February 2019 saw the Data Protection Commission (the “Commission”) publish its first annual report since the introduction of the General Data Protection Regulation (“GDPR”) on 25 May 2018. The report, which covers the period from 25 May 2018 to 31 December 2018, provides useful insights into how the Commission is approaching its enhanced powers and responsibilities under the new data protection framework.
The report’s many statistics provide an interesting snapshot of the current data protection landscape in Ireland. As in previous years, data access rights continue to take centre stage, with more than one third of the 2,864 complaints to the Commission relating to such rights. The highest category of data breaches reported related to unauthorised disclosures. The statistics also show commendable progress in complaints handling, with the Commission concluding 868 of the 1,928 GDPR-related complaints it received during the period.
The Commission occupies a unique position among its European counterparts as the lead supervisory authority for many large multinational companies that have their European headquarters in Ireland. As such, the Commission is charged with the significant task of safeguarding the data protection rights of hundreds of millions of individuals across the European Union.
As of 31 December 2018, the Commission had 15 statutory inquiries open in relation to compliance by seven multinational companies with their GDPR obligations. The focus of the inquiries ranged from the lawful bases on which the organisations rely to process personal data, to the transparency of information they provide to individuals regarding how and why their personal data are processed.
Prompted by submissions on the conduct of technology companies in online advertising, the Commission has also undertaken to examine the sector closely and has committed to prioritising this work in 2019. Particular areas of scrutiny are the profiling of individuals (particularly where special categories of data are involved), the use of location data and the processing of personal data without a lawful basis.
The case studies detailed in the Commission’s report deal with a range of incidents, including the late response to a data access request, the loss of an unencrypted USB device and the failure to implement written data protection policies.
An interesting aspect of the Commission’s role is its obligation to limit data protection rights where appropriate, such as where it considers that limitation is necessary to promote genuine legitimate interests and the protection of the rights of others. This can be seen in one case study involving a complaint by an individual that his personal data, contained in CCTV footage, had been disclosed by a bar to his employer without his knowledge or consent. The surrounding circumstances involved an alleged physical altercation between the complainant and his colleague during a social event hosted by their employer at the bar.
The Commission found that the CCTV was processed in furtherance of the employer’s obligation to protect the health and safety of its employees, which constituted a legitimate interest justifying the processing. The Commission considered it was necessary for the bar to release the CCTV footage to the employer, to enable it to investigate and validate allegations of wrongdoing against the complainant. On the question of balancing the employer’s legitimate interest in processing the personal data with the complainant’s data protection rights, the Commission found that the scale tipped in favour of processing given that withholding the CCTV could have impeded the full investigation of an alleged serious assault, and the employer’s ability to protect its employees. The Commission therefore found that the complainant’s data protection rights were not infringed by the bar releasing his personal data to his employer, and rejected his complaint.
Prosecutions under the ePrivacy Regulations
The Commission’s report contains summaries of five separate prosecutions it pursued before the District Court for offences under the ePrivacy Regulations in respect of electronic direct marketing. All of the complaints giving rise to the prosecutions related to the absence of a legal basis for sending electronic direct marketing to the recipients, or to a failure to action recipients’ requests to remove them from marketing lists. The sentences imposed by the District Court ranged from ordering one defendant to cover the Commission’s prosecution costs, to imposing a €2,000 fine on another defendant.
The Commission’s first post-GDPR annual report reflects its focus on driving awareness of data protection obligations both in the public and private sectors, and its commitment to taking appropriate action when such obligations are not met. While the flurry of preparing for 25 May 2018 has now long since passed, it is imperative that organisations continue to review their data protection practices on an ongoing basis to ensure that they remain relevant and appropriate to their activities on the ground.
About the Authors
Laura is a partner in the Commercial & Business team at Hayes solicitors. Laura advises clients on a diverse range of corporate and commercial matters and regulatory requirements. She is an experienced adviser on terms and conditions of sale and purchase, IT issues, data protection, product liability, advertising and promotions, intellectual property and a wide range of commercial agreements.
Ruth is a solicitor in the Commercial & Business team at Hayes solicitors specialising in commercial litigation and dispute resolution. Her experience includes advising financial institutions, private equity funds, private companies and individuals in a variety of matters including contract law disputes, enforcement and recovery actions and general litigation cases.