Inquiry into the Department of Employment Affairs and Social Protection
The Data Protection Commission (DPC) commenced this own-volition inquiry after it received a complaint from Digital Rights Ireland alleging a “serious interference with the independence of the Data Protection Officer (DPO) in the Department”. On 4 July 2018, the Department received a media query in relation to the Privacy Statement’s reference to biometric data. This query set off a series of internal email threads and discussions within the Department questioning the reference to biometric data. On 6 July 2018, the Department amended its Privacy Statement and removed the only reference to its processing of biometric data from the Statement. As part of the complaint, Digital Rights Ireland submitted the Department’s internal email threads to the DPC having received them pursuant to the Freedom of Information Act 2014.
The scope of this inquiry concerned whether the Department’s DPO was involved in the issue of amending the Privacy Statement in a proper and timely manner in accordance with Article 38(1) of the GDPR; and whether the DPO received instructions regarding the exercise of his tasks contrary to the requirements of Article 38(3) of the GDPR. The scope of the inquiry did not concern whether the Department’s amendment complied with its transparency obligations under the GDPR. During the inquiry, the DPC gathered all of the relevant information in order to comprehensively consider the background, in addition to the email threads submitted with the complaint. The DPC conducted a voluntary interview with the DPO who held that position at the relevant time. The DPC also had regard to statements submitted to the DPC by the Department’s Secretary General and DPO respectively. The DPC also analysed the Department’s relevant internal emails between 4 and 6 July 2018 concerning the amendment to the Privacy Statement. Having regard to all of the relevant information, the DPC found that:
- The Department involved its DPO, properly and in a timely manner, in the Department’s amendment to its Privacy Statement as implemented on 6 July 2018. Therefore, the Department did not infringe Article 38(1) of the GDPR in the circumstances.
- The Department did not provide any instructions to the DPO regarding the exercise of the tasks referred to in Article 39 of the GDPR in respect of the Department’s amendment to its Privacy Statement as implemented on 6 July 2018. Therefore, the Department did not infringe Article 38(3) of the GDPR in the circumstances.
For more information, you can download a copy of the full decision at this link: Department of Employment Affairs and Social Protection May 2021 (PDF, 1,234 KB).
Inquiry into the Irish Credit Bureau DAC
This inquiry was commenced in respect of a personal data breach that the Irish Credit Bureau (‘ICB’) notified to the DPC on 31 August 2018. The ICB is a credit reference agency that maintains a database on the performance of credit agreements between financial institutions and borrowers. The personal data breach occurred when the ICB implemented a code change to its database that contained a technical error. As a result, between 28 June 2018 and 30 August 2018, the ICB database inaccurately updated the records of 15,120 closed accounts. The ICB disclosed 1,062 inaccurate account records to financial institutions or data subjects before fixing the issue. All of the inaccurate account records disclosed to the financial institutions stated that the accounts had been closed more recently than they actually had been, but none misstated that a balance was outstanding on the accounts.
- The decision found that the ICB infringed Article 25(1) of the GDPR by failing to implement appropriate technical and organisational measures designed to implement the principle of accuracy in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects.
- The decision found that the ICB infringed Articles 5(2) and 24(1) of the GDPR by failing to demonstrate compliance with its obligation, pursuant to Article 25(1) of the GDPR, to undertake appropriate testing of proposed changes to its database.
- The decision found that the ICB did not infringe Article 26(1) of the GDPR in circumstances where the ICB members are not joint controllers in respect of the ICB’s database.
The corrective powers exercised
- The decision imposed an administrative fine on the ICB in the amount of €90,000 in respect of the infringements.
- The decision issued the ICB with a reprimand in respect of the infringements.
- Having regard to the measures implemented by the ICB since the personal data breach and during the inquiry, it was not necessary for the decision to order the ICB to take specific action to bring its processing operations into compliance with the GDPR.
For more information, you can download a copy of the full decision at this link: Irish Credit Bureau DAC March 2021 (PDF, 1,427 KB).
Inquiry Concerning Twitter International Company (‘TIC’)
This Inquiry, which was commenced by the Data Protection Commission (‘the Commission’) on 22 January 2019, examined whether Twitter International Company (‘TIC’) had complied with its obligations under the GDPR in respect of its notification, on 8 January 2019, of a personal data breach (‘the Breach’) to the Commission. The Breach, which occurred at TIC’s processor, Twitter Inc., related to a bug whereby if a Twitter user with a protected account, using Twitter for Android, changed their email address, their account would become unprotected.
The purpose of the Inquiry was to examine certain issues surrounding TIC’s notification of the Breach, as distinct from examining the substantive issues relating to the Breach itself. In this regard, the Inquiry examined whether TIC had complied with Article 33(1) of the GDPR, in terms of the timing of its notification of the Breach to the Commission, and whether it had complied with Article 33(5) of the GDPR, in respect of its documenting of the Breach.
The DPC submitted its draft decision in this inquiry to other Concerned Supervisory Authorities under Article 60 GDPR on 22 May 2020. This was the first draft decision to go through the Article 65 dispute resolution process and was the first Draft Decision in a “big tech” case on which all EU supervisory authorities were consulted as Concerned Supervisory Authorities. The European Data Protection Board adopted its decision under Article 65(1)(a) on 9 November 2020. The DPC issued its final decision to TIC on 9 December 2020.
Facts leading to Inquiry
TIC’s notification of the Breach to the Commission, which led to the Inquiry, took place on 8 January 2019 by way of a completed Cross-Border Breach Notification Form. In the Form, TIC outlined that it had received a bug report through its ‘Bug Bounty Program’ to the effect that “…if a Twitter user with a protected account, using Twitter for Android, changed their email address the bug would result in their account being unprotected.” The Breach Notification Form further outlined, in respect of the reasons for not notifying the Commission within the 72-hour period required by Article 33(1), that
“The severity of the issue - and that it was reportable - was not appreciated until 3 January 2018 [sic] at which point Twitter’s incident response process was put into action.”
The Breach Notification Form identified the potential impact for affected individuals, as assessed by TIC, as being “significant”. In a further follow up notification form submitted by TIC to the Commission on 16 January 2019, TIC confirmed the number of affected EU and EEA users was 88,726. It also confirmed that the bug which had led to the Breach “was introduced on 4 November 2014 and fully remediated by 14 January 2019” and that, as it was not possible to identify all impacted persons (due to retention limitations on available logs), it believed that additional people were impacted during that period.
Inquiry under Section 110, Data Protection Act 2018
As it appeared from the Breach Notification Form submitted by TIC that a period of in excess of 72 hours had elapsed from when TIC (as controller) became aware of the Breach, and having regard to the number of affected data subjects, the Commission commenced the Inquiry, under Section 110(1) of the Data Protection Act 2018 (‘the 2018 Act’) for the purpose of examining whether TIC had complied with its obligations under Article 33, and more particularly, with its obligations under Article 33(1) and Article 33(5).
Compliance with Article 33(1)
In assessing TIC’s compliance with Article 33(1), the Commission examined the timeline relating to TIC’s notification of the Breach to the Commission. In this regard, TIC confirmed to the Commission during the Inquiry that notice of the bug was first received on 26 December 2018 by an external contractor engaged by Twitter to search for and assess bugs via the Bug Bounty Program, a program whereby anyone may submit a bug report. TIC further confirmed that, on 29 December 2018, the external contractor, having assessed the bug report, communicated the outcome of its assessment to Twitter Inc. TIC further confirmed that Twitter Inc. then commenced its internal Information Security review of the issue on 2 January 2019, and that, following this, on 3 January 2019, Twitter Inc. assessed the incident as being a potential personal data breach under the GDPR and determined that the incident response plan should be initiated. TIC also confirmed that, following this (on 4 January 2019), an Incident Management (IM) ticket was opened but that, due to a failure (by Twitter Inc. staff) to follow a particular step in the incident management process as it was prescribed, the Data Protection Officer (DPO) for TIC was not added to the IM ticket, which resulted in a delay in the DPO (and, therefore TIC as controller) being notified of the issue.
TIC confirmed to the Commission that it was first made aware of the Breach by its processor, Twitter Inc., on 7 January 2019. It submitted that, in circumstances where it had notified the Breach to the Commission on 8 January 2019, it had complied with the requirement to notify under Article 33(1).
Having considered the timeline in relation to TIC’s notification of the Breach, the Commission formed the view that, notwithstanding TIC’s actual awareness of the Breach on 7 January 2019, TIC ought to have been aware of the Breach at an earlier point in time and, in this particular case, at the latest by 3 January 2019. In forming this view, the Commission took account of the fact that 3 January 2019 was the date on which Twitter Inc. first assessed the incident as being a potential personal data breach but that, for reasons of the ineffectiveness of the process in the particular circumstances that transpired and/or a failure by Twitter Inc. staff to follow its own incident management process, a delay occurred in the DPO being informed of the potential data breach, which, in turn, resulted in TIC (as controller) not being notified of the Breach until 7 January 2019.
In making this finding, the Commission also took account of an earlier delay that had arisen in the period from when the incident was first notified to Twitter Inc. by its external contractor on 29 December 2018 to when Twitter Inc. commenced its Information Security review of the issue on 2 January 2019. During the course of the Inquiry, TIC confirmed to the Commission that this delay had arisen “due to the winter holiday schedule” (in circumstances where three of the four days in question were holidays: a weekend and New Year’s Day), which had led to the issue not being identified and escalated as it should have been. However, the Commission did not accept this delay as being reasonable, in particular in circumstances where potential risks to the data protection and privacy rights of data subjects cannot be neglected, even for a limited period of days, simply because it is an official holiday or a weekend, and given that Twitter’s services do not cease to operate during such times.
As outlined in the Decision, the alternative application of Article 33(1), and that which was suggested by TIC during the Inquiry, whereby the performance by a controller of its obligation to notify is, essentially, contingent upon the compliance by its processor with its obligations under Article 33(2), would undermine the effectiveness of the Article 33 obligations on a controller. Such an approach would be at odds with the overall purpose of the GDPR and the intention of the EU legislator.
Compliance with Article 33(5)
In assessing TIC’s compliance with Article 33(5), the Commission carried out a review of the documentation provided by TIC during the course of the Inquiry, and in which it claimed that it had documented the Breach.
In doing so, the Commission found that TIC had not complied with Article 33(5). This was in circumstances where the documentation maintained by TIC – either individually or collectively – did not comprise a record, or document, of, specifically, a ‘personal data breach’ within the terms of Article 33(5), but rather was documentation of a more generalised nature, including reports and internal communications, that were generated in the course of TIC’s management of the incident.
In addition, the Commission found that the documentation maintained by TIC in relation to the Breach did not contain sufficient information so as to enable the question of TIC’s compliance with the requirements of Article 33 to be verified, as is required by Article 33(5). In particular, the Commission found that the documentation, which TIC had identified as being the primary record in which it had documented the facts, effects and remedial action taken in respect of the Breach, was deficient in circumstances where it did not contain all material facts relating to the notification of the Breach to the Commission. In particular, the documentation did not contain any reference to the issues that had led to the delay in TIC being notified of the Breach by its processor, nor did it address how TIC had assessed the risk to affected users arising from the Breach. The Commission also found that the deficiencies in the documentation furnished by TIC as a record of the Breach were further demonstrated by the fact that, during the Inquiry, the Commission had to raise multiple queries in order to gain clarity concerning the facts surrounding the notification of the Breach.
Process under Article 60 and Article 65 GDPR
On 22 May 2020, the Commission issued a draft of its Decision (‘the Draft Decision’) to the other concerned supervisory authorities (‘CSAs’) for their opinion in accordance with the process under Article 60 GDPR. The Draft Decision set out the Commission’s proposed finding of infringements under Articles 33(1) and 33(5) and its proposal to impose an administrative fine. Under Article 60(4), CSAs have a period of four weeks within which to express a relevant and reasoned objection to a draft decision.
A number of CSAs expressed objections in relation to aspects of the Draft Decision, including objections on the basis that the Commission should, as part of its Inquiry, have considered other provisions of the GDPR; objections relating to non-substantive matters, such as the designation of the role of the respondent under investigation (TIC) and the competence of the Commission, as Lead Supervisory Authority, to deal with the matter; and objections in relation to the administrative fine which the Commission proposed.
Having considered the objections raised, and having endeavoured to reach consensus with the CSAs, the Commission was unable to follow the objections in an amended Draft Decision. On this basis, the Commission referred the matter to the European Data Protection Board (‘EDPB’) for determination pursuant to the Article 65 dispute resolution mechanism. The EDPB commenced the Article 65 procedure on 8 September 2020. Having adopted its binding decision under Article 65(1)(a) (‘the EDPB Decision’) on 9 November 2020, the EDPB notified same to the Commission on 17 November 2020. Thereafter, pursuant to Article 65(6), the Commission was required to adopt its final decision on the basis of the EDPB Decision “without undue delay and at the latest by one month after the Board has notified its decision.”
Article 65(1)(a) provides that the EDPB’s binding decision under Article 65 “…shall concern all the matters which are the subject of the relevant and reasoned objection, in particular whether there is an infringement of [the GDPR]”. In this regard, in terms of the EDPB’s assessment of the objections raised by the CSAs in this case, the EDPB Decision found that certain of the objections raised were not ‘relevant and reasoned’ within the meaning of Article 4(24) on the basis that they did not provide a clear demonstration as to the significance of the risks posed by the Draft Decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the European Union (as is required by Article 4(24)).
With regard to a number of other objections raised, and which had been made on the basis that the Commission should have considered further infringements under other provisions of the GDPR (specifically, Articles 5(1)(f), 5(2), 24 and 32), whilst the EDPB found that these objections were relevant and reasoned under Article 4(24), it determined that it could not, on the basis of the factual elements in the Draft Decision or in the objections themselves, establish the existence of such further (or alternative) infringements.
Finally, and with regard to the objections raised by CSAs in respect of the administrative fine imposed, the EDPB found that certain of these objections were relevant and reasoned under Article 4(24). As such, the EDPB issued a binding direction to the Commission to reassess the elements that it had relied upon to calculate the amount of the fine (under Article 83(2) GDPR) and to amend its Draft Decision by increasing the level of the fine. (For further detail on the EDPB Decision, please refer to the EDPB website where the EDPB Decision is published).
Decision under Section 111 of 2018 Act
The Commission adopted its final Decision (‘the Decision’) on the basis of the EDPB Decision, pursuant to Article 60(7) in conjunction with Article 65(6), on 9 December 2020. In finding that TIC had infringed both Article 33(1) and Article 33(5), the Commission imposed an administrative fine of $500,000 (estimated for this purpose at €450,000) which reflected an increase in the level of the proposed administrative fine set out in the Draft Decision, in accordance with the direction of the EDPB. In determining this fine, the Commission ensured, as it is required to do under Article 83(1) GDPR, that the fine imposed was effective, proportionate and dissuasive. In this regard, in deciding to impose a fine and in determining the amount of same, the Commission considered the full range of factors under Article 83(2) GDPR in the context of the circumstances of this particular case. In doing so, the Commission had particular regard to the nature, gravity and duration of the infringements concerned, taking account of the nature, scope and purpose of the processing and the number of data subjects affected. The Commission also had regard to the negligent character of the infringements. In setting the fine, the Commission also took account of certain other factors, including the steps that had been taken by Twitter Inc. to rectify the bug.
In reaching its decision in this case, the Commission also highlighted that controller compliance with the obligations under Article 33(1) and Article 33(5) is of central importance to the overall functioning of the supervision and enforcement regime performed by data protection authorities.
For more information, you can download a copy of the full decision at this link: Twitter International Company (‘TIC’) - December 2020 (PDF, 2,014 KB).
Decision concerning Groupon International Limited
Acting in its capacity as lead supervisory authority, the DPC commenced an examination of a complaint originally received by the Polish Data Protection Authority. The complaint concerned cross-border processing in which the DPC was competent to act as lead supervisory authority. This complaint concerned Groupon’s practice at the time of the complaint of requiring data subjects to verify their identity with an electronic copy of a national identity card. This requirement applied when data subjects made certain requests, including requests for erasure of personal data, but the requirement did not apply when data subjects created a Groupon account. The decision-making followed the procedure set out in Article 60 of the GDPR for cross border processing. The procedure included an examination of the complaint by the DPC, including an attempt to amicably resolve the complaint; a Draft Decision circulated amongst the Concerned Supervisory Authorities; the DPC’s careful consideration of each relevant and reasoned objection received; a Revised Draft Decision circulated amongst the Concerned Supervisory Authorities; the adoption of the Final Decision; and finally the Polish Data Protection Authority was responsible for informing the complainant of the decision.
- The decision found that Groupon infringed the principle of data minimisation in Article 5(1)(c) GDPR by requiring the complainant to verify their identity by submitting a copy of a national ID document in circumstances where a less data-driven solution to the question of identity verification (namely by way of confirmation of email address) was available to Groupon.
- The decision also found that Groupon infringed Articles 12(2), 17(1)(a) and 6(1) in the circumstances of the complainant’s case.
- The decision also reprimanded Groupon in respect of the infringements.
For more information, you can download a copy of the full decision at this link: Groupon International Limited - December 2020 (PDF, 1,227 KB).
Inquiry into University College Dublin
This inquiry was commenced in respect of seven personal data breaches that University College Dublin (‘UCD’) notified to the DPC between 8 August 2018 and 21 January 2019. The personal data breaches concerned instances where unauthorised third parties accessed UCD email accounts, or where the login credentials for UCD email accounts were posted online.
- The decision found that UCD infringed Articles 5(1)(f) and 32(1) of the GDPR by failing to process personal data on its email service in a manner that ensured appropriate security of the personal data using appropriate technical and organisational measures.
- The decision found that UCD infringed Article 5(1)(e) of the GDPR by storing certain personal data in an email account in a form which permitted the identification of data subjects for longer than necessary for the purpose for which the personal data were processed.
- The decision found that UCD had infringed Article 33(1) of the GDPR by failing to notify one of the personal data breaches to the DPC without undue delay. This personal data breach was notified 13 days after UCD became aware of it.
The corrective powers exercised
- The decision imposed an administrative fine on UCD in the amount of €70,000 in respect of the infringements.
- The decision ordered UCD to bring its processing operations concerning its email service into compliance with Articles 5(1)(f) and 32(1) of the GDPR.
- The decision issued UCD with a reprimand in respect of the infringements.
For more information, you can download a copy of the full decision at this link: University College Dublin - December 2020 (PDF, 1,347 KB).
Decision concerning Ryanair DAC
Acting in its capacity as lead supervisory authority, the DPC commenced an examination of a complaint originally received by the U.K. Data Protection Authority. The complaint concerned cross-border processing in which the DPC was competent to act as lead supervisory authority. The complaint concerned a subject access request made by the complainant to Ryanair. Ryanair provided the complainant with certain personal data on foot of the request. However, it failed to provide the complainant with a copy of a recording of a call that the complainant had made. Due to the delay on Ryanair’s part in processing the request, Ryanair had since deleted the call recording in accordance with company policy and it had been unable to retrieve it.
The decision-making followed the procedure set out in Article 60 of the GDPR for cross border processing. The procedure included an examination of the complaint by the DPC, including an attempt to amicably resolve the complaint; a Draft Decision circulated amongst the Concerned Supervisory Authorities; the DPC’s careful consideration of each relevant and reasoned objection received (in this case, the DPC followed certain of the relevant and reasoned objections received and declined to follow certain others); a Revised Draft Decision circulated amongst the Concerned Supervisory Authorities; the adoption of the Final Decision; and finally the U.K. Data Protection Authority was responsible for informing the complainant of the decision.
- The decision found that Ryanair infringed Article 15 of the GDPR by failing to provide the complainant with a copy of their personal data that was undergoing processing at the time of the request.
- The decision also found that Ryanair infringed Article 12(3) of the General Data Protection Regulation by failing to provide the complainant information on action taken on their request under Article 15 within the statutory timeframe of one month.
- The decision also reprimanded Ryanair in respect of the infringements.
For more information, you can download a copy of the full decision at this link: Ryanair DAC - November 2020 (PDF, 150 KB).
Inquiry into Waterford City and County Council
This inquiry is one of a number of own-volition inquiries into a broad range of issues pertaining to surveillance technologies deployed by State authorities. The findings made in the decision include:
- Findings that the Litter Pollution Act 1997 and the Waste Management Act 1996 do not provide a lawful basis for Waterford City and County Council’s use of covert CCTV and dash cams to detect illegal littering and dumping. The DPC comprehensively considered these Acts and found that they do not regulate this processing of personal data as is required by the Law Enforcement Directive, as transposed by the Data Protection Act 2018. Furthermore, the decision found that the Acts do not meet the standards of clarity, precision, and foreseeability in respect of such processing as required by the case law of the Court of Justice of the European Union and the European Court of Human Rights.
- A finding that Waterford City and County Council’s use of certain CCTV cameras for crime prevention and investigation is unlawful in the absence of authorisation from the Garda Commissioner in accordance with Section 38 of An Garda Síochána Act 2005.
- A finding that Waterford City and County Council and An Garda Síochána are joint controllers in respect of certain CCTV cameras authorised under Section 38(3)(c) of An Garda Síochána Act 2005. In this regard, the decision found that Waterford City and County Council infringed Section 79 of the Data Protection Act 2018 by failing to implement an agreement in writing with An Garda Síochána.
- The other findings in the decision include infringements relating to the adequacy of Waterford City and County Council’s policy in respect of its use of drones for monitoring compliance on permitted waste sites and preventing dumping on illegal waste sites, and its obligation to maintain a data log for specific accesses to CCTV recordings.
The corrective powers exercised:
- A temporary ban on the processing of personal data through certain specified CCTV cameras, covert CCTV cameras, and dash cams for law enforcement purposes.
- Orders to Waterford City and County Council to bring its processing of personal data into compliance by taking certain action specified in the decision.
- Reprimands in respect of Waterford City and County Council’s infringements.
For more information, you can download a copy of the full decision at this link: Waterford City and County Council - October 2020 (PDF, 1,251 KB).
Inquiries concerning the Health Service Executive
Date of Decisions: 18 August 2020 & 29 September 2020
The DPC commenced inquiry IN-19-9-1 in respect of one personal data breach notified by the HSE to the DPC. The personal data breach occurred when documentation containing the personal data of 78 individuals, including special category personal data in respect of 6 of those data subjects, was disposed of in a public recycling centre. The list was created in Cork University Maternity Hospital, but was discovered by a member of the public in a public recycling area in Cork County.
- The decision found that the HSE infringed Articles 5(1)(f) and 32(1) of the GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its use and disposal of hardcopy documents containing patients’ personal data.
The DPC commenced Inquiry IN-19-9-2 in respect of a personal data breach that the HSE notified to the DPC on 1 May 2019. The personal data breach occurred when a member of the public found documentation that contained the personal data of 15 data subjects, including data relating to clinical information and treatments received. The documents were created in Our Lady of Lourdes Hospital, but were discovered by a member of the public in their front garden.
- The decision found that the HSE infringed Articles 5(1)(f) and 32(1) of the GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its use and disposal of hardcopy documents containing patients’ personal data.
The corrective powers exercised
- Decision IN-19-9-1 imposed an administrative fine of €65,000 on the HSE for its infringements of Articles 5(1)(f) and 32(1) of the GDPR.
- Decision IN-19-9-1 ordered the HSE to bring its processing operations regarding the use and disposal of hardcopy documents containing patients’ personal data into compliance with Articles 5(1)(f) and 32(1) of the GDPR.
- Decision IN-19-9-1 issued the HSE with a reprimand in respect of its infringements of Article 5(1)(f) and 32(1) of the GDPR.
- Decision IN-19-9-2 did not exercise further additional corrective powers in light of how decision IN-19-9-1 addressed the circumstances of the same infringements as were subsequently also identified in decision IN-19-9-2. Both decisions also concern the same processing operations, undertaken by the same controller, and concern the same time period.
For more information, you can download a copy of the full decision at this link: Health Service Executive - August and September 2020 (PDF, 1,866 KB).
Inquiry into Tusla Child and Family Agency
This inquiry was commenced in respect of 71 personal data breaches notified by Tusla to the DPC. The decision considered a broad range of Tusla’s processing operations and the findings included:
- Five distinct findings of infringements of Article 32(1) of the GDPR in respect of Tusla’s obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its various processing operations.
- A finding that Tusla infringed Article 32(4) of the GDPR by failing to take steps to ensure that any natural person acting under its authority does not process personal data except on instructions from Tusla.
- A finding that Tusla infringed Article 5(1)(d) of the GDPR on four occasions by failing to ensure that the personal data that it processed was accurate and, where necessary, kept up to date.
- A finding that Tusla infringed Article 33(1) of the GDPR on eight occasions by failing to notify the personal data breaches without undue delay.
The corrective powers exercised
- The decision imposed two distinct administrative fines on Tusla for its infringements of Article 32(1) and Article 33(1) in circumstances where some of the processing operations under consideration were not “the same or linked processing operations” within the meaning of Article 83(3) of the GDPR. The fines were €50,000 and €35,000 respectively.
- The decision ordered Tusla to bring its processing operations identified in the decision into compliance with Article 32(1) of the GDPR by implementing appropriate organisational measures to ensure a level of security appropriate to the risks.
- The decision issued a reprimand to Tusla regarding its infringements of Articles 5(1)(d), 32(1), 32(4), and 33(1) of the GDPR.
For more information, you can download the full decision at this link: Inquiry into Tusla Child and Family Agency - August 2020 (PDF, 1.92 MB).
Inquiry into Tusla Child and Family Agency
This inquiry was commenced in respect of one personal data breach notified by Tusla to the DPC. The personal data breach occurred when a social worker for Tusla wrote a safeguarding letter to the ex-partner of an individual against whom abuse allegations had been made. The purpose of this letter was to inform the ex-partner about the alleged abuse and to advise her of safeguarding procedures to ensure ongoing safety. However, the letter contained the names of three individuals who made the allegations and details of the allegations made. The ex-partner subsequently shared a photograph of the safeguarding letter on social media.
- The decision found that Tusla infringed Article 32(1) of the GDPR by failing to implement appropriate organisational measures to ensure a level of security appropriate to the risk presented by its safeguarding letters processing operation.
- The decision also found that Tusla infringed Article 33(1) of the GDPR by failing to notify the DPC of the breach without undue delay.
The corrective powers exercised
- The decision imposed an administrative fine of €40,000 on Tusla for its infringements of Article 32(1) and Article 33(1).
- The decision ordered Tusla to bring its processing operations into compliance with Article 32(1) of the GDPR by implementing appropriate organisational measures to ensure a level of security appropriate to the risk.
- The decision issued Tusla with reprimands in respect of the infringements of Articles 32(1) and 33(1) of the GDPR.
For more information, you can download the full decision at this link: Inquiry into Tusla Child and Family Agency - May 2020 (PDF, 1.90 MB).