Case Studies Data Breach Notification
Failure to implement the data protection policies in place
An employee of the data controller, a public-sector body, lost an unencrypted USB device containing personal information belonging to a number of colleagues and service users.
The public controller had the appropriate policy and procedures in place prohibiting the removal and storage of personal data from its central IT system by way of unencrypted devices. However, it lacked the appropriate oversight and supervision necessary to ensure that its rules were complied with, and the employee appeared not to have been aware of the policy regarding the use of unencrypted devices. The breach could have been prevented had the organisation fully implemented the policy and made staff aware of it.
Case Studies Cross-border Complaints
Cross-border complaint resolved through EU cooperation procedure
In February 2021, a data subject lodged a complaint pursuant to Article 77 GDPR with the Data Protection Commission concerning an Irish-based data controller. The DPC was deemed to be the competent authority for the purpose of Article 56(1) GDPR.
The details of the complaint were as follows:
a. The data subject emailed the data controller in January 2021 to request erasure of his personal data.
b. The data subject did not receive any response from the data controller.
Following a preliminary examination of the material referred to it by the complainant, the DPC considered that there was a reasonable likelihood of the parties concerned reaching informal resolution of the subject matter of the complaint within a reasonable timeframe.
The DPC engaged with both the data subject and the data controller in relation to the subject matter of the complaint. Further to that engagement, it was established that during the week in which the data subject sent his erasure request by email to the controller, a new process to better manage erasure requests was implemented by the controller. The data controller informed the DPC that it was in a transition period during the week the email came in and it appears a response was missed. New personnel were being trained on how to manage these types of requests during this transition period. The data controller stated that it was an oversight, possibly due to the technical transition or human error, and it regretted the error. In the circumstances, the data controller agreed to take the following actions:
1. The data controller agreed to comply with the erasure request; and
2. The data controller sincerely apologised for the error.
In January 2022, the DPC informed the data subject by email of the final outcome of its engagement with the data controller. When doing so, the DPC noted that the actions now taken by the data controller appeared to adequately deal with the concerns raised in his complaint. In the circumstances, the DPC asked the data subject to notify it, within two months, if he was not satisfied with the outcome so that the DPC could consider the matter further.
On the following day the data subject informed the DPC by email that he agreed with the informal resolution given his concerns regarding the data controller were now satisfied. The DPC was subsequently informed by the data controller that the erasure request was completed and that the personal data of the data subject had been erased.
For the purposes of the GDPR consistency and cooperation procedure, the DPC communicated a draft of the outcome which confirmed that:
- The complaint, in its entirety, had been amicably resolved between the parties concerned;
- The agreed resolution was such that the object of the complaint no longer existed.
No relevant and reasoned objections were received from the concerned supervisory authorities concerning the draft and the DPC subsequently closed the file in this case.
Erasure request to Tinder by Greek data subject, handled by the DPC as Lead Supervisory Authority
This case study concerns a complaint the DPC received via the One Stop Shop (OSS) mechanism created by the GDPR from an individual regarding an erasure request made by them to MTCH Technology Services Limited (Tinder). By way of background, the individual’s account was the subject of a suspension by Tinder. Following this suspension, the individual submitted a request to Tinder, under Article 17 of the GDPR, seeking the erasure of all personal data held in relation to them. When contacting Tinder, the individual also raised an issue with the lack of a direct channel for contacting Tinder’s DPO. As the individual was not satisfied with the response they received from Tinder, they made a complaint to the Greek Supervisory Authority.
The individual asserted that neither their request for erasure nor their concerns about accessing the DPO channels had been properly addressed by Tinder. As the DPC is the Lead Supervisory Authority (LSA) for Tinder, the Greek Supervisory Authority forwarded the complaint to the DPC for handling. The DPC intervened to seek a swift and informal resolution of the matter in the first instance. The DPC put the substance of the complaint to Tinder and engaged with it. In response and by way of a proposed amicable resolution, Tinder offered to conduct a fresh review of the ban at the centre of this case. Following this review, Tinder decided to lift the ban. The lifting of a ban by Tinder allows an individual to be then in a position to access their account on the platform. The individual can then decide if they wish to use the self-delete tools to erase their account from within the Tinder platform. In addition to the above, Tinder provided information for the individual in relation to its retention policies.
In relation to the matter of individuals being able to contact its DPO, on foot of the DPC’s engagement with Tinder, the platform agreed to strengthen its existing processes by posting a dedicated Frequently Asked Questions (FAQ) page on its platform. This page now provides enhanced information to individuals on specific issues relating to the processing of personal data and exercising those rights directly with Tinder’s DPO. Through the Greek Supervisory Authority, the DPC informed the individual of the actions taken by Tinder. In their response the individual confirmed that they were content to conclude the matter and, as such, the matter was amicably resolved pursuant to section 109(3) of the Data Protection Act 2018 (the Act), and the complaint was deemed to have been withdrawn.
TikTok and cooperation with other EU data protection authorities
During 2021, GDPR Article 61 mutual assistance requests were received by the DPC from the Dutch and the French data protection authorities. Each of these requests sought the DPC to further investigate a number of concerns relating to TikTok’s processing of its users’ personal data, particularly child users.
The authorities concerned had been investigating TikTok prior to the company locating its main establishment (EU headquarters) in Ireland in July 2020, following which, in December 2020, the DPC assumed the role of TikTok’s lead supervisory authority once other EU supervisory authorities had satisfied themselves that TikTok was main-established in Ireland.
As a result, the Dutch and French authorities concluded that they no longer had competence to investigate TikTok and accordingly transferred their investigation files, requesting the DPC to investigate further. These investigations, coupled with the DPC’s own identification of key concerns through active engagement with TikTok in 2021, led the DPC to commence two own-volition inquiries pursuant to Section 110 of the Data Protection Act 2018 in relation to TikTok’s compliance with the requirements of the GDPR.
Amicable resolution in cross-border complaints — Yahoo EMEA Limited
The DPC received a complaint in March 2021 from the Bavarian data protection authority on behalf of a Bavarian complainant against Yahoo EMEA Limited. Under the One Stop Shop (OSS) mechanism created by the GDPR, the location of a company’s main EU establishment dictates which EU authority will act as the lead supervisory authority (LSA) in relation to any complaints received. Once the lead authority is established, the authority that received the complaint acts as a concerned supervisory authority (CSA). The CSA is the intermediary between the LSA and the individual. In this case, the DPC is the LSA, as the company complained of has its main establishment in Ireland.
The complainant in this matter had lost access to his email account following an update on his computer. The complainant noted that he had engaged with Yahoo in order to regain access and was asked for information relating to the account in order to authenticate his ownership of it. The complainant asserted that he had provided this information. However, Yahoo informed the complainant that it could not verify his identity with the use of the information that it had been provided.
The complainant was unclear which of the information he had provided was not correct and thus continued to give the same answers to the security questions. As Yahoo could not authenticate the complainant’s ownership of the account, it recommended that he create a new email account.
The complainant was not satisfied with this solution and made a complaint to his local supervisory authority, who referred the complaint to the DPC in its role as Lead Supervisory Authority for Yahoo.
This complaint was identified as potentially being capable of amicable resolution under Section 109 of the Data Protection Act 2018, with both the individual and the data controller agreeing to work with the DPC to try to amicably resolve the matter.
The DPC contacted Yahoo on the matter, and Yahoo took a proactive approach and immediately noted its desire to reach out to the complainant directly to seek to resolve the issue as soon as possible. Yahoo thereafter quickly confirmed to the DPC that its member services team had made contact with the complainant, who provided alternative information that enabled Yahoo to successfully validate the identity of the requester and subsequently restore their account access.
Amicable resolution in cross-border complaints: Google (YouTube)
The DPC received a complaint in September 2020, via its complaint webform, against Google Ireland Limited (YouTube). The complaint was made by a parent acting on behalf of their child and concerned a YouTube channel/account. The YouTube channel/account had been set up when the child was ten years old and at a time when they did not appreciate the consequences of posting videos online.
Although the complaint was made directly to the DPC by an Irish resident, upon assessment it was deemed to constitute a cross-border complaint because it related to YouTube’s general operational policies and, as YouTube is available throughout the EU, the processing complained of was therefore deemed to be of a kind “which substantially affects or is likely to substantially affect data subjects in more than one Member State” (as per the definition of cross-border processing under Article 4(23) of the GDPR).
According to the complainant, the child no longer had control over the account as they had lost their passwords and the account was no longer in use. However, classmates of the child had discovered the videos previously posted by the child, which were now the subject of embarrassment to the child. The parent of the child had engaged in extensive correspondence with Google, seeking inter alia the erasure of the account from the YouTube platform. The parent had provided the URL for a specific video on the account and for the account itself. The parent was informed by Google, on a number of occasions, that it had taken action and removed the content from the platform. However, the parent repeatedly followed up to note that the content had not in fact been removed and was still available online. As she considered that the complaint had not been appropriately addressed, she raised the matter with the DPC.
This complaint was identified as potentially being capable of amicable resolution under Section 109 of the Data Protection Act 2018, with both the individual and the data controller agreeing to work with the DPC to try to amicably resolve the matter. The DPC investigated the background to the complaint and noted that it appeared that Google had removed a specific video from the account, for which the URL had been provided, but it had not removed the account in its entirety, with the result that further videos remained online.
The DPC communicated with Google on the matter and informed Google of the particular background of the complaint. Google immediately took action and removed the YouTube account in its entirety. Google confirmed that a misunderstanding had arisen as its support team had incorrectly assessed the URL for a specific video provided by the complainant, rather than the entire account.
The DPC informed the parent of the outcome and proposed an amicable resolution to the complaint. The parent thereafter informed the DPC that she had recently become aware of another YouTube channel that her child had created, which again was no longer in use and which the child wanted deleted. The DPC corresponded further with Google, and Google confirmed it had taken immediate action to remove the account and informed the parent of the actions it had taken.
Amicable resolution in cross-border complaints — access request to Airbnb
The DPC received a complaint in September 2020 relating to a request for access (under Article 15 of the GDPR) that the complainant had made to Airbnb Ireland UC (“Airbnb”). The complaint was made directly to the DPC, from an individual based in Malta. Upon assessment by the DPC, the complaint was deemed to be a cross-border one because it related to Airbnb’s general operational policies and, as Airbnb is available throughout the EU, the processing complained of was therefore deemed to be of a kind “…which substantially affects or is likely to substantially affect data subjects in more than one Member State” (as per the definition of cross-border processing under Article 4(23) of the GDPR). The complainant submitted an access request to Airbnb. Airbnb facilitated this access request by providing the complainant with a link to an access file containing his personal data. However, when the complainant tried to use the link, it was not operational. In addition, the complainant was frustrated with the difficulty they faced in contacting Airbnb in relation to this matter. The complainant submitted their complaint to the DPC on this basis.
The DPC contacted Airbnb and asked that it facilitate the complainant’s request. The DPC specified that Airbnb should ensure any links it sends to complainants are fully tested and operational.
In reply, Airbnb explained that once it was informed that the initial link it sent to the complainant was not operational, it sent a renewed link to the complainant and was unaware that the complainant had had any difficulty in accessing this second link. Nonetheless, in the interests of amicably resolving the complaint, Airbnb agreed to provide an additional link to an access file to the complainant and for an encrypted file to be sent to the complainant via secure email.
As a result, the matter was amicably resolved pursuant to section 109(3) of the Data Protection Act 2018 (“the Act”), and under section 109(3) of the Act the complaint was deemed to have been withdrawn. This case study demonstrates the benefits — to individual complainants — of the DPC’s intervention by way of the amicable resolution process.
In this case, the DPC’s involvement led to the complainant being able to access his data.
Article 60 Non-response to an Access Request by Ryanair
In this case, the complainant initially submitted their complaint to the Information Commissioner’s Office (ICO) of the UK, which was thereafter received by the DPC on 2 March 2019. The complaint related to the alleged failure by Ryanair DAC (Ryanair) to comply with a subject access request submitted to it by the complainant on 26 September 2018 in accordance with Article 15 of the GDPR. The ICO provided the DPC with a copy of the complaint form submitted to the ICO by the complainant, a copy of the acknowledgement, dated 26 September 2018, that the complainant had received from the data controller when submitting the access request, and a copy of the complainant’s follow-up email to the data controller requesting an update in relation to their request.
Acting in its capacity as Lead Supervisory Authority, the DPC commenced an examination of the complaint by contacting the data controller, outlining the details of the complaint and instructing the data controller to respond to the access request in full and to provide the DPC with a copy of the cover letter that issued to the complainant. Ryanair provided the complainant with access to copies of their personal data relating to the specific booking reference that the complainant had provided to the ICO and data relating to a separate complaint. Ryanair advised that it could not provide the complainant with a copy of the call recording they had requested as, due to the delay on Ryanair’s part in processing the request, the call recording had been deleted in accordance with company policy and they had been unable to retrieve it. Ryanair advised the DPC that it had previously informed the complainant of this via its online portal. Ryanair stated that at the time the request was submitted, due to the volume of data subjects who did not verify their email address, access requests were not assigned to the relevant department until the email was verified by the data subject. Ryanair advised the DPC that the complainant responded to the request, verifying their email address, but the agent who was working on the request had ceased working on the online portal and therefore the request had not been assigned to the relevant department.
Ryanair asserted that this error was not discovered until sometime later, when the request was then assigned to the customer services department to provide the necessary data, including the call recording, at which point the call recording had been deleted in accordance with Ryanair’s retention policy. Ryanair provided the DPC with a copy of its retention policy, in which it states that call recordings are retained for a period of 90 days from the date of the call. Ryanair advised that, as the complainant’s call had been made on 5 September 2018, it would have been automatically deleted on 4 December 2018. Ryanair further stated that it does not have the functionality to retrieve deleted call recordings. Pursuant to Section 109(2) of the Data Protection Act 2018, the DPC attempted to facilitate the amicable resolution of the complaint. However, the complainant was unwilling to accept Ryanair’s proposals in respect of same. As such, the matter fell to be decided by way of a decision under Article 60 of the GDPR.
- Initial Draft Decision
As the complaint related to cross-border processing, the DPC was obliged, in accordance with the Article 60 process, to make a draft decision in respect of the complaint. In its initial version of the draft decision, the DPC made a finding of infringement of Article 15 of the GDPR in that Ryanair failed to provide the complainant with a copy of their personal data that was undergoing processing at the time of the request. The DPC also found an infringement of Article 12(3) of the GDPR in that Ryanair failed to provide the complainant with information on action taken on their request under Article 15 within the statutory timeframe of one month. The DPC provided the draft decision to Ryanair to allow it to make submissions. Ryanair subsequently provided a number of submissions, which (along with the DPC’s analysis thereof) were taken into account in the draft decision.
- Provision of Draft Decision to Concerned Supervisory Authorities
In accordance with the Article 60 process, the DPC proceeded to submit its draft decision to the IMI to be circulated amongst the Concerned Supervisory Authorities (CSAs), pursuant to Article 60(3) of the GDPR. The DPC’s draft decision was uploaded to the IMI on 25 May 2020 and, pursuant to Article 60(4) of the GDPR, the CSAs were thereafter entitled to four weeks in which to submit any relevant and reasoned objections to the decision.
The DPC subsequently received a number of relevant and reasoned objections and comments in relation to its draft decision from the CSAs. In particular, certain CSAs argued that additional infringements of the GDPR ought to have been found, and in addition that a reprimand ought to have been imposed.
- Revised Draft Decision
In accordance with Article 60(3) of the GDPR, the DPC is obliged to take due account of the CSAs’ views. In light of the objections and comments received from the CSAs, the DPC carefully considered each relevant and reasoned objection and comment received in respect of its draft decision. The DPC revised its draft decision to include a summary and analysis of the objections and comments expressed by the CSAs. In revising its initial draft, the DPC followed certain relevant and reasoned objections received, and declined to follow others. In its revised draft decision, the DPC proposed to issue a reprimand to Ryanair, pursuant to Article 58(2)(b) of the GDPR. The DPC provided its revised draft decision to Ryanair to allow it to make final submissions. Ryanair noted that the DPC had found that it had infringed the GDPR, and that the DPC had exercised its powers in this case in line with Recital 129 and the due process requirements in Article 58 of the GDPR. Ryanair advised the DPC that it accepted the findings and the associated reprimand and did not wish to make any further submissions.
- Provision of Revised Draft Decision to Concerned Supervisory Authorities
In accordance with Article 60(5) of the GDPR, once the DPC submitted its revised draft decision to the CSAs for their views, the CSAs were entitled to two further weeks in which to submit any further objections to the decision. Pursuant to Article 60(5) of the GDPR, the DPC submitted its revised draft decision to the CSAs for their opinion on 20 October 2020. As the DPC received no further objections or comments in relation to the revised draft decision from the CSAs within the statutory period, the CSAs were deemed to be in agreement with the revised draft decision of the DPC and bound by it in accordance with Article 60(6) of the GDPR.
- Adoption of Final Decision
Upon the passing of the deadline for receipt of any further objections, the DPC proceeded to adopt the final decision, in accordance with Article 60(7) of the GDPR. The DPC then uploaded its final decision to the IMI and communicated it to Ryanair. The final decision was uploaded on 11 November 2020. Pursuant to Article 60(7), the ICO, with whom the complaint was initially lodged, was responsible for informing the complainant of the decision.
In summary, the DPC found infringements of Articles 12(3) and 15 of the GDPR in respect of this complaint.
Amicable Resolution in Cross-Border Complaints: Facebook Ireland
The DPC received a multi-faceted complaint in April 2019 relating to requests for access (under Article 15 of the GDPR), rectification (under Article 16 of the GDPR) and erasure (under Article 17 of the GDPR) that the complainant had made to Facebook Ireland Limited (“Facebook”). The complaint was made directly to the DPC, from a data subject based in the UK. Upon assessment in the DPC, the complaint was deemed to be cross-border because it related to Facebook’s general operational policies and, as Facebook is available throughout the EU, the processing complained of was therefore deemed to be of a kind “…which substantially affects or is likely to substantially affect data subjects in more than one Member State” (as per the definition of cross-border processing under Article 4(23) of the GDPR).
The complainant initially made his requests to Facebook because his Facebook account had been locked for over a year, without reason in the view of the complainant, and he believed Facebook held inaccurate personal data relating to him. Wishing to ultimately erase all the personal data that Facebook held in relation to him, the complainant was of the view that this inaccurate information was preventing him from being able to log into his Facebook account to begin the erasure process. He had therefore made an access request to Facebook, but had been unable to verify his identity to Facebook’s satisfaction. The complainant subsequently made his complaint to the DPC.
After a considerable amount of engagement by the DPC with both Facebook and the complainant with a view to amicably resolving the complaint, in the course of which the complainant was able to verify his identity to Facebook’s satisfaction, Facebook agreed to provide the complainant with a link containing the personal data that it held in relation to him. The complainant accessed the material at the link, but remained dissatisfied because he claimed that the material provided was insufficient. In particular, the complainant indicated that he wished to be advised of any personal data held in relation to him by Facebook beyond that which was processed in order to operate his Facebook profile. Facebook responded to the DPC indicating that the material provided to the complainant via the link was the totality of the account data that it held in relation to him. The complainant remained dissatisfied with this response, indicating that he wished to obtain information regarding any personal data that Facebook held in relation to him that was not related to his Facebook account. He also reiterated his belief that some of this personal data, allegedly held by Facebook but not related to his Facebook account, may be inaccurate, in which case he wished to have it rectified.
In response, Facebook advised the DPC that, since the commencement of the complaint, it had made certain enhancements to its ‘Download Your Information’ tool. Following this update to its access tools, it had determined that a very small amount of additional personal data existed in relation to the complainant’s Facebook account, and provided the complainant with a new link containing all of the personal data it held in relation to the complainant, including this additional data. The complainant accessed this additional material and, with a view to resolving his complaint, sought confirmation that, once the deletion of his account was effected, Facebook would no longer hold any personal data in relation to him. Facebook reverted to indicate that the material it had provided to the complainant was the totality of the data it held in relation to him that fell within the scope of Article 15, and indicated that it would proceed with the erasure of the complainant’s personal data once he had indicated that he was now satisfied for it to do so.
The complainant was content to conclude the matter on this basis and, as such, the matter was amicably resolved pursuant to section 109(3) of the Data Protection Act 2018 (the Act), and under section 109(3) of the Act the complaint was deemed to have been withdrawn.
This case study demonstrates the benefits — to individual complainants — of the DPC’s intervention by way of the amicable resolution process. In this case, the DPC’s involvement led to the complainant being able to verify his identity to Facebook’s satisfaction, and to Facebook providing him with links containing his personal data on two occasions. The DPC’s engagement with the controller also resulted in it confirming, to the complainant’s satisfaction, that all the personal data that fell to be released in response to an Article 15 request had been provided to him. This resulted in a fair outcome that was satisfactory to both parties to the complaint. This case study also illustrates the intense resource investment necessary on the part of Data Protection Authorities (DPAs) to resolve issues of this nature. The complainant in this case raised an issue of concern to themselves and was entitled to have that addressed. The question the case raises is whether the controller in this case should have been capable of resolving this matter without the requirement for extensive DPA resources to mediate the outcome.
Amicable Resolution in Cross-Border Complaints: MTCH
The DPC received a complaint in June 2020, via its complaint webforms, against MTCH Technology Services Limited (Tinder). Although the complaint was made directly to the DPC, from an Irish resident, upon assessment it was deemed to constitute a cross-border complaint because it related to Tinder’s general operational policies and, as Tinder is available throughout the EU, the processing complained of was therefore deemed to be of a kind “…which substantially affects or is likely to substantially affect data subjects in more than one Member State” (as per the definition of cross-border processing under Article 4(23) of the GDPR).
The complaint related to the banning of the complainant from the Tinder platform, subsequent to which the complainant had made a request to Tinder for the erasure of his personal data under Article 17 of the GDPR. In response to his request for erasure, the complainant was referred by Tinder to its privacy policy for information in relation to its retention policies in respect of personal data. In particular, Tinder informed the complainant that “after an account is closed, whatever the reason (deletion by the user, account banned etc.), the user’s data is not visible on the service anymore (subject to allowing for a reasonable delay) and the data is disposed of in accordance with [Tinder’s] privacy policy”. The complainant was dissatisfied with this response and followed up with Tinder again requesting the erasure of his personal data. Tinder responded by reiterating that “…personal data is generally deleted “upon deletion of the corresponding account”, further noting that deletion of such personal data is “only subject to legitimate and lawful grounds to retain it, including to comply with our statutory data retention obligations and for the establishment, exercise or defence of legal claims, as permitted under Art. 17(3) of GDPR.” The complainant subsequently made his complaint to the DPC.
Upon the DPC’s engagement with Tinder in respect of this complaint, Tinder informed the DPC that the complainant had been banned from the platform as his login information was tied to another banned profile. Also, Tinder identified eleven other accounts associated with the complainant’s device ID. All these accounts had been banned from the Tinder platform as it appeared that an unofficial client was being used to access Tinder (a violation of Tinder’s terms of service). The DPC reverted to the complainant with this information, and the complainant advised that he had used the official Tinder client for Android and the official Tinder web site on Firefox. However, it transpired that he had been using a custom Android build on his phone with various security and privacy add-ons. As a result, his phone had a different device ID after each update/reboot. In the complainant’s view, this was the likely cause of the issue that resulted in his being banned from Tinder. In light of such a ban, as per Tinder’s policy on data retention, his personal data would have been retained for an extended period of time. However, in the circumstances, by way of a proposed amicable resolution, Tinder offered to immediately delete the complainant’s personal data so that he could open a new account.
The complainant had certain residual concerns regarding the manner in which Tinder responds to erasure requests. Upon being informed that such matters were being examined by the DPC by way of a separate statutory inquiry, the complainant agreed to accept Tinder’s proposal for the amicable resolution of the complaint.
As such, the matter was amicably resolved pursuant to section 109(3) of the Data Protection Act 2018 (the Act), and under section 109(3) of the Act the complaint was deemed to have been withdrawn.