Case Studies Disclosure / Unauthorised Disclosure

Disclosure of health and financial data to a third party

An individual submitted a Freedom of Information (‘FOI’) request to their former employer, a State Agency. Once in receipt of the response to the FOI request, the individual became aware that the State Agency had disclosed their financial data and special category personal data, namely health data, to a connected third party. The individual subsequently submitted a complaint to the DPC in relation to this disclosure.

The DPC examined whether the State Agency had lawfully processed the individual’s personal data, and had done so in a non-excessive manner, when a staff member of the State Agency disclosed the individual’s health and financial data to a connected third party.

In this case, the individual had communicated with a member of the Human Resources (‘HR’) department, acting in their official capacity, highlighting issues connected with the individual’s health, financial status and personal life. Owing to issues connected to their health, the individual was regularly in contact with the HR staff member in that official capacity.

Following a meeting between the individual and the HR staff member, the HR staff member emailed a summary of what had been discussed to a connected third party, namely a member of the Civil Service Employee Assistance Service (‘CSEAS’). The CSEAS provides an internal Employee Assistance Programme to civil service staff, to which employees can refer themselves by contacting the service. It is a shared service used by all State Agencies for the benefit of all employees, promoting employee wellness and organisational effectiveness.

During the examination of this complaint, the State Agency maintained that the sharing of the individual’s personal data by the HR staff member with the CSEAS member was lawful, on the following grounds:

  • the individual had shared the personal data freely with the HR staff member and had accordingly consented to the processing;
  • overlapping services and consultation between the HR staff member and the CSEAS in relation to an employee would be normal;
  • both the HR staff member and the CSEAS member operate under strict confidentiality in the performance of their duties; and
  • what the individual had shared with the HR staff member was so concerning that the HR staff member had to disclose it urgently to the CSEAS member in order to seek appropriate guidance and support to assist the individual.

Accordingly, the State Agency’s position was that there was no prohibition on the disclosure.

Notwithstanding that the HR staff member had a genuine concern for the health and welfare of the individual, the DPC found that the circumstances did not meet the degree of urgency associated with protecting life (the ‘vital interests’ basis). Rather, the processing occurred because the HR staff member sought direction and guidance from the CSEAS member on how to deal urgently with the issues the individual had raised.

The DPC also found that the State Agency could not rely on having obtained the consent of the individual to process their personal data in this manner, as although the individual shared the personal data freely with the HR staff member, they did not consent to the HR staff member disclosing this personal data to the CSEAS member.

The State Agency did not put forward any other lawful basis for the processing. The DPC therefore found that the State Agency had no lawful basis for the processing and that the processing was accordingly unlawful.

Turning to the principles relating to the processing of personal data, the DPC found that the State Agency had obtained the personal data for a specified, explicit and legitimate purpose, namely to provide the individual with HR assistance regarding the issues they had raised with HR. Similarly, given the connected relationship between the HR staff member (acting in their official capacity) and the CSEAS member, the individual’s personal data was not further processed in a manner incompatible with the purpose for which it was obtained, as it was disclosed in order to provide the individual with assistance regarding the issues raised, which included employee wellness.

However, the DPC found that the State Agency disclosed more personal data than was required in order to seek, and provide, assistance to the individual. The State Agency therefore did not adhere to the principle of data minimisation; this shortcoming was identified by the DPC and accepted by the State Agency.

Key Takeaway

  • In an employment context, the need to share employees’ personal data with third parties frequently arises. This case illustrates that, to ensure such sharing complies with data protection requirements, ongoing training is necessary for all staff on their obligations under data protection law. Furthermore, controllers must conduct due diligence to satisfy themselves that all data processing activities comply with data protection law.
  • The DPC expects accountability on the part of controllers and when handling a complaint it will scrutinise explanations and reasons given by a controller in order to ensure that the position put forward is verifiable and defensible.

Case Studies Erasure

Non-compliance with an erasure request related to medical data

An individual contacted the DPC following the refusal of their erasure request by a health care provider. According to the individual, they had requested the erasure of all historic health records relating to them held by the health care provider, as the individual was of the opinion that the records were incorrect as they related to an alleged misdiagnosis.

As part of its examination of the complaint, the DPC requested that the health care provider set out its lawful basis for processing the individual’s health records, specifically in relation to Articles 6 and 9 of the GDPR. The health care provider advised that it was relying on Article 6(1)(e) of the GDPR for processing the individual’s personal data which states that processing shall be lawful if ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.

In relation to Article 9 of the GDPR, the health care provider stated that it continues to process the health records under Articles 9(2)(h) and (i) of the GDPR. Article 9(2)(h) of the GDPR states, ‘processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis…’. While Article 9(2)(i) of the GDPR states, ‘processing is necessary for reasons of public interest in the area of public health…’.

As part of their engagement with the health care provider, the individual provided it with a contradictory diagnosis from another health care provider, which the individual stated was evidence that the original diagnosis was incorrect. Having reviewed the documentation provided, the health care provider noted that a medical diagnosis is a medical opinion given at a point in time. Therefore, a medical opinion given at a different point in time cannot be accepted as evidence that a historic medical opinion was incorrect. The health care provider further advised that, while a medical condition may change over time, this does not eradicate the fact that an individual was, at one point, treated for a particular illness or given a certain diagnosis.

The DPC noted that, for the purposes of the GDPR, personal data is inaccurate if it is incorrect as to a matter of fact. However, based on the information available to the DPC, the personal data held on file by the health care provider, namely the original diagnosis, was not inaccurate, as it was the diagnosis actually given at that point in time. On this basis, the DPC found that the ground for erasure in Article 17(1)(a) of the GDPR (personal data no longer necessary for the purposes for which it was collected) did not apply and that the health care provider had a lawful basis for the continued processing of the individual’s health records.

In this regard, the processing of the personal data, in the form of retaining the original diagnosis, is still necessary in relation to the purposes for which the personal data was originally collected or otherwise processed. Further, the DPC found that the health care provider’s refusal to comply with the individual’s erasure request was consistent with Article 17(3)(c) of the GDPR, in that retention supports the comprehensive medical assessment and treatment of the individual.

Following the engagement of the DPC, the health care provider added a supplementary statement on the individual’s medical record to include the documentation provided by the individual, which would inform any future readers of the individual’s medical file of the individual’s opinion, and the contradictory diagnosis in relation to the medical diagnosis.

Note: Article 17(1)(a) of the GDPR states that a data controller shall erase personal data that is no longer necessary for its original purposes. However, Article 17(3)(c) of the GDPR excludes the application of Article 17(1) in circumstances where the processing is necessary, ‘for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3).’.

Key Takeaway

  • The DPC encourages individuals to raise data protection concerns directly with the controller in the first instance so that it can address them. Data controllers should have meaningful and efficient measures in place to deal with and address data protection complaints when raised with them directly by an individual.
  • This case study highlights that historic medical data is not rendered inaccurate, and so does not fall to be erased, merely because it records an opinion given at a point in time that a later opinion contradicts; a future opinion does not overwrite a historic opinion provided by a professional in their professional capacity. That said, there was scope to add a supplementary statement to the individual’s medical record reflecting the updated medical opinion, which the health care provider could have done without the individual having to resort to DPC intervention. The public interest may require health care providers to ensure that supplementary, up-to-date medical information is placed on an individual’s medical record.

Case Studies Erasure

Non-compliance with an erasure request associated with an online gambling account

An individual opened an online account with a bookmaker and deposited a sum of money into the account. Having attempted to download the application (‘app’) associated with the service, the individual quickly realised that the app was not compatible with their mobile phone. The following day the individual submitted an erasure request under Article 17 of the GDPR to the bookmaker. The bookmaker refused to comply with the erasure request, stating that it had legal obligations to retain the personal data because a deposit and withdrawal of funds had taken place on the account, thus making the individual a ‘customer’. The individual was dissatisfied with this response, as they did not agree that they were a ‘customer’ of the bookmaker, having placed no bets through the account, either online or through the app.

Following engagement with the DPC, the bookmaker advised that it could not erase the individual’s personal data as it was subject to anti-money laundering obligations under the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, which became applicable when the deposit and withdrawal of funds were made on the individual’s account.

The bookmaker outlined to the DPC that although it was legally obliged to retain the individual’s personal data it only retains the minimum amount that is necessary to fulfil this legal obligation in line with the principle of data minimisation as set out in Article 5(1)(c) of the GDPR.

Following its examination of the complaint, the DPC found that the organisation had demonstrated a valid lawful basis for the ongoing retention of the personal data. Nevertheless, the DPC issued recommendations to the organisation on its obligations to ensure that all processing is lawful and fair and that it is transparent about its processing activities.

Key Takeaway

  • Under the GDPR, a data controller must not only have a lawful basis for initially obtaining an individual’s personal data, but must also have an ongoing lawful basis under Article 6 for retaining it. Controllers need to ensure they are transparent when processing personal data.
  • A proactive approach on the part of data controllers when they receive a data protection request can often resolve matters and avoid the need to engage in a lengthy complaint handling process.

Case Studies Erasure

Complaint related to non-compliance with an erasure request to a prospective employer

This complaint concerned the alleged non-response to an erasure request made by an individual to a prospective employer pursuant to Article 17 of the GDPR.

Following receipt of the complaint, the DPC engaged with the individual and the prospective employer (the controller) in order to establish the subject matter of the complaint and to commence the amicable resolution process. Through this engagement, the DPC established that the individual had since received a response from the controller. However, the individual informed the DPC that, while the controller had erased their personal data, their job application ‘account’ was still active on the controller’s website.

Having established this was the case, the DPC contacted the controller, bringing their attention to the fact that information in relation to the account had not been erased. In their response, the controller acknowledged that the information had not been fully deleted, and advised that this was due to a technical error but that they would comply with the erasure request immediately.

Subsequently, the DPC was updated by the organisation concerned that they had since fully complied with the erasure request by deleting the account. The controller also advised that they had contacted the individual to confirm the action they had taken and apologised for the delay in removing the individual’s login credentials from their systems.

Key Takeaway

  • In this case, the DPC was able to quickly and effectively make the prospective employer aware that it had not fully completed the individual’s erasure request. The ability to contact and engage promptly with both parties resulted in an effective and speedy outcome. Most importantly, the individual was able to exercise their right to obtain from the controller the erasure of personal data concerning them, as afforded to them under the GDPR.
  • The DPC encourages individuals to contact the data protection officer or other designated data protection contact points within an organisation, as this can assist with the proper and efficient handling of any data protection requests.

Case Studies Erasure

An erasure request connected to a property sale

A prospective buyer initiated the facilitated purchase of a property through a real estate intermediary. Shortly after this, the vendor of the property withdrew from the sale. As part of the purchasing process, the prospective buyer had provided a copy of their ID, proof of address and bank details to the real estate intermediary. Following the breakdown in the process, the prospective buyer sought the erasure of their personal data pursuant to Article 17 of the GDPR.

The prospective buyer initially submitted this erasure request to the email address listed in the real estate intermediary’s privacy policy, but this ‘bounced back’ as the address was not active. The prospective buyer then sent the request to the primary email address of the real estate intermediary.

As no response was received from the real estate intermediary, the individual made a complaint to the DPC. Following the intervention of the DPC, the real estate intermediary engaged with the individual concerning their erasure request. However, during the complaint handling process, the DPC established that the organisation refused to comply with the erasure request. According to the organisation, it was relying on an obligation under the Property Services (Regulation) Act 2011, which created a legal requirement to retain the data for six years. The matter was referred to the Property Services Regulatory Authority for clarity, which advised that bank details were not covered by the wording of the Act and could be deleted on foot of an erasure request.

Following this confirmation, the DPC engaged with the real estate intermediary to ensure that the bank details were erased as part of the erasure request. The DPC informed the prospective buyer that certain other items of personal data, such as their name, address and contact details would not be erased as the real estate intermediary had a lawful basis to restrict the right of erasure in line with the Property Services (Regulation) Act 2011. The DPC also ensured that the real estate intermediary updated its privacy policy to accurately reflect the appropriate point of contact.

Key Takeaway

  • Organisations must ensure that they have an appropriate, monitored point of contact for facilitating the exercising of data protection rights.
  • Organisations should also ensure that any restrictions they place on the exercise of rights are valid and in line with any legislation pertinent to the sector in which they operate. This should be explained to the individual.

Case Studies Access Request Complaints

Enforcement Notice issued due to an incomplete response to an access request

The DPC received a complaint in which the complainant’s representative indicated that they wished to make a formal complaint regarding the delay by Tusla in releasing records containing their client’s personal data on foot of a subject access request. The representative further stated that a full response to the complainant’s access request had not been provided and that they had been receiving the records containing personal data in a piecemeal fashion for the previous two years. It was unclear to the complainant’s representative how much personal data remained outstanding in relation to their client’s access request.

The DPC commenced an examination of the complaint by contacting Tusla requesting that it provide the individual with a copy of all personal data held or controlled by it in relation to the individual or notify the individual of the refusal of the subject access request identifying any statutory restriction relied on by it to withhold their data.

Tusla responded indicating that it would be in a position to release personal data to the data subject within a specified timeframe. However, this deadline passed without the complete records containing personal data being released. Following further DPC engagement, Tusla outlined that, due to the volume of personal data involved, the personal data relating to the individual would issue in batches. This release would be subject to restrictions applied to third-party non-personal data, to personal data subject to legal professional privilege, and to personal data whose release would be in contempt of court proceedings.

The complainant’s representative later confirmed that they had received a portion of their client’s personal data, but advised that it was heavily redacted. The representative clarified which records containing the individual’s personal data remained outstanding and which they were seeking urgently. An extensive exchange of correspondence between Tusla and the DPC followed over an extended period, during which several deadlines were not met by Tusla in relation to the issuing of records containing personal data and/or responding to correspondence from the DPC and the data subject’s representative.

The DPC considered that an amicable resolution to this complaint was not achievable and considered it appropriate to conclude that process and issue an Enforcement Notice pursuant to Section 109(5)(d)(i) of the Data Protection Act 2018 to require the data controller to furnish the remaining records of personal data to the data subject within a specified timeframe. This notice informed Tusla of the following:

‘A person (being a data controller or data processor) who, without reasonable excuse, fails or refuses to comply with a requirement specified in an enforcement notice shall be guilty of an offence under Section 133 of the Data Protection Act 2018 and shall be liable (i) on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or (ii) on conviction on indictment, to a fine not exceeding €250,000 or imprisonment for a term not exceeding 5 years or both.’

The issuing of this Enforcement Notice resulted in the remaining records containing personal data issuing to the data subject within the timeframe specified in the Enforcement Notice.

Key Takeaway

  • The examination of this complaint involved extensive communication between the DPC, Tusla and the data subject’s representative. Had Tusla responded to the subject access request in an appropriate manner and within agreed timeframes, the issuing of an Enforcement Notice would not have arisen in this instance. This complaint demonstrates the consequences of a data controller failing to fulfil its obligations under Article 15 of the GDPR. Data controllers should consider these consequences upon receipt of a subject access request under Article 15 of the GDPR and work to ensure that the fundamental right of access is respected for all data subjects.
  • Organisations should again note that the DPC maintains a record of complaints received, and that this forms part of any consideration of potential future action, including proposals for the carrying out of an inquiry and the further exercising of formal powers.

Case Studies Access Request Complaints

Failure to respond to an Access Request

The DPC received a complaint from an individual who had made a subject access request to a state hospital for a copy of all information held concerning them. The individual did not receive a response to this request.

The DPC contacted the Data Protection Officer (DPO) for the Hospital Group and informed them of the complaint.

The DPC reminded the hospital of its GDPR obligations, drawing its attention to Article 12(3), under which controllers must respond to an individual’s subject access request within the statutory timeframe. As part of the engagement, the DPC stipulated a timeline for the hospital to respond to the individual and provide them with a copy of their personal data. The data controller complied with the DPC’s direction.

Key Takeaway

  • Organisations are required to have appropriate organisational measures in place to ensure that they are in a position to respond to any rights requests within the timeframes stipulated under the GDPR.
  • Organisations should note that the DPC maintains a record of complaints received which forms part of any consideration of potential future action, including proposals for the carrying out of an inquiry and the further exercising of formal powers such as reprimands.

Case Studies Access Request Complaints

Access Request Complaint where a fee was requested

The DPC received a complaint from an individual in relation to a subject access request made to a medical centre for a copy of their personal data. According to the individual, the medical centre had requested a fee to process the access request. Before contacting the DPC, the individual had already advised the medical centre that access to a copy of personal data is free under the GDPR and queried if the letter seeking a fee may have issued in error.

Following receipt of this complaint, the DPC corresponded with the medical centre to ascertain why it had sought a fee to process the subject access request and to seek confirmation that the subject access request had since been complied with.

The medical centre promptly reverted to the DPC, accepting that the request for a fee should not have been made. It further outlined that additional data protection training would be provided to staff regarding its obligations to patients making subject access requests. The medical centre also confirmed that a copy of the personal data had been furnished to the individual with its apologies. The individual confirmed to the DPC that they had received a copy of their personal data.

Key Takeaway

  • Under Article 15(3) of the GDPR, read with Article 12(5), a data controller, such as a medical centre, is obliged to provide a copy of the personal data free of charge. For any further copies of the personal data requested by the individual, the data controller may charge a reasonable fee based on administrative costs. However, this particular subject access request was not a repeat request and therefore there was no legal basis for a fee to be sought.

Case Studies Access Request Complaints

Access request seeking third party data

An individual submitted a subject access request to their former employer. This individual then raised a concern with the DPC querying whether the company was obliged to provide them with the names of all of the employees who had been involved in compiling the response to the subject access request.

The DPC assessed the legal framework surrounding this question and responded to the query with reference to paragraph 73 of the judgment of the Court of Justice of the European Union (CJEU) in Case C-579/21 and Article 15(4) of the GDPR. In this regard, the CJEU judgment had clarified that ‘the employees of the controller cannot be regarded as being ‘recipients’, within the meaning of Article 15(1)(c) of the GDPR [...] when they process personal data under the authority of that controller and in accordance with its instructions’.

Consequently, the DPC advised the individual that they were not entitled to a list of the names of the employees who had been involved in preparing their subject access request response under the category of ‘recipients’ as provided for in the GDPR under Article 15(1)(c) and Article 15(4) of the GDPR.

Key Takeaway

  • Individuals are only entitled to their own personal data when making an access request. An individual is generally not entitled to the names or other personal data of third parties, though this may be subject to further assessment in line with Article 15(1)(c) and Article 15(4) of the GDPR.

Case Studies General Accountability

Complaint of excessive personal data requested by a letting agent

An individual lodged a complaint with the DPC after they had viewed a rental property. In their complaint, they alleged that the letting agency had requested excessive personal data during the application process.

According to the individual, as they were unsuccessful in their application to rent the property, they made an erasure request to the letting agency under Article 17 of the GDPR for the deletion of their personal data. The letting agency responded to the individual advising that it had erased the personal data and confirmed that it had not shared personal data with any third parties. While the individual was satisfied with the response they received from the letting agent, they still had concerns regarding the amount of personal data that had been requested in the first instance. On this basis, they submitted a complaint to the DPC.

As part of the complaint handling process, the DPC contacted the letting agency requesting clarity on the different types of personal data it requested as part of the application process. The organisation confirmed that it requested copies of identification; proof of current address; employment and previous landlord references; two months’ bank statements; and a PPS number. The letting agency stated that the information was required to verify the identity of the applicant and to establish that the applicant could afford the property.

The DPC found that the organisation did not meet the principle of data minimisation under Article 5(1)(c) of the GDPR, which states: ‘personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’. The DPC determined that the volume of personal data requested from the individual as a prospective tenant was excessive for the initial stage of an application process.

Key Takeaway

  • To comply with data protection requirements, requesting and obtaining specific personal information from individuals for the purpose of considering them as likely tenants would be more appropriately confined to those who will be entering into the actual letting agreement, rather than requesting all information at the start of the process. More information on this subject matter can be found at: