Annual Report 1 January — 31 December 2019 1 Annual Report 1 January — 31 December 2019 2 International Activities Data ProtectionOfficers Supervision � Legal Affairs Inquiries Breaches Complaints Information andAssessment Review of2019 Roles andResponsibilities Foreword � � Table ofContents Appendix 1:CourtofJusticetheEuropeanUnion(CJEU)CaseLaw APPENDICES Corporate Affairs Key DPCProjects � Communications Processing Children’sPersonalData by DEASPinrelationtothePublicServicesCard Appendix 3:InvestigationbytheDPCintoprocessingofpersonaldata Appendix 2:LitigationconcerningStandardContractualClauses Commission in2019 Appendix 5:ReportonProtectedDisclosuresreceivedbytheDataProtection for theperiod1January2019to31December Appendix 4:StatementofInternalControlsinRespecttheDPC Appendix 6:FinancialStatementsfortheYear1Januaryto31December2019
� � � � � � � � � � � �
� � � � � �
�
� 81 95 93 98 97 62 12 16 10 56 52 38 34 18 76 74 70 64 68 89 6
3 Annual Report 1 January — 31 December 2019
Foreword
6 with bytheDPC aresetoutonpage36.Media queries being concise).Breachesnotified andindividuallydealt how todeliversufficienttransparency touserswhilealso long entrencheddataprotection challenges(forexample, with globalcounterpartstofind real-worldsolutionsto meetings inBrussels(87 in2019)andengaging DPC makesservicingEuropeanDataProtectionBoard the amountoftravelandinternationalcommitment also consumeconsiderableresources.Page65shows The larger-scaleinquiriesaredetailedonpage40and opposed tolarge-scaleandmoresystemicinvestigations). are devotedtothehandlingofindividualcomplaints(as resolved bytheoffice.Atleast40%ofourresources lodged withusandthenumberofindividualcomplaints of thenewlaw.Page19detailsvolumecomplaints of generalguidancetheDPCissuedtohelpinterpretation of GDPR.Page71thisreportdetailstherecordlevels Volume wasakeywordfortheDPCinthisfirstfullyear Quantity andQuality which willassistindrivingthisforward. cooperation withtheCroatianDataProtectionAuthority, an EU-fundedprojectonawarenessraisingforSMEs,in sectoral focuswithguidance.TheDPCisnowengagedin appropriate implementationmeasuresandformoreofa SMEs areaskingformorehelptoidentifyreasonableand GDPR anda key takeaway was that across Europe, smaller organised bytheEUCommissiontomarkoneyearof I participatedinausefulstock-takingeventBrussels has beensomethingofathemeduring2019.InJune, more guidancefromdataprotectionauthorities(DPAs) ence inDublinMarch2020.Callsfortheprovisionof DPC andthewillhostitsfirstDPONetworkconfer they arekeenformoreresourcesandsupportfromthe subjects’ rightsareconsideredinallprojects.DPOstellus tor andlargedataprocessingorganisationsensuring to theDPCandtheyareengageddailywithinpublicsec 1,500 dataprotectionofficers(DPOs)havebeennotified able datapracticesacrosstheirorganisations.InIreland, been quietlygettingonwithembeddingmoreaccount Law EnforcementDirectiveandmanyorganisationshave full calendaryearoftheoperationGDPRand Away fromthehigherprofileheadlines,it’sbeenfirst Facebook), itwasn’tayearthatwasshortonbignews. privacy financialpenalty(the$5bnimposedbytheFTCon SCCs datatransferlitigation,totheworld’slargest and Planet49)theAdvocateGeneral’sopinionon including instructiveCJEUjudgments(suchasFashionID sciousness. FromarangeofimportantEUdevelopments moved tobeinganestablishedfixtureofpubliccon- protection hadabigmomentin2018,ithasnowclearly ments, such has been the pick-up in developments. If data full-time staffsolelytomonitorcaselawandlegaldevelop- legal practicessaytheyhadfounditnecessarytohire 2019 wasthefirstyearIheardmultipledataprotection First fullyearofGDPR - - - up toacodeof conductonchildren’sdataprocessing. these partiesasweencourage bigtechplatformstosign of children’sdigitalrightsand willcontinuetoworkwith engaged heavilywithexpertstakeholders inthearea principles forcontrollers.Throughout 2019,theDPC personal dataandisnowpreparing topublishguiding The DPCalsocompleteditsconsultation onchildren’s ies anddirectmarketing. harmonise EUlawsonprivacyofcommunications,cook to tryconcludeamodernisede-privacyregulation on page28.Inthemeantime,EUlegislaturecontinues pursued rigorouslybytheofficein2019andaredetailed E-privacy prosecutionsfordirectmarketingoffenceswere under GDPRandkeentoknowhowexercisethem. couraging isthatpeoplearebroadlyawareoftheirrights of view,aswellthatthecontroller.Whatisreallyen ies andtodrawoutthelessonsfromaconsumerpoint intends toincreaseitseffortsproducemorecasestud understand theirapplicationinthereal-world.TheDPC more worked-throughscenariosfromtheDPC,tobetter with regardtotheirpersonaldataandwouldwelcome are thatmanypeoplefeelconfusedabouttheirrights expectations ofthedataprotectionauthority.Keyfindings groups withthepublictoestablishtheirawarenessand gy for2020to2025,theDPCengagedin2019focus In preparationforourpending5-yearregulatorystrate their rightstodataerasurewhentheyleaveaplatform. management ofindividuals’accountsandinparticular grown involume,withthemainissuescentringaround heard. Complaintsagainstinternetplatformshavealso to lodgecomplaintswiththeDPCasameansofbeing out withinthosesectors,withouttheneedforconsumers at their core consumer protection issues cannot be sorted sectors inIreland,itisdisappointingthatmoreofwhatare istration andcharges.Giventheseareheavilyregulated with complaintsessentiallyfocussingonaccountadmin- among themostcomplainedaboutsectorstoDPC, central tomanyofthesecases.Telcosandbanksremain reliance onaccessrequestsasadjudicatedbytheDPC can orderdiscoveryinemploymentclaims,whichmakes Workplace RelationsCommissionnortheLabourCourt This isundoubtedlydrivenbythefactthatneither of thelitigationDPCissubjecttoincourtstoday. in factbreachedatallmakeupasignificantproportion DPC decisionsthattheirdataprotectionrightswerenot a disputedaccessrequest.Litigationbyindividualsagainst lodged withtheDPC,battleoftenstagedaround employers remainasignificantthemeofthecomplaints Disputes betweenemployeesandemployersorformer the volumeofactivityisonlygoingtogrow. of processingentitiesunderthesupervisioneachDPA, ubiquitous asblinkingand,withhundredsofthousands automated personaldataprocessinginparticularnowas committee engagementsaredetailedonpage71.With responded toandmedia,conferenceparliamentary - - - -
7 Annual Report 1 January — 31 December 2019 Creating a larger team and driving forward To manage the increased volumes of work, the DPC has has been made of the fact that across the EU only three continued to hire additional staff, increasing our staff relatively minor cross-border cases have so far resulted numbers from 110 at the start of the year to 140 at the in fines, and very modest in size at that, since 25th May end of 2019. Regulatory lawyers, legal researchers, inves- 2018 up to the end of 2019. A new legal framework and tigators and technologists all joined the DPC team last one that contemplates very significant penalties, not year. The ongoing dialogue the DPC maintains with the to mention legal novelty in terms of the ‘cooperation broad and international community on data protection and consistency’ provisions set down, is always going matters remains an important facet of our role in driving to take time to implement correctly. But have no doubt better solutions to both old and newly emerging data that intensive work is underway. We currently have: 30 protection challenges. In 2019, the DPC was honoured to live litigation cases as of the end of 2019; a large-scale have been visited by the Commissioners from New Zea- and complex investigation into Facebook’s transfers of land, Australia, Iceland, and the UK, as well as teams of personal data; an appealed Enforcement Notice by the staff from the Swedish, Dutch, Icelandic, Luxembourg and Department of Employment Affairs and Social Protection Regional German DPAs. In addition, the DPC hosted study in Ireland regarding the Public Services Card; further visits by a group of US Congress staffers studying lessons pending e-privacy prosecutions; new corrective powers from the GDPR in the context of a potential US Federal under the 2018 Act exercised with certain controllers; Privacy Bill and Californian State Senators examining the progress and resolution of thousands of complaints issues of technology and data protection. resolved through driving compliance with controllers in 2019. There is certainly no shortage of commitment and In 2019, the DPC concluded its first investigation and capability at the Irish DPC. But equally there is a keen decision under the new Irish Data Protection Act 2018 awareness of the legal requirement to apply fair proce- (the 2018 Act) and specifically under its provisions that dures and what it takes to bring cases over the line and transpose the law enforcement directive. The case con- the DPC remains focussed on this job. As we have consis- cerned the deployment of CCTV and Automatic Number tently said, there would be little benefit in mass producing Plate Recognition by An Garda Síochána and a range of decisions only to have them overturned by the courts. corrective powers were exercised by the DPC to drive When EU competition law rules were first introduced in compliance. A number of other linked investigations into 1962, it was a further number of years before the first the deployment of surveillance technologies by Local Au- significant decision in the Grundig case issued and a thorities in Ireland is underway and once the first of these number of years beyond that again before the first fine conclude, the DPC intends to publish guidance based on was issued. Equally, EU competition investigations (and I the findings to better ensure all State authorities un- mention competition law because the fining regime in the derstand the requirements of the 2018 Act and that the GDPR is based on EU competition law) on average take a public understand how their rights are protected. number of years to complete. As a responsible regulato- The DPC concluded a detailed investigation into the ry body, we are wary of demands for quick-fix solutions personal data processing elements of Ireland’s national and calls for the summary imposition of heavy penalties Public Services Card and published its findings in August on organisations for data protection infringements, at 2019. These included a finding that there is no lawful ba- least some of which may be based on the application of sis for the mandating of registration for a Public Services principles on which there is not always consensus. While Card by organisations other than by the Department of acknowledging that the administrative fines mechanism Employment Affairs and Social Protection when issuing represents an important element of the drive toward the welfare payments. The Department rejected the DPC’s kind of meaningful accountability heralded by the GDPR, findings. The DPC issued an Enforcement Notice and an we must also recognise that, like any other part of our appeal by the Department to the Circuit Court was lodged laws, data protection principles operate within a broader before the end of 2019. legal context and so, for example, the application and enforcement of such principles by a statutory regulator A number of other appeals were heard in challenges to will always be subject to the due process requirements decisions of the DPC during 2019 and the decision of the mandated by our constitutional laws and by EU law. DPC was upheld in each case, as detailed on page 53. These are constraints that cannot (and should not) be set to one side in some arbitrary fashion or for the sake of Investigations into big tech companies continued to prog- expediency. ress in 2019 with the first two inquiries moving from the investigative stage to the decision-making phase. Much
8 sign that“enoughisnowenough” intermsoftolerating US toimplementmoreand privacylegislationisa conduct tobetterprotectchildren online.Thedriveinthe facilitated theprogressionof big techtowardsacodeof last twodecades.Weaimbythe endof2020tohave suffer fromtheproblemswe sleep-walkedintooverthe the nextgenerationoftechnologiesweallusedoesnot into themeatof“dataprotectionbydesign”,toensure GDPR (lawfulbasis,controller/processor)andreallymove it cancreatethespacetomoveoff“firstprinciples”of spotlight onpoorpersonaldatapractices.TheDPChopes continue theoutstandingworktheyaredoinginshininga protection authorities,andacademicsthemediawill DPC throughtheconsultationprocesswithotherEUdata decisions onbigtechinvestigationswillbebroughtbythe of theCJEUinSCCsdatatransfercase;firstdraft going tobeanimportantyear.Weawaitthejudgment they believedeeplyindataprotectionrights.2020is These areprofessionalswhoworkfortheDPCbecause currently deliveringandwhatwewilldeliverinthefuture. ly excitedabouttheworkDPCdoes,whatweare I amprivilegedtoworkwithateamthataregenuine Outlook 2020 are missedbyallofusattheDPC. exceptional contribution,workethicandfunpersonality Mullin, passedawayduringthesummerof2019andhis home, anesteemedcolleagueattheDPCinIreland,Mark have beenrightlywelldocumentedinIreland.Closerto 2019 andhisoutstandingachievementscontribution McDermott, verysadlyalsopassedawayinDecember judicial reviewandCJEUreferencematters,PaulAnthony much missed.ExpertcounselfortheDPCinmanyappeal, and agiantofleaderinourcommunityheisvery utes paidtohimrecognisethathewasagiantofperson Giovanni Buttarelli,inAugust2019.Theenormoustrib passing ofthethenEuropeanDataProtectionSupervisor, No look-backat2019couldavoidthesadreminderof Sad goodbyes Rules inIrelandratherthantheUK. lishment andarrangeoversightoftheirBindingCorporate a rangeoforganisationsseekingtocreatemainestab arrangements tocoverano-dealscenarioanddealtwith ber ofgovernmentdepartmentsandagenciesonlegal on theissues,providedfeedbackanddirectiontoanum scenarios, gavetalksatalargenumberofsectoralevents organisations toprepareforboth“deal”and“no-deal” to anon-EUcountry.TheDPCissuedguidancehelp what wouldbecomerestrictedpersonaldatatransfers of workfortheDPCin2019givenimplications Preparations for”Brexit”havebeenaconsiderablebody Brexit - - - - quarters tofindabetterpathwayforward. to thedialogueandharnessingofexpertisefromall solution usingitsfullrangeofpowersandtocontribute ogies. TheIrishDPCisgoingtocontinuebepartofthe unnecessarily privacyinvasivedatapracticesandtechnol Commissioner forDataProtection Helen Dixon -
9 Annual Report 1 January — 31 December 2019 1 Roles and Responsibilities
10 This isthesecondannualreportofDataProtectionCommission.Ithasbeen The corefunctionsoftheDPC,underGDPRand The DPCisthenationalindependentauthorityinIreland The DPCalsoactsassupervisoryauthorityforperson- 25 May 2018, as well as in relation to complaints and 25 May2018,aswellinrelation tocomplaintsand Although the DPC regulates under the GDPR and Data Although theDPCregulatesunderGDPRandData and 2003 in respect of complaints and investigations into and 2003inrespectofcomplaintsinvestigationsinto and enforcementfunctionsinrelationtotheprocessingof al-data processingunderseveraladditionallegalframe- of theGDPR(Regulation(EU)2016/679). data protected.Accordingly,theDPCisIrishsupervi cessing occurred before or after 25 May 2018. cessing occurredbeforeorafter 25May2018. categories ofprocessing,irrespective ofwhetherthatpro- out from 25 May 2018 onwards, it continues to perform its enforcement) personaldataprocessingoperationscarried or prosecutionofcriminaloffencesexecutioncrimi- sory authorityresponsibleformonitoringtheapplication Functions oftheDPC period from01January2019to31December2019. prepared inaccordancewithSection24oftheDataProtectionAct2018andcovers GDPR inIreland,include: responsible forupholdingthefundamentalrightofindi potential infringements that relate to certain limited other potential infringementsthatrelate tocertainlimitedother potential infringementsthatrelatetotheperiodbefore regulatory functionsundertheDataProtectionActs1988 personal data in the context of electronic communications nal penalties.TheDPCalsoperformscertainsupervisory personal databybodieswithlaw-enforcementfunctions rective 2016/680,astransposedinIrelandundertheData Data ProtectionAct2018,whichgivesfurthereffecttothe Protection Act 2018 in respect of the majority of (non-law Protection Act2018inrespectofthemajority(non-law Protection Act2018)whichappliestotheprocessingof under the e-Privacy Regulations (S.I. No. 336 of 2011). under thee-PrivacyRegulations(S.I.No.336of2011). viduals intheEuropeanUnion(EU)tohavetheirpersonal In addition to specific data protection legislation, there are In additiontospecificdataprotection legislation,thereare in the region of 20 more pieces of legislation, spanning in theregionof 20morepiecesoflegislation, spanning in the context of the prevention, investigation, detection in thecontextofprevention,investigation,detection works. TheseincludetheLawEnforcementDirective(Di- • • • • • alleged infringementsinvolvingcross-borderprocess conducting inquiriesandinvestigationsregardingpo driving improvedcompliancewithdataprotection co-operating withdataprotectionauthoritiesinother potential infringementoftheirdataprotectionrights; public oftherisks,rules,safeguardsandrightsinrela promoting awarenessamongorganisationsandthe EU memberstatesonissues,suchascomplaintsand tential infringementsofdataprotectionlegislation; handling complaintsfromindividualsinrelationtothe tion toprocessingofpersonaldata;and ing. legislation bycontrolandprocesspersonaldata; - - - - - 110 atthestartofyearto 140at31December2019. The DPC’sSeniorManagementCommittee(SMC)compris The FinancialStatementinrespect oftheperiodcovered The DPCispreparingitsfinancial statementsfor2019. The DPCisfundedentirelyfromtheExchequer,tofulfilits OurSMCcomprises: a variety of sectoral areas, concerning the processing of a varietyofsectoralareas,concerningtheprocessing an auditbythe ComptrollerandAuditorGeneral. supervisory function assigned to it under that legislation. supervisory functionassignedtoitunderthatlegislation. DPC’s SeniorTeam Funding andAdministration effective oversightandcontroloftheorganisation. of theSMCoverseepropermanagementandgover es theCommissionerforDataProtectionandseven out intheCodeofPracticeforGovernanceState personal data, where the DPC must perform a particular personal data,wheretheDPCmustperformaparticular mandate astheindependentsupervisorybodyinIreland million, bringingitstotalallocationto€15.2millionforthe nance oftheorganisation,inlinewithprinciplesset DPC welcomedanincreasedbudgetallocationof€3.5 Deputy Commissioners.TheCommissionerandmembers Bodies (2016).TheSMChasaformalscheduleofmatters year basis.Theincreasedfundingfortheenabled year andthisallocationoffundingwasprovidedonafull- for theupholdingofdataprotectionrights.In2019, for considerationanddecision,asappropriate,toensure the DPCtocontinuegrow its staffcomplement,from by thisreportwillbeappended followingtheconductof • • • • • • • • of RegulatoryActivity); of Strategy,Operations&International); Corporate Affairs,Media&Communications); Mr GrahamDoyle(DeputyCommissioner—Headof Mr DaleSunderland(DeputyCommissioner—Head Regulatory Activity). Mr ColumWalsh(DeputyCommissioner —Headof Legal); Ms AnnaMorgan(DeputyCommissioner—Headof Ms HelenDixon(CommissionerforDataProtection); Regulatory Activity). Mr TonyDelaney(DeputyCommissioner —Headof Regulatory Activity);and Mr JohnO’Dwyer(DeputyCommissioner—Headof Ms JenniferO’Sullivan(DeputyCommissioner—Head - -
11 Annual Report 1 January — 31 December 2019 2 Review of 2019
12 to complaint- 1,098 proceeded • • • • • handling and 2003. 311 complaintsundertheDataProtectionActs1988 6,904 29% oftotalcomplaintsreceived. single categorybeing“AccessRights”,countingfor Total Complaintsreceivedwas these, under theDataProtectionActs1988&2003.Of The DPCissued Regulations. respect ofatotal Prosecutions wereconcluded against successful DistrictCourtprosecutions bytheDPC. A numberoftheseinvestigationsconcludedwith telephone marketing. to SMS(textmessage)marketing;and marketing: of 2011inrespectvariousformselectronicdirect 165 complaint and newcomplaintswereinvestigatedunderS.I.336 1,252 complaintsweredealtwithunderGDPRand 13 fullyupheldthecomplaint, assessed actively
77 relatedtoemailmarketing; 9 partiallyupheldthecomplaint. 29 Section10statutorydecisions 9 offencesundertheE-Privacy 4,554 concluded 7,215 , withthelargest 7 rejectedthe 4 entitiesin 7 relatedto 81 related • • • December 2019, 1,252 Of the Protection Acts1988and2003. 620 the DPChad2,582complaintsonhandatyear-end. 5,496 complaint-handling and 7,215 email marketing complaintswerealsoconcludedundertheData complaints complaintswereactivelybeingassessedon31 complaintsintotalwereconcluded2019and received 6,904 related 77 GDPR-relatedcomplaintsreceived, marketing telephone related 1,098
7 complaints hadproceededto 4,554
in “AccessRights” hadbeenconcluded. SMS marketing 29% category related 81
13 Annual Report 1 January — 31 December 2019 • 457 cross-border processing complaints were received by the DPC through the One-Stop-Shop mechanism that were lodged by individuals with other EU data protection authorities. • 207 data-breach complaints were handled by the DPC from affected individuals. • 6,069 valid data security breaches were recorded, 6,069 with the largest single category being “Unauthorised Disclosures”. valid data security breaches recorded
• Information and Assessment received almost 48,500 contacts comprising approximately 22,300 emails, 22,300 22,200 telephone calls and almost 4,000 items of emails correspondence via post. 22,200 • 6 statutory inquiries were opened in relation to mul- telephone tinational technology companies’ compliance with the calls GDPR, bringing the total number to 21. 4,000 by post
Over
• The number of general consultation queries received was 1,420. 1,420 consultations
14 • • • • • • • • The DPCreceived The DPCpublisheditsfindingsoncertainaspectsofthe The DPCcarriedoutanextensiveconsultationonthe Twitter, LinkedInandInstagram,atyear-endhada The DPCexpandeditssocialmediaactivitiesacross The DPCwasleadreviewerin19BindingCorporate An appealtotheDublinCircuitCourtagainst and thisappealislistedtocomebeforetheCourtfor enforcement noticewasissuedinlate2019bythe data isprocessedandtransparency. comes andfocusgroupswithindividuals. dren’s data,whichisaDPCpriorityfor2020. combined followershipofover Work ontheDPC’snewRegulatoryStrategycontinued responses andtheresultsofthatconsultationwillfeed processing ofchildren’spersonaldata,yielding Public ServicesCard(“PSC”)followingalengthyinves monthly reachinthehundredsofthousands. Minister forEmploymentAffairsandSocialProtection DPC staffspokeorpresentedatover Rules (BCRs)applications tions, bringingthenumberto tigation. Thepublishedfindingsweretargetedattwo the firsttimeinMarch2020. key issues,namelythelegalbasisunderwhichpersonal into thedevelopmentofguidanceonprocessingchil individual organisationsfromabroadrangeofsectors. including conferences,seminars,andpresentationsto with aconsultationdocumentontheDPC’sTargetOut 712 DataProtectionOfficernotifica 1,596 20,000 . 180 andanorganic events, 80 - - - - 20,000 followers Data Protection notifications 712 Officer Spoke andpresented at events onover 180 occasions
15 Annual Report 1 January — 31 December 2019 Information 3 and Assessment
16 A key objective of the DPC is to provide a responsive and high-quality information service information high-quality and responsive a provide to is DPC the of objective key A and receives and responds to queries from individuals and organisations by means of email, almost 48,500contactscomprisingapproximately22,300 online form or telephone. In addition, it carries out early-stage assessment, determining assessment, early-stage out carries it addition, In telephone. or form online service, helpdesk public-information a provides DPC the at Assessment and Information continue tobeapriorityin2020. er efficienciesforallusers.Enhancingthequalityand correspondence viapost. emails, 22,200telephonecallsandalmost4,000itemsof protection legislation. Responding toQueriesandComplaints route fordoingso. whether a communication needs to be escalated within the DPC and the most appropriate o niiul ad raiain rgrig hi rgt ad epniiiis ne data under responsibilities and rights their regarding organisations and individuals to responsiveness oftheservice providedbytheDPCwill to lookatitsprocesseswithaviewdeliveringgreat tinued todealwithasignificantnumberofcontactsfrom In ordertoprovideanefficientservice,theDPCcontinues In thefirstfullcalendaryearofGDPR,DPCcon individuals andorganisations.In2019,theDPCreceived 22,200 telephone calls items viapost 4,000 22,300 emails - - Topics ofparticularinterestwheretheDPCprovidedsup The DPC,throughanalysisoftheissuesbroughttoits attention, alsoidentifiesemergingtrendsandpatterns communications throughout2020. Emerging TrendsandPatterns port toindividualsduringtheyearincluded: the mostpertinentissuesandwillhelpguideDPC’s that areofconcerntoindividualsandorganisations.This helps theDPCtofocusitsexternalcommunicationson • • • • • • • access requestsonbehalfofchildren —queriesfrom access requests; exemption; examiner’s notes;and exam Information —inparticularqueriesrelatingto surveillance butalsoconcernsaboutsharingof publication andartisticexemptions. photography — Particularlyasitrelatestoconsent, redaction ofthirdpartydatainresponsetoemployee now incontroloftheirpersonaldata; practices thathaveclosed(oftenwhereapractitioner priately andinthechild’sbestinterests; Public ServicesCard; HR/employment disputes —specificallyworkplace the useofCCTV —particularlyincontextneigh tion astohowtheyshouldrespondaccurately,appro both individualsandorganisationsseekingclarifica bour disputesandtheapplicationofdomestic has died)andpatientsareunabletoestablishwhois individual concernsrelatingtotheroleanduseof information inthecontextofthosedisputesand where ismydata? —requestsrelatingtomedical - - - -
17 Annual Report 1 January — 31 December 2019 4 Complaints
18 The DPCprocessescomplaintsreceivedundertwomain This trendcontinuedinthefirstfullcalendaryearof The term“complaint”hasaveryspecificmeaningunder Since theapplicationofGDPR,DPChasseena application oftheGDPR.In2019,7,215complaintswere Complaints receivedundertheGDPR How Complaintsarehandled significant increaseinthenumberofcomplaintsreceived. received bytheDPC. Note: thetopfivecomplaintsrepresent76%oftotalreceived. plaint-handling obligations —itmustfallunderoneofthe For acommunicationtoconstitutecomplaint —and Protection 2018thatimplementthoselaws. following categories: therefore triggertheDPC’sparticularstatutorycom the GDPR(andLED)andprovisionsofData legal frameworksduringthisperiod: • • • Access Request e MarketingComplaints Complaints ReceivedDuring2019—Top5Categoriesof Disclosure Fair Processing Right toerasure 2018; and Acts 1988and2003. a complaintfromanindividualrelatingtotheprocess complaints andinfringementsoccurringbefore25 dealt withundertheGDPR,LawEnforcementDirec complaints receivedfrom25May2018onwardsare May 2018aredealtwithundertheDataProtection tive, andtheprovisionsofDataProtectionAct ing oftheirownpersonaldata; - - - As inpreviousyears,thecategoryofAccessRequestswas an obligationtoprovidethecomplainantwithprogress of Data(16%)andDisclosure(19%)werealsoonceagain obligations. complainants everythreemonthsinaccordancewithits outcome ofthecomplaint.TheDPCissuesupdatesto GDPR complaints,while311werecomplaintshandled Of the7,215complaintsreceivedbyDPC.6,904were partially upheldthecomplaint. received inhighvolumes. During thecomplaint-handlingprocessDPChas upheld thecomplaint,7rejectedcomplaintand9 under theDataProtectionActs1988to2003. updates andultimatelyinformtheindividualof the DataProtectionActs1988&2003.Ofthese,13fully the highestcomplaint-typereceivedbyDPCbetween In 2019,theCommissionerissued29decisionsunder it isdropping.ComplaintsrelatingtoUnfairProcessing in 2019(29%),thoughproportiontooverallcomplaints • • advocacy groupsactingaspermittedwithinthe a legallyauthorisedentitycomplainingonbehalfofan parameters laidoutintheGDPR,LEDandData Protection Act2018. individual; and 1,320 1,074 1,971 No 353 532 % oftotal 19% 16% 29% 5% 8%
19 Annual Report 1 January — 31 December 2019 Complaints received under the 1988 & 2003 Acts Note: the top 5 represents 83% of total complaints received.
Complaints Received During 2019 — Top 5 Categories of Complaints No % of total
Access Request 93 30%
Fair Processing 87 28%
Disclosure 57 18%
Fair Obtaining 13 4%
Specified Purpose 9 3%
Complaints received 2014–2019
8
7
6
5