Case Studies: Erasure
Non-compliance with an erasure request associated with an online gambling account
An individual opened an online account with a bookmaker and deposited a sum of money to their account. Having attempted to download the application (‘app’) associated with the service, the individual quickly realised that the app was not compatible with their mobile phone. The following day the individual submitted an erasure request under Article 17 of GDPR to the bookmaker. The bookmaker refused to comply with the erasure request, stating that it had legal obligations to retain the personal data as a deposit and withdrawal of funds had taken place on the account, thus making them a ‘customer’. The individual was dissatisfied with this response as they did not agree that they were a ‘customer’ of the bookmaker, as they did not place any bets through the account, either online or through the app.
Following engagement with the DPC, the bookmaker advised that it could not erase the individual’s personal data because the data was subject to anti-money-laundering legislation, namely the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, which became applicable once the deposit and withdrawal of funds had been made on the individual’s account.
The bookmaker outlined to the DPC that although it was legally obliged to retain the individual’s personal data it only retains the minimum amount that is necessary to fulfil this legal obligation in line with the principle of data minimisation as set out in Article 5(1)(c) of the GDPR.
Following its examination of the complaint, the DPC found that the organisation had demonstrated a valid lawful basis for the ongoing retention of the personal data. Nonetheless, the DPC issued recommendations to the organisation on its obligations to ensure that all processing is lawful and fair and that it is transparent about its processing activities.
Complaint related to non-compliance with an erasure request to a prospective employer
This complaint concerned the alleged non-response to an erasure request made by an individual to a prospective employer pursuant to Article 17 of the GDPR.
Following receipt of the complaint, the DPC engaged with the individual and the prospective employer (controller) in order to establish the subject matter of the complaint and to commence with the amicable resolution process. Further to this engagement, the DPC established that the individual had since received a response from the controller. However, the individual informed the DPC that while the controller had erased their personal data, their job application ‘account’ was still active on the controller’s website.
Having established this was the case, the DPC contacted the controller, bringing their attention to the fact that information in relation to the account had not been erased. In their response, the controller acknowledged that the information had not been fully deleted, and advised that this was due to a technical error but that they would comply with the erasure request immediately.
Subsequently, the DPC was updated by the organisation concerned that they had since fully complied with the erasure request by deleting the account. The controller also advised that they had contacted the individual to confirm the action they had taken and apologised for the delay in removing the individual’s login credentials from their systems.
An erasure request connected to a property sale
A prospective buyer initiated the facilitated purchase of a property through a real estate intermediary. Shortly after this, the vendor of the property withdrew from the sale. As part of the purchasing process, the prospective buyer had provided a copy of their ID, proof of address and bank details to the real estate intermediary. Following the breakdown in the process, the prospective buyer sought the erasure of their personal data pursuant to Article 17 of the GDPR.
The prospective buyer initially submitted this erasure request to the email address listed in the real estate intermediary’s privacy policy, but this ‘bounced back’ as the email address was no longer active. The prospective buyer then sent the request to the primary email address of the real estate intermediary.
As no response was received from the real estate intermediary, the individual made a complaint to the DPC. Following the intervention of the DPC, the real estate intermediary engaged with the individual concerning their erasure request. However, during the complaint handling process, the DPC established that the organisation had refused to comply with the erasure request. According to the organisation, it was relying on an obligation under the Property Services (Regulation) Act 2011, which created a legal requirement to retain the data for six years. The matter was referred to the Property Services Regulatory Authority for clarity, which advised that bank details were not covered by the wording of the Act and could be deleted on foot of an erasure request.
Following this confirmation, the DPC engaged with the real estate intermediary to ensure that the bank details were erased as part of the erasure request. The DPC informed the prospective buyer that certain other items of personal data, such as their name, address and contact details would not be erased as the real estate intermediary had a lawful basis to restrict the right of erasure in line with the Property Services (Regulation) Act 2011. The DPC also ensured that the real estate intermediary updated its privacy policy to accurately reflect the appropriate point of contact.
Case Studies: Access Request Complaints
Enforcement Notice issued due to an incomplete response to an access request
The DPC received a complaint in which the complainant’s representative indicated that they wished to make a formal complaint regarding the delay by Tusla in releasing records containing their client’s personal data on foot of a subject access request. The representative further stated that a full response to the complainant’s access request had not been provided and that they had been receiving the records containing personal data in a piecemeal fashion for the previous two years. It was unclear to the complainant’s representative how much personal data remained outstanding in relation to their client’s access request.
The DPC commenced an examination of the complaint by contacting Tusla, requesting that it either provide the individual with a copy of all personal data held or controlled by it in relation to the individual, or notify the individual of the refusal of the subject access request, identifying any statutory restriction relied on by it to withhold their data.
Tusla responded indicating that it would be in a position to release personal data to the data subject within a specified timeframe. However, this deadline passed without the complete records containing personal data being released. Following further DPC engagement, Tusla outlined that, due to the volume of personal data involved, the personal data relating to the individual would issue in batches. This release would be subject to restrictions being applied to third-party non-personal data, personal data subject to legal professional privilege, and personal data whose release would be in contempt of court proceedings.
The complainant’s representative later confirmed that they had received a portion of their client’s personal data but advised that it was heavily redacted. The representative identified the records containing the personal data of the individual that remained outstanding and which it was seeking urgently. An extensive exchange of correspondence between Tusla and the DPC followed over an extended period of time, during which several deadlines were not met by Tusla in relation to the issuing of records containing personal data and/or responding to correspondence from the DPC and the data subject’s representative.
The DPC considered that an amicable resolution to this complaint was not achievable and considered it appropriate to conclude that process and issue an Enforcement Notice pursuant to Section 109(5)(d)(i) of the Data Protection Act 2018 to require the data controller to furnish the remaining records of personal data to the data subject within a specified timeframe. This notice informed Tusla of the following:
‘A person (being a data controller or data processor) who, without reasonable excuse, fails or refuses to comply with a requirement specified in an enforcement notice shall be guilty of an offence under Section 133(19) of the Data Protection Act 2018 and shall be liable (i) on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or (ii) on conviction on indictment, to a fine not exceeding €250,000 or imprisonment for a term not exceeding 5 years or both.’
The issuing of this Enforcement Notice resulted in the remaining records containing personal data issuing to the data subject within the timeframe specified in the Enforcement Notice.
Failure to respond to an Access Request
The DPC received a complaint from an individual who had made a subject access request to a state hospital for a copy of all information held concerning them. The individual did not receive a response to this request.
The DPC contacted the Data Protection Officer (DPO) for the Hospital Group and informed them of the complaint.
The DPC reminded the hospital of its GDPR obligations, drawing its attention to Article 12(3), which requires controllers to respond to an individual’s subject access request within the statutory timeframe. As part of the engagement, the DPC stipulated a timeline for the hospital to respond to the individual and provide them with a copy of their personal data. The data controller complied with the DPC’s direction.
Access Request Complaint where a fee was requested
The DPC received a complaint from an individual in relation to a subject access request made to a medical centre for a copy of their personal data. According to the individual, the medical centre had requested a fee to process the access request. Before contacting the DPC, the individual had already advised the medical centre that access to a copy of personal data is free under the GDPR and queried if the letter seeking a fee may have issued in error.
Following receipt of this complaint, the DPC corresponded with the medical centre to ascertain why it had sought a fee to process the subject access request and to seek confirmation that the subject access request had since been complied with.
The medical centre promptly reverted to the DPC, accepting that the request for a fee should not have been made. It further outlined that additional data protection training would be provided to staff regarding its obligations to patients making subject access requests. The medical centre also confirmed that a copy of the personal data had been furnished to the individual together with its apologies. The individual confirmed to the DPC that they had received a copy of their personal data.
Access request seeking third party data
An individual submitted a subject access request to their former employer. This individual then raised a concern with the DPC querying whether the company was obliged to provide them with the names of all of the employees who had been involved in compiling the response to the subject access request.
The DPC assessed the legal framework surrounding this question and responded to the query with reference to paragraph 73 of the judgment of the Court of Justice of the European Union (CJEU) in Case C-579/21 and to Article 15(4) of the GDPR. In this regard, the CJEU judgment had clarified that ‘the employees of the controller cannot be regarded as being ‘recipients’, within the meaning of Article 15(1)(c) of the GDPR [...] when they process personal data under the authority of that controller and in accordance with its instructions’.
Consequently, the DPC advised the individual that they were not entitled, under the category of ‘recipients’ in Article 15(1)(c) of the GDPR, read with Article 15(4), to a list of the names of the employees who had been involved in preparing the response to their subject access request.
Case Studies: General Accountability
Complaint of excessive personal data requested by a letting agent
An individual lodged a complaint with the DPC after they had viewed a rental property. In their complaint, they alleged that the letting agency had requested excessive personal data during the application process.
According to the individual, as they were unsuccessful in their application to rent the property, they made an erasure request to the letting agency under Article 17 of the GDPR for the deletion of their personal data. The letting agency responded to the individual advising that it had erased the personal data and confirmed that it had not shared personal data with any third parties. While the individual was satisfied with the response they received from the letting agent, they still had concerns regarding the amount of personal data that had been requested in the first instance. On this basis, they submitted a complaint to the DPC.
As part of the complaint handling process, the DPC contacted the letting agency requesting clarity on the different types of personal data it was requesting as part of the application process. The organisation confirmed it requested copies of identification; proof of current address; employment and previous landlord references; two-month bank statements; and a PPS number. The letting agency stated that the information was required for it to ensure the identity of the applicant and that the applicant can afford the property.
The DPC found that the organisation did not meet the principle of data minimisation under Article 5(1)(c) of the GDPR, which states: ‘personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’. The DPC determined that the volume of personal data requested from the individual as a prospective tenant was excessive for the initial stage of an application process.
Partial compliance with a rectification request
Four years after the conclusion of an investigation into suspected plagiarism in an educational setting, an individual requested to have aspects of the internal report regarding the investigation rectified. The report was compiled following an independent investigation in which the individual was interviewed as a witness and not as the subject of the investigation.
The individual submitted the rectification request to the data controller, the individual’s employer. As part of their request, the individual stated that there were a number of instances where the personal data in the report was inaccurate, incomplete or misleading, and requested that these instances be rectified in accordance with Article 16 of the GDPR. In its response to the individual, the education provider stated that it could not rectify the report but it could restrict access to it. As the individual was dissatisfied with this response, they submitted a complaint to the DPC.
In this instance, the DPC examined whether the education provider was correct in its initial refusal of the rectification request. The education provider confirmed to the DPC that, due to the passage of time since the report had been created, the investigator’s notes had been destroyed and, as such, it was unable to check the alleged inaccuracies; furthermore, as it was not the author of the report, it could not alter its contents. The education provider offered, as a proposal for amicable resolution, to add a supplementary statement recording the individual’s position to the report.
The individual refused the proposal as they were of the view that the report was incomplete as not all the evidence they provided was referred to in the report, and where it was quoted, they felt it was taken out of context.
It is important to note that it is not the role of the DPC, nor is it encompassed within the right to rectification under Article 16 of the GDPR, to reassess or repeat the work of an independent investigator, or to undermine the professional opinion of an expert. The independent investigator provided their professional assessment of all evidence and testimony gathered during the investigation, and it was within their professional discretion to decide what material was relevant for inclusion in the report. The purpose of the individual’s testimony was to inform the independent investigator in order to assist with the investigation. The fact that the individual disagreed with the assessment did not render the report inaccurate or incomplete.
The education provider further offered to delete the report which would cease the processing of the individual’s personal data. Once again, the individual did not accept this offer.
The DPC was of the view that the report should be erased where it was no longer necessary for the education provider to retain it. Alternatively, the education provider should add the supplementary statement to provide a more accurate account of the events.
Alleged unlawful retention and alleged unlawful processing in relation to a newsletter
This case relates to an individual who alleged their personal data, in the form of their name, address and email address had been unlawfully retained and processed by a property management company.
The individual received an unsolicited email containing a newsletter from the company, despite not having had a business relationship with the company for a number of years. The individual contacted the company requesting an explanation as to why the company had retained the individual’s personal data. The company stated that it was previously the managing agent for a particular residential development in which the individual had a business interest. It advised that it had sent the email in error. The company informed the individual that it had now deleted their personal data from its database.
The individual was not satisfied with this response from the company and submitted a complaint to the DPC. Following engagement with the DPC, the company explained that it had been the managing agent for an owner management company and that, following the termination of its contract with the owner management company, it had failed to delete the individual’s personal data from its database.
As part of the examination of this complaint, the DPC sought to establish whether the company had a lawful basis for processing the individual’s personal data by retaining it following the end of the respective contract. The company informed the DPC that it was relying on Article 6(1)(a) of the GDPR, which states that processing shall be lawful where the data subject has given their consent. The company further stated that under the Property Services (Regulation) Act 2011 it was required to retain data for a period of no less than six years. The company indicated that it was an oversight on its part that it had retained the individual’s personal data beyond the six-year retention period, and that an administrative error had resulted in the individual receiving the unsolicited email.
The company acknowledged that it no longer had a lawful basis to process the individual’s personal data by retaining it post the six-year period and confirmed that it had deleted all personal data relating to the individual. The company also confirmed what steps it had taken to improve the procedures for managing its database of contacts to ensure unlawful processing of this type did not recur.
Accordingly, the company did not adhere to the principles relating to processing of personal data under Article 5(1)(b) of the GDPR (‘purpose limitation’) when it used the individual’s contact details to send them a newsletter at a time when it should no longer have retained those contact details. It also did not adhere to Article 5(1)(e) of the GDPR (‘storage limitation’) when it retained the individual’s personal data, in a form which permitted the identification of the individual, for longer than was necessary for the purpose for which the personal data was originally obtained.
The DPC issued recommendations to the controller around its obligations to ensure that all processing is lawful, fair and transparent, as required under Article 5 of the GDPR and that appropriate technical and organisational measures are implemented to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR.