Photo of Jessica Morris

The Data Protection Commission (DPC) recently published its decision in a formal inquiry into the Irish Credit Bureau DAC (the ICB), which followed the ICB’s notification to the DPC of a personal data breach on 31 August 2018. The ICB is a credit reference agency that maintains a database on the performance of credit agreements between financial institutions and borrowers.

The personal data breach occurred when the ICB implemented a code change to its database that contained a technical error. As a result, between 28 June 2018 and 30 August 2018, the ICB database inaccurately updated the records of 15,120 closed accounts. This update had the effect of changing key data in a data subject’s record so that it appeared that their accounts had been closed recently, even where the loans or credit facilities had been paid off years before. This caused the ICB to disclose 1,062 inaccurate account records to financial institutions as part of credit checks, which would potentially have resulted in a refusal of credit in circumstances where it would otherwise have been granted. The records did not, however, misstate that a balance was outstanding on the accounts.

The incident was handled by the ICB as a data breach and was reported to the DPC. The DPC’s investigation focussed on the application of Data Protection by Design and by Default (Article 25), the appropriateness of organisational and technical controls under Article 24, and whether or not there was a joint controller relationship under Article 26 GDPR between the ICB and the lenders who shared data with them.


Continue Reading Irish Credit Bureau fine offers insight into the DPC’s use of its corrective powers

Photo of Sarah Dunne

The European Data Protection Board (EDPB) recently responded to questions submitted by the EU Commission seeking clarification on the consistent application of the GDPR to health research. The responses cover 21 questions and provide clarity on issues such as: the legal basis for processing health data; processing of special categories of data on a large scale; and further processing of previously collected health data. While it is clear that many questions remain unanswered, further responses are expected in forthcoming guidance currently being prepared by the EDPB.

Continue Reading EDPB responds to questions on processing health data

Photo of Davinia Brennan

On 7 September 2020, the European Data Protection Board (EDPB) issued draft guidelines on the concepts of controller and processor. The concepts play a crucial role in the application of the GDPR, as they determine who will be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice.

The concepts have not changed compared to the Data Protection Directive 95/46/EC (now repealed) and the general criteria for how to attribute the different roles remain the same. However, the EDPB acknowledges the necessity of providing clarification on these concepts under the GDPR.  Since the entry into force of the GDPR, many questions have arisen in relation to the implications of the concept of joint controllership (under Article 26 GDPR), and the specific obligations for processors (under Article 28 GDPR). The guidelines replace the previous Opinion of the Article 29 Working Party on the concepts of controller and processor (Opinion 1/2010).

In part I, the guidelines discuss the definitions of the concepts of controller, joint controllers, processor, and third party/recipient. Part II considers the consequences that are attached to the different roles. The guidelines also contain helpful examples of the circumstances when an entity is a controller, joint controller or processor.


Continue Reading EDPB publishes draft guidelines on the concepts of controller and processor

Photo of Davinia Brennan

The Irish Court of Appeal has held that while the definition of “personal data” is very broad, to interpret a document as constituting personal data for the sole reason that it was generated as a result of a complaint made by the data subject would be to “overstretch” the concept of personal data. In a related judgment, the Court found that the data subject was entitled only to a “copy” of his personal data, and not the data in its “original form”.

Continue Reading Court of Appeal warns against “overstretching” the concept of personal data

Photo of Grace Moore

The European Data Protection Board (EDPB) has adopted a statement on restrictions on data subject rights in connection with the state of emergency in Member States. The EDPB emphasises that, despite the international crisis, the GDPR remains applicable and allows an efficient response to the pandemic, while still protecting fundamental rights and freedoms.

The EDPB’s statement was made in response to a Hungarian government decree dated 4 May 2020. The decree sets out certain derogations from the GDPR and, in particular, allows data controllers involved in Covid-19 related data processing to suspend the fulfilment of data subjects’ requests under Articles 15-22 GDPR (such as the right of access or erasure) until the state of emergency is revoked in Hungary. The decree does not indicate any time limit in respect of the state of emergency.


Continue Reading EDPB issues statement on restrictions on data subject rights during the Covid-19 crisis

Photo of Grace Moore

The Belgian Data Protection Authority (Belgian DPA) recently imposed a €50,000 fine on a large telecommunications operator (the company) for failing to comply with the GDPR in relation to the appointment of its Data Protection Officer (DPO). The Belgian DPA decided that the DPO’s tasks and duties under the GDPR conflicted with the DPO’s role as Head of Audit, Risk and Compliance.

Continue Reading Belgian DPA issues €50,000 fine for DPO’s conflicting company roles

Photo of Steven Craig

The European Data Protection Board (EDPB), the body tasked with ensuring consistent application of the GDPR across Europe, has published its annual report for 2019. As we approach the two-year anniversary of the GDPR, the EDPB Chair refers to a “common data protection culture” emerging as a result of the continued cooperation between European Data Protection Authorities (DPAs).

The following are some of the key points from the EDPB’s activities in 2019.


Continue Reading EDPB publishes Annual Report for 2019

With the significant increase in the number of people working from home due to the Covid-19 pandemic, the use of video-conferencing technologies and applications (VC Technology) by businesses for both internal and external meetings has seen a sharp increase. Similarly, there has been a surge in individuals relying on the various VC Technologies available to make sure they can still have their Friday after-work drinks, attend their weekly quiz nights, continue their monthly book clubs or simply stay in touch with family and friends from a safe, online distance.

To assist both individuals and organisations in navigating this new way of working and socialising online, the Irish Data Protection Commission (DPC) has published some tips on how to ensure that any use of VC Technology is carried out in a safe manner.


Continue Reading Data Protection Commission publishes tips for video-conferencing

Photo of James McCarthy

On 6 April 2020, the Data Protection Commission (DPC) published a report on the use of cookies and other tracking technologies (Report) and an updated guidance note on cookies and other tracking technologies (Guidance).

The Report is based on a review carried out by the DPC of websites in various sectors in Ireland, including insurance, banking, media, retail and the public sector. The purpose of the DPC’s report was to examine whether organisations are complying with the law, and, in particular, how organisations are obtaining the consent of users for the use of cookies. The majority of the 38 organisations examined were found to have potential compliance issues, particularly in relation to reliance on implied consent for setting non-necessary cookies; lack of choice for users to reject all cookies; bundling of consent for all purposes; and the possible misclassification of cookies as “necessary” or “strictly necessary”. The Report gives an overview of the responses received, highlighting what the DPC considers to be both “good” and “bad” practices that it encountered on the websites, and the Guidance provides website operators with guidance on how to comply with the rules relating to cookies, which are set out in the Irish ePrivacy Regulations.


Continue Reading DPC publishes Report and Guidance on cookies following a “cross-sector and cross-size” sweep of website operators

Photo of Steven Craig

In Doolin v DPC [2020], the High Court held that an employer’s use of CCTV footage in an employee’s disciplinary proceedings constituted unlawful further processing. It concluded that the Data Protection Commission (DPC) had made an “error of law” in their finding that no further processing of the CCTV footage had occurred. The Court found that the CCTV footage was lawfully collected for security purposes. However, the CCTV footage was then unlawfully further processed for the purpose of the disciplinary proceedings, which was incompatible with the original purpose for which the CCTV footage was processed. The decision shows the importance of only using personal data, particularly CCTV footage, for the purpose for which it was collected.

Continue Reading Use of CCTV footage in disciplinary proceedings breached employee’s data protection rights