Case Studies Accuracy
Right to rectification request to a healthcare group
We received a complaint against a healthcare group arising from its refusal of a request for rectification under Article 16 of the General Data Protection Regulation (GDPR). The complainant alleged that the healthcare group was incorrectly spelling his name on its computer system by not including the síneadh fada, an accent that forms part of the written Irish language.
Hospitals under the administration of this healthcare group use a patient administration system (PAS) to initially record patient data which is then shared with other systems at later points of patient care, that is, laboratory, radiology and cardiology. The healthcare group informed the complainant that it is not possible to record the síneadh fada because syntax characters are recorded as commands on the PAS, impacting on the way data is stored and processed. The healthcare group informed the Data Protection Commission (DPC) that the patient administration system is due to be replaced in 2019/2020. However, the group’s new system will not allow for the use of the síneadh fada. The healthcare group informed the DPC this was for the purpose of enabling a streamlined single point of contact for patient information across different systems. This would enable professionals to access this information across different units within a hospital or hospital group without re-entering the data at a later point, thereby avoiding potential for later errors.
The other systems across the current healthcare group network and/or wider hospital network do not support the use of the síneadh fada. The healthcare group further advised the DPC that they identify patients with Patient ID numbers rather than isolated names.
The DPC examined this submission and concluded that any update of the computer system would entail significant costs and time, along with errors in storage and matching of records. The DPC also engaged with An Coimisinéir Teanga (Irish Language Regulator) about its advice to public sector organisations with respect to computer systems supporting the síneadh fada. An Coimisinéir Teanga advised there is no such obligation arising from the Official Languages Act 2003 but such an obligation can arise from a language scheme — an agreement put in place between a public body and the Minister for Culture, Heritage and the Gaeltacht.
The DPC queried the healthcare group on the existence of a language scheme and was provided a copy. This scheme sets out a respect for patient choices regarding names, addresses and their language of choice. The scheme also provides a commitment to update computer systems to achieve “language compliancy”. There is no timeframe provided for the fulfilment of this commitment in the language scheme.
The healthcare group advised the DPC they are committed to patient safety as a primary, core concern and further advised the DPC of the difficulties associated with sharing and storing information across other systems if they updated their system to allow for the use of the síneadh fada. They also advised that they will be testing the possibility of using the síneadh fada in any update of their computer system.
The DPC had regard to Article 16 and Article 5(1)(d) of the GDPR in examining this complaint. Both articles set out the rights of individuals subject to “the purposes of the processing”. The right to rectification under Article 16 of the GDPR is not an absolute right. Organisations that control or process personal data are required to take reasonable steps in the circumstances. The DPC had regard to case law from the European Court of Human Rights on linguistic rights and/or naming. This case law reflects that the spelling of names falls under the ambit of Article 8 of the European Convention on Human Rights but that the Court adopts a restrictive approach in this regard. As such, the DPC reiterated the purpose of the processing in the circumstances of the complaint was the administration of health care to the complainant and involved the use of Patient ID number. The name of the complainant was not the isolated means of identification and therefore the purpose of the processing is being achieved without the use of diacritical marks.
The DPC had regard to any risks to the complainant in the refusal of their Article 16 request also. The DPC noted the risk to the complainant would increase because of the difficulties associated with cross-system handling of the síneadh fada and the impact this would have on any health care decision making for the individual. In the circumstances, the non-use of the síneadh fada would not constitute an interference with the fundamental rights of the individual.
Under section 109(5)(f) of the Data Protection Act 2018 (the 2018 Act), the DPC requested the healthcare group to inform the complainant of its actions in the implementation of a computer system enabled to reflect the síneadh fada. Also, the DPC requested that the group add an addendum to the individual’s file to show the síneadh fada forms part of the individual’s name. The DPC, under section 109(5)(c) of the 2018 Act, advised the complainant that he may contact An Coimisinéir Teanga about the language scheme and any contravention of same.
Case Studies Access Request Complaints
Article 60 decision concerning Airbnb Ireland UC — Delayed response to an Access Request and an Erasure Request
A complaint was lodged with the Berlin Commissioner for Data Protection and Freedom of Information (“Berlin DPA”) against Airbnb Ireland UC (“Airbnb”) and was thereafter transferred to the DPC to be handled in its role as lead supervisory authority.
The complainant alleged that Airbnb failed to comply with an erasure request and a subsequent access request they had submitted to it within the statutory timeframe. Further, the complainant stated that when they submitted their request for erasure, Airbnb requested that they verify their identity by providing a photocopy of their identity document (“ID”), which they had not previously provided to Airbnb.
The DPC initially attempted to resolve this complaint amicably by means of its complaint handling process. However, those efforts failed to secure an amicable resolution and the case was opened for further inquiry. The issues for examination and determination by the DPC’s inquiry were as follows: (i) whether Airbnb had a lawful basis for requesting a copy of the complainant’s ID where they had submitted an erasure request, pursuant to Article 17 GDPR, (ii) whether Airbnb’s handling of the said erasure request was compliant with the GDPR and Data Protection Act 2018 and (iii) whether Airbnb’s handling of the complainant’s access request was compliant with the GDPR and Data Protection Act 2018.
Airbnb responded to the complainant’s allegations, justifying its request for photographic ID given the adverse effects that would flow from a wrongful deletion of an account. Airbnb highlighted that fraudulent deletion of an Airbnb account can lead to significant real-world harm including, in the case of hosts, the economic harm through cancelled bookings and loss of goodwill built up in the account and, in the case of guests, the potential loss of accommodation while travelling abroad. Airbnb stated that these are not trivial risks and appropriate steps must be taken to address them. It further stated that the provision of an ID document to authenticate an erasure request is a reliable proof of identification and that it does not place a disproportionate burden on the individual making the erasure request. It posited that photographic identity can be considered to be an evidential bridge between an online and an offline identity.
Airbnb ultimately complied with the complainant’s erasure request, validating their identity by providing them with the option of logging into their account to verify their identity, without the necessity to provide ID. Following intervention by the DPC, Airbnb complied with the complainant’s access request. Having completed its inquiry, on 14 September 2022, the DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR. In its decision, the Data Protection Commission found that the data controller, Airbnb Ireland UC, infringed the General Data Protection Regulation as follows:
Article 5(1)(c) of the GDPR
The DPC found that Airbnb’s requirement that the complainant verify their identity by way of submission of a copy of their photographic ID constituted an infringement of the principle of data minimisation, pursuant to Article 5(1)(c) of the GDPR. This infringement occurred in circumstances where less data-driven solutions to the question of identity verification were available to Airbnb;
Article 6(1) of the GDPR
The DPC found that, in the specific circumstances of this complaint, the legitimate interest pursued by the controller did not constitute a valid lawful basis under Article 6 of the GDPR for seeking a copy of the complainant’s photographic ID in order to process their erasure request; and
Article 12(3) of the GDPR
The DPC found that Airbnb infringed Article 12(3) of the GDPR with respect to its handling of the complainant’s access request. This infringement occurred when Airbnb failed to provide the complainant with information on the action taken on their request within one month of the receipt of the access request.
In light of the extent of the infringements, the DPC issued a reprimand to Airbnb Ireland UC, pursuant to Article 58(2)(b) of the GDPR. Further, the DPC ordered Airbnb Ireland UC, pursuant to Article 58(2)(d), to revise its internal policies and procedures for handling erasure requests to ensure that data subjects are no longer required to provide a copy of photographic ID when making data erasure requests, unless it can demonstrate a legal basis for doing so. The DPC ordered that Airbnb Ireland UC provide details of its revised internal policies and procedures to the DPC by 4 November 2022. Airbnb complied with this order by the set deadline.
Case Studies Access Request Complaints
Disclosure, withdrawing consent for processing and subject access request
A data subject brought a complaint to the Data Protection Commission (DPC) against their former employer (the data controller). The data subject had a number of data protection concerns, namely:
1. The disclosure of their personal email address in a group email by being included in the Carbon Copy (CC) field,
2. The inclusion of their image on the data controller’s social media,
3. The data subject was not satisfied with the response received from the data controller regarding a subject access request.
In line with the examination of the complaint, the DPC contacted the data controller and shared the details of the complaint. The data controller informed the DPC that the data subject had previously signed a settlement agreement, which waived their right to make any complaints or claims against the company under the Data Protection Acts 1988, 2003 and 2018. In response, the DPC advised the data controller that they were not a party to that agreement and that the DPC has a statutory obligation to examine complaints to the extent appropriate. An enforcement of any settlement agreement is a matter between the data controller and data subject.
In relation to the disclosure of the data subject’s email address in a group email, the data controller acknowledged that the Blind Carbon Copy (BCC) function should have been used in this instance. The data controller also advised that this incident had been reported to the DPC as a breach under Article 33 of the General Data Protection Regulation (GDPR) and additional measures have been put in place to avoid the incident re-occurring. Staff training has been rolled out and the data subject’s email address has been removed from the auto-collected email addresses on file. The DPC noted that the circumstances of the breach arose as a result of human error and has not been identified as a systemic issue.
Under Article 17 of the GDPR, the data subject requested the removal of their image from the data controller’s social media outlets without undue delay. The data subject withdrew their consent for the processing of their personal data under Article 17(1)(b) of the GDPR. The data controller conducted a search of their social media and removed any posts which identified the data subject. The data controller advised that where third parties further used these images, the data subject would have to submit an erasure request to these organisations directly.
The data subject also made a subject access request under Article 15 of the GDPR to the data controller. The data controller complied with the request; however, restrictions were applied under section 162 of the 2018 Act to restrict the data subject’s access to correspondence between the data controller and their legal advisors.
While the DPC notes that a right of an individual to access personal data is a fundamental right and any restriction must be interpreted narrowly, the requirement that the restriction of data subjects’ rights be necessary and proportionate is not contained within section 162 of the 2018 Act. Accordingly, not all access requests can be complied with and, based on the information provided to the DPC, the DPC found that the correspondence between the data controller and their legal advisers should not be released in response to a data subject access request.
Further to the above, the DPC noted that the data controller had failed to comply with their obligations under Article 12(3) of the GDPR, in that data controllers must respond to data protection requests from data subjects within one month of receiving those requests. A data controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. However, it was noted that the data controller extended the response period of the subject access request after the initial one-month time period had lapsed.
As such, under section 109(5)(f) the DPC wrote to the data controller and reminded them of their obligations under Articles 12(3) and 33 of the GDPR.
Case Studies Access Request Complaints
Access to information relating to a bank’s credit assessment
The complainant in this complaint made a request to a bank under data protection legislation to supply the complainant with a copy of all personal data relating to them held by the bank. The complainant alleged, in particular, that the bank had failed to provide them with any internal analyses which used the complainant’s personal data to assess the amount of credit the bank would extend to them.
This office established that the bank was identified as the relevant data controller in relation to the complaint, as it controlled personal data, which the complainant provided to the bank when making a loan application. The data in question was personal data relating to the complainant (consisting of, amongst other things, a completed loan application form and supporting documentation) as the complainant could be identified from it and the data related to the complainant as an individual. This office was therefore satisfied that the complaint should be investigated to determine if a breach of data protection legislation had occurred.
During the course of the investigation of this complaint, this office engaged with the bank regarding the nature of any personal data to which the complainant might have been entitled. The bank took the view that the complainant was not entitled to details of its internal analysis and algorithms or any internal decision thresholds upon which it based its lending decision as, in the view of the bank, this information was not personal data, and, in addition, was market sensitive and was the intellectual property of the bank. In particular, the bank did not provide the complainant with details of the complainant’s credit score or the bank’s calculation of the complainant’s net disposable income, which form part of its credit assessment criteria.
This office considered the explanations provided by the bank and took the view that the complainant’s net disposable income figure and credit score both constituted personal data relating to the complainant as the complainant could be identified from the details and they related to the complainant as an individual. Furthermore, as the bank had not identified a relevant exception under data protection legislation on which it could withhold this data from the complainant, this office considered that the bank had failed to comply with the complainant’s request for access to their data. However, this office agreed that the credit scoring models used by the bank in its credit assessment process were not personal data relating to the complainant and that, as such, the complainant was not entitled to a copy of this information.
Finally, this office considered that the bank had further contravened its obligations under data protection legislation by failing to respond to the request made by the complainant within the applicable statutory time limit. Under Article 15 of the GDPR, data subjects have a right to obtain from data controllers confirmation as to whether or not personal data concerning them are being processed and, where that is the case, access to that personal data. This right only extends to the personal data of the data subject, meaning any information relating to that data subject by which the data subject is identified or identifiable. The data controller must respond to a data subject access request without undue delay and in any event within one month of receipt of the request. However, the right of access to personal data is subject to a number of exceptions under the GDPR and the Data Protection Act 2018 (in particular, sections 59 to 61), such as where compliance with the request for access would adversely affect the rights and freedoms of others.
Case Studies Access Request Complaints
Legal basis for processing and security of processing
A data subject lodged a complaint with the DPC against a data controller following a delayed response to a subject access request. The data subject was concerned about the processing of their personal data between the data controller and a third party, a HR investigator (investigator). Such concerns related to the legal basis for processing the data subject’s personal data and the security of processing the personal data, as the investigator was using a Gmail account during the course of the examination.
Upon review of the personal data received, the data subject raised concerns in relation to the processing of their personal data between the data controller and the investigator. As part of its examination, the DPC engaged with the data controller on this matter. The data controller cited section 46 of the Data Protection Act 2018 (the 2018 Act) and Articles 6(1)(c) and 9(2)(b) as their lawful basis for processing the personal data. In addition to this, the data subject was in fact an employee; as such, the data controller highlighted their legal obligations under the Safety, Health and Welfare at Work Act 2005 as set out in their Employee Handbook. The data subject challenged this lawful basis as they were not previously made aware of such.
With regard to the investigator, the data subject explained that no consent was sought for processing the personal data between the data controller and the investigator. The data controller explained that consent was not the only lawful basis under GDPR and stated Article 6(1)(b) as their lawful basis. The data subject contested this lawful basis, stating the processing of personal data by the investigator was not necessary for compliance with the employment contract. The data subject also raised transparency concerns as, when signing the employment contract, they would not have anticipated the processing of their personal data by an investigator. When questioned on the use of a Gmail account by the investigator, the data controller stated the email would be encrypted between the data controller and the Gmail account and that no evidence was available of the data subject’s personal data being compromised.
During the examination of the complaint, the issue arose about whether the investigator was a joint controller or a data processor. The data subject took the view that the investigator was a data processor while the data controller stated the investigator was a data controller in their own right and as a result there were no requirements under Article 28 of the GDPR. The DPC examined the facts in this complaint and established that the investigator was provided a list of individuals to interview in order to compile this report and, from the terms of reference, interviews are listed as the primary means of gathering information to compile their report. The DPC also noted the investigator was precluded from deciding on or implementing any sanction arising from the findings of the report. Based on this information, the DPC found the investigator to be a data processor on behalf of the data controller and noted that the data controller failed to provide a contract between them and the investigator as required under Article 28(3) of the GDPR.
Due to the failure of the data controller to comply with the one-month obligation under Article 12(3) of the GDPR, the DPC reminded the data controller of their obligations under Article 24 to implement appropriate technical and organisational measures to ensure compliance with the GDPR. In doing so, the data controller should also ensure they only provide personal data relevant to the subject access request at hand and redact the personal data of third parties. Secondly, with regard to the lawful bases relied upon by the data controller, the DPC was satisfied that such lawful bases were reasonable; however, it recommended they inform staff members in their staff data protection policies that they may rely on section 46 of the 2018 Act and Articles 6(1)(c) and 9(2)(b) of the GDPR for the processing of staff personal data. In addition to this, under section 109(5)(f) of the 2018 Act, the DPC recommended the data controller ensures there is a contract in place when an investigator is involved, that they engage in regular testing of organisational and technical processes, and lastly provide the investigator with an organisation email address.
Case Studies Access Request Complaints
Processing in the context of a workplace investigation
The complainant was involved in a workplace investigation arising out of allegations made by the complainant against a colleague. The complainant’s employer appointed an independent consultancy firm to carry out the investigation and the findings of the consultancy company were subject to a review by an independent panel.
After the conclusion of the workplace investigation, the complainant made a data access request to their employer and a number of documents were provided in response to this request. However, the complainant was of the view that the request was not responded to fully. For example, the complainant claimed that the witness statements (that had been taken during the investigation) that were provided to the complainant were factually incorrect and that certain documents were not provided to the complainant (such as access logs to the complainant’s personnel files). The complainant further alleged that their employer had disclosed details of the complainant’s work performance, sick leave arrangements and copies of the complainant’s pay slips to the complainant’s colleagues. Finally, the complainant claimed that their employer had failed to comply with the complainant’s requests for rectification of the witness statements (which the complainant alleged were factually incorrect).
It was established that the complainant’s employer was the data controller as it controlled the complainant’s data in the context of the workplace investigation. The data in question consisted of the complainant’s payroll information, information relating to the complainant’s sick leave and witness statements relating to the complainant. The data was personal data because it related to the complainant as an individual and the complainant could be identified from it.
In response to the complainant’s allegation that their access request was not responded to fully, the data controller stated that, in relation to the witness statements, the complainant was provided with the copies of the original witness statements that were held on the complainant’s file. In relation to the access logs, the data controller was of the view that these did not constitute personal data (because they tracked the digital movement of other employees on the data controller’s IT systems).
In relation to other miscellaneous documents that the complainant alleged had not been received, the data controller indicated that, if the complainant could specify details of these documents, it would consider the complainant’s allegation further.
Regarding the complaint that the data controller had disclosed details of the complainant’s work performance to colleagues of the complainant, the data controller argued that the complainant’s performance would have been discussed with the complainant’s managers and therefore was disclosed for legitimate business reasons. Regarding the complaint around disclosure of details regarding the complainant’s sick leave, the data controller noted that it was not aware of any such disclosure. Finally, in relation to the allegation that the complainant’s payslips were disclosed, the data controller argued that they were provided to an employee of the data controller to be reviewed in the context of a separate case taken by the complainant.
The complainant also made a request for rectification of witness statements which, the complainant alleged, were factually incorrect. However, the data controller advised that what was recorded in the witness statements represented the views of the people involved and, on this basis, refused to amend the witness statements.
The DPC was of the view that there were five issues to be examined by it in relation to the complaint. The DPC’s view on each of these issues is summarised below (under headings representing each of the five issues).
Access request
The DPC noted that the complainant had made a valid access request. However, having considered the matter, on balance, the DPC was of the view that there was no evidence available to suggest that the data controller unlawfully withheld information. The DPC noted, however, that the complainant’s data access request had not been dealt with in the timeframe required under the legislation. In this regard, the data controller had committed a data protection breach.
Under Article 12(3) of the GDPR, a data subject has a right to obtain from a data controller access to personal data concerning him or her, which are being processed. The data controller must respond to a subject access request without undue delay and in any event within one month of receipt of the request.
Alleged unauthorised disclosure of the complainant’s personal data
Controllers must have a lawful basis, under data protection legislation to process personal data, including the disclosure of that data to a third party. In relation to the disclosure of details regarding the complainant’s work performance, the DPC was of the opinion that such processing was lawful as it was for legitimate business reasons. Regarding the issue of disclosure of sick leave details, the DPC concluded that it did not have sufficient information relating to the alleged incident in order to determine whether a breach of the legislation had occurred. In relation to the disclosure of the complainant’s payslips, the DPC was of the view that the disclosure was lawful. This was because the payslips were disclosed in order to assist the data controller in defending a separate legal claim brought by the complainant, against it.
Under Article 6 of the GDPR, a data controller is required to have a legal basis for processing (including disclosing) any personal data. The available legal bases for processing include (a) that the data subject has given consent, (b) that the processing is necessary for the performance of a contract to which the data subject is a party, (c) that the processing is necessary for compliance with a legal obligation to which the data controller is subject, (d) that the processing is necessary in order to protect the vital interests of an individual, (e) that the processing is necessary for the performance of a task carried out in the public interest, or (f) that the processing is necessary for the purposes of legitimate interests pursued by the data controller or by a third party.
Fair processing
There is an obligation on data controllers to process personal data fairly. During the course of its investigation, the DPC asked the data controller to confirm how it complied with its obligations to process the complainant’s data in a fair manner, in relation to each of the alleged disclosures of the complainant’s personal data. The data controller failed to provide the information required and in these circumstances, the DPC considered that the data controller failed to process the complainant’s data, in line with fair processing obligations.
Under the GDPR, personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. That principle requires that the data subject be provided with certain information under Articles 13 and 14 of the GDPR in relation to the existence of the processing operation and its purposes. Data subjects should be made aware of risks, rules, safeguards and rights in relation to the processing of their personal data. Where personal data can be legitimately disclosed to another recipient, data controllers should inform the data subject when the personal data are first disclosed of the recipient or categories of recipients of the personal data.
Right to rectification
Under Data Protection legislation, there is a right to rectification of incorrect personal data. However, here the data controller had confirmed that what was recorded in the witness statements represented the views of the people involved. The view was taken that where an opinion is correctly recorded and where the opinion is objectively based on matters that the person giving the opinion would reasonably have believed to be true, the right to rectification does not apply.
Under Article 5 of the GDPR, personal data being processed must be accurate and, where necessary, kept up to date and data controllers are required to ensure that every reasonable step is taken to ensure that personal data that are inaccurate, having regard to the purpose for which they are processed, are erased or rectified without delay. Under Article 16 of the GDPR, a data subject has the right to obtain from a data controller without undue delay the rectification of inaccurate personal data concerning him or her. However, under section 60 of the Data Protection Act 2018, this right is restricted to the extent that the personal data consist of an expression of opinion about the data subject by another person given in confidence or on the understanding that it would be treated as confidential to a person who has a legitimate interest in receiving the information.
Retention of the complainant’s personal data
The DPC asked the data controller to outline the legal basis for the retention (i.e. processing) of the complainant’s personal data relating to the workplace investigation. The data controller advised that this data was being retained in order to deal with the complainant’s requests and appeals under various statutory processes. On this basis, the DPC was of the view that the retention of the complainant’s personal data was lawful as it was for legitimate business reasons.
Under the GDPR, not only must a data controller have a lawful basis for initially obtaining an individual’s personal data, but it must also have an ongoing legal basis for the retention of those data in accordance with Article 6, as set out above. Under Article 5(1)(e) of the GDPR, personal data which is in a form permitting the identification of data subjects must be kept for no longer than is necessary for the purposes for which they are processed.
Case Studies Access Request Complaints
Access requests and legally privileged material
This complaint concerned an alleged incomplete response to a data subject access request. The background to this complaint was that the complainant had submitted an access request to the trustees of a pension scheme (the “Trustees”). As part of its response to the access request, the Trustees referred to a draft letter relating to the complainant; however, this draft letter was not provided to the complainant.
It was established that the Trustees were the data controller as they controlled the contents and use of the complainant’s personal data for the purposes of the complainant’s pension. The data in question consisted of (amongst other things) information about the complainant’s employment and pension and was personal data because it related to the complainant as an individual and the complainant could be identified from it.
The data controller sought to argue that the draft letter was legally privileged and that therefore the data controller was not required to provide it to the complainant. The DPC sought further information from the data controller regarding the claim of legal privilege over the draft letter. In response, the data controller did not clarify the basis on which privilege was asserted over the draft letter; however, it agreed to provide the data to the complainant.
It was decided therefore that the data controller had failed to establish an entitlement to rely on the exemption in respect of legally privileged data. Accordingly, the letter should have been provided to the complainant in response to the complainant’s access request within the timeframe set out in the legislation.
Under Article 15 of the GDPR, a data subject has a right to obtain from a data controller access to personal data concerning him or her, which are being processed. The data controller must respond to a data subject access request without undue delay and in any event within one month of receipt of the request. However, the right of access to one’s personal data does not apply to personal data processed for the purpose of seeking, receiving or giving legal advice or personal data in respect of which a claim of privilege could be made for the purpose of or in the course of legal proceedings. Where a data controller seeks to assert privilege over information sought by a data subject under Article 15, the DPC, examining a complaint in relation to the refusal, will require the data controller to provide considerable information, including an explanation as to the basis upon which the data controller is asserting privilege, so that the validity of the claim can be properly evaluated.
Confidential expressions of opinion and subject access requests
This complainant made a data subject access request to their employer. However, the complainant alleged that their employer omitted certain communications from its response, wrongfully withheld data on the basis that it constituted an opinion given in confidence and did not respond to the request within the required timeframe as set out in the legislation.
The complainant’s employer was the data controller as it controlled the contents and use of the complainant’s personal data for the purposes of managing the complainant’s employment. The data in question consisted of the complainant’s HR file and data regarding the administration of the complainant’s employment. The data was personal data because the complainant could be identified from it and the data related to the complainant as an individual.
During the course of the examination of the complaint, the data controller identified additional documents containing the complainant’s personal data and provided these to the complainant. As regards the document that the data controller had asserted constituted an opinion given in confidence, the individual who had expressed the opinion in question consented, during the course of the investigation of this complaint, to the release of the document to the complainant, and so the document was provided by the data controller to the complainant.
Data protection legislation provides a right of access for a data subject to their personal data and, further, that access must be granted within a certain timeframe. Having investigated the complaint, the DPC was satisfied that the data controller had carried out appropriate searches and had provided the complainant with all the personal data which the complainant was legally entitled to receive.
The documents provided by the data controller to the complainant during the course of the examination of this complaint should have been furnished to the complainant within the timeframe provided for in the legislation.
Obligation to give reasons when refusing to provide access to personal data
This complainant previously owned a property in a development managed by a management company. The complainant made a data access request to the management company but was of the view that the data controller failed to provide all of the complainant’s personal data in its response.
The management company was determined to be the data controller, as it controlled the contents and use of the complainant’s personal data for the purposes of its role as a management company in respect of a development in which the complainant had owned a property. The data in question consisted of (amongst other things) the complainant’s name and address. The data was personal data as the complainant could be identified from it and it related to the complainant as an individual.
During the course of the DPC’s examination of the complaint, the data controller provided a description of a document containing the complainant’s personal data that was being withheld on the basis that it was legally privileged. This document had not been referred to in the data controller’s response to the complainant’s access request. It was noted that the data controller should have referred to this document and the reason(s) for which it was refusing to provide the document to the complainant in its response to the complainant’s access request.
The DPC also considered whether the data controller had supplied the complainant with all of their personal data, as required by legislation. The DPC noted that the complainant had provided specific and detailed descriptions of data they believed had not been provided. In response, the data controller stated that it did not retain data relating to matters that it considered to be closed and had provided the complainant with all of their personal data held by the data controller at the date of the access request. The office was of the view that it was credible that the data controller would not retain personal data on an indefinite basis. The DPC was satisfied that the data controller had provided the complainant with all of their personal data (with the exception of the document over which the data controller had asserted legal privilege, as set out above). For that reason, no further contravention of the legislation had occurred.
Under Article 15 of the GDPR, a data subject has a right to obtain from a data controller access to personal data concerning him or her which are being processed.
However, this right does not apply to personal data processed for the purpose of seeking, receiving or giving legal advice, or to personal data in respect of which a claim of privilege could be made for the purpose of or in the course of legal proceedings (Section 60(3)(a)(iv) of the Data Protection Act 2018). Where a data controller refuses to comply with a request for access to personal data, however, it is required under Article 12 of the GDPR to inform the data subject without delay of the reasons for this refusal.
Access to CCTV footage
This complaint concerned an alleged incomplete response to a subject access request for CCTV footage made by the complainant to an educational institution. The complainant advised that they were the victim of an alleged attempted assault. The complainant requested access to CCTV footage from the time the alleged assault happened, in particular in relation to a specific identified time period from two different camera angles.
In response to the request, the organisation provided the complainant with a select number of stills from the CCTV footage relating to one camera. The complainant requested to be provided with a still for every second of the recording in which the complainant’s image appeared. The response received from the educational institution was that all “significant” footage, in the opinion of the controller, had been provided and as the CCTV cameras were on a 30-day recording cycle, the footage had since been recorded over. The controller clarified that it did not store any footage unless there was a “lawful requirement” to do so.
The DPC noted that, when a valid access request is made to a data controller, the request must be complied with by the data controller within a certain period (under Article 12(3) of the GDPR, this is generally set at one month). The right of access to personal data is one of the key fundamental rights provided for in data protection legislation. In the context of access requests to CCTV footage, the data controller’s obligation to provide a copy of the requester’s personal data usually requires providing a copy of the CCTV footage in video format. Where this is not possible, such as where the footage is technically incapable of being copied to another device, or in other exceptional circumstances, it may be acceptable to provide a data subject with stills as an alternative to video footage. However, in such circumstances where stills are provided, the data controller should provide the data subject with a still for every second of the recording in which the data subject’s image appears and an explanation of why the footage cannot be provided in video format. The controller should also preserve all footage relating to the period specified until such time as the requester confirms that they are satisfied with the response provided.
As the data controller had not provided the complainant with either the CCTV footage requested or a complete set of the stills relating to the specified period, the data controller failed to comply with its obligations in relation to the right of access, both from a time perspective (Article 12(3)) and regarding the provision of a full and complete set of personal data processed by the controller (Article 15).