Article: DPC-Report-2022

This following fact sheet summarises points taken from the Data Protection Commissioner’s report of 2022 in order to act as a reminder of the importance of implementing the appropriate technical and organismal measures as required by the General Data Protection Regulations (GDPR) and the Data Protection Act 2018.

It is important to continue to maintain and record in your GDPR Diary of Compliance (Section 4(a) of the Protectorate Solutions Ltd.’s GDPR Consultancy Package).

It can be seen from the Data Protection Commissioner’s report that their attitude and approach to data breaches involving organisations who have implemented the appropriate technical and organisational measures, who train their employees, who assessed risks while continuing to monitor their compliance in relation to the GDPR and Data Protection Act 2018 were very favourable. The two data breach cases mentioned in the report namely Alliance and Ark Life received no administrative fines or corrective powers being exercised by the Data Protection Commissioners as a result of their compliance under the GDPR.

If you have any issue or concern concerning any issue in this report, please feel free to contact John on (086) 3338886 or emailing us on info@protectoratesolutions.com

• 1. Data Protection Commissioner’s Office / Budget
• 2. Data Protection Commissioner Focus for 2023
• 3. Number of Complaints Processed in 2022
• 4. Data Protection Commissioners approach to dealing with complaints against organisations that have appropriate technical and organisation measures implemented to protect personal data.
• 5. Details of administrative fines issued by the Data Protection Commissioner
• 6. Failure to Report Data Breach / Communicate with Data Protection Commissioner.
• 7. Failure to protect personal data in emails.
• 8. Data Access Request from Non-Custodial Parent / Estranged Parent
• 9. Frequent Topics of Data Protection Complaints in 2022
• 10. Most frequent cause of data breaches
• 11. Data Protection Commissioner Examining Websites for compliance.
• 12. Warning in relation to breaches of Data Minimisation Principle – by requesting Photographic ID for identification in respect of a Data Subject Erasure Requests
• 13. Issues arising concerning the use of CCTV Systems
• 14. Advertising to Children – Query ‘Legal Basis’ and issue of ‘Joint Controller Requirements’
• 15. Direct Marketing
• 16. Matters prioritised for direct intervention in 2022
• 17. Data Breaches
• 18. Time limit - ePrivacy Regulations Breaches Notification to Data Protection Officer

It is important to realise that the office and functions of the Data Protection Commissioner are very real and should to be taken seriously.

The number of staff in the DPS’s office in 2022 was 196 with a view to increase the numbers in 2023 through a recruitment drive.

The annual budget allocated to finance this office was €23.234 Million in 2022. This funding represents an increase of €4.106 million on the 2021 allocation.

The Data Protection Commissioner’s report for 2022, stated that their focus in 2023 will be to pursue the

• • issues of greatest consequence for data subjects,
• • drive compliance, and,
• • most importantly, safeguard individuals’ rights.

In 2022 the Data Protection Commissioner (DPC) processed 9,370 new cases of which 2,710 progressed to formal complaint handling.

The fact that 6,660 new cases were dealt with relatively expeditiously, demonstrated the Data Protection Commissioner’s approach of ‘intervening and seeking a swift and informal resolution of the matter in the first instance’ provided of course that the data controller has implemented the appropriate technical and organisational measures to protect personal data being processes.

The undermentioned cases demonstrate the DPC’s approach taken with organisations who implement appropriate technical and organisational measures to comply with the requirements of the GDPR and Data Protection Act 2018.

• • Allianz reported personal data breaches between the 25thJune 2020 and the 31st December 2020. Due to Allianz being proactive in relation to the GDPR in implementing policies specifically tailored to the risks associated with the processing and providing repeated training to sectors of the business as well as increasing the risk profile of some business units through implementing additional security measures after personal data breaches occurred, the Data Protection Commissioner exercised no corrective powers in its decision.
• • Ark Life reported personal data protection breaches between December 2018 and May 2021 – concerning the unauthorised disclosure of personal data as a result of address inaccuracies that arose within the postal and email procedures operated by Ark life. The Data Protection Commissioner found that Ark Life had implemented policies which were specifically tailored to the risks associated with the processing. Ark Life also provided repeated training to sectors of the business which were the most susceptible to personal data breaches of this kind. Ark Life took proactive measures to counter the increasing risk profile of some business units by implementing additional security measures after some personal data breaches occurred. These measures addressed inherent flaws in their processes concerning customer contact details and dealing with returned mail. Taking into account the quantum of data breaches, the technical and organisational measures implemented by Ark Life and the moderate to low severity of risk to data subjects, the DPC concluded that Ark Life did not infringe Article 32(1). Accordingly, no corrective powers were exercised in this decision.
• • The importance of implementing the appropriate technical and organisational measures to comply with the requirements of the GDPR and Data Protection Act 2018 cannot be overstated as the cases mentioned at point 5 below demonstrate of the attitude and measures imposed by the Data Protection Commissioner when organisations failed to implement the appropriate technical and organisational measures or comply with the requirements of the GDPR and the Data Protection Act 2018.

• • MOVE Ireland - August 2021 fined (€1,500) Loss of 18 SD cards containing personal data from group sessions.
• • Teaching Council - December 2021 fined (€60,000) – Unauthorised access to personal data contained in emails relating to 9,735 data subjects.
• • Limerick City and County Council – December 2021 fined (€110,000) CCTV GDPR related issues.
• • Slane Credit Union - January 2022 fined (€5,000) – Publication of Members details on internet.
• • Guerin Media Limited fined (€6,000) sending two unsolicited marketing emails (previous breaches occurred). The DPC concluded 207 electronic direct marketing investigations in 2022.
• • Telco and Publishing House were prosecuted in respect of four separate charges of sending of unsolicited marketing communications without consent (Regulation 13 of Statutory Instrument 336 of 2011). The Court returned convictions on all charges, and it imposed fines totalling €6,500.
• • Bank of Ireland plc - March 2022 fined (€463,000) – Unauthorised disclosure of customer personal data to the Central Credit Register, accidental alterations of customer data and failure to report breach or notify data subjects.
• • A&G Couriers Ltd. T/A Fastway Couriers Ireland (Fastway) were fined €15,000 for failing to implement appropriate technical and organisational measures.
• • Meta (Facebook) failed to have in place appropriate technical and organisational measures, fined €17 million.
• • Meta (Facebook) fined €210 million in relation to relying on a legal basis of ‘Contract’ in relation to delivery of behavioural advertising as part of its service. Investigated in relation to legal basis and transparency information in relation to this data processing.
• • Meta (Facebook) (Instagram) fined €180 million in relation to relying on a legal basis of ‘Contract’ in relation to delivery of behavioural advertising as part of its service. Investigated in relation to legal basis and transparency information in relation to this data processing.
• • Meta (Facebook) fined €265 million in relation to 533 million users data being made available online. They were found to be in breach of failing to implement appropriate technical and organisational measures designed to implement purpose limitation principal and the integrity and confidentiality principle in an effective manner.
• • Meta (Facebook) fined €405 million in relation to children’s personal data (phone number and email addresses) being made public. (Note the relevance to Children’s data, as the administrative fine was nearly doubled from the previous large fines issues to Meta (Facebook) when it related to children).

Failure to report a data breach and or notify data subject is not taken very lightly by the Data Protection Commissioner as Bank of Ireland found out when it was fined €436,000 for the unauthorised disclosure of customer personal data to the Central Credit Register (CCR), accidental alterations of customers personal data on the CCR, failure to report the breach without delay, failure to provide sufficient details to the Data Protection Commissioner in respect of the data breach, failure to ensure a level of security appropriate to the risks involved in transferring information to the CCR and failure to notify the relevant data subjects (customers).

Virtue Integrated Elder Care Ltd was fined €100,000 for data breach in relation to unauthorised access to manager’s email account resulting in the personal and special category data of residents being accessed by cybercriminals i.e. failing to implement appropriate technical and organisational measures on its email system.

Protectorate Solutions’ Ltd. Email Attachment Application could have prevented such a breach if it has been used). All it takes is for one employee to open a malicious link or email for cybercriminals to install malware that redirects emails and their contents to the cybercriminal to let them exploit the organisations and data subjects. This in turn results in unauthorised access to personal data, failure to implement appropriate technical and organisational measures breaches the security principle of the GDPR etc.

This issue on how to deal with a ‘Data Access Request in respect of a child’ from an estranged parent where the school have concerns for the welfare of both the custodial parent and child / children was raised in the Data Protection Commissioner’s report 2022.

The Data Protection Commissioner advised a school that as the data controller, they have an obligation to ensure that the right of access does not adversely affect the rights and freedoms of others under Article 15(4) GDPR. This includes the rights of the child and the other parent.

Data controllers may restrict a parent’s right of access to their child’s data where they have reasonable grounds to believe this would not be in the best interests of the child.

This is not to say that an access request should be dismissed entirely. The DPC informed the school that they should provide a response to the request. However, the school may redact certain information where they deem it necessary to safeguard the rights and freedoms of the child or custodial parent.

The controller has to balance the data protection rights of children against the interests of their parents in approach such a request.

The most frequent GDPR topics from enquiries and complaints related to issues of

• • Access Rights 1,142 complaints – 42%
• • Fair Processing 383 complaints – 14%
• • Direct Marketing 263 complaints – 10%
• • Disclosure 183 complaints – 7%
• • Right to be Forgotten (delisting and or removal requests).

The most frequent cause of breaches reported to the DPC arose as a result of correspondence inadvertently being misdirected to the wrong recipients, at 62% of the overall total.

Additionally, autofill options on email address bars have given rise to a significant number of breach notifications, where emails have been misdirected. These types of errors are attributable to both a failure on the part of organisations to update data in a timely fashion and, in some instances, customers’ failure to notify organisations of a change of address.

Protectorate Solution ‘Email Attachment Encryption App’ would solve such occurrences as only the correct recipient could open the encrypted attachment, hence no data breach would occur.

The Data Protection Commissioner while carrying out ‘a monitoring and enforcement exercise’ discovered that Pre- Hospital Emergency Care Council’s website did not have details their Data Protection Officer listed. The DPC then checked their own records and observed that they were not notified by Pre- Hospital Emergency Care Council of their appointed Data Protection Officer. Pre- Hospital Emergency Care Council were reprimanded for the infringements by the Data Commissioner Office. (May 2022)

• • Twitter was found to have breached ‘data minimisation’ Art.5(1)(c) by requesting a copy of the complainant’s photographic ID in a data erasure request, as well as a breach of Art 6(1) for not identifying a valid lawful basis for seeking a copy of the complainant’s Photographic ID to process his erasure request. In delaying to deal with the request they were also found to have breached Art. 17(1) for the undue delay in handling the complainant’s request for erasure as well as a breach of Art. 12(3) for failing to inform the data subject within one month of the action taken on his request for erasure.
• • Airbnb - The Data Protection Commissioner found that Airbnb request for Photographic ID in an erasure request constituted an infringement of the principal of data minimisation (Art. 5(1)(c). It found that this infringement occurred in circumstances where less data-driven solutions to the request of identity verification were available to Airbnb (namely getting complainants to log into their account). The Data Protection Commissioner also held that the legitimate interest pursued by the controller did not constitute a valid lawful basis under Article 6 of the GDPR for seeking a copy of the complainant’s photographic ID in order to process their erasure request. The Data Protection Commissioner also found Airbnb infringed Article 12(3) as they failed to provide the complainant with information on the action taken on their request within one month of the receipt of the access request.
• • However – in another case the Data Commissioner held that Airbnb were correct to request photographic ID from a registered member of Airbnb to verify their identity in order to protect the safety and security of the users of the Airbnb platform, as Airbnb operations brings hosts and members who are unknown to each other into a situation where they may actually meet in person at the host’s premises, or elsewhere. The DPC agreed that a legitimate interest existed for Airbnb ensuring it had adequate safety and security measures in place to protect users of the platform. The DPC took the view that the service operated by Airbnb is significantly different to a purely online service such as a social media platform. Given that Airbnb members stay at the premises of a host “in the real world”, the DPC recognised the importance of verifying the identity of hosts to ensure that they are who they say they are. The DPC found that in a balancing test, the rights of the host were not prejudiced by this verification process.

The Data Protection Commissioner raise a number of concerns in relation to processing data through the use of CCTV systems – these included.

• • the justification for 24/7 CCTV surveillance
• • the intrusiveness of some of the cameras ‘smart’ capabilities – pan / tilt / zoom capabilities overlooking private property / areas. (One solution implemented by a local authority was to disable auto-scan and roaming capabilities of cameras)

The DPC emphasised.

• • the necessity for robust security measures,
• • the need to respect the privacy rights of residents and
• • the responsibility on the data controller to protect the public and mitigate risks CCTV security systems could have for children and vulnerable members of society.

When advertising to children through a media platform occurs the Data Protection Commissioner has advised that even where consent has been obtained from the parents, the processing of personal data for targeted advertising would likely require compliance with the requirements of ‘Joint Controllers’. Which in practice would mean preparing the necessary compliance documentation in consultation with their Data Protection Officer, to set out the justification and legal basis for this processing and to identify and mitigate any potential risks to children.

The Data Protection Commissioner also advised that in the context of preparing their Data Protection Impact Assessment (DPIA), the organisation should consider whether ‘consent’ would be the most appropriate legal basis for this processing, as it would in practice be difficult for children or parents to give meaningful and distinct consent to targeted advertising in circumstances where they must accept it as a condition for using the service in the first place.

The DPC advised that alternate legal bases under Article 6 of the GDPR may be more appropriate, but it was for the organisation itself to determine this, taking into account its context, statutory remit, objectives and obligations under the law as applicable.

The advice that the DPC gave in this case is relevant to any public sector organisation that is considering whether to use social media to target children. Such organisations should in particular bear in mind the following considerations.

• • First, the Data Protection Commissioner cannot give blanket endorsements of social media advertising tools and it is therefore up to the organisation itself to determine on a case-by-case basis whether it can use such tools in a proportionate and privacy-preserving manner for a purpose that reflects the best interests in the child. An organisation that wants to use social media advertising to pursue its objectives cannot assume that the associated data protection compliance is the sole responsibility of the social media company itself.
• • Second, there is a lot of confusion around the appropriateness of consent as a lawful basis and in particular the role of the age of digital consent.

Public sector organisations in particular should consider whether alternate legal bases are more appropriate, taking into account their particular duties and obligations in relation to children and any other relevant contextual factors.

The DPC received 204 new complaints in relation to electronic direct marketing in 2022. These included.

• • 118 complaints in relation to email messages,
• • 52 complaints in relation to text messages,
• • 28 complaints in relation to cookies and
• • 6 complaints concerning phone calls.

A total of 207 electronic direct marketing investigations were concluded in 2022. This figure is made up of 2 complaints from 2020; 50 complaints from 2021; and 155 complaints from 2022.

Matters prioritised by the Data Protection Commissioner in 2022 included:

• • CCTV in cinemas, school toilets, fast-food outlets, nursing home, medical centre as well as
• • remote access to CCTV as a substitute for onsite workplace supervision.
• • Census data collection practices.
• • Residential property sector excessive data collection.
• • Mobile home park excessive data collection.

In 2022, the DPC received 5,828 personal data breach notifications. A total of 5,695 valid GDPR data breaches were recorded, representing a 13% decrease (854) on the GDPR data breach numbers reported in 2021.

Since the introduction of GDPR – and in line with previous years – the highest category of data breaches notified to the DPC in 2022 related to unauthorised disclosures, in cases affecting one or small numbers of individuals, accounting for 62% of the total notifications.

Of the total 5,828 breach notifications that the DPC received in 2022, in terms of breakdown,

• • Private Sector 3,014 – 52%
• • Public Sector 2568 – 44%
• • Voluntary
• • Charity Sector 246 -4%

Data Breach Notification by Category	Charity	Private	Public	Voluntary	Total
Disclosure unauthorised – Postal Material to incorrect recipient	18	1067	836	15	1936
Disclosure unauthorised – Email incorrect recipient	40	456	563	22	1081
Disclosure unauthorised - Other	24	294	299	24	571
Integrity - unintentional alteration (PD disclosed)		407	7		414
Unauthorised Access - Paper files/ Documents/Record	15	117	178	8	318
Paper Lost/Stolen – Official Document		9	236	3	248
Availability - accidental (Loss/destruction of PD)	6	27	189		242
Hacking	12	186	9	2	209
Paper Lost / Stolen	5	38	130	3	176
Processing Error – (PD Disclosed	8	87	47	6	148
Integrity – Unauthorised Alteration (PD Discloses)	1	80	3		84
Unauthorised Access – Online Account	1	37	22	2	62
Other					339

All breaches under the ePrivacy Regulations should be notified to the DPC no later than 24 hours after the detection of the personal data breach, regardless of the degree of risk they are believed to pose.

The DPC received a total of 105 valid data-breach notifications (an increase of 176% on 2021 figure) under the ePrivacy Regulations, which accounted for just under 2% of total valid breach cases notified for the year.

As predicted in its 2021 Annual Report, the number of breaches notified to the DPC under the ePrivacy Regulations increased significantly in 2022, due to changes in ePrivacy legislation.

The 105 valid data breaches notified to the DPC in 2022 represents a three-fold increase on the previous year’s figures.

Examples of breaches of ePrivacy Regulations

• • Use of electronic communications services to send direct marketing to natural persons unless the have given their consent.
• • Installation of cookies on data subject’s computer / devices without their consent.
• • Lack of cookie notice on websites that use cookies.