Case Studies Disclosure / Unauthorised Disclosure

 

Disclosure of an employee’s special category data by their employer to a third party services provider, without the employee’s consent

An individual submitted an access request to their employer, an SME business-to-business service provider. Based on the documentation the organisation provided in response, the individual submitted a complaint to the DPC alleging that the organisation had unlawfully disclosed their personal data, including special category data, to a third party, a Human Resources service provider (HR provider).

On examining the information provided, it became apparent to the DPC that the organisation had engaged the HR provider to investigate an allegation of bullying made by the individual against a co-worker. The organisation had provided various categories of the individual’s personal data to the HR provider, including the individual’s personal contact details, medical data and a letter confirming the individual’s fitness to take part in the bullying investigation.

The individual provided evidence to the DPC showing that they had asked the organisation not to disclose their personal data to a third party, and stated that they had not been informed that their personal data had been provided to the third party.

As part of its examination of the complaint, the DPC sought to establish whether the organisation had a valid lawful basis for disclosing the individual’s personal data and special category data to the HR provider, in line with Article 6 and Article 9 of the GDPR. The DPC also sought to establish whether the personal data disclosed to the HR provider was relevant and limited to what was necessary for the purposes for which it was processed, in accordance with the principle of data minimisation under Article 5(1)(c) of the GDPR.

From its responses to the DPC, it appeared that the organisation relied on Article 6(1)(b) (contract), Article 6(1)(c) (legal obligation) and Article 6(1)(f) (legitimate interests) of the GDPR as the lawful bases for disclosing the individual’s personal data to the HR provider.

The organisation stated that it had legitimate reasons to provide the personal data and medical data to the HR provider under the terms of the individual’s contract of employment, and that the individual had consented to take part in the bullying investigation. It further stated that the HR provider had asked it to obtain a doctor’s letter from the individual confirming that the individual was fit to take part in the investigation.

The DPC accepted that provision of certain categories of the individual’s personal data to the HR provider would be necessary under the terms of their employment contract, in line with Article 6(1)(b) of the GDPR. However, the organisation failed to identify the legal obligation to which it claimed to be subject in order to rely on Article 6(1)(c) of the GDPR as a lawful basis for the processing. The organisation also failed to provide evidence that it had conducted a balancing test under Article 6(1)(f) of the GDPR before providing the individual’s personal data to the HR provider. Additionally, the organisation failed to identify a lawful basis under Article 9 of the GDPR for disclosing the individual’s medical data; special category data requires a condition under Article 9(2) in addition to an Article 6 lawful basis.

The DPC engaged with the organisation further to ensure that, going forward, it was aware of its obligations under the GDPR in relation to the lawful bases for processing.

Key Takeaway

  • The DPC recommends that organisations only process personal data where it is necessary, and only for the stated purpose of the processing. 
  • In this regard, an organisation must be able to demonstrate to the DPC, with the necessary and relevant information, that the lawful bases it has identified under Article 6 of the GDPR are appropriate for the processing in question. Organisations must also identify a lawful basis under Article 9 of the GDPR before processing special category data.

Case Studies Transparency

 

Sharing personal data with third parties without consent

An individual was owed a debt by the Estate of a deceased person. The individual wrote to the law firm representing the Estate to say that they were no longer interested in pursuing the debt owed to them by the Estate. The law firm subsequently shared this letter with third parties, namely the executors and other beneficiaries of the Estate. The individual became aware that a copy of their letter had been shared and contacted the law firm asking why it had been shared without their consent. The law firm replied that, as the individual had voluntarily written to it to decline any claim on the Estate, it had assumed it had the individual’s consent to share the letter with third parties for the purpose of disclosing the individual’s now defunct claim on the Estate. It also asserted that the individual had consented to their personal data, including their name and address as well as the letter itself, being shared with third parties. The individual was unhappy with this response and therefore contacted the DPC to make a complaint.

The DPC requested the law firm to outline the lawful basis under which it had shared the individual’s letter with third parties. It replied that it had shared the letter as part of its contract to administer the Estate of the deceased. Furthermore, the law firm claimed that, because the individual had voluntarily written the letter, it had inferred consent to process the individual’s personal data, as the letter formed part of the claims on the Estate. It also claimed that it had been acting in the best interests of the individual by informing the third parties that they were no longer involved in the matter.

Under Article 7(1) of the GDPR, a data controller relying on consent as the lawful basis for processing personal data must be able to demonstrate that the data subject has consented; under Article 4(11) of the GDPR, that consent must be a freely given, specific, informed and unambiguous indication of the data subject’s wishes, given by a clear affirmative act. The law firm was unable to demonstrate that it had obtained the individual’s consent to process their personal data in the manner described. 

The DPC engaged with the law firm further to ensure that, going forward, it was aware of its obligations under the GDPR in relation to the lawful bases for processing. In this case it would have been sufficient for the law firm to inform its clients and the other third parties that the individual had relinquished their claim; it was unnecessary to share the correspondence itself.

Key Takeaway

  • Under the GDPR, valid consent must be freely given, specific, informed and unambiguous. Organisations must ensure that individuals clearly understand what they are consenting to and that they can withdraw their consent at any time. This case study highlights the importance of transparency and accountability when collecting and processing personal data. Non-compliant consent mechanisms can have reputational as well as regulatory consequences for the organisation. 

Case Studies CCTV

 

Use of CCTV to monitor waiting area without adequate transparency measures

An individual was employed at a medical practice which used CCTV footage of the waiting room to assess patient waiting times. When the medical practice was reviewing the CCTV footage in the presence of the employee, the employee realised that their image had been recorded by the CCTV system throughout their employment without their being aware of it. The individual tried to resolve the issue with the medical practice but was ultimately dissatisfied with the response they received and contacted the DPC to make a complaint. 

The DPC contacted the medical practice to enquire about its lawful basis for processing personal data in this manner. The medical practice advised that it had a CCTV policy in place before the individual commenced employment with it and that the purpose of the CCTV system was to ensure the health and safety of staff and clients of the medical practice. The DPC requested a copy of the CCTV policy and, on review, noted that it had been drafted before the introduction of the GDPR and had not been updated since. 

Having engaged with the individual, the DPC established that they had not been made aware, when they first joined the practice, that CCTV was in constant operation, including in the areas where they worked. There was one small sign on the entrance door of the practice stating that CCTV was in operation, but the sign did not specify that the CCTV cameras were recording inside the practice building. 

During the course of the DPC’s examination of the complaint the medical practice adopted measures to restrict the recording by the system so that it would no longer be in operation during business hours.

In this instance, the DPC found that the medical practice had not provided a valid lawful basis under Article 6 of the GDPR for this type of monitoring. Furthermore, the medical practice had not fulfilled its transparency obligations under Article 13 of the GDPR, as it had not informed individuals at any point that the CCTV system would process their personal data, by recording their image, while they were in the practice. 

In light of the medical practice’s voluntary restriction of the CCTV cameras to operate outside business hours only, the DPC engaged with the medical practice, providing recommendations and guidance on the use of CCTV. On foot of this engagement, the medical practice increased the size and number of signs informing staff and patients of the use of CCTV and of the contact details of the data controller, in compliance with its obligations. 

Key Takeaway

  • Fairness and transparency are key to implementing proper privacy policies and procedures. As a general rule, nobody should be surprised to discover that their personal data is being processed by a data controller.
  • Proper signage around the use of CCTV, and ensuring staff are given a copy of the current CCTV policy, are simple measures that can avoid complaints such as this case arising. 

Case Studies CCTV

 

Failure to respond to a request for CCTV footage

The DPC received a complaint from an individual who had made an access request to a transport company. They sought a copy of CCTV footage of an accident they were involved in with one of the transport company’s buses. The individual did not receive a response to this request.

The DPC contacted the Data Protection Officer (DPO) for the transport company and informed them of the complaint.

The DPC reminded the transport company of its GDPR obligations, drawing its attention to Article 12(3) of the GDPR, which requires organisations to respond to an individual’s subject access request without undue delay and in any event within one month of receipt (extendable by two further months where necessary, taking into account the complexity and number of requests). As part of the engagement, the DPC stipulated a timeline for the transport company to respond to the individual and provide them with a copy of the CCTV footage. The transport company complied with the DPC’s direction and the individual confirmed that they had received the requested personal data.

Key Takeaway

  • Organisations should be aware that footage or images containing identifiable individuals captured by CCTV systems are personal data for the purposes of data protection law. 
  • Organisations are required to implement appropriate organisational measures to ensure that they are in a position to respond to any rights requests within the timeframes stipulated under the GDPR.
  • More information on this subject matter can be found at: Guidance on the use of CCTV

Case Studies CCTV

 

Domestic CCTV

During 2024, the DPC received 157 complaints from individuals regarding the use of recording devices, for example domestic CCTV systems and smart doorbells, by private individuals to protect their homes and property.

In examining these complaints, the DPC’s focus is whether the processing of personal data by these devices comes within the scope of the GDPR. This is because of the household exemption under Article 2(2)(c) of the GDPR, which applies where personal data is processed by a natural person in the course of a purely personal or household activity. In the sphere of CCTV and smart doorbells, this generally means that as long as the images captured are within the perimeter of an individual’s own home and are used only for their personal purposes, the household exemption is likely to apply. However, where a device operates in such a way as to capture images of people outside the perimeter of the home (in public spaces or on neighbouring property), the operator can no longer avail of the household exemption. In those circumstances, the camera operator must either change the way the device captures images so that it covers only their own property, or comply with data protection law and their obligations as a data controller.

One complaint examined by the DPC in 2024 was made by an individual against their neighbour, alleging that the neighbour’s entire CCTV system, made up of multiple cameras, was capturing the individual’s personal data. The DPC contacted the camera operator, who provided footage from the CCTV system. On examination of the footage, the DPC noted that a number of the cameras were capturing areas outside the perimeter of the operator’s own home and that the remaining cameras were dummy cameras. The DPC engaged with the operator to bring the relevant devices into line with the household exemption. 

The complainant in this case remained dissatisfied and requested additional details from the DPC about the cameras. The DPC engaged further with the individual to advise that, once the cameras were being operated within the parameters of the household exemption and/or were dummy cameras, it could not provide further information.

More information on this subject matter of domestic CCTV can be found at: Domestic CCTV 

Key Takeaway

  • If you are operating a domestic CCTV system, you should ensure that it is not capturing public footpaths or roadways; under no circumstances should cameras be able to view the homes or gardens of neighbours. 
  • If the household exemption applies to the operation of domestic CCTV cameras, the operators are not deemed to be data controllers for the purposes of the GDPR and in such circumstances the DPC has no role to play. The DPC encourages individuals with concerns about a neighbour’s CCTV system to engage directly with the neighbour in the first instance, so that a satisfactory resolution can be achieved. 
  • The nature of domestic CCTV systems, and their potential engagement of both the provisions of the GDPR and any possible exemptions from data protection law, requires the DPC to be cognisant of the particular circumstances of each individual case it handles. 
  • Where a domestic CCTV system is being operated in line with the household exemption, the DPC will not disclose details of that system to a complainant, as the GDPR would not be engaged and any such disclosure could compromise the security of the domestic CCTV operator.

Case Studies Data Breach Notification

 

Personal Data Accidentally Disclosed Online

A third level institution reported a data breach to the DPC relating to a survey it had carried out of former students. Each year, recently graduated students were surveyed with a focus on their further studies and employment, and the data was used to publish a report on graduate outcomes. The summary statistics were published on the institution’s website; in this instance the published material had not been anonymised and included personal data. 

A member of the public reviewing the 2023 reports noticed that they were able to view the personal data of the survey respondents by right-clicking on the tables, and brought this to the attention of the institution. The data included names, salary information and details of work or further studies. The institution removed the report, along with other externally available reports that it thought could be affected by the same issue. The institution also sought assurances that the personal data had not been saved or shared by the individual who discovered the dataset. 

As part of the investigation of this breach, the institution informed the DPC that a new system for producing reports had been introduced in 2022, and that a lack of familiarity with the new system had led to the data being published in a non-anonymised format. To reduce the risk of a recurrence, the institution reviewed its internal processes for generating reports and liaised with its internal IT teams to ensure that appropriate technological measures are now in place.
 

Key Takeaway

  • When organisations choose to publish statistics on websites, they must ensure that no personal data is included unless there is a clear lawful basis for processing that data. This can be achieved through aggregation, anonymisation or redaction, and the check must cover the data embedded behind a published table or chart, not only the figures that are visibly rendered. 
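The following is an added example, not the institution’s own code, of a pre-publication gate for a report of this kind. It models the failure described above: the rendered table was aggregate, but the report artefact still carried the row-level survey responses behind it. The report structure (a rendered "table" plus an embedded "data_source"), the column names, the identifier list, the k=5 suppression threshold and the fictitious respondents are all assumptions for illustration.

```python
"""Pre-publication gate for a graduate-outcomes style report.

Added example, not the institution's code. The report is modelled as a dict
with a rendered 'table' and an embedded 'data_source'; the identifier column
names and the k=5 suppression threshold are assumptions for illustration.
"""
from collections import defaultdict

# Column names treated as direct identifiers (assumed list).
DIRECT_IDENTIFIERS = {"name", "email", "phone", "student_id", "address"}
MIN_CELL = 5  # suppress any aggregate cell with fewer respondents than this


def _respondents(n, programme, status):
    """Constructed, fictitious survey rows (not real people)."""
    return [
        {"name": f"Respondent {programme}-{i}", "email": f"r{i}@example.org",
         "programme": programme, "status": status, "salary": 30000 + 500 * i}
        for i in range(n)
    ]


SURVEY = (_respondents(6, "BSc Computer Science", "Employed")
          + _respondents(2, "BSc Computer Science", "Further study")
          + _respondents(5, "BSc Biology", "Employed"))


def aggregate(rows, by, min_cell=MIN_CELL):
    """Count respondents per combination of `by` columns; small cells become None."""
    counts = defaultdict(int)
    for row in rows:
        counts[tuple(row[col] for col in by)] += 1
    table = []
    for key, n in sorted(counts.items()):
        cell = dict(zip(by, key))
        cell["count"] = n if n >= min_cell else None  # None = suppressed
        table.append(cell)
    return table


def build_report_naive(rows, by):
    """The failure mode: aggregate view on top, microdata embedded underneath."""
    return {"table": aggregate(rows, by), "data_source": rows}


def build_report_safe(rows, by):
    """Embed only the aggregate; the microdata never leaves the institution."""
    table = aggregate(rows, by)
    return {"table": table, "data_source": table}


def audit_report(report, min_cell=MIN_CELL):
    """Return a list of problems; an empty list means the report can be published."""
    problems = []
    for part in ("table", "data_source"):
        rows = report.get(part, [])
        columns = set().union(*(row.keys() for row in rows)) if rows else set()
        leaked = sorted(columns & DIRECT_IDENTIFIERS)
        if leaked:
            problems.append(f"{part}: direct identifiers present: {leaked}")
        if rows and "count" not in columns:
            problems.append(f"{part}: row-level records embedded instead of aggregates")
        small = [r for r in rows if r.get("count") is not None and r["count"] < min_cell]
        if small:
            problems.append(f"{part}: {len(small)} cell(s) below suppression threshold {min_cell}")
    return problems


if __name__ == "__main__":
    by = ["programme", "status"]
    print("naive:", audit_report(build_report_naive(SURVEY, by)))
    print("safe: ", audit_report(build_report_safe(SURVEY, by)))
```

The point of auditing both parts separately is that the visible table passes on its own; only the embedded data source reveals the names and email addresses, which is exactly what a viewer exposes when a reader right-clicks through to the underlying data. The small-cell suppression is a second, independent control: even an aggregate can single out a respondent when a cell contains one or two people.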

Case Studies Data Breach Notification

 

Digital File Storage Breach

A third level institution reported a data breach to the DPC relating to the storage of student medical certificates for a particular course. A student had discovered medical certificates relating to other students when attempting to upload their own certificate to the institution’s Virtual Learning Environment (VLE). The institution immediately informed the DPO, and its IT department removed the files. 

The DPC assessed the notification and, given the nature of the special category (health) data involved, requested further information from the organisation. The investigation by the organisation determined that human error had led to a misconfiguration on the VLE, which meant that medical certificates were displayed to a group of students, rather than solely to the course coordinator/lecturer. 

The breach was originally deemed high risk by the organisation but, following a review of the breached data and the risks posed to the rights and freedoms of the affected individuals, it was deemed to be of lesser risk than originally assessed. The organisation nevertheless decided to notify the affected individuals about the breach out of an abundance of caution.  

In order to prevent a recurrence of this situation, the institution issued an email to all staff to remind them not to use the VLE for the submission of personal data. The institution also added messages to the VLE platform to remind both staff and students of their data protection obligations when using the system.

The organisation engaged with the provider of the VLE to introduce measures to ensure that personal data is stored and processed securely, and security settings configured appropriately.

Key Takeaway

  • When utilising systems that require an individual to upload personal data such as medical certificates, organisations should be aware of the importance of ensuring that the data is securely obtained, accessed and processed. Any security features available should be configured appropriately and the users of the system should be fully aware of what is required. Only personal data that is required should be uploaded. Organisations can ensure this through clear messaging and training. 
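As an added example, not the code of any VLE product, the following audit models the misconfiguration in this case: an upload area that inherits the course-wide read permission from its parent folder, so that every student enrolled on the course can read every other student’s certificate. The content tree, the role names ("student", "lecturer", "course_coordinator", "owner") and the inheritance rule are assumptions for illustration; the corrected configuration breaks inheritance on the upload area and grants read access to the assessor only.

```python
"""Effective-permission audit for a VLE content tree.

Added example; not the code of any VLE product. The tree, role names and the
inheritance rule below are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

ASSESSOR_ROLES = {"course_coordinator", "lecturer"}  # assumed role names


@dataclass
class Node:
    name: str
    kind: str                                # "folder" or "dropbox" (students upload here)
    parent: Optional["Node"] = None
    acl: dict = field(default_factory=dict)  # role -> set of permissions
    inherit: bool = True                     # merge the parent's ACL into this node's


def effective_acl(node):
    """Resolve a node's ACL through inheritance: ancestors first, then the node itself."""
    chain = []
    current = node
    while current is not None:
        chain.append(current)
        if not current.inherit:
            break
        current = current.parent
    effective = {}
    for n in reversed(chain):
        for role, perms in n.acl.items():
            effective.setdefault(role, set()).update(perms)
    return effective


def audit_dropboxes(nodes):
    """Return (name, exposed_roles) for every dropbox readable by anyone other
    than the uploader ("owner") and the assessor roles."""
    findings = []
    for node in nodes:
        if node.kind != "dropbox":
            continue
        readers = {role for role, perms in effective_acl(node).items() if "read" in perms}
        exposed = sorted(readers - ASSESSOR_ROLES - {"owner"})
        if exposed:
            findings.append((node.name, exposed))
    return findings


def course_tree(fixed):
    """Build a constructed course area. fixed=False reproduces the inherited-read
    exposure; fixed=True breaks inheritance on the dropbox and grants read access
    to the course coordinator only."""
    course = Node("Course area", "folder", acl={
        "student": {"read"},
        "lecturer": {"read", "write"},
        "course_coordinator": {"read", "write", "admin"},
    })
    dropbox_acl = {"owner": {"read", "write"}}
    if fixed:
        dropbox_acl["course_coordinator"] = {"read"}
    dropbox = Node("Medical certificates", "dropbox", parent=course,
                   acl=dropbox_acl, inherit=not fixed)
    return [course, dropbox]


if __name__ == "__main__":
    print("misconfigured:", audit_dropboxes(course_tree(fixed=False)))
    print("corrected:    ", audit_dropboxes(course_tree(fixed=True)))
```

The lesson the audit encodes is that the dropbox’s own ACL looks harmless (only the uploader is named); the exposure comes from what it inherits. Any check of a folder where personal documents are collected therefore has to evaluate effective permissions, not the permissions set on that folder alone.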

Case Studies Data Breach Notification

 

Phishing Email Attack in the Broadcasting Sector

An organisation operating in the broadcasting sector notified the DPC of a data breach relating to an employee who had fallen victim to a phishing email. The email, purporting to be an advertisement for an internal vacancy, asked the employee to enter their email and data storage platform credentials and to respond to their multifactor authentication (MFA) authenticator prompt. Having obtained this from the employee, the attacker who sent the phishing email was able to gain access to the employee’s email and data storage platform account. 

Categories of personal data potentially accessed by the attacker included names, email addresses, photos/videos, financial data and special category data (health data). The affected individuals included employees of the organisation and third party contacts who had engaged with the broadcaster. The organisation became aware of the breach when the employee reported problems logging into their email and data storage platform. The organisation’s phishing detection systems had automatically disabled the phished account after 17 minutes, but the account was then manually reactivated by the in-house IT team in error. A manual review of audit logs showed suspicious login attempts from different locations, which led to the account being reset and the attacker being locked out permanently.  

The DPC reminded the organisation of its obligations as a data controller. On foot of this, the organisation implemented preventative measures to reduce the risk of a recurrence. These measures included spam/phishing filters, reminders to all staff to exercise caution when opening external emails, increased training and staff awareness exercises, and new guidelines on the reactivation of suspended user accounts. 
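The two signals that ended this incident, sign-ins from different locations in the audit log and an automated disable that was manually undone, can both be checked mechanically. The following is an added example and is not the broadcaster’s tooling: the log line format, the field names, the actor names ("phish-detector", "helpdesk"), and every user, IP address and timestamp are constructed for illustration. It parses the sample log and runs two detections over it.

```python
"""Two audit-log detections for the account-takeover pattern described above.

Added example; not the broadcaster's tooling. The log format, field names,
actor names, users, IP addresses and timestamps are all constructed.
"""
from datetime import datetime, timedelta

# Constructed sample audit log. Note the second sign-in: the attacker passed
# MFA because the phished employee responded to the authenticator prompt, so
# "mfa=approved" on its own is not evidence that a login was legitimate.
SAMPLE_LOG = """\
2024-05-14T09:02:11Z signin user=j.doe@example.org ip=203.0.113.5 country=IE result=success mfa=approved
2024-05-14T09:04:40Z signin user=j.doe@example.org ip=198.51.100.23 country=NG result=success mfa=approved
2024-05-14T09:21:45Z account_disabled user=j.doe@example.org actor=phish-detector reason=suspicious-signin
2024-05-14T09:41:02Z account_enabled user=j.doe@example.org actor=helpdesk ticket=none
2024-05-14T09:42:15Z signin user=j.doe@example.org ip=198.51.100.23 country=NG result=success mfa=approved
2024-05-14T10:15:00Z signin user=m.lee@example.org ip=203.0.113.9 country=IE result=success mfa=approved
2024-05-14T10:30:00Z account_disabled user=m.lee@example.org actor=phish-detector reason=suspicious-signin
2024-05-14T12:05:00Z account_enabled user=m.lee@example.org actor=helpdesk ticket=INC-4471
"""


def parse(log_text):
    """Parse '<iso-timestamp> <event> key=value ...' lines into dicts, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, *fields = line.split()
        event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind}
        event.update(f.split("=", 1) for f in fields)
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def multi_country_signins(events, window=timedelta(hours=1)):
    """Flag a user whose consecutive successful sign-ins come from different
    countries within `window` (a crude impossible-travel check)."""
    alerts = []
    last_by_user = {}
    for ev in events:
        if ev["kind"] != "signin" or ev.get("result") != "success":
            continue
        prev = last_by_user.get(ev["user"])
        if prev and prev.get("country") != ev.get("country") and ev["ts"] - prev["ts"] <= window:
            alerts.append({"user": ev["user"], "from": prev.get("country"),
                           "to": ev.get("country"), "at": ev["ts"]})
        last_by_user[ev["user"]] = ev
    return alerts


def unsafe_reactivations(events, cooldown=timedelta(hours=1)):
    """Flag an account re-enabled after an automated phishing disable when the
    re-enable carries no ticket reference or happens inside the cooldown period."""
    alerts = []
    auto_disabled_at = {}
    for ev in events:
        if ev["kind"] == "account_disabled" and ev.get("actor") == "phish-detector":
            auto_disabled_at[ev["user"]] = ev["ts"]
        elif ev["kind"] == "account_enabled":
            disabled = auto_disabled_at.pop(ev["user"], None)
            if disabled is None:
                continue  # not preceded by an automated disable; out of scope here
            reasons = []
            if ev.get("ticket", "none") == "none":
                reasons.append("no ticket reference")
            if ev["ts"] - disabled < cooldown:
                reasons.append("re-enabled inside cooldown")
            if reasons:
                alerts.append({"user": ev["user"], "at": ev["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for alert in multi_country_signins(events) + unsafe_reactivations(events):
        print(alert)
```

Over the sample, the first detection fires once (the IE to NG sign-in two minutes apart) and the second fires once (the account re-enabled 19 minutes after the automated disable, with no ticket), while the second user, re-enabled after a documented ticket and outside the cooldown, produces nothing. The second detection is the one that corresponds to the new reactivation guidelines: an automated disable should not be reversible by a helpdesk action alone.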

Key Takeaway

  • Organisations should be aware of the importance of utilising preventative measures against data breaches that consist of both technical (phishing detection, spam/phishing filters) and organisational measures (staff training/awareness, simulated phishing attacks) and should monitor and check that these measures continue to be fit for purpose.

Case Studies Electronic Direct Marketing

 

Prosecution of Thérapie Clinic Trading as Valterous Limited

In February 2024, the DPC received a complaint from an individual concerning an alleged unsolicited email communication from Thérapie Clinic. The individual provided the DPC with a copy of their marketing preferences and a copy of the unsolicited email communication. 

Following further investigation, Thérapie Clinic confirmed to the DPC that the complainant was a client of theirs and had not given consent to receive marketing communications. Thérapie Clinic conducted an internal investigation, which found that the email message that was the subject of the complaint had been sent manually by a member of staff in one of its clinics. 

The email was not a system-generated message, and therefore no opt-out mechanism had been included in the communication. As a result, the individual had received an unsolicited marketing email without an option to opt out of receiving further marketing messages. As the DPC had already issued a warning to Thérapie Clinic in February 2023 in relation to a previous complaint, the DPC decided to prosecute on foot of this complaint.

On 25 October 2024, Thérapie Clinic was prosecuted for sending unsolicited emails to a customer who had previously opted out of receiving marketing communications. The company was found to have violated Regulation 13(12)(c) and Regulation 13(13)(a)(i) of S.I. No. 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. In lieu of a conviction and fine, the Dublin Metropolitan District Court ordered the company to make a donation of €325 to the Little Flower Penny Dinners charity and to pay the DPC’s legal costs.

Key Takeaway

  • This case emphasises the need for organisations to communicate their policies and procedures effectively to all staff members. Companies must ensure that staff are fully aware of the implications of conducting ad hoc marketing activities outside the company’s marketing applications and systems. Individuals’ preferences must be respected, and once an individual has opted out, no further electronic marketing communications should be sent to that individual.

Case Studies Electronic Direct Marketing

 

Prosecution of Google Ireland Limited

In November 2023, the DPC received a complaint from an individual concerning alleged unsolicited marketing communications by telephone from Google Ireland Limited. The individual had received three separate phone calls within a four-hour period from people identifying themselves as sales representatives acting on behalf of Google Ireland Limited. The DPC launched an investigation, during which Google Ireland Limited confirmed that a third-party contractor had disregarded the individual’s previous request to opt out of marketing communications, resulting in a number of calls being made to the individual. 

The DPC had previously issued a warning to Google Ireland Limited in July 2023 concerning unsolicited phone calls made without consent to the same individual. As part of this warning, Google Ireland Limited was notified that if the individual was to receive further phone calls, Google Ireland Limited may face prosecution. Google Ireland Limited breached the rules governing unsolicited marketing phone calls, as the company continued to make marketing phone calls after the individual had explicitly withdrawn their consent.

At Dublin Metropolitan District Court on 25 October 2024, Google Ireland Limited pleaded guilty to two charges of making unsolicited marketing telephone calls under Regulation 13 of S.I. No. 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. Dublin Metropolitan District Court directed the company to contribute €1,500 to the Little Flower Penny Dinners charity and to pay the DPC’s legal costs in lieu of a conviction and fine.

Key Takeaway

  • This case highlights the importance of effectively managing opt-out requests. Explicit consent is required in order to conduct electronic direct marketing activities, including marketing telephone calls. Where a contractor acting on behalf of a company fails to comply with corporate policies and procedures (e.g. cold-calling a person who has unsubscribed and opted out of such communications), it is the data controller who is ultimately responsible.