Case Studies Objection to Processing

Unlawful processing arising from billing error (Applicable law — Data Protection Acts 1988 and 2003 (the Acts))

In April 2018, we received a complaint from a data subject who had ceased to be a customer of the data controller. However, she had discovered that her data was still being processed as she continued to receive bills from the data controller. The complainant had received verbal and written assurances that she did not owe the amount being billed.

However, the complainant subsequently received a text message from a debt-collection company, asking that she contact them. When the complainant phoned the debt-collection company, it refused to provide her with any information regarding the alleged debt until she provided them with personal data verifying her identity, which she refused to do. Later the same day, the complainant received a letter from the debt-collection company confirming that it was seeking to recover monies owed by her to the data controller.

This complaint was identified as potentially capable of amicable resolution under Section 109 of the Data Protection Act 2018, with both the complainant and data controller agreeing to work with the Data Protection Commission (DPC) to try to amicably resolve the matter. The data controller confirmed with the DPC that an error had caused the complainant’s account balance to appear outstanding but that when the error was identified by the data controller, the outstanding balance was removed from the account. The data controller also confirmed that it had instructed the debt-collection company to cease any collection activities, and also to delete any data associated with the complainant.

While the complainant was satisfied with the ultimate outcome, the DPC emphasised to the data controller that the complainant had previously been informed on at least two occasions that the matter had been resolved. Despite this, her data had been unfairly processed by being passed to a debt-collection company without there being any justification for such disclosure.

In recognition of its failings, the data controller apologised to the complainant, provided certain assurances to her that the matter would have no effect on her credit rating, and made donations to charities of her choice.

For a controller to lawfully engage a processor to process personal data, there must be a justification for the processing of the personal data in the first place. In this case, the controller had disregarded previous concerns raised by the complainant that bills were being issued to her despite her no longer receiving services from the controller and had failed to look into the continued use of her personal data for billing purposes in circumstances where she was no longer a customer.

The DPC encourages individuals to raise data protection concerns directly with the controller in the first instance so that they can address them. However, data controllers frequently ignore or disregard direct attempts made by a data subject to raise complaints until the DPC becomes involved. This is unacceptable and, as part of each organisation’s accountability obligations, it should have meaningful and efficient measures in place to deal with and address data protection complaints when raised directly by a data subject, without the need for the data subject to resort to DPC intervention.

Fair obtaining complaint made against a Golf Club

An individual made a complaint to the DPC concerning the data controller’s use of CCTV footage to investigate an incident in which the individual was involved. The individual had organised an event in a leisure facility (the data controller), and displayed signage in relation to Covid-19 procedures to assist attendees. At the end of the event, the individual inadvertently removed a different sign also in relation to Covid-19 procedures when removing the signage they had installed for the event. The data controller reviewed its CCTV footage to establish who had removed the sign. The complainant was of the opinion that the data controller did not process their personal data in a proportionate or transparent manner, and that it did not comply with its obligations as a data controller in how it investigated the incident. Accordingly, the individual lodged a complaint with the DPC.

The DPC intervened to seek to resolve the matter informally and the parties reached an amicable resolution when the leisure centre agreed to undertake an audit of its use of the CCTV system and to restrict access to review CCTV footage to designated staff members. The individual thanked the DPC for handling their complaint in a professional and helpful manner and further stated that they were reluctant to submit the complaint initially as they were aware of the volume of complaints the DPC deals with and the accompanying constraints on resources. The complainant stated that they felt confident that the issue would not arise in the future as a result of the involvement of the DPC. The individual wished to express their appreciation and acknowledge the DPC’s efficiency in dealing with the matter.

Use of location data to verify expense claims

The complainant in this case study was a former employee of a statutory service provider, whose work involved driving to locations assigned by his employer. Where this gave rise to claims for overtime or subsistence, the complainant would complete forms provided by the employer, detailing items such as relevant dates and places, dispatch reference numbers, and the amounts claimed. The employer made use of a dispatch system intended to ensure the most efficient use of drivers and vehicles, particularly as drivers responded to emergency situations. This system logged the performance and completion of service calls, when vehicles were out on calls or back at base, and when drivers were on or off duty.

The complainant had made a claim for overtime and subsistence. The employer rejected this because of inconsistencies between the details on the complainant’s claim form and those recorded on the employer’s dispatch system. The complainant objected to the use of data from the dispatch system for this purpose and complained to the DPC.

The DPC considered whether the use of data from the dispatch system to verify overtime and subsistence claims was in line with fair processing requirements. The fairness of the processing was to be assessed by reference to whether the complainant and fellow employees had been made aware of the employer’s use of the data for that purpose, whether that processing was compatible with the purpose for which the data was collected, and whether the employer had a legal basis for that processing.

The employer did not have a written policy on the use of the dispatch system. Instead, it relied on the “general awareness” of employees that the system was used for that purpose. The employer pointed out that such use had been noted in an arrangement with its employees’ trade unions some years previously. The DPC noted that overtime and subsistence claims required employees to include relevant dispatch reference numbers from the dispatch system. The DPC took the view that the inclusion of relevant dispatch system reference numbers in overtime and subsistence claims indicated that employees were aware that the data was used not just for logistical processing but also to verify their claims. Even if the major purpose of the dispatch system was to aid logistics, its use to verify overtime claims was not incompatible with that purpose, as that data was the only means available to the employer to verify claims.

The DPC noted that applicable financial regulations required the employer to verify overtime and subsistence claims. The processing to verify overtime and subsistence claims was necessary not just to comply with that legal obligation, but to perform the complainant’s employment contract and for reasons of the legitimate interests of the employer.

Key Takeaway

  • This case is an example of when data collected for one legitimate purpose — in this case, logistical control — may be appropriately processed for another, in this case verifying overtime claims. However, controllers should bear in mind the overarching requirement to process personal data fairly and must ensure that data subjects are made aware of what data is collected, and the nature and purpose of the processing. Equally important is that the processing has a legal basis, which in most cases will require that the processing is necessary for the stated purpose.

Case Studies Law Enforcement Directive (LED)

Law Enforcement Directive

The Garda Síochána Ombudsman Commission (GSOC) sent a letter containing the outcome of its investigation into a complaint to an address where the person who made the complaint no longer resided. The DPC established the letter was posted to the address where the individual lived at the time of a previous complaint that they had made to GSOC. The individual in question had subsequently informed GSOC they no longer lived at that address and that with regard to the new complaint they were only contactable by email.

The DPC liaised extensively with GSOC regarding this complaint. GSOC reported the data breach to the DPC through the normal breach reporting channels. To avoid this type of incident happening again, GSOC advised the DPC that an email was issued internally to all staff advising of the importance of ensuring the accuracy of personal data entered onto the Case Management System (CMS). GSOC also outlined that it sent a separate email to all line management in the GSOC Casework section advising them of the necessity to accurately input personal data on the CMS and to amend this information whenever updated information is received.

Access restrictions

The DPC received a complaint from an individual who alleged they were a victim of a crime. The individual requested to have their sensitive personal data processed by An Garda Síochána (AGS) according to their specific terms, namely they requested to have a full copy of the medical results of forensic tests undertaken by Forensic Science Ireland (FSI) made available to them immediately upon receipt of the results by AGS. The individual then sought to have the sample kit split, with this request subsequently amended to seeking the analysis of specific sample vials.

The DPC noted that the entire process of seeking the analysis of forensic samples, following the alleged crime, was initiated by the individual data subject. In order to proceed with the forensic tests, the individual was required to complete a form entitled ‘Consent for Release of Stored Forensic and a Legal Report to the Custody of An Garda Síochána’. The DPC determined that any personal data processed by AGS in the context outlined would fall under the Law Enforcement Directive (EU) 2016/680 as transposed in the Data Protection Act.

AGS advised the DPC that in cases where an individual submits their personal data to AGS and FSI for further testing, any related further processing by AGS and FSI is carried out for the purposes of the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties.

A report issued by Forensic Science Ireland to AGS is governed by the provisions of Section 94 of the Act, which sets out restrictions on access that may be imposed by a data controller, including a restriction to avoid prejudicing an investigation. Having examined the matters raised, the DPC advised the individual that the Law Enforcement Directive (EU) 2016/680 as transposed in Parts 5 and 6 of the Act does not provide for individuals to stipulate the conditions under which data subjects consent to have their personal data processed by a law enforcement authority.

In relation to the processing of forensic samples in a law enforcement context, the DPC was satisfied the processing of sensitive data was in compliance with sections 71 and 73(1)(b)(i) of the Act. The DPC noted the ‘Consent for Release of Stored Forensic and a Legal Report to the Custody of An Garda Síochána’ form specified all the intended recipients of the data, as well as the fact that the findings of the laboratory tests and the legal report could also be released to the courts for use in evidence.

The DPC recommended the addition of a Data Protection Notice to the form, to allow data subjects to obtain detailed information on the legislative framework and procedures governing the conditions of processing in relation to forensic samples and AGS investigations.

Data restrictions — prosecutions pending

The DPC frequently examines complaints in relation to restrictions imposed by An Garda Síochána and the Director of Public Prosecutions (DPP) due to criminal prosecutions pending. Complaints range from assault cases where documentation such as PULSE records, photographs and An Garda Síochána reports of the incidents are sought, to requests for CCTV footage from within An Garda Síochána stations themselves.

In some cases, An Garda Síochána may supply an individual with a copy of the statement provided by that individual but will withhold other data on the basis of Section 94(3)(a) of the Act, whereby a data controller may restrict access, wholly or partly, for the purposes of “the prevention, detection or investigation of offences, the apprehension or prosecution of offenders or the effectiveness of lawful methods, systems, plans or procedures employed for the purposes of the matters aforesaid.”

Upon confirmation by a data controller that criminal prosecutions are pending, the DPC will advise an individual that once legal matters in relation to those cases are concluded, the individual may re-apply for a copy of their data as set out in Section 91 of the Data Protection Act 2018.

Purpose Limitation

The DPC examined a complaint where an individual alleged that data gathered in one particular law enforcement context was being used by the same data controller for another law enforcement purpose. The complaint concerned the prosecution of an individual for offences in the equine and animal remedies area by the Department of Agriculture, Food and the Marine (DAFM) and the separate referral by DAFM of allegations of professional misconduct to the Veterinary Council of Ireland (VCI) in relation to the same person.

Having examined the matters raised, the DPC referred the complainant to Section 71(5) of the Data Protection Act 2018:

Where a controller collects personal data for a purpose specified in section 70 (1)(a), the controller or another controller may process the data for a purpose so specified other than the purpose for which the data were collected, in so far as— (a) the controller is authorised to process such personal data for such a purpose in accordance with the law of the European Union or the law of the State, and

(b) the processing is necessary and proportionate to the purpose for which the data are being processed.

With regard to section 70(1)(a) and “the law of the State”, the DPC noted the provisions set out in the Veterinary Practice Act 2005 regarding the conduct of inquiries by the VCI into allegations of professional misconduct. In particular, section 76 of the Veterinary Practice Act 2005 outlines that the VCI or any person may apply for an inquiry with regard to the fitness to practise veterinary medicine of a registered person. On this basis, the DPC did not consider data protection legislation to disallow the separate referral by DAFM of allegations of professional misconduct to the VCI in relation to a person, in tandem with prosecution proceedings by DAFM against the same individual for offences in the equine and animal remedies area.

Data restrictions — absence of consent from all parties

In one case examined by the DPC, a parent applied to An Garda Síochána for copies of the personal data of his young children.

An Garda Síochána refused to supply the data. The DPC advised the parent that it agreed with the restriction imposed, as the controller in this case had particular knowledge of all of the circumstances pertaining to a shared guardianship arrangement in place and considered that consent of all legal guardians would be required in order to release the data in this case.

Data restrictions — third-party data; opinion given in confidence

The DPC examined a case where restrictions on access were imposed by An Garda Síochána on the basis of Sections 91(7) and (8) of the Data Protection Act 2018.

The matter related to an individual seeking copies of allegations of abuse made against him with regard to the welfare of his parents. Having examined this matter, it was clear to the DPC that releasing the information would entail the release of third-party data and would reveal the identity of the person making the allegations. The DPC was satisfied on review that the information sought was provided in the strictest of confidence and considered that the provisions of Section 91(9)(a) also applied.

Case Studies Erasure

Article 60 decision concerning Twitter International Company — ID Request, Erasure Request

A complaint was lodged directly with the DPC on 2 July 2019 against Twitter International Company (“Twitter”), and accordingly was handled by the DPC in its role as lead supervisory authority. The complainant alleged that, following the suspension of their Twitter account, Twitter failed to comply within the statutory timeframe with an erasure request they had submitted to it. Further, the complainant alleged that Twitter had requested a copy of their photographic ID in order to action their erasure request without a legal basis to do so. Finally, the complainant alleged that Twitter had retained their personal data following their erasure request without a legal basis to do so.

The complainant’s Twitter account was suspended as Twitter held that the complainant was in breach of its Hateful Conduct Policy. Once Twitter suspended the account, the complainant sought that all of their personal details, such as email address and phone number, be deleted. They submitted multiple requests to Twitter asking that their data be erased. Twitter asked the complainant to submit a copy of their ID in order to verify that they were, in fact, the account holder. The complainant refused to do so. In the premises, Twitter ultimately complied with the erasure request without the complainant’s photographic ID.

The DPC initially attempted to resolve this complaint amicably by means of its complaint handling process. However, those efforts failed to secure an amicable resolution and the case was opened for further inquiry. The issues for examination and determination by the DPC’s inquiry were as follows: (i) whether Twitter had a lawful basis for requesting photographic ID where an erasure request had been submitted pursuant to Article 17 GDPR, (ii) whether Twitter’s handling of the said erasure request was compliant with the GDPR and Data Protection Act 2018 and (iii) whether Twitter had complied with the transparency requirements of Article 12 GDPR.

In defence of its position, Twitter stated that authenticating that the requester is who they say they are is of paramount importance in instances where a party requests the erasure of their account. It stated that unique identifiers supplied at the time of registration of an account (i.e. email address and phone number) simply associate a user with an account but these identifiers do not verify the identity of an account holder. Twitter posited that it is cognisant of the fact that email accounts can be hacked and other interested parties might seek to erase an account, particularly in a situation such as this, where the account was suspended due to numerous alleged violations of Twitter’s Hateful Conduct Policy. The company indicated that it retains basic subscriber information indefinitely in line with its legitimate interest to maintain the safety and security of its platform and its users.

Twitter further argued that, as it did not actually collect any ID from the complainant, Article 5(1)(c) was not engaged. Notwithstanding this, it stated that the request for photo identification was both proportionate and necessary in this instance. It indicated that a higher level of authentication is required in circumstances where a person is not logged into their account, as will always be the case where a person’s account has been suspended.

Having regard to the complainant’s erasure request and the associated obligation that any such request be processed without ‘undue delay’, Twitter set out a timeline of correspondence pertaining to the erasure request between it and the complainant. Twitter stated that the complainant had made duplicate requests and, as such, had delayed the process of deletion/erasure themselves. Regarding data retention, Twitter advised the DPC that it retained the complainant’s phone number and email address following the completion of their access request. It stated that it retains this limited information beyond account deactivation indefinitely in accordance with its legitimate interests to maintain the safety and security of its platform and users. It asserted that if it were to delete the complainant’s email address or phone number from its systems, they could then use that information to create a new account even though they have been identified and permanently suspended from the platform for various violations of its Hateful Conduct Policy.

Following the completion of its inquiry on 27 April 2022, the DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR. In its decision, the DPC found that the data controller, Twitter International Company, infringed the General Data Protection Regulation as follows:

  • Article 5(1)(c): Twitter’s requirement that the complainant verify his identity by way of submission of a copy of his photographic ID constituted an infringement of the principle of data minimisation, pursuant to Article 5(1)(c) of the GDPR;
  • Article 6(1): Twitter had not identified a valid lawful basis under Article 6(1) of the GDPR for seeking a copy of the complainant’s photographic ID in order to process his erasure request;
  • Article 17(1): Twitter infringed Article 17(1) of the GDPR, as there was an undue delay in handling the complainant’s request for erasure; and
  • Article 12(3): Twitter infringed Article 12(3) of the GDPR by failing to inform the data subject within one month of the action taken on his erasure request pursuant to Article 17 of the GDPR.

The DPC also found in its decision that Twitter had a valid legal basis in accordance with Article 6(1)(f) for the retention of the complainant’s email address and phone number that were associated with the account. It also found that, without prejudice to its finding above concerning the data minimisation principle with regard to photo ID, Twitter was compliant with the data minimisation principle as the processing of the email address and phone number data was limited to what was necessary in relation to the purposes for which they are processed.

In light of the extent of the infringements, the DPC issued a reprimand to Twitter International Company, pursuant to Article 58(2)(b) of the GDPR. Further, the DPC ordered Twitter International Company, pursuant to Article 58(2)(d), to revise its internal policies and procedures for handling erasure requests to ensure that data subjects are no longer required to provide a copy of photographic ID when making data erasure requests, unless it can demonstrate a legal basis for doing so. The DPC ordered that Twitter International Company provide details of its revised internal policies and procedures to the DPC by 30 June 2022. Twitter complied with this order by the set deadline.