Data Protection Commission Announces commencement of inquiry into X Internet Unlimited Company (XIUC)
11th April 2025
The DPC received a complaint from an individual regarding an access request made to the data controller, a retailer. The solicitors acting for the individual in relation to a personal injury claim had submitted the access request relating to a two-week period during which the alleged incident had taken place. They were seeking records of the incident, including CCTV footage. Data was released, but the individual identified that the CCTV footage, the accident report form and witness statements had not been released. In responding to the individual’s query in relation to these items, the data controller advised that it was restricting access to the items as this was necessary to avoid any obstruction or impairment of the legal proceedings and/or the operation of legal privilege.
This complaint was identified as potentially being capable of amicable resolution under Section 109 of the Data Protection Act 2018, with both the complainant and data controller agreeing to work with the DPC to try to amicably resolve the matter.
The DPC advised the data controller to prepare a list, which would document any items which the organisation was applying an exemption to, while also documenting the exemption on which they were relying. On receipt of the list, the DPC probed the exemptions being used and looked for the organisation to demonstrate how they had ensured the restriction was necessary and proportionate. The DPC also looked for samples of the documents to be released so we could examine how the exemptions were being applied.
Upon investigation, the DPC identified that the documents did contain some personal data of the individual and requested the data controller to release them with relevant redactions. In relation to the CCTV footage, the DPC stated that the primary reason for capturing the data was for security purposes and not for the defence of a litigation claim, and therefore requested that the footage be released to the individual with relevant redactions. The DPC accepted that the remaining exemptions were being validly applied as provided for by the legislation.
An individual participated in a Zoom meeting that was recorded by the data controller. This was the sporting club’s Annual General Meeting (AGM). The individual made an access request for a copy of this recording. The data controller refused the request, stating that it did not fall within the remit of the GDPR. The individual believed the data contained in the recording was their personal data. The data controller stated that the video recordings of the AGM were no longer accessible due to corruption while saving and the inexperience of the data controller in using this remote video hosting software. However, it stated that the minutes of the meeting would be available for viewing within a matter of weeks.
At this time, the DPC proposed the conclusion of this case in light of the apparent inaccessibility of the videos sought by the individual, but the individual did not agree with this approach, stating that video conferencing used during the AGM had been common practice for the data controller for some time and so it seemed unlikely to the individual that the difficulties described by the data controller would have occurred. Upon further questioning by the DPC, the data controller confirmed that video footage was in fact available, but advanced Article 15(4) of the GDPR as a reason for restricting it. The data controller was now stating that the footage of third parties visible in the recording could be considered third-party data and that the individual was not entitled to this. However, it was willing to provide written transcripts of the footage to the individual. The DPC contested this, coming to the opinion that, in light of the public nature of the original recordings, as they were part of an AGM, they were made with the participants’ understanding that they could be considered accessible at a later date.
Further issues arose when the individual received written transcripts of the video. The individual claimed that the transcripts were inaccurate and did not reflect the contents of the original video.
In light of this, the DPC contacted the data controller once again, both highlighting the DPC’s opinion regarding the reliance on Article 15(4) and seeking sight of the video from which the transcript had been made. The data controller provided the audio of the video only. Upon assessment, it was clear that the transcript was an accurate reflection of the video’s audio content. The DPC recommended that, in order to facilitate an amicable resolution at this stage, the data controller should release the same audio content, previously provided to the DPC, to the individual. The data controller complied, but the individual was still not satisfied, once again restating their request for sight of the video content. Upon a further request by the DPC to state the exemption it relied on to restrict access to the video content, the data controller decided to release the full video content to the individual. The DPC did not receive a copy of the full video content, and so was unable to directly assess whether there was any disparity between it and the audio provided. However, upon confirmation of its receipt, the individual stated that they were satisfied with its content and thus this matter was concluded amicably.
The above case involved extensive communication between the DPC, the data controller and the individual. This matter could have been resolved by the data controller if it had released the requested video footage on receipt of the access request. If the data controller had been aware of its obligations under the GDPR in the first instance, this case would not have been lodged with the DPC.
A complaint was received from an individual who had submitted an access request to a hotel (the data controller) for a copy of all information relating to them. The hotel asked the requester to provide a copy of a utility bill and a copy of photo ID verified by An Garda Síochána. The DPC asked the data controller to set out the particular concerns it had regarding the identity of the requester in circumstances where the postal address and email address being used by the requester were the same as those provided by them during the booking and check-in process at the hotel. The data was subsequently released to the requester.
In relation to the general approach to requesting ID where data subjects seek to exercise their rights, controllers should only request the minimum amount of further information necessary and proportionate in order to prove the requester’s identity. Seeking proof of identity would be less likely to be appropriate where there was no real doubt about identity; but where there are doubts, or the information sought is of a particularly sensitive nature, then it may be appropriate to request proof.
Bearing in mind the general principle of data minimisation, seeking more information than that already held as a means of proving identity is likely to be disproportionate. A request for official ID is only likely to be proportionate to validate identification where the category of information relating to that individual is sensitive in nature and where the information on the official ID can be corroborated with the personal data already held by the data controller, such as a photo, address or date of birth.
The categories of personal data held and the likelihood of the risks associated with its release should be considered on a case-by-case basis to determine the minimum level of information required. Where no special category personal data is held, confirmation of address may be sufficient.
In November 2018, we received a complaint from a data subject in relation to an access request for his personal data comprising CCTV footage for a particular time and date, made to a golf club, the data controller.
The data subject provided us with initial correspondence from the golf club asking him why he required the footage, and subsequent correspondence informing him that it had discovered a problem with the CCTV system software and was unable to provide him with the requested footage.
This complaint was deemed potentially capable of being amicably resolved under Section 109 of the Data Protection Act 2018.
As part of the amicable resolution process, we sought an explanation from the golf club as to why the requested CCTV footage could not be provided to the complainant. The golf club informed us that its CCTV system was not operational on the date for which the data subject had requested footage, and that this had only been discovered when it sought to comply with the access request. The DPC was not satisfied with the generality of this explanation and required a more detailed written explanation of the issues affecting the CCTV system, which could also be shared with the complainant. In response to this request, we were supplied with a letter from the golf club’s security company that outlined the issues with the CCTV system, including the fact that the hard drive on the CCTV system had failed and that the system had not been in use for some time. The DPC was satisfied with the technical explanation provided, and the golf club agreed that this letter could be shared with the complainant. The complainant was satisfied with the explanation, leading to an amicable resolution.
Each year the DPC receives numerous queries and complaints from various individuals complaining specifically about the use of CCTVs in restroom areas by various organisations such as public houses, nightclubs, restaurants and transport depots. More particularly, the complaints allege that the cameras are pointing over specific areas in restrooms where there is an increased expectation of privacy, such as over cubicles or urinals.
While the DPC has engaged with organisations on a one-to-one basis, the issue of the lawfulness of the processing of personal data by way of CCTV in restrooms needs to be considered more generally. Consequently, the DPC has examined these issues further and updated its Guidance on CCTV for Data Controllers by including a specific section on ‘The use of CCTV in areas of an increased expectation of privacy’.
An individual raised a concern with their employer in the beauty industry regarding what they believed was excessive use of CCTV cameras in the workplace. The individual stated that they were not informed that the cameras were being installed and had concerns that the devices were capable of recording both audio and video. In response to their concerns, the organisation advised the individual that the cameras were installed for the safety of staff and that no audio was recorded.
The individual then submitted a complaint to the DPC as they were dissatisfied with the response received from the organisation. As part of its examination, the DPC queried the organisation on the alleged audio recordings via the CCTV cameras. The organisation provided the DPC with evidence in the form of a letter from the CCTV system supplier, which confirmed that the cameras did not have audio recording capability.
Regarding the background as to why the organisation made the decision to install CCTV cameras, the organisation informed the DPC that it initially installed the cameras following a series of security issues including incidents of theft. However, it also stated that the cameras were installed for the safety of staff when working alone. Whilst the individual claimed that they were unaware the cameras had been installed, the organisation stated that the cameras had been in place for three years prior to the individual making a complaint to the DPC and that the individual had provided training to the staff in relation to same.
The organisation cited a number of lawful bases for the processing of data in this manner, including Article 6(1)(d) of the GDPR, stating that the cameras are necessary to protect the vital interests of its staff. Article 6(1)(d) of the GDPR states that the processing of personal data shall be lawful if ‘processing is necessary in order to protect the vital interests of the data subject or of another natural person’. It further cited Article 6(1)(f) of the GDPR, which states that processing shall be lawful if ‘processing is necessary for the purposes of the legitimate interests pursued by the controller...’, as the organisation has a legitimate interest in the security of the workplace, the safety of staff and the prevention of crime.
In response the DPC informed the organisation that Article 6(1)(d) of the GDPR may only be relied upon by an organisation where the processing of personal data is necessary to protect a person’s life or mitigate against a serious threat to a person. As such, the DPC advised the organisation that it could not rely on Article 6(1)(d) of the GDPR as its lawful basis for the use of CCTV cameras in the workplace. Regarding its reliance on Article 6(1)(f) of the GDPR, the organisation confirmed that it had conducted a legitimate interest balancing test prior to the installation of the CCTV cameras. The organisation further stated that the processing was limited to what is necessary and cited its requirement for safety purposes. It stated that footage was retained for a period of 20 days and had put in place access controls to the footage.
Following its examination of the complaint, the DPC found that the organisation had demonstrated a valid lawful basis for the processing of personal data by means of CCTV cameras under Article 6(1)(f) of the GDPR.
An individual contacted the DPC after an energy service provider further processed their personal data by sharing it with a third party (data processor), a debt collection agency. According to the individual, they had completed the contract with the service provider and had received their final invoice for the services provided. The individual disputed some of the charges on the invoice; however, they did not receive a response from the service provider and were subsequently contacted by a debt collection agency.
As part of the complaint handling process, the DPC contacted the service provider and questioned the lawful basis it was relying on under Article 6 of the GDPR for sharing the individual’s personal data with the debt collection agency. The service provider stated that its lawful basis for processing the individual’s personal data was Article 6(1)(b) of the GDPR, which states that processing shall be lawful if the ‘processing is necessary for the performance of a contract to which the data subject is party…’. The service provider further explained that the individual’s invoice dispute related to an ‘early exit fee’, which was applied to the invoice as the individual had cancelled the contract with the service provider prior to the agreed contract length. The service provider also advised that its terms and conditions stated that should a customer break the contract with the service provider, they would be charged an exit fee. The service provider further advised that the individual had agreed to its terms and conditions when they registered with the service provider.
However, the service provider also informed the DPC that it had failed to record the individual’s dispute of the invoice. This failure to record the dispute resulted in the individual’s personal data being shared with a third party incorrectly. The service provider acknowledged that it had not followed its own internal procedures for dealing with disputed debts and that this was a result of human error.
Although the service provider would normally have a lawful basis for the processing of an individual’s personal data by sharing in the circumstances of this case, by not following the correct internal procedures, the service provider incorrectly processed the individual’s personal data by providing their details to the third party, the data processor.
Accordingly, the service provider failed to demonstrate its compliance with a key principle of the GDPR, processing personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, using appropriate technical or organisational measures, in accordance with Article 5(1)(f) of the GDPR (‘integrity and confidentiality’).
The service provider should have had regard to Article 25 of the GDPR (‘Data protection by design and default’) in ensuring that the appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed are in fact followed by all staff members.
The DPC recommended to the service provider that where there is a live dispute on the account it should ensure that its staff are aware of the internal procedure to document the dispute so that accounts are not referred to a debt collection agency until the dispute is resolved or closed.
An individual submitted a Freedom of Information (‘FOI’) request to their former employer, a State Agency. Once in receipt of the response to the FOI request, the individual became aware that the State Agency had disclosed their financial data and special category personal data, namely health data, to a connected third party. The individual subsequently submitted a complaint to the DPC in relation to this disclosure.
The DPC was tasked with examining whether the State Agency had lawfully processed, in a non-excessive manner, the individual’s personal data when a staff member of the State Agency disclosed the individual’s health and financial data to a connected third party.
In the circumstance of this case, the individual had communicated with a member of the Human Resources (‘HR’) department in their official capacity, highlighting issues connected with the individual’s health, financial status and personal life. Due to issues connected to the individual’s health, they were regularly in contact with the HR staff member in their official capacity.
Following a meeting between the individual and the HR staff member, the HR staff member emailed a summary of what was discussed with a connected third party i.e. a member of the Civil Service Employee Assistance Service (‘CSEAS’). The CSEAS provides an internal Employee Assistance Programme to civil service staff, which employees can refer to by contacting the service. It is a shared service utilised by all State Agencies for the benefit of all employees, promoting employee wellness and organisational effectiveness.
During the examination of this complaint, the State Agency stated that the processing of the personal data, namely the sharing of the individual’s personal data by the HR staff member with the CSEAS member, was lawful because: the individual had shared the personal data freely with the HR staff member and accordingly had consented to the processing; the overlapping services and consultation between the HR staff member and the CSEAS in relation to an employee would be normal; both the HR staff member and the CSEAS member operate under strict confidentiality in the performance of their duties; and what the individual shared with the HR staff member was so concerning that the HR staff member had to urgently disclose it to the CSEAS member in order to seek appropriate guidance and support to assist the individual. Accordingly, the State Agency’s position was that there were no prohibitions on the disclosure.
Notwithstanding that the HR staff member had a genuine concern for the health and welfare of the individual, the DPC found that the circumstances did not fit the urgency associated with protecting life; rather, the processing occurred because the HR staff member sought direction and guidance from the CSEAS member to urgently deal with the issues raised by the individual.
The DPC also found that the State Agency could not rely on having obtained the consent of the individual to process their personal data in this manner, as although the individual shared the personal data freely with the HR staff member, they did not consent to the HR staff member disclosing this personal data to the CSEAS member.
The State Agency did not provide any other lawful bases for the processing. The DPC found that the State Agency did not have a lawful basis for the processing and accordingly, the processing was unlawful.
In consideration of the principles relating to the processing of personal data, the DPC found that the State Agency obtained the personal data for a specified, explicit and legitimate purpose, namely to provide the individual with HR assistance with the issues they had raised with HR. Similarly, considering the connected relationship between the HR staff member in their official capacity and the CSEAS member, the individual’s personal data was not further processed in a manner that was incompatible with the purpose for which it was obtained, as it was disclosed in order to provide the individual with assistance regarding the issues raised, which included employee wellness.
However, the DPC found that the State Agency disclosed more personal data than was required in order to seek, and provide, assistance to the individual. Accordingly, the State Agency did not adhere to the principle of data minimisation, and this was identified and accepted by the State Agency.
An individual contacted the DPC following the refusal of their erasure request by a health care provider. According to the individual, they had requested the erasure of all historic health records relating to them held by the health care provider, as the individual was of the opinion that the records were incorrect as they related to an alleged misdiagnosis.
As part of its examination of the complaint, the DPC requested that the health care provider set out its lawful basis for processing the individual’s health records, specifically in relation to Articles 6 and 9 of the GDPR. The health care provider advised that it was relying on Article 6(1)(e) of the GDPR for processing the individual’s personal data which states that processing shall be lawful if ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.
In relation to Article 9 of the GDPR, the health care provider stated that it continues to process the health records under Articles 9(2)(h) and (i) of the GDPR. Article 9(2)(h) of the GDPR states, ‘processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis…’. While Article 9(2)(i) of the GDPR states, ‘processing is necessary for reasons of public interest in the area of public health…’.
As part of their engagement with the health care provider, the individual provided them with a contradictory diagnosis from another health care provider, which the individual stated was evidence that proved the original diagnosis was incorrect. Having reviewed the documentation provided, the health care provider noted that a medical diagnosis is a medical opinion that is given at a point in time. Therefore, any medical opinion, given at a different point in time, cannot be accepted as evidence that a historic medical opinion was incorrect. The medical provider further advised that while a medical condition may change over time, it does not eradicate the fact that an individual was, at one point, treated for a particular illness or provided with a certain diagnosis.
The DPC noted that for the purposes of the GDPR, personal data is inaccurate if it is incorrect as to a matter of fact. However, based on the information available to the DPC, the personal data held on file by the health care provider, namely the original diagnosis, was not inaccurate as it was the original diagnosis at that point in time. On this basis, the DPC found that the health care provider had a lawful basis for the continued processing of the individual’s health records in accordance with Article 17(1)(a) of the GDPR.
In this regard, the processing of the personal data in the form of retaining the original diagnosis is still necessary in relation to the purposes for which the personal data was originally collected or otherwise processed. Further, the DPC found that the health care provider’s refusal to comply with the individual’s erasure request is consistent with Article 17(3)(c) of the GDPR in providing comprehensive medical assessment and treatment of the individual.
Following the engagement of the DPC, the health care provider added a supplementary statement on the individual’s medical record to include the documentation provided by the individual, which would inform any future readers of the individual’s medical file of the individual’s opinion, and the contradictory diagnosis in relation to the medical diagnosis.
Note: Article 17(1)(a) of the GDPR states that a data controller shall erase personal data that is no longer necessary for its original purposes. However, Article 17(3)(c) of the GDPR excludes the application of Article 17(1) in circumstances where the processing is necessary ‘for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3)’.