Case Studies Transparency

Use of employee’s swipe-card data for disciplinary purposes

The complainant in this case was an employee who was the subject of disciplinary proceedings by their employer. An aspect of those proceedings concerned the complainant’s time keeping, and the employer sought to rely on swipe-card data derived from the complainant’s entry into and exit from the workplace during the relevant period. As a result of an internal appeal process, the employer subsequently agreed not to use the data for this purpose and removed it from the complainant’s disciplinary record. However, the complainant asked the DPC to continue its investigation of the complaint.

The DPC’s investigation focused on the data protection principle that data must be obtained and processed fairly. This includes an obligation to give data subjects information including the purpose or purposes for which the data are intended to be processed.

In this case, the employer had not informed the complainant of the use of swipe-card data for the purpose of disciplinary proceedings. (During the investigation, the employer informed the DPC that the complainant’s case was the only one in which it had used swipe-card data for disciplinary purposes.) Similarly, the employer had not informed the complainant or other employees that swipe-card data collected in the workplace was intended to be used for time-keeping purposes.

The employer had failed to inform the complainant about the use of swipe-card data for time-keeping and disciplinary purposes. The DPC therefore concluded that the employer had not obtained and processed that data fairly.

This case demonstrates the importance of fairness and transparency in protecting data protection rights. Controllers such as employers may have valid legal bases for processing personal data, whether on grounds of performance of contract, legitimate interest or otherwise. However, the principles of data protection set out in Article 5 of the GDPR must be observed regardless of the legal basis that is relied on.

Processing of health data

The complainant was a member of an income protection insurance scheme and had taken a leave of absence from work due to illness. The income protection scheme was organised by the complainant’s employer. In order to claim under the scheme, the complainant was required to attend medical appointments organised by an insurance company. Information relating to the complainant’s illness was shared by the complainant with the insurance company only. However, a third-party company (whose involvement in the claim was not known to the complainant) forwarded information to the complainant’s employer regarding medical appointments that the complainant was required to attend. The information included the area of specialism of the doctors in question.

It was established that the insurance company was the data controller as it controlled the contents and use of the complainant’s personal data for the purposes of managing and administering the complainant’s claim under the insurance scheme. The data in question included details of the complainant’s illness, scheduled medical appointments and proposed treatment and was deemed to be personal data because the complainant could be identified from it and it related to the complainant as an individual.

During the course of the investigation, the data controller argued that the complainant had signed a form, which contained a statement confirming that the complainant gave consent to the data controller seeking information regarding the complainant’s illness. When asked by the DPC to clarify why it had shared the information regarding the complainant’s medical appointments with the third-party company (which was the broker of the insurance scheme), the data controller advised it had done so to update the broker and to ensure that matters would progress swiftly.

The data controller had a legislative obligation to provide the complainant with certain information. In particular, the data controller was obliged to inform the complainant as to the recipients or categories of recipients of the complainant’s personal data. The DPC pointed out that, while the data controller had notified the complainant that it might seek personal data relating to them, it had failed to provide sufficient information to the complainant as regards the recipients of the complainant’s personal data.

Data protection legislation also requires that data kept by a data controller be adequate, relevant and limited to what is necessary in relation to the purposes for which the data were collected. The DPC examined the reason given by the data controller for disclosing information about the nature of the complainant’s medical appointments (i.e. to update the broker and to ensure matters progressed smoothly). The DPC was of the view that it was excessive for the data controller to disclose information regarding the specific nature of the medical appointments, including the specialisms of the doctors in question, to the third-party company.

The DPC pointed out that, under data protection legislation, data concerning health is afforded additional protection. The DPC was of the view that, because the information disclosed by the data controller included details of the specialisms of the doctors involved, it indicated the possible nature of the complainant’s illness and thus benefitted from that additional protection.

The DPC confirmed that, because of the additional protection, there was a prohibition on processing the data in question unless one of a number of specified conditions applied. For example (and of relevance here), the personal data concerning health could be legally processed if the complainant’s explicit consent to the processing was provided to the data controller. The DPC then considered whether the complainant signing the claim form (containing the paragraph about consent to the data controller seeking information, as described above) could be said to constitute explicit consent to the processing (disclosure) of the information relating to the complainant’s medical appointments. The DPC noted that it could be said that the complainant’s explicit consent had been given to the seeking of such information by the data controller. However, the complainant had not given their explicit consent to the giving of such information by the data controller to third parties. On this basis, the DPC held that a further contravention of the legislation had been committed by the data controller in this regard.

Under Article 13 of the GDPR, where personal data are collected from a data subject, the data controller is required to provide the data subject with certain information at the time the personal data are obtained, such as the identity and contact details of the data controller and, where applicable, its Data Protection Officer, the purpose and legal basis for the processing and the recipients of the data, if any, as well as information regarding the data subject’s rights. This information is intended to ensure that personal data are processed fairly and transparently. Where the personal data have been obtained otherwise than from the data subject themselves, additional information is required to be provided to the data subject under Article 14 of the GDPR. This information must be given in a concise, transparent, intelligible and easily accessible form.

Additionally, the data minimisation principle under Article 5(1)(c) requires that personal data be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This means that the period for which personal data are stored should be limited to a strict minimum and that personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.

Finally, data controllers should note that personal data concerning health is considered a “special category of personal data” under Article 9 of the GDPR and is subject to specific rules, in recognition of its particularly sensitive nature and the particular risk to the fundamental rights and freedoms of data subjects which could be created by the processing of such data. The processing of medical data is only permitted in certain cases as provided for in Article 9(2) of the GDPR and sections 45 to 54 of the Data Protection Act 2018, such as where the data subject has given explicit consent to the processing for one or more specified purposes.

Reliance on consent in the use of child’s photograph in the form of promotional material by a State Agency

We received a complaint from a parent in respect of their child. The parent had attended a festival organised by a state agency with their child, where a professional photographer took the child’s photograph. The following year the state agency used this photograph in promotional material. The child’s parent, while accepting that they had conversed with the photographer, had understood at the time of the photograph that they would be contacted prior to any use of the image.

During the investigation, the state agency indicated that they had relied upon consent pursuant to section 2A(1)(a) of the Acts as the photographer had obtained verbal permission from the child’s parent. However, the state agency also accepted that it was not clear to the child’s parent that the image would be used for media/PR purposes. The state agency further accepted that the parent was not adequately informed regarding the retention of the image. The DPC welcomed the state agency’s indications that it would immediately review its practices and procedures.

In conclusion, the DPC found that the state agency had not provided the child’s parent with adequate information in order to consent to the processing of the image used in promotional material.

Provision of CCTV footage by a bar to an employer

We received a complaint against a city-centre bar, alleging that it had disclosed the complainant’s personal data, contained in CCTV footage, to his employer without his knowledge or consent and that it did not have proper CCTV signage notifying the public that CCTV recording was taking place.

During our investigation, we established that a workplace social event had been hosted by an employer organisation in the bar on the night in question. The complainant was an employee of that organisation and had attended the workplace social event in the bar. An incident involving the complainant and another employee had taken place in the context of that workplace social event and there was an allegation of a serious assault having occurred. An Garda Síochána had been called to the premises on the night in question and the incident had been reported for a second time by the then manager and headwaiter to the local Garda station the following day. We established that the employer organisation had become aware of the incident and had contacted the bar to verify the reports it had received. Ultimately the bar manager had allowed an HR officer from the employer organisation to view the CCTV footage on the premises. The HR officer, upon viewing the CCTV footage, considered it a serious incident and requested a copy of the footage so that the employer organisation could address the issue with the complainant. The bar manager allowed the HR officer to take a copy of the footage on their mobile phone as the footage download facility was not working.

The Data Protection Commission (DPC) considered whether there was a legal basis, under the grounds of the ‘legitimate interests’ of the data controller or a third party under Section 2A(1)(d) of the Acts, for the bar to process the complainant’s personal data by providing the CCTV footage to the employer organisation. This provision allows for processing that is ‘necessary for the purposes of the legitimate interests pursued by the data controller or by a third party or parties to whom the data are disclosed except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject’.

In its analysis of this case, the DPC had regard to the judgment of the CJEU in the Riga regional security police case, in which the CJEU considered the application of Article 7(f) of the Data Protection Directive (95/46/EC), on which Section 2A(1)(d) of the Acts is based, and identified three cumulative conditions that processing must meet in order to be justified on this ground:

  1. There must be the existence of a legitimate interest justifying the processing;
  2. The processing of the personal data must be necessary for the realisation of the legitimate interest; and
  3. That interest must prevail over the rights and interests of the data subject.

The DPC established during its investigation that, arising from the incident in question, there was an allegation of a serious assault committed by the complainant against a colleague and the bar had provided a copy of the CCTV footage to the complainant’s employer so that the employer could properly investigate that incident and the allegations made. The DPC took into account that as the incident had occurred during the employer organisation’s workplace social event, the employer might have been liable for any injuries to any employee that could have occurred during the incident. Accordingly, the CCTV was processed in furtherance of the employer organisation’s obligation to protect the health and safety of its employees. As the CJEU has previously held that the protection of health is a legitimate interest, the DPC was satisfied that there was a legitimate interest justifying the processing. The DPC also considered that the disclosure of the CCTV in this instance was necessary for the legitimate interests pursued by the employer organisation so that it could investigate and validate allegations of wrongdoing against the complainant. The DPC considered, in line with the comments of Advocate General Bobek in the Riga regional security police case, that it was important that data protection is not utilised in an obstructive fashion where a limited amount of personal data is concerned. In these circumstances, the DPC considered that it would have been unreasonable to expect the bar to refuse a request by the employer organisation to view and take a copy of the CCTV footage, against a backdrop of allegations of a serious assault on its premises, especially where the personal data had been limited to the incident in question and had not otherwise been disclosed.

On the question of balancing the interest of the employer organisation against the complainant’s rights and interests, the DPC had primary regard to the context of the processing, where the bar had received a request for the viewing and provision of footage of a serious incident on its premises, which it had deemed grave enough to report to An Garda Síochána. A refusal of the request might have impeded the full investigation of an alleged serious assault, and the employer organisation’s ability to protect the health and welfare of its employees. Accordingly, the DPC considered that it was reasonable, justifiable and necessary for the bar to process the CCTV footage by providing it to the employer organisation, and that the legitimate interest of the employer organisation took precedence over the rights and freedoms of the complainant, particularly given that the processing did not involve sensitive personal data and there had not been excessive processing.

On the facts, the DPC was also satisfied that the bar currently had adequate signage alerting patrons to the use of CCTV for the purpose of protecting staff and customers and preventing crime, and that in the absence of any evidence to the contrary offered by the complainant, the complainant had been on notice of the use of CCTV at the time in question.

In many of the complaints that the DPC handles, data subjects hold the mistaken belief that because they have not consented to the processing of their personal data, it is de facto unlawful. However, there are a number of legal bases other than consent that justify processing depending on the particular circumstances. With regard to the legitimate interests justification, the DPC will rigorously interrogate whether the circumstances of the processing satisfy the elements that the CJEU has indicated must be present for controllers to rely on this legal basis. Equally, however, the DPC emphasises that where the circumstances genuinely meet the threshold required for this justification, as per the sentiment of Advocate General Bobek of the CJEU, the protection of personal data should not disintegrate into the obstruction of genuine legitimate interests.

Case Studies Purpose Limitation

Processing of Special Category Data

This complaint concerned the processing of the complainant’s personal data (in this case, details about the nature of the complainant’s medical condition) by his employer, for the purpose of administering the complainant’s sick leave and related payments. In particular, the complainant raised concerns regarding the sharing of his medical records by the data controller (the employer), including with staff at the local office of the data controller where the complainant worked. The complainant highlighted his concerns to a senior official in the organisation. However, the view of the senior official was that the minimum amount of information necessary had been shared.

When a person’s personal data is being processed by a data controller, there are certain legal requirements that the data controller must meet. Of particular relevance to this complaint are the obligations (1) to process personal data fairly; (2) to obtain such data for specific purposes and to not further process it in a manner that is incompatible with those purposes; (3) that the data be relevant and adequate and the data controller not process more of it than is necessary to achieve the purpose for which it was collected; and (4) to maintain appropriate security of the personal data. As well as the rules that apply whenever personal data is being processed, because the personal data in this case concerned medical information (which is afforded even more protection under data protection legislation), there were additional requirements that had to be met by the data controller.

It was considered that the initial purpose of the processing of this personal data by the data controller was the administration of a statutory illness payment scheme. The DPC also found that the further processing of the complainant’s personal data for the purpose of managing employees with work-related stress or long-term sick leave and the monitoring of sick pay levels was not incompatible with the purpose for which the data was initially collected. Moreover, the DPC concluded that processing for the purpose of managing work-related stress and long-term sick leave and monitoring sick pay was necessary for the performance of a contract to which the data subject was a party, for compliance with a legal obligation to which the controller was subject, and for the purpose of exercising or performing a right or obligation which is conferred or imposed by law on the data controller in connection with employment.

It was, however, considered that the data processed by the local HR office (that is, the specific nature of the complainant’s medical illness) was excessive for the purpose of managing long-term sick leave and work-related stress leave and for monitoring sick-pay levels. Moreover, the DPC concluded that, on the basis that excessive personal data was disclosed by the shared services provider to the local HR office and further within that office, the level of security around the complainant’s personal data was not appropriate. Finally, it was considered that, in these circumstances, the data controller did not process the complainant’s personal data fairly. Therefore, the data controller was found to have contravened its data protection obligations.

Key Takeaway

  • Under the GDPR, special category personal data (such as health data) must be processed fairly in line with Article 5(1)(a).
  • It must be collected for a specified, explicit and legitimate purpose and not further processed in a manner incompatible with those purposes, in line with Article 5(1)(b).
  • It may be processed only in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, in line with Article 5(1)(f).
  • When processing special category data, controllers need to be conscious of the additional requirements set out in Article 9 of the GDPR.

Use of CCTV in the workplace

We received a complaint that concerned the use of CCTV cameras by the data controller in the complainant’s work premises, and the viewing of that CCTV footage (which contained personal data of the complainant, consisting of, among other things, images of the complainant) for the purpose of monitoring the complainant’s performance in the course of his employment with the data controller.

At the time of the complaint, the data controller had a CCTV policy in place, which stated that the reason for the CCTV system was security and safety. This was also stated on signage in place in areas where the CCTV cameras were in operation. The facts indicated that the purposes for which the complainant’s personal data was initially collected were security and safety. However, during a meeting with the complainant, a manager informed the complainant that CCTV footage containing the complainant’s personal data had been reviewed solely for the purposes of monitoring the complainant’s performance in the course of the complainant’s employment with the data controller. This purpose was not one of the specified purposes of processing set out in the CCTV policy and signage. The controller acknowledged that the use of the complainant’s personal data in this way was a contravention of its policies.

Where personal data is processed for a purpose that is different from the one for which it was collected, the purposes underlying such further processing must not be incompatible with the original purposes. In relation to the use of the complainant’s personal data, the purpose of monitoring their performance was separate and distinct from the original purposes of security and safety for which the CCTV footage was collected. On that basis, the processing of the complainant’s personal data contained in the CCTV footage for the purpose of monitoring performance was further processing for a purpose that was incompatible with the original purposes of its collection.

A further issue arose regarding the security around the manner in which the CCTV system and CCTV logs were accessed. In written responses to the DPC, the controller stated that, at the time of the complaint, access to CCTV footage was available on a standalone PC in the department, which did not require log-in information. The responses from the controller indicated that access to CCTV footage was not logged either manually or automatically. The absence of an access log for the CCTV footage was a deficiency in data security generally. Data controllers must implement appropriate technical and organisational measures, in line with Article 32 of the GDPR, in relation to conditions around access to personal data.

The CCTV policy has since been substantially revised and replaced by a new policy. The controller confirmed that the PC utilised has now been deactivated and removed. Access to CCTV recordings is now limited to a single individual in the specific unit and recordings are reviewed only in the event of a security incident or accident.

Of particular relevance in this type of situation are the obligations to process personal data fairly (Article 5(1)(a)), and to obtain such data for specific purposes and not further process it in a manner that is incompatible with those purposes (Article 5(1)(b)). Further, appropriate security measures should be in place to ensure the security of the personal data (Article 5(1)(f) and Article 32).

Case Studies Objection to Processing

Fair processing of personal data (Applicable Law — GDPR & Data Protection Act 2018)

A data subject issued a complaint to the Data Protection Commission (DPC) against their employer (data controller) regarding the processing of their personal data under the General Data Protection Regulation (GDPR). The data subject explained to the DPC that details of a confidential matter were given to a third party (a prospective employer) as part of a reference. Before contacting the DPC the data subject contacted the data controller to address their concerns, as they felt their personal data had been unlawfully processed; however, they did not receive a satisfactory response to their complaint.

The DPC notes that the provision of a reference about a staff member from a present/former employer, to a third party, such as a prospective employer, will generally involve the disclosure of personal data. The data subject mentioned that the data controller disclosed a confidential matter in the reference provided to the prospective employer.

As part of its examination, the DPC engaged with the data controller and shared the details of the data subject’s complaint. The data controller responded to the DPC and explained that it was relying on consent and legitimate interest for disclosing the confidential matter.

The data controller outlined that in balancing the data subject’s rights against the interests of the third party (and those to whom it provides care) it determined that it had a duty of care to ensure that the recipient of the reference (the prospective employer) received a reference which was true, accurate, fair and relevant to the role which the data subject had applied for. The data controller was satisfied that the data was processed fairly and in a transparent manner. It further stated that, due to the nature of the employment, it had a duty of care not only to the people it supports and its staff members, but also to prospective employers who provide support services to the same category of clients.

It is important to consider whether the status of the data controller, the applicable legal or contractual obligations (or other assurances made at the time of collection) could give rise to reasonable expectations of stricter confidentiality and stricter limitations on further use. The DPC has taken into consideration whether the data controller could have achieved the same result without disclosing the confidential details to the prospective employer. The statements made in the reference were based on facts, which could be proven and were necessary to achieve the legitimate interests of and the duty of care of the data controller’s clients.

The DPC was satisfied that, despite the duty of confidence, and in circumstances where the data subject had nominated the data controller to provide the reference (and had thus consented to the sharing of the data subject’s relevant personal data with a prospective employer), the prospective employer’s legitimate interest and the wider public interest justified the disclosure of the confidential matter.

Having examined the matter thoroughly, the DPC advised the data subject under section 109(5)(c) of the 2018 Act that the explanation put forward by the data controller in the circumstances of this complaint was reasonable and that no unlawful processing had occurred. Accordingly, no further action against the data controller was considered necessary in relation to the data subject’s complaint.

Unlawful processing of special category data

A data subject issued a complaint to the Data Protection Commission (DPC) against their employer (data controller) regarding the processing of their health data under Article 9 of the General Data Protection Regulation (GDPR). The data subject explained to the DPC that they had been signed off work by their GP and so presented their medical certificate to their employer, in an envelope addressed to the organisation’s Medical Officer. A staff member in an acting-up manager role opened the medical certificate; however, this person’s role was not that of a medical officer. Before contacting the DPC the data subject contacted their employer to address their concerns that their sensitive personal data had been unlawfully processed; however, they did not receive a response to their complaint.

As part of its examination, the DPC engaged with the data controller and shared the details of the data subject’s complaint. The data controller responded to the DPC and explained that, as per the organisation’s Standard Operating Procedures, as there was no medical officer on duty on the day in question, the responsibility and authority for granting leave, sick or otherwise, automatically fell to the manager on the day, who in this instance was the manager who processed the medical certificate. The data subject did not accept the explanation provided by the data controller and contended that a medical certificate should not be processed by anyone who is not the designated medical officer.

Through its examination, the DPC found that, under Articles 6(1)(b), (c) and (f) and Article 9(2)(b) of the GDPR, the data controller had legitimate bases to process the data subject’s sensitive personal data and so no unlawful processing had occurred. No further action against the data controller was considered necessary in relation to the data subject’s complaint.

Unlawful processing and disclosure of special category data

A data subject submitted a complaint to the Data Protection Commission (DPC) against their bank (the data controller) as they believed their personal data was processed unlawfully. The data subject explained that they held a mortgage with the data controller, and this mortgage was sold to another bank, as part of a loan sale agreement. The data subject complained that this sale was processed without their prior knowledge or consent and was specifically concerned about the data controller sharing their personal email address and mobile phone number with another bank as they deemed this as an excessive disclosure of personal data. While the data subject did not object to their name, address or landline number being shared, they believed their email address and mobile phone number were “sensitive” personal data and the disclosure of same was disproportionate.

Prior to contacting the DPC, the data subject engaged with the data controller directly regarding their complaint. The data controller responded to the data subject and advised that their lawful basis for processing their personal data was Article 6(1)(f) of the General Data Protection Regulation (GDPR) which states: “Processing is necessary for the purposes of the legitimate interests pursued by the controller.”

Upon commencing its examination, the DPC shared the data subject’s complaint with the data controller and requested a detailed response. The data controller informed the DPC that its Data Privacy Notice, a copy of which is provided to its customers, states that the data controller may sell assets of the company in order to manage its business. This is also further detailed in the loan offer letter to mortgage applicants.

In relation to the sharing of excessive personal data, the data controller outlined that it does not consider an email address or a mobile phone number to be sensitive information, nor do they fall under the special categories of personal data under Article 9 of the GDPR. The DPC advised that while consent is one of six lawful bases for processing personal data, it is lawful to process personal data without prior consent once one of the five other bases listed in Article 6 of the GDPR is met. In this instance the data controller was relying on Article 6(1)(f) and as such was required to conduct a balancing test to ensure that the legitimate interests pursued by the controller are not overridden by the interests, rights or fundamental freedoms of the data subject. The data controller confirmed to the DPC that it had conducted a balancing test and that the processing of personal data, in this instance, did not override the interests, rights or fundamental freedoms of the data subject.

The data controller further explained that it was necessary to share the data subject’s contact information with the other bank as it was the new data controller for the data subject’s loan. The data controller also clarified that it does not differentiate between different types of contact information, i.e. landline and mobile numbers, as this information was provided to the data controller for the purpose of contacting customers. As such, this information is required by the bank managing the loan. Article 9 of the GDPR describes special category personal data as:

“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”

As such, the DPC clarified to the data subject that mobile numbers and email addresses do not fall into this category. Under section 109(5)(c) of the 2018 Act the DPC advised the data subject that, having examined their complaint, the DPC found no evidence that their personal data was processed unlawfully. The data controller relied on a legitimate basis to process the data, did so in a transparent manner, and kept the data subject fully informed at all key stages of the sale, so it was conducted with the data subject’s prior knowledge. The DPC did not consider any further action necessary at the time of issuing the outcome.