Case Studies Electronic Direct Marketing
Prosecution of Supermac’s Ireland Limited
In August 2023, the DPC received a complaint from an individual regarding alleged unsolicited marketing SMS messages received from Supermac’s Ireland Limited. The DPC launched an investigation, in the course of which Supermac’s Ireland Limited explained that the individual had registered for their online ordering system in 2018 and had ticked the box to receive SMS and email marketing communications. The individual subsequently placed an online order in 2023 and was added to an active marketing list for SMS purposes.
The DPC requested that the individual’s details be removed from the active marketing list in August 2023. Supermac’s Ireland Limited confirmed to the DPC that the opt-out had been successful and the individual had been removed from their marketing list. However, the individual contacted the DPC again in October 2023 to inform the DPC that they had received a further marketing SMS from Supermac’s Ireland Limited, despite assurances that they had been removed from marketing lists. Upon further investigation, Supermac’s Ireland informed the DPC that, due to a technical error by their subcontractor, the individual’s phone number had not been removed properly.
The DPC’s investigation of this complaint established that Supermac’s Ireland Limited did not have valid consent to send electronic marketing communications to the individual concerned. As the DPC had issued a warning to the company in February 2023 with regard to a previous complaint, the DPC decided to prosecute the case.
On 3 September 2024 before Judge Fahy in Galway District Court, Supermac’s Ireland Limited pleaded guilty to five charges of sending unsolicited marketing SMS messages under Regulation 13(7) and Regulation 13(13)(a)(i) of S.I. No. 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. Galway District Court ordered the company to make a contribution of €3,500 to the Galway Simon Community and Cope Galway, in lieu of a conviction and fine. The company was also required to discharge the DPC’s legal costs.
Case Studies Electronic Direct Marketing
Prosecution of Pulse Gym trading as (Energie Fitness Dublin 8)
In October 2023, the DPC received notification from an individual regarding unsolicited marketing SMS messages received from Pulse Gym, trading as Energie Fitness Dublin 8. An investigation was launched during which Pulse Gym explained that when a member signed up online, they agreed to Pulse Gym’s terms and conditions, which included a reference to giving consent to receive marketing materials by electronic means.
The DPC requested a copy of the consent referred to under Article 7 of the GDPR, but Pulse Gym was unable to provide such a copy. The DPC highlighted that consent for marketing is required to be “freely given, specific, informed and unambiguous”, and that Pulse Gym was not permitted to “bundle” consent for processing of individuals’ personal data for different purposes.
Pulse Gym also confirmed during the investigation that the opt-out attempts made by the individual had not been implemented successfully, as there was a fault in the service provider’s software.
A warning had previously been issued to Pulse Gym following an investigation of a similar complaint in July 2023. As part of this warning, the DPC had made Pulse Gym aware of their requirements to ensure that their mailing list only contained details of individuals who had explicitly consented to receive marketing communications and to ensure their opt-out function was operational and opt-out requests were respected. However, upon receipt of this further complaint in October 2023, it became apparent that not all changes identified in the DPC’s warning letter had been implemented. As a result, the DPC decided to move to prosecution proceedings in this instance.
Pulse Gym pleaded guilty to one charge of sending unsolicited marketing SMS messages at Dublin Metropolitan District Court on 27th May 2024 under Regulation 13 of S.I. No. 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. In lieu of a conviction and fine, Judge Halpin applied the Probation Act and the company was instructed to make a donation of €700 to the Little Flower Penny Dinners charity and to pay the DPC’s legal costs in full.
Case Studies Accuracy
Rectification of personal data
An individual flew with an airline to a destination in Europe. On their return flight, the individual’s luggage was misplaced. After reporting the issue at the airport, they received a missing luggage slip that contained the name of a different individual but correctly listed the details of their missing luggage.
The individual promptly raised their concerns with the airline, seeking a resolution to ensure their luggage was properly tracked and identified. However, despite the customer’s efforts, the airline was unable to provide a satisfactory resolution, and refused to issue a new ticket reflecting their correct name on the luggage slip. This lack of resolution prompted the individual to escalate the matter further by filing a complaint with the DPC.
In response, the DPC liaised with the airline’s DPO to address the issue of the recording of incorrect personal data. The DPC emphasised the importance of accurate data handling and the implications of data errors on customer experiences. Through this intervention, the DPO worked swiftly to rectify the situation, ensuring that the individual received an updated luggage slip that included their correct name.
This updated slip was crucial for this individual as it allowed them to file a claim with their insurance provider for the lost luggage. The case highlights the importance of effective data management practices and serves as a reminder for organisations to prioritise accurate record-keeping and responsive customer service, especially in situations involving personal belongings.
Case Studies Erasure
Parent making an erasure request for child who is now an adult
A charity contacted the DPC seeking advice on a query they had received from a parent asking whether they could request the erasure of their child’s personal data. The data in question dated back several years when the child was a minor. However, the child was now an adult, and the parent, who was their guardian at the time, wanted to know if they could still request that the data be erased.
The DPC advised the charity that, under section 29 of the Data Protection Act 2018, a child is defined as an individual under the age of 18. This meant that, as the individual was now over 18, they were considered an adult and, therefore, had the full legal capacity to exercise their own data protection rights, including the right to request erasure of their personal data.
The DPC also clarified that while the parent could no longer directly request the erasure of the data on behalf of the now-adult child, the affected individual could choose to provide their parent with a signed letter of authority. This was an option that could be drawn to the attention of the now-adult child and their parent. Such a letter of authority would allow the parent to act on their behalf in making the data erasure request. The DPC reminded the charity that it was their responsibility to verify and ensure that any such request was valid under the circumstances.
The charity thanked the DPC for their response and confirmed that they would share the information with the individual who had initially contacted them. This guidance helped to ensure that both the individual’s rights and the role of the charity were clearly understood, while also acknowledging the potential complexities involved in handling requests from parents of adult children.
Case Studies Electronic Direct Marketing
Direct Marketing
An individual raised a query with the DPC concerning the marketing communication practices of an airline following a recent trip with that airline. The issue arose when the individual received an email requesting feedback on their recent trip, which they perceived to be a marketing email. The individual contacted the DPC advising that they could not find an unsubscribe option in this communication.
In an effort to resolve the issue, the individual had to navigate to the airline’s website to find the option to unsubscribe, a process they documented with an attached screenshot. Additionally, the individual expressed uncertainty about having signed up for this communication, as they noted being careful to avoid consent for unwanted marketing. The individual sought clarification on whether organisations are required to include an unsubscribe link in emails or surveys that are not directly related to a specific service, such as a flight.
In response to the individual, the DPC highlighted that, under Regulation 13 of the ePrivacy Regulations (S.I. 336/2011), as a general rule electronic direct marketing requires the affirmative consent of the recipient. Direct marketing can also be defined as communications aimed at promoting a product or service or encouraging additional enquiries from the recipient. The DPC further clarified that correspondence sent solely for informational or feedback purposes does not constitute direct marketing. However, if such communications included marketing content, they could be classified as direct marketing, thus necessitating the inclusion of an unsubscribe option.
In this particular scenario, having reviewed the communication message, the DPC noted that it did not include marketing content and that the organisation was only seeking feedback in order to improve the service offered. As such, the DPC determined that this communication did not constitute direct marketing or an infringement of data protection rights.
Case Studies Miscellaneous
Use of Personal Email in Work
An organisation in the voluntary sector became aware, in the course of an internal audit review, that an ex-employee had, during their employment, forwarded emails and attachments from their work account to their private email account. The emails contained personal data, including special category health data, under Article 9 of the GDPR, of a number of vulnerable individuals.
The DPC engaged with the organisation to establish the root cause of this breach and to ascertain what measures the organisation had in place in order to protect the rights and freedoms of the affected data subjects. The organisation carried out an investigation and received assurances from the ex-employee that the personal data had been deleted and was never shared with any third parties, and that they had used their personal email address for convenience in certain circumstances.
The organisation’s Data Protection Officer (DPO) also engaged with the organisation’s Head of IT to examine if technical measures could be implemented to reduce the risk of this issue reoccurring. All affected data subjects were notified and were advised that the DPO was available to assist them should they have any queries.
Following engagement with the DPC, the organisation implemented a number of solutions, both technical and organisational, to prevent this issue from occurring again. The organisation also launched an awareness campaign to remind all staff, volunteers and the Board of Directors of their responsibilities to keep personal data safe and private; and to ensure compliance with the organisation’s Data Protection Policy.
Case Studies Access Request Complaints
Access request redactions
The DPC received a complaint from an individual who had submitted an access request under Article 15 of the GDPR to their former employer (a public health organisation), who provided services in Home Support.
The organisation provided a response to the access request within the statutory period of one month of the date of the receipt of the request. In that response, the organisation had informed the individual that whilst it had endeavoured to comply with the access request, in so far as possible, there were some potential redactions under Article 15(4) of the GDPR that it would be seeking to rely on. The organisation provided the individual with some personal data which contained redactions.
Article 15(4) provides that the right to obtain a copy of personal data undergoing processing should not adversely affect the rights and freedoms of others.
The individual submitted a complaint to the DPC in relation to their concern regarding the organisation’s reliance on Article 15(4) of the GDPR. The individual also indicated their concern that the organisation had not released all the personal data.
The DPC advised the organisation that, before seeking to rely on that exemption, it needed to conduct a balancing exercise, weighing the individual’s right of access to their personal data against the identified risk to the third party that disclosure of the information might bring about. Under the GDPR, organisations should endeavour to comply with the request insofar as possible whilst also ensuring adequate protection for the rights and freedoms of others.
The DPC engaged with the organisation and requested it to release the personal data records to the individual that it had re-examined. The DPC also requested the organisation to confirm to the individual that it was not withholding any other documents containing personal data relating to them.
The organisation subsequently provided the DPC with a copy of its correspondence addressed to the individual confirming it had now released the personal data records in partially redacted format, which it had initially withheld. The organisation also confirmed to the individual that it held no further records relating to them. The individual was satisfied that all matters had been sufficiently resolved.
Following the intervention of the DPC, the organisation confirmed to the DPC that it had re-examined the records that it had initially released in fully redacted format, and following the review had released parts of the records, redacting data that was third party data.
Case Studies Access Request Complaints
Incomplete organisational search in response to an Access Request
The DPC received a complaint from an individual who had submitted an access request under Article 15 of the GDPR to a property management company. The individual was seeking access to any personal data processed by the organisation in relation to them. The organisation responded to the access request explicitly stating to the individual that it did not process any personal data in relation to the individual at the time the access request was made or any time before that.
During the assessment stage, the DPC raised queries with the individual regarding their relationship with the organisation in order to establish if they were a “data processor” or a “data controller” in this instance. Upon a review of the individual’s response and the supporting documentation they provided, the DPC established that the property management company was the appropriate “data controller” in relation to this complaint.
The DPC requested the organisation to provide further details in relation to the searches it carried out to identify any personal data belonging to the individual. In its initial response, the organisation advised that it had conducted a search of its ‘system’ and that the only personal data that could be identified was the initial request made by the individual. The DPC queried the searches completed and requested documentary evidence of the efforts made to locate the individual’s personal data including those conducted in other sections of the organisation.
The organisation responded with a comprehensive outline of the searches undertaken and provided the relevant supporting documentation. The DPC reviewed this correspondence and it subsequently identified three records containing the individual’s personal data (two (2) invoices & one (1) data entry on a software system) which had not been provided to the individual.
Following further engagement between the DPC and the organisation, the three outstanding documents containing the individual’s personal data were provided to the individual.
Case Studies Access Request Complaints
Withholding of records containing personal data
The DPC received a complaint from an individual regarding the withholding of records containing personal data in response to an access request. The individual had made an access request under Article 15 of the GDPR to a financial service provider, following the sale of the individual’s mortgage to the organisation.
The organisation advised that personal data was being withheld from the customer in line with Section 60(3)(b) of the Data Protection Act 2018 (DPA 2018). The organisation stated that “securitisation documents did not constitute [the complainant’s] personal data”.
The DPC informed the organisation as to the definition of personal data under Article 4(1) of the GDPR and that if any of the stated documents being withheld contained the individual’s personal data, clarification would be required as to the reliance on the restrictions applied. The DPC received a response from the organisation confirming that no personal data existed in the securitisation documents with additional reference to a “final response letter” that it issued to the individual. Subsequently, the DPC requested a copy of this “final response letter” and requested a list of alleged outstanding personal data or any further information as to the location of records containing personal data from the individual. The DPC also requested the organisation to outline specifically each record containing personal data being withheld and the legislative basis for doing so.
The organisation initially advised it was relying on sections 60(3) and 60(7) of the DPA 2018 for not releasing the documents. The DPC further probed the restrictions being applied by the organisation. On foot of this engagement, the organisation confirmed to the DPC that it would no longer be relying on any part of Section 60 of the DPA 2018 to withhold the individual’s personal data. In light of the DPC’s intervention, the organisation furnished the individual with their personal data, which had previously been restricted. Following this release of documents, the individual specified the existence of additional personal data and requested copies of mortgage statements from a specific year. The DPC queried this with the organisation, which then released this further personal data to the individual. The DPC determined that the organisation had failed to respond to the access request within the specified timeline under Article 12(3) of the GDPR.
Case Studies Access Request Complaints
Refusal of Access Request of a non-customer
The DPC received a complaint from an individual in relation to an access request made to an internet service provider. According to the individual, they rang the company regarding the possibility of switching broadband services and considered that the level of service received from the customer service agent was unsatisfactory. As a result, they made an access request for a copy of their personal data processed by the company.
In response to the individual’s access request, the company sought further information from the individual including an account number. The individual informed the company they could not supply an account number, as they were not a customer, merely a potential customer enquiring about switching their broadband service. In their response, the company advised the individual that without an account number they could not process the access request. On foot of this response, the individual proceeded to make a complaint to the DPC. Following receipt of this complaint, the DPC corresponded with the internet service provider to ascertain why the access request could not be processed without an account number, and to seek compliance with the individual’s access request.
The company promptly responded to the DPC accepting that the agent who responded to the individual should not have informed them that they could not process the access request. They also outlined that the agent involved did not follow the correct process for dealing with access requests from non-customers, and advised that additional data protection training would be provided to the agent. The company also provided the individual with a copy of their personal data. The individual confirmed that while they did receive a copy of their personal data, the matter was only resolved following the DPC’s intervention.