The DPC received a complaint in which the complainant’s representative indicated that they wished to make a formal complaint regarding the delay by Tusla to release records containing their client’s personal data on foot of a subject access request. The representative further stated that a full response to the complainant’s access request had not been provided and they had been receiving the records containing personal data in a piecemeal fashion for the previous two years. It was unclear to the complainant’s representative the amount of personal data outstanding in relation to their client’s access request.

The DPC commenced an examination of the complaint by contacting Tusla requesting that it provide the individual with a copy of all personal data held or controlled by it in relation to the individual or notify the individual of the refusal of the subject access request identifying any statutory restriction relied on by it to withhold their data.

Tusla responded indicating that it would be in a position to release personal data to the data subject within a specified timeframe. However, this deadline passed without the complete records containing personal data being released. Subsequent to further DPC engagement, Tusla outlined that, due to the volume of personal data involved, the personal data relating to the individual would issue in batches. This release would be subject to restrictions being applied to third party non personal data, personal data subject to legal professional privilege and where the release of personal data would be in contempt of court proceedings.

The complainant’s representative later confirmed they had received  a portion of their client’s personal data but advised that it was heavily redacted. It clarified the records containing the personal data of the individual that remained outstanding and which it was seeking urgently. An extensive exchange of correspondence between Tusla and the DPC followed over an extended period of time during which several deadlines were not met by Tusla in relation to the issuing of records containing personal data and /or responding to correspondence from the DPC and the data subject’s representative.

The DPC considered that an amicable resolution to this complaint was not achievable and considered it appropriate to conclude that process and issue an Enforcement Notice pursuant to Section 109(5)(d)(i) of the Data Protection Act 2018 to require the data controller to furnish the remaining records of personal data to the data subject within a specified timeframe. This notice informed Tusla of the following:

‘A person (being a data controller or data processor) who, without reasonable excuse, fails or refuses to comply with a requirement specified in an enforcement notice shall be guilty of an offence under Section 133*19) of the Data Protection Act 2018 and shall be liable (i) on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or (ii) on conviction on indictment, to a fine not exceeding €250,000 or imprisonment for a term not exceeding 5 years or both.’

The issuing of this Enforcement Notice resulted in the remaining records containing personal data issuing to the data subject within the timeframe specified in the Enforcement Notice.

The DPC received a complaint from an individual who had made a subject access request to a state hospital for a copy of all information held concerning them. The individual did not receive a response to this request.

The DPC contacted the Data Protection Officer (DPO) for the Hospital Group and informed them of the complaint.

The DPC reminded the hospital of their GDPR obligations , drawing their attention to Article 12(3), which states that controllers have an obligation to provide a response to an individual’s subject access request within the statutory timeframe. As part of the engagement, the DPC stipulated a timeline for the hospital to respond to the individual and provide them with a copy of the personal data. The data controller complied with the DPC’s direction.

The DPC received a complaint from an individual in relation to a subject access request made to a medical centre for a copy of their personal data. According to the individual, the medical centre had requested a fee to process the access request. Before contacting the DPC, the individual had already advised the medical centre that access to a copy of personal data is free under the GDPR and queried if the letter seeking a fee may have issued in error.

Following receipt of this complaint, the DPC corresponded with the medical centre to ascertain why it had sought a fee to process the subject access request and to seek confirmation that the subject access request had since been complied with.

The medical centre promptly reverted to the DPC accepting that the request for a fee should not have been made. It further outlined additional data protection training for staff regarding its obligations to patients making subject access requests would be provided. The medical centre also confirmed that a copy of the personal data was furnished to the individual with its apologies. The individual confirmed to the DPC that it had received a copy of their personal data.

An individual submitted a subject access request to their former employer. This individual then raised a concern with the DPC querying whether the company was obliged to provide them with the names of all of the employees who had been involved in compiling the response to the subject access request.

The DPC assessed the legal framework surrounding this question and responded to the query with reference to paragraph 73 of judgement C-579/21 of the Court of Justice of the European Union (CJEU) and article 15(4) of the GDPR. In this regard, the CJEU judgement had clarified that ‘the employees of the controller cannot be regard as being ‘recipients’, within the meaning of Article 15(1)(c) of the GDPR [...] when they process personal data under the authority of that controller and in accordance with its instructions’.

Consequently, the DPC advised the individual that they were not entitled to a list of the names of the employees who had been involved in preparing their subject access request response under the category of ‘recipients’ as provided for in the GDPR under Article 15(1)(c) and Article 15(4) of the GDPR.

An individual lodged a complaint with the DPC after they had viewed a rental property. In their complaint, they alleged that the letting agency had requested excessive personal data during the application process.

According to the individual, as they were unsuccessful in their application to rent the property, they made an erasure request to the letting agency under Article 17 of the GDPR for the deletion of their personal data. The letting agency responded to the individual advising that it had erased the personal data and confirmed that it had not shared personal data with any third parties. While the individual was satisfied with the response they received from the letting agent, they still had concerns regarding the amount of personal data that had been requested in the first instance. On this basis, they submitted a complaint to the DPC.

As part of the complaint handling process, the DPC contacted the letting agency requesting clarity on the different types of personal data it was requesting as part of the application process. The organisation confirmed it requested copies of identification; proof of current address; employment and previous landlord references; two-month bank statements; and a PPS number. The letting agency stated that the information was required for it to ensure the identity of the applicant and that the applicant can afford the property.

The DPC found that the organisation did not meet the principle of data minimisation under Article 5(1)(c) of the GDPR, which states: ‘personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’. The DPC determined that the volume of personal data requested from the individual as a prospective tenant was excessive for the initial stage of an application process.

Four years after the conclusion of an investigation into suspected plagiarism in an educational setting, an individual requested to have aspects of the internal report regarding the investigation rectified. The report was compiled following an independent investigation in which the individual was interviewed as a witness and not as the subject of the investigation.

The individual submitted the rectification request to the data controller, the individual’s employer. As part of their request, the individual stated that there were a number of instances where the personal data in the report was inaccurate, incomplete or misleading, and requested that these instances be rectified in accordance with Article 16 of the GDPR. In its response to the individual, the education provider stated that it could not rectify the report but it could restrict access to it. As the individual was dissatisfied with this response, they submitted a complaint to the DPC.

In this instance, the DPC examined whether the educational provider was correct in its initial refusal of the rectification request. The education provider confirmed to the DPC that due to the passage of time since the report had been created, the investigator’s notes had been destroyed as such it was unable to check the alleged inaccuracies and that as it was not the author of the report it could not alter the contents. The education provider offered, as a proposal for amicable resolution, to add a supplementary statement recording the individual’s position to the report.

The individual refused the proposal as they were of the view that the report was incomplete as not all the evidence they provided was referred to in the report, and where it was quoted, they felt it was taken out of context.

It is important to note, that it is not the role of the DPC, nor is it encompassed within the right to rectification under Article 16 of the GDPR, to reassess or to repeat the work of an independent investigator, nor to undermine the professional opinion of an expert. The independent investigator provided their professional assessment of all evidence and testimony gathered during the investigation, and it was their professional discretion as to what material was relevant to be included in the report. The purpose of the individual’s testimony was to inform the independent investigator in order to assist with the investigation. The fact that the individual disagrees with the assessment did not constitute the report as being inaccurate or incomplete.

The education provider further offered to delete the report which would cease the processing of the individual’s personal data. Once again, the individual did not accept this offer.

The DPC was of the view that the report should be erased where it was no longer necessary for the education provider to retain it. Alternatively, the education provider should add the supplementary statement to provide a more accurate account of the events.

This case relates to an individual who alleged their personal data, in the form of their name, address and email address had been unlawfully retained and processed by a property management company.

The individual received an unsolicited email containing a newsletter from the company, despite not having a business relationship with the company for a number of years. The individual contacted the company requesting an explanation as to why the company had retained the individual’s personal data. The company stated that it was previously the managing agent for a

particular residential development that the individual had a business interest in. It advised that it had sent the email in error. The company informed the individual that it had now deleted their personal data from its database.

The individual was not satisfied with this response from the company and submitted a complaint to the DPC. Following engagement with the DPC the company explained it had been the managing agent for an owner

management company and following the termination of its contract with the owner management company, it had failed to delete the individual’s personal data from its database.

As part of the examination of this complaint, the DPC sought to establish if the company had a lawful basis for processing the individual’s personal data by retaining it following the end of the respective contract. The company informed the DPC that it was relying on Article 6(1)(a) of the GDPR which states that processing shall be lawful where a data subject has given their consent. The company further stated that under the Property Services (Regulation) Act 2011 it was required to retain data for a period of no less than six years. The company further indicated that it was an oversight on its part that it had retained the individual’s personal data beyond the six-year retention period. It also established that an administrative error had resulted in the individual receiving the unsolicited email.

The company acknowledged that it no longer had a lawful basis to process the individual’s personal data by retaining it post the six-year period and confirmed that it had deleted all personal data relating to the individual. The company also confirmed what steps it had taken to improve the procedures for managing its database of contacts to ensure unlawful processing of this type did not recur.

Accordingly, the company did not adhere to the principles relating to processing of personal data in accordance with Article 5(1)(b) of the GDPR (‘purpose limitation’) when it used the individual’s contact details to send them a newsletter when it should not have retained the individuals’ contact details for this period of time. It also did not adhere to Article 5(1)(e) of the GDPR (‘storage limitation’) when it retained the individual’s personal data which permitted the identification of the individual for longer than was necessary for the purpose for which the personal data was original obtained.

The DPC issued recommendations to the controller around its obligations to ensure that all processing is lawful, fair and transparent, as required under Article 5 of the GDPR and that appropriate technical and organisational measures are implemented to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR.

The DPC received a query from an individual relating to what appeared to be the unintentional inclusion of their property on an advert published by a property website. The individual advised that the property website had published on its website an image of a property for sale as well as a number of other neighbouring properties. The owner of one of these other properties was the individual that contacted the DPC.

The individual first contacted the DPC via email raising their concern and followed up a short time later with a phone call to the DPC Helpdesk. During the Helpdesk call, the individual advised the DPC that the image contained, a photograph of their house along with their address.

In response to this information, the individual was advised about the six lawful bases for processing personal data under Article 6 of the GDPR. They were also advised of the definition of personal data as set out in the GDPR; information concerning or relating to a living person who is identified or identifiable (such a person is referred to as a ‘data subject’).

The individual was further advised that while an image of a property alone may not constitute personal data, an image containing the property address as well as a house number, may entitle them to request erasure of this data from the property website. The DPC recommended that in the first instance, the individual make contact, in writing, with the owners of the property website requesting the removal of their property from the published images on the website.

Having followed the advice provided by the DPC, the individual reverted to the DPC to advise that owners of the property website had promptly complied with their request and had removed the image of their property from its website.