DPC to try to amicably resolve the matter.
The DPC contacted Yahoo on the matter, and Yahoo took a proactive approach and immediately noted its desire to reach out to the complainant directly to seek to resolve the issue as soon as possible. Yahoo thereafter quickly confirmed to the DPC that its member services team had made contact with the complainant, who provided alternative information that enabled Yahoo to successfully validate the identity of the requester and subsequently restore their account access.