
Annual Report 1 January — 31 December 2019

Table of Contents

Foreword
Roles and Responsibilities
Review of 2019
Information and Assessment
Complaints
Breaches
Inquiries
Legal Affairs
Supervision
Data Protection Officers
International Activities
Communications
Key DPC Projects
Corporate Affairs
Processing Children's Personal Data

Appendices
Appendix 1: Court of Justice of the European Union (CJEU) Case Law
Appendix 2: Litigation concerning Standard Contractual Clauses
Appendix 3: Investigation by the DPC into processing of personal data by DEASP in relation to the Public Services Card
Appendix 4: Statement of Internal Controls in Respect of the DPC for the period 1 January 2019 to 31 December 2019
Appendix 5: Report on Protected Disclosures received by the Data Protection Commission in 2019
Appendix 6: Financial Statements for the Year 1 January to 31 December 2019


Foreword

First full year of GDPR

2019 was the first year I heard multiple data protection legal practices say they had found it necessary to hire full-time staff solely to monitor case law and legal developments, such has been the pick-up in developments. If data protection had a big moment in 2018, it has now clearly moved to being an established fixture of public consciousness. From a range of important EU developments, including instructive CJEU judgments (such as Fashion ID and Planet49) and the Advocate General's opinion on the SCCs data transfer litigation, to the world's largest financial penalty (the $5bn imposed by the FTC on …), it wasn't a year that was short on big news.

Away from the higher profile headlines, it's been the first full calendar year of the operation of the GDPR and the Law Enforcement Directive, and many organisations have been quietly getting on with embedding more accountable data practices across their organisations. In Ireland, 1,500 data protection officers (DPOs) have been notified to the DPC and they are engaged daily within public sector and large data processing organisations ensuring data subjects' rights are considered in all projects. DPOs tell us they are keen for more resources and support from the DPC, and the DPC will host its first DPO Network conference in Dublin in March 2020. Calls for the provision of more guidance from data protection authorities (DPAs) have been something of a theme during 2019. In June, I participated in a useful stock-taking event in Brussels organised by the EU Commission to mark one year of the GDPR, and a key takeaway was that across Europe, smaller SMEs are asking for more help to identify reasonable and appropriate implementation measures and for more of a sectoral focus with guidance. The DPC is now engaged in an EU-funded project on awareness raising for SMEs, in cooperation with the Croatian Data Protection Authority, which will assist in driving this forward.

Quantity and Quality

Volume was a keyword for the DPC in this first full year of the GDPR. Page 71 of this report details the record levels of general guidance the DPC issued to help interpretation of the new law. Page 19 details the volume of complaints lodged with us and the number of individual complaints resolved by the office. At least 40% of our resources are devoted to the handling of individual complaints (as opposed to large-scale and more systemic investigations). The larger-scale inquiries are detailed on page 40 and also consume considerable resources. Page 65 shows the amount of travel and international commitment the DPC makes servicing European Data Protection Board meetings in Brussels (87 in 2019) and engaging with global counterparts to find real-world solutions to long entrenched data protection challenges (for example, how to deliver sufficient transparency to users while also being concise). Breaches notified and individually dealt with by the DPC are set out on page 36. Media queries responded to and media, conference and parliamentary committee engagements are detailed on page 71. With automated personal data processing in particular now as ubiquitous as blinking and, with hundreds of thousands of processing entities under the supervision of each DPA, the volume of activity is only going to grow.

Disputes between employees and employers or former employers remain a significant theme of the complaints lodged with the DPC, a battle often staged around a disputed access request. Litigation by individuals against DPC decisions that their data protection rights were not in fact breached at all makes up a significant proportion of the litigation the DPC is subject to in the courts today. This is undoubtedly driven by the fact that neither the Workplace Relations Commission nor the Labour Court can order discovery in employment claims, which makes reliance on access requests as adjudicated by the DPC central to many of these cases. Telcos and banks remain among the most complained about sectors to the DPC, with complaints essentially focussing on account administration and charges. Given these are heavily regulated sectors in Ireland, it is disappointing that more of what are at their core consumer protection issues cannot be sorted out within those sectors, without the need for consumers to lodge complaints with the DPC as a means of being heard. Complaints against internet platforms have also grown in volume, with the main issues centring around management of individuals' accounts and in particular their rights to data erasure when they leave a platform.

In preparation for our pending 5-year regulatory strategy for 2020 to 2025, the DPC engaged in 2019 in focus groups with the public to establish their awareness and expectations of the data protection authority. Key findings are that many people feel confused about their rights with regard to their personal data and would welcome more worked-through scenarios from the DPC, to better understand their application in the real world. The DPC intends to increase its efforts to produce more case studies and to draw out the lessons from a consumer point of view, as well as that of the controller. What is really encouraging is that people are broadly aware of their rights under the GDPR and keen to know how to exercise them.

E-privacy prosecutions for direct marketing offences were pursued rigorously by the office in 2019 and are detailed on page 28. In the meantime, the EU legislature continues to try to conclude a modernised e-privacy regulation to harmonise EU laws on privacy of communications, cookies and direct marketing.

The DPC also completed its consultation on children's personal data and is now preparing to publish guiding principles for controllers. Throughout 2019, the DPC engaged heavily with expert stakeholders in the area of children's digital rights and will continue to work with these parties as we encourage big tech platforms to sign up to a code of conduct on children's data processing.

Creating a larger team and driving forward

To manage the increased volumes of work, the DPC has continued to hire additional staff, increasing our staff numbers from 110 at the start of the year to 140 at the end of 2019. Regulatory lawyers, legal researchers, investigators and technologists all joined the DPC team last year. The ongoing dialogue the DPC maintains with the broad and international community on data protection matters remains an important facet of our role in driving better solutions to both old and newly emerging data protection challenges. In 2019, the DPC was honoured to have been visited by the Commissioners from New Zealand, Australia, Iceland, and the UK, as well as teams of staff from the Swedish, Dutch, Icelandic, Luxembourg and Regional German DPAs. In addition, the DPC hosted study visits by a group of US Congress staffers studying lessons from the GDPR in the context of a potential US Federal Privacy Bill and Californian State Senators examining issues of technology and data protection.

In 2019, the DPC concluded its first investigation and decision under the new Irish Data Protection Act 2018 (the 2018 Act) and specifically under its provisions that transpose the Law Enforcement Directive. The case concerned the deployment of CCTV and Automatic Number Plate Recognition by An Garda Síochána and a range of corrective powers were exercised by the DPC to drive compliance. A number of other linked investigations into the deployment of technologies by Local Authorities in Ireland are underway and once the first of these conclude, the DPC intends to publish guidance based on the findings to better ensure all State authorities understand the requirements of the 2018 Act and that the public understand how their rights are protected.

The DPC concluded a detailed investigation into the personal data processing elements of Ireland's national Public Services Card and published its findings in August 2019. These included a finding that there is no lawful basis for the mandating of registration for a Public Services Card by organisations other than the Department of Employment Affairs and Social Protection when issuing welfare payments. The Department rejected the DPC's findings. The DPC issued an Enforcement Notice and an appeal by the Department to the Circuit Court was lodged before the end of 2019.

A number of other appeals were heard in challenges to decisions of the DPC during 2019 and the decision of the DPC was upheld in each case, as detailed on page 53.

Investigations into big tech companies continued to progress in 2019 with the first two inquiries moving from the investigative stage to the decision-making phase. Much has been made of the fact that across the EU only three relatively minor cross-border cases have so far resulted in fines, and very modest in size at that, since 25th May 2018 up to the end of 2019. A new legal framework, and one that contemplates very significant penalties, not to mention legal novelty in terms of the 'cooperation and consistency' provisions set down, is always going to take time to implement correctly. But have no doubt that intensive work is underway. We currently have: 30 live litigation cases as of the end of 2019; a large-scale and complex investigation into Facebook's transfers of …; an appealed Enforcement Notice by the Department of Employment Affairs and Social Protection in Ireland regarding the Public Services Card; further pending e-privacy prosecutions; new corrective powers under the 2018 Act exercised with certain controllers; the progress and resolution of thousands of complaints resolved through driving compliance with controllers in 2019. There is certainly no shortage of commitment and capability at the Irish DPC. But equally there is a keen awareness of the legal requirement to apply fair procedures and what it takes to bring cases over the line, and the DPC remains focussed on this job. As we have consistently said, there would be little benefit in mass producing decisions only to have them overturned by the courts. When EU competition law rules were first introduced in 1962, it was a further number of years before the first significant decision in the Grundig case issued and a number of years beyond that again before the first fine was issued. Equally, EU competition investigations (and I mention competition law because the fining regime in the GDPR is based on EU competition law) on average take a number of years to complete. As a responsible regulatory body, we are wary of demands for quick-fix solutions and calls for the summary imposition of heavy penalties on organisations for data protection infringements, at least some of which may be based on the application of principles on which there is not always consensus. While acknowledging that the administrative fines mechanism represents an important element of the drive toward the kind of meaningful accountability heralded by the GDPR, we must also recognise that, like any other part of our laws, data protection principles operate within a broader legal context and so, for example, the application and enforcement of such principles by a statutory regulator will always be subject to the due process requirements mandated by our constitutional laws and by EU law. These are constraints that cannot (and should not) be set to one side in some arbitrary fashion or for the sake of expediency.

Brexit

Preparations for "Brexit" have been a considerable body of work for the DPC in 2019 given the implications for what would become restricted personal data transfers to a non-EU country. The DPC issued guidance to help organisations to prepare for both "deal" and "no-deal" scenarios, gave talks at a large number of sectoral events on the issues, provided feedback and direction to a number of government departments and agencies on legal arrangements to cover a no-deal scenario and dealt with a range of organisations seeking to create a main establishment and arrange oversight of their Binding Corporate Rules in Ireland rather than the UK.

Sad goodbyes

No look-back at 2019 could avoid the sad reminder of the passing of the then European Data Protection Supervisor, Giovanni Buttarelli, in August 2019. The enormous tributes paid to him recognise that he was a giant of a person and a giant of a leader in our community and he is very much missed. Expert counsel for the DPC in many appeal, judicial review and CJEU reference matters, Paul Anthony McDermott, very sadly also passed away in December 2019 and his outstanding achievements and contribution have been rightly well documented in Ireland. Closer to home, an esteemed colleague at the DPC in Ireland, Mark Mullin, passed away during the summer of 2019 and his exceptional contribution, work ethic and fun personality are missed by all of us at the DPC.

Outlook 2020

I am privileged to work with a team that are genuinely excited about the work the DPC does, what we are currently delivering and what we will deliver in the future. These are professionals who work for the DPC because they believe deeply in data protection rights. 2020 is going to be an important year. We await the judgment of the CJEU in the SCCs data transfer case; first draft decisions on big tech investigations will be brought by the DPC through the consultation process with other EU data protection authorities; and academics and the media will continue the outstanding work they are doing in shining a spotlight on poor personal data practices. The DPC hopes it can create the space to move off "first principles" of the GDPR (lawful basis, controller/processor) and really move into the meat of "data protection by design", to ensure the next generation of technologies we all use does not suffer from the problems we sleep-walked into over the last two decades. We aim by the end of 2020 to have facilitated the progression of big tech towards a code of conduct to better protect children online. The drive in the US to implement more privacy legislation is a sign that "enough is now enough" in terms of tolerating unnecessarily privacy invasive data practices and technologies. The Irish DPC is going to continue to be part of the solution using its full range of powers and to contribute to the dialogue and harnessing of expertise from all quarters to find a better pathway forward.

Helen Dixon
Commissioner for Data Protection

1 Roles and Responsibilities

This is the second annual report of the Data Protection Commission. It has been prepared in accordance with Section 24 of the Data Protection Act 2018 and covers the period from 01 January 2019 to 31 December 2019.

Functions of the DPC

The DPC is the national independent authority in Ireland responsible for upholding the fundamental right of individuals in the European Union (EU) to have their personal data protected. Accordingly, the DPC is the Irish supervisory authority responsible for monitoring the application of the GDPR (Regulation (EU) 2016/679).

The DPC also acts as supervisory authority for personal-data processing under several additional legal frameworks. These include the Law Enforcement Directive (Directive 2016/680, as transposed in Ireland under the Data Protection Act 2018), which applies to the processing of personal data by bodies with law-enforcement functions in the context of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. The DPC also performs certain supervisory and enforcement functions in relation to the processing of personal data in the context of electronic communications under the e-Privacy Regulations (S.I. No. 336 of 2011).

Although the DPC regulates under the GDPR and Data Protection Act 2018 in respect of the majority of (non-law enforcement) personal data processing operations carried out from 25 May 2018 onwards, it continues to perform its regulatory functions under the Data Protection Acts 1988 and 2003 in respect of complaints and investigations into potential infringements that relate to the period before 25 May 2018, as well as in relation to complaints and potential infringements that relate to certain limited other categories of processing, irrespective of whether that processing occurred before or after 25 May 2018.

In addition to specific data protection legislation, there are in the region of 20 more pieces of legislation, spanning a variety of sectoral areas, concerning the processing of personal data, where the DPC must perform a particular supervisory function assigned to it under that legislation.

The core functions of the DPC, under the GDPR and the Data Protection Act 2018, which gives further effect to the GDPR in Ireland, include:
• driving improved compliance with data protection legislation by controllers and processors of personal data;
• handling complaints from individuals in relation to the potential infringement of their data protection rights;
• conducting inquiries and investigations regarding potential infringements of data protection legislation;
• promoting awareness among organisations and the public of the risks, rules, safeguards and rights in relation to processing of personal data; and
• co-operating with data protection authorities in other EU member states on issues, such as complaints and alleged infringements involving cross-border processing.

DPC's Senior Team

The DPC's Senior Management Committee (SMC) comprises the Commissioner for Data Protection and seven Deputy Commissioners. The Commissioner and members of the SMC oversee proper management and governance of the organisation, in line with principles set out in the Code of Practice for Governance of State Bodies (2016). The SMC has a formal schedule of matters for consideration and decision, as appropriate, to ensure effective oversight and control of the organisation.

Our SMC comprises:
• Ms Helen Dixon (Commissioner for Data Protection);
• Ms Anna Morgan (Deputy Commissioner — Head of Legal);
• Mr Graham Doyle (Deputy Commissioner — Head of Corporate Affairs, Media & Communications);
• Ms Jennifer O'Sullivan (Deputy Commissioner — Head of Strategy, Operations & International);
• Mr Dale Sunderland (Deputy Commissioner — Head of Regulatory Activity);
• Mr John O'Dwyer (Deputy Commissioner — Head of Regulatory Activity);
• Mr Tony Delaney (Deputy Commissioner — Head of Regulatory Activity); and
• Mr Colum Walsh (Deputy Commissioner — Head of Regulatory Activity).

Funding and Administration

The DPC is funded entirely from the Exchequer, to fulfil its mandate as the independent supervisory body in Ireland for the upholding of data protection rights. In 2019, the DPC welcomed an increased budget allocation of €3.5 million, bringing its total allocation to €15.2 million for the year, and this allocation of funding was provided on a full-year basis. The increased funding enabled the DPC to continue to grow its staff complement, from 110 at the start of the year to 140 at 31 December 2019.

The DPC is preparing its financial statements for 2019. The Financial Statement in respect of the period covered by this report will be appended following the conduct of an audit by the Comptroller and Auditor General.

2 Review of 2019

• Total complaints received was 7,215, with the largest single category being "Access Rights", accounting for 29% of total complaints received.
• 6,904 complaints were dealt with under the GDPR and 311 complaints under the Data Protection Acts 1988 and 2003.
• Of the 6,904 GDPR-related complaints received, 4,554 had been concluded, 1,098 had proceeded to complaint-handling and 1,252 were actively being assessed on 31 December 2019.
• 5,496 complaints in total were concluded in 2019 and the DPC had 2,582 complaints on hand at year-end. 620 complaints were also concluded under the Data Protection Acts 1988 and 2003.
• The DPC issued 29 Section 10 statutory decisions under the Data Protection Acts 1988 & 2003. Of these, 13 fully upheld the complaint, 7 rejected the complaint and 9 partially upheld the complaint.
• 165 new complaints were investigated under S.I. 336 of 2011 in respect of various forms of electronic direct marketing: 77 related to email marketing; 81 related to SMS (text message) marketing; and 7 related to telephone marketing. A number of these investigations concluded with successful District Court prosecutions by the DPC. Prosecutions were concluded against 4 entities in respect of a total of 9 offences under the E-Privacy Regulations.
• 457 cross-border processing complaints were received by the DPC through the One-Stop-Shop mechanism that were lodged by individuals with other EU data protection authorities.
• 207 data-breach complaints were handled by the DPC from affected individuals.
• 6,069 valid data security breaches were recorded, with the largest single category being "Unauthorised Disclosures".
• Information and Assessment received almost 48,500 contacts comprising approximately 22,300 emails, 22,200 telephone calls and almost 4,000 items of correspondence via post.
• 6 statutory inquiries were opened in relation to multinational technology companies' compliance with the GDPR, bringing the total number to 21.
• The number of general consultation queries received was 1,420.
• The DPC received 712 Data Protection Officer notifications, bringing the number to 1,596.
• The DPC was lead reviewer in 19 Binding Corporate Rules (BCRs) applications.
• DPC staff spoke or presented at over 180 events, including conferences, seminars, and presentations to individual organisations from a broad range of sectors.
• The DPC expanded its social media activities across Twitter, LinkedIn and Instagram, and at year-end had a combined followership of over 20,000 and an organic monthly reach in the hundreds of thousands.
• The DPC carried out an extensive consultation on the processing of children's personal data, yielding 80 responses, and the results of that consultation will feed into the development of guidance on processing children's data, which is a DPC priority for 2020.
• The DPC published its findings on certain aspects of the Public Services Card ("PSC") following a lengthy investigation. The published findings were targeted at two key issues, namely the legal basis under which personal data is processed and transparency.
• An appeal to the Dublin Circuit Court against the enforcement notice was issued in late 2019 by the Minister for Employment Affairs and Social Protection and this appeal is listed to come before the Court for the first time in March 2020.
• Work on the DPC's new Regulatory Strategy continued with a consultation document on the DPC's Target Outcomes and focus groups with individuals.

3 Information and Assessment

Information and Assessment at the DPC provides a public-information helpdesk service, and receives and responds to queries from individuals and organisations by means of email, online form or telephone. In addition, it carries out early-stage assessment, determining whether a communication needs to be escalated within the DPC and the most appropriate route for doing so.

A key objective of the DPC is to provide a responsive and high-quality information service to individuals and organisations regarding their rights and responsibilities under data protection legislation.

Responding to Queries and Complaints

In the first full calendar year of the GDPR, the DPC continued to deal with a significant number of contacts from individuals and organisations. In 2019, the DPC received almost 48,500 contacts comprising approximately 22,300 emails, 22,200 telephone calls and almost 4,000 items of correspondence via post.

In order to provide an efficient service, the DPC continues to look at its processes with a view to delivering greater efficiencies for all users. Enhancing the quality and responsiveness of the service provided by the DPC will continue to be a priority in 2020.

Emerging Trends and Patterns

The DPC, through analysis of the issues brought to its attention, also identifies emerging trends and patterns that are of concern to individuals and organisations. This helps the DPC to focus its external communications on the most pertinent issues and will help guide the DPC's communications throughout 2020.

Topics of particular interest where the DPC provided support to individuals during the year included:
• the use of CCTV — particularly in the context of neighbour disputes and the application of the domestic exemption;
• HR/employment disputes — specifically workplace surveillance but also concerns about sharing of information in the context of those disputes and redaction of third party data in response to employee access requests;
• access requests on behalf of children — queries from both individuals and organisations seeking clarification as to how they should respond accurately, appropriately and in the child's best interests;
• photography — particularly as it relates to consent, publication and artistic exemptions;
• where is my data? — requests relating to medical practices that have closed (often where a practitioner has died) and patients are unable to establish who is now in control of their personal data;
• exam information — in particular queries relating to examiner's notes; and
• individual concerns relating to the role and use of the Public Services Card.

4 Complaints

How Complaints are handled

The term "complaint" has a very specific meaning under the GDPR (and LED) and the provisions of the Data Protection Act 2018 that implement those laws. For a communication to constitute a complaint — and therefore trigger the DPC's particular statutory complaint-handling obligations — it must fall under one of the following categories:
• a complaint from an individual relating to the processing of their own personal data;
• a legally authorised entity complaining on behalf of an individual; and
• advocacy groups acting as permitted within the parameters laid out in the GDPR, LED and Data Protection Act 2018.

The DPC processes complaints received under two main legal frameworks during this period:
• complaints received from 25 May 2018 onwards are dealt with under the GDPR, the Law Enforcement Directive, and the provisions of the Data Protection Act 2018; and
• complaints and infringements occurring before 25 May 2018 are dealt with under the Data Protection Acts 1988 and 2003.

During the complaint-handling process the DPC has an obligation to provide the complainant with progress updates and ultimately inform the individual of the outcome of the complaint. The DPC issues updates to complainants every three months in accordance with its obligations.

Complaints received under the GDPR

Since the application of the GDPR, the DPC has seen a significant increase in the number of complaints received. This trend continued in the first full calendar year of application of the GDPR. In 2019, 7,215 complaints were received by the DPC.

Of the 7,215 complaints received by the DPC, 6,904 were GDPR complaints, while 311 were complaints handled under the Data Protection Acts 1988 to 2003.

As in previous years, the category of Access Requests was the highest complaint-type received by the DPC in 2019 (29%), though its proportion of overall complaints is dropping. Complaints relating to Unfair Processing of Data (16%) and Disclosure (19%) were also once again received in high volumes.

In 2019, the Commissioner issued 29 decisions under the Data Protection Acts 1988 & 2003. Of these, 13 fully upheld the complaint, 7 rejected the complaint and 9 partially upheld the complaint.

Complaints Received During 2019 — Top 5 Categories of Complaints (GDPR)

Category                  No     % of total
Access Request            1,971  29%
Disclosure                1,320  19%
Fair Processing           1,074  16%
e-Marketing Complaints    532    8%
Right to erasure          353    5%

Note: the top five categories represent 76% of total complaints received.

Complaints received under the 1988 & 2003 Acts

Complaints Received During 2019 — Top 5 Categories of Complaints (1988 & 2003 Acts)

Category            No   % of total
Access Request      93   30%
Fair Processing     87   28%
Disclosure          57   18%
Fair Obtaining      13   4%
Specified Purpose   9    3%

Note: the top 5 categories represent 83% of total complaints received.

[Chart: Complaints received 2014–2019]

Complaint case studies under the Data Protection Act 2018

CASE STUDY 1
Right to rectification request to a healthcare group
(Applicable Law — GDPR & Data Protection Act 2018)

We received a complaint against a healthcare group arising from its refusal of a request for rectification under Article 16 of the GDPR. The complainant alleged that the healthcare group was incorrectly spelling his name on its computer system by not including the síneadh fada, an accent that forms part of the written Irish language.

The healthcare group informed the DPC that its patient administration system is due to be replaced in 2019/2020. However, the group's new system will not allow for the use of the síneadh fada. The healthcare group informed the DPC this was for the purpose of enabling a streamlined single point of contact for patient information across different systems. This would enable professionals to access this information across different units within a hospital or group without re-entering the data at a later point, thereby avoiding the potential for errors.

The other systems across the current healthcare group network and/or wider hospital do not support the use of the síneadh fada. Hospitals under the administration of this healthcare group use a patient administration system (PAS) to initially record patient data which is then shared with other systems at later points of patient care, i.e. Laboratory, Radiology and Cardiology. The healthcare group informed the complainant that it is not possible to record the síneadh fada on the PAS, impacting the way data is stored and processed. The healthcare group further advised the DPC that they identify patients with Patient ID numbers rather than isolated names.

The DPC examined this submission and concluded that any update of the computer system would lead to significant costs and time, along with errors, because syntax characters are recorded as commands in the storage and matching of records. The DPC also engaged with An Coimisinéir Teanga (Irish Language Regulator) about its advice to public sector organisations with respect to computer systems supporting the síneadh fada. An Coimisinéir Teanga advised there is no such obligation arising from the Official Languages Act 2003 but such an obligation can arise from a language scheme, an agreement put in place between a public body and the Minister for Culture, Heritage and the Gaeltacht.

The DPC queried the healthcare group on the existence of a language scheme and was provided with a copy. This scheme sets out a respect for patient choices regarding names, addresses and their language of choice. The scheme also provides a commitment to update computer systems to achieve "language compliancy". There is no timeframe provided for the fulfilment of this commitment in the language scheme.

The healthcare group advised the DPC they are committed to patient safety as a primary, core concern and further advised the DPC of difficulties associated with sharing and storing information across other systems if they updated their system to allow for the use of the síneadh fada. They also advised that they will be testing the possibility of using the síneadh fada in any update of their computer system.

The DPC had regard to Articles 16 and 5(1)(d) of the GDPR in examining this complaint. Both articles set out the rights of individuals subject to "the purposes of the processing". The right to rectification under Article 16 of the GDPR is not an absolute right. Organisations that control or process personal data are required to take reasonable steps in the circumstances. The DPC had regard to case law from the European Court of Human Rights on linguistic rights and/or naming. This case law reflects that the spelling of names falls under the ambit of Article 8 of the European Convention on Human Rights but that the Court adopts a restrictive approach in this regard. As such, the DPC reiterated that the purpose of the processing in the circumstances of the complaint was the administration of healthcare to the complainant and involved the use of Patient ID numbers. The name of the complainant was not the isolated means of identification and therefore the purpose of the processing is being achieved without the use of diacritical marks.

The DPC also had regard to any risks to the complainant in the refusal of their Article 16 request. The DPC noted the risk to the complainant would increase because of the difficulties associated with cross-system handling of the síneadh fada and the impact this would have on any health care decision making for the individual. In the circumstances, the non-use of the síneadh fada would not constitute an interference with the fundamental rights of the individual.

Under section 109(5)(f) of the Data Protection Act 2018 (the 2018 Act), the DPC requested the healthcare group to inform the complainant of its actions in the implementation of a computer system enabled to reflect the síneadh fada. Also, the DPC requested that the group add an addendum to the individual's file to show the síneadh fada forms part of the individual's name.

The DPC, under section 109(5)(c) of the 2018 Act, advised the complainant that he may contact An Coimisinéir Teanga about the language scheme and any contravention of same.

Complaint case studies under the Data Protection Acts 1988 & 2003

CASE STUDY 2 Unauthorised disclosure of mobile phone e-billing records, containing personal data, by a telecommunications company, to the data subject’s former employer (Applicable law: Data Protection Acts 1988 and 2003 (“the Acts”))

Background

The complainant, during a previous employment, asked the telecommunications company to link her personal mobile phone number to her (then) employer’s account. This enabled the complainant to avail of a discount associated with her (then) employer. While this step resulted in the name on the complainant’s account changing to that of her (then) employer, the complainant’s home address remained associated with the account and the complainant remained responsible for payment of any bills.

Following termination of the employment relationship, the complainant contacted the telecommunications company to ask that it (i) restrict her former employer’s access to her mobile phone records; and (ii) separate the account from that of her former employer. Following this request, an account manager took a number of steps in the mistaken belief that this would result in separation of the complainant’s account from that of her former employer. The complainant, however, became aware that, subsequent to her request, her former employer continued to access her account records. On foot of further inquiries from the complainant, the telecommunications company discovered its error and the complainant’s account was eventually separated from that of her former employer.

The complainant subsequently submitted a complaint to the telecommunications company. Having investigated the complaint, the company informed the complainant that it did not have a record of the original account restriction request. In the circumstances, the complainant referred a complaint to this office.

Investigation

During our investigation, the telecommunications company acknowledged that the initial action taken by its account manager was insufficient as it did not separate the complainant’s account from that of her former employer and neither did it prevent her former employer from accessing her e-billing records. The company further acknowledged that its records were incomplete when it investigated the complainant’s complaint. It confirmed, in this regard, that it had since located the complainant’s initial restriction/separation request.

The issues for determination, therefore, were whether the telecommunications company, as data controller:

1. implemented appropriate security measures, having regard to Sections 2(1)(d) and 2C(1) of the Acts in order to protect the complainant’s personal data against unauthorised access by, and disclosure to, a third party (i.e. the complainant’s former employer); and
2. kept the complainant’s data accurate, complete and up to date, as required by Section 2(1)(b) of the Acts.

Appropriate Security Measures

This office found that the telecommunications company did not implement appropriate security measures to protect the complainant’s personal data from unauthorised access by, and disclosure to, her former employer. This was self-evident from the fact that the complainant’s former employer continued to access her e-billing records despite the initial actions taken by the telecommunications company.

This office further noted the obligation, set out in Section 2C(2) of the Acts, for a data controller to “…take all reasonable steps to ensure that — (a) persons employed by him or her … are aware of and comply with the relevant security measures aforesaid…”. This office found that the telecommunications company had not complied with its obligations in this regard. Again, this was self-evident from the fact that the account manager who initially actioned the complainant’s request was operating on the mistaken belief that the actions taken were sufficient to achieve separation of the complainant’s account from that of her former employer.

Accurate, complete and up to date

This office also considered the fact that, at the time when the complainant referred her complaint to the telecommunications company, the company could not locate her initial account restriction request. The result of this was that the outcome of the company’s own investigation into the individual’s complaint was incorrect. Accordingly, and notwithstanding the subsequent rectification of the position, this office found that the telecommunications company failed to comply with its obligations under Section 2(1)(b) of the Acts in circumstances where the complainant’s records, at the relevant time, were inaccurate, incomplete and not up to date.

Key Takeaways

The above case study highlights the fact that the obligation to keep personal data safe and secure is an ongoing one. Data controllers must ensure that they continuously monitor and assess the effectiveness of their security measures, taking account of the possibility that the circumstances or arrangements surrounding their data processing activities may change from time to time. In this case, the data controller failed to take the required action to reflect the change in circumstances that was notified to it by the complainant when she requested the restriction and separation of her account from that of her former employer. The case study further highlights the importance of effective training for employees in relation to any internal protocols.

CASE STUDY 3 Reliance on consent in the use of child’s photograph in the form of promotional material by a State Agency (Applicable law — Data Protection Acts 1988 and 2003)

We received a complaint from a parent in respect of their child. The parent had attended a festival organised by a state agency with their child, where a professional photographer took the child’s photograph. The following year the state agency used this photograph in promotional material. The child’s parent, while accepting that they had conversed with the photographer, had understood at the time of the photograph that they would be contacted prior to any use of the image.

During the investigation, the state agency indicated that they had relied upon consent pursuant to section 2A(1)(a) of the Acts as the photographer had obtained verbal permission from the child’s parent. However, the state agency also accepted that it was not clear to the child’s parent that the image would be used for media/PR purposes. The state agency further accepted that the parent was not adequately informed regarding the retention of the image. The DPC welcomed the state agency’s indications that it would immediately review their practices and procedures.

In conclusion, the DPC found that the state agency had not provided the child’s parent with adequate information in order to consent to the processing of the image used in promotional material.

CASE STUDY 4 Receivers and fair processing

We received a complaint against a private receiver who was appointed by a financial institution over the complainant’s property. The complaint alleged infringements of the Acts on the basis that the receiver:

• was not registered as a controller pursuant to section 16 of the Acts;
• had no lawful basis for obtaining the complainant’s personal data from the financial institution;
• further processed personal data unlawfully by disclosing information to a company appointed by the receiver to manage the receivership (the receiver’s “managing agent”);
• opened a bank account in the complainant’s name;
• obtained the property ID and PIN from Revenue which gave the receiver access to the complainant’s personal online Revenue account; and
• insured the property in the complainant’s name.

Following an investigation pursuant to section 10 of the Acts, the DPC established that the receiver was appointed by the financial institution on foot of a Deed of Appointment of Receiver (DOA) which granted the receiver powers pursuant to the Conveyancing Act 1881, and pursuant to the mortgage deed between the complainant and the financial institution. On being appointed, the receiver wrote to the complainant informing them of their appointment as the receiver over the complainant’s property and provided a copy of the DOA. The receiver appointed a separate company as their managing agent to assist in the managing of the property. During the receivership, the receiver liaised with Revenue in order to pay any outstanding taxes on the property, such as Local Property Tax (LPT). It was also established that the receiver opened a bank account for the purpose of managing the income from the property. The bank account name included the name of the complainant. It was further established that an insurance policy was taken out in respect of the property. This insurance policy referred to the complainant’s name.

The DPC first considered whether a receiver was required to register as a data controller in accordance with section 16 of the Acts, and whether exemptions listed in the Data Protection Act 1988 (Section 16(1)) Regulations 2007 (the “Registration Regulations”) applied. The DPC held that a receiver was not required to register, as the exemption under regulation 3(1)(g) of the Registration Regulations applied to the receiver. Regulation 3(1)(g) exempted data controllers who were processing data in relation to its customers. Having considered the relationship between the complainant and the receiver, the DPC held that the exemption applied in respect of the receiver’s activities regarding the complainant.

The DPC assessed whether the receiver had a lawful basis for obtaining the personal data from the financial institution, disclosing it to the managing agent, and whether such processing constituted further processing incompatible with the original purpose it was obtained, pursuant to section 2(1)(c)(ii) of the Acts. The financial institution obtained the complainant’s personal data for the purposes of entering into a loan agreement. This was a specific, explicit and legitimate purpose. The complainant had a mortgage with the financial institution which had fallen into arrears. Under section 19(1)(ii) of the Conveyancing Act 1881, the financial institution could appoint a receiver once the debt on the mortgage had come due. Section 2A(1)(b)(i) of the Acts permits processing of personal data where the processing is necessary “for the performance of a contract to which the data subject is party”. The mortgage deed was a contract between the data subject and the financial institution; in circumstances where the terms of the contract were not being adhered to, the appointment of the receiver by the financial institution was necessary for the performance of the contract. The DPC held that the receiver had a lawful basis for obtaining the complainant’s personal data from the financial institution.

The DPC also found that the receiver had a lawful basis pursuant to section 2A(1)(b)(i) of the Acts to disclose personal data to its managing agent, to assist in the day to day managing of the receivership. The DPC found that the disclosure of the complainant’s personal data by the financial institution to the receiver, and by the receiver to the managing agent, was in accordance with the initial purpose for which the personal data was obtained. This processing during the receivership did not constitute further processing pursuant to section 2(1)(c)(ii) of the Acts.

Next the DPC considered whether the receiver had a lawful basis to open a bank account in the complainant’s name. The complainant submitted that this account was opened without their knowledge or consent. Consent is one of the lawful bases for processing personal data under the Acts. The DPC considered whether the receiver otherwise had a lawful basis for processing under section 2A(1)(d) of the Acts, on the basis of legitimate interests. To assess this lawful basis, the DPC took account of the Court of Justice of the European Union (CJEU) case in Rīgas¹ which sets out a three step test for processing on the basis of legitimate interests, as follows:

• the processing of personal data must be for the pursuit of a legitimate interest of the controller or a third party;
• the processing must be necessary for the purpose and legitimate interests pursued; and
• the fundamental rights and freedoms of the individual concerned do not take precedence.

The DPC held that the opening of the bank account was a reasonable measure to manage the income and expenditure during a receivership. The receiver submitted that referring to the complainant’s name as part of the bank account name was necessary to ensure the receivership was carried out efficiently and to avoid confusion between different receiverships. While it would have been possible to open an account without using the complainant’s name, the DPC took account of the CJEU’s judgment in Huber v Bundesrepublik C-524/06² where the Court held that processing could be considered necessary where it allowed the relevant objective to be more effectively achieved. The DPC held that the reference to the complainant’s name on the bank account was therefore necessary, as it allowed for the more effective pursuit of the receiver’s legitimate interests.

With regard to the third element of the legitimate interests test (which requires a balancing exercise, taking into account the fundamental rights and freedoms of the data subject) the DPC held that the reference to the complainant’s name on the account would have identified them to individuals who had access to the bank account or been supplied with the bank account name. The DPC balanced these concerns against the administrative and financial costs which would result from the need for the receiver to implement an alternative procedure for naming accounts. On balance, the DPC did not find that the complainant’s fundamental rights took precedence over the legitimate interests of the receiver and as a result, the receiver had a lawful basis for processing the complainant’s name, for the purpose of the receiver’s legitimate interests.

With regard to the allegation that the receiver had gained access to the personal Revenue account of the complainant, the DPC found that the receiver did not gain access to the complainant’s personal online Revenue account as alleged. The receiver was acting as a tax agent in relation to the LPT and this did not allow access to a personal Revenue account. In relation to the insurance policy being taken out in the complainant’s name the DPC held that the receiver did not process personal data in this instance.³

During the course of the investigation the DPC also examined whether the receiver had complied with the data protection principles under section 2 of the Acts. In this regard, the DPC examined the initial correspondence the receiver had sent to the complainant notifying them of their appointment. This correspondence consisted of a cover letter and a copy of the DOA. The cover letter and DOA were assessed in order to determine whether the receiver had met their obligation to process the personal data fairly. Section 2D of the Acts required an organisation in control of personal data to provide information on the identity of the data controller, information on the intended purposes for which the data may be processed, the categories of the data concerned as well as any other information necessary to enable fair processing. The DPC held that the correspondence was sufficient in informing the complainant of the identity of the data controller (and original data controller). However, the DPC held that, while a receiver was not required to provide granular information on each purpose for which personal data was to be processed, the receiver should have given a broad outline of the purposes for which the personal data was intended to be processed, and this was not done in this case. It was also held that the receiver should have provided the categories of personal data they held in relation to the complainant, but this was not done. In light of this, the DPC held that the receiver had not complied with section 2D of the Acts.

This decision of the DPC demonstrates that private receivers and their agents may lawfully process personal data of borrowers, where such processing is necessary in order to manage and realise secured assets. Individuals should be aware that their information may be processed without their consent in circumstances where a deed of mortgage provides for the appointment of a receiver. At the same time, receivers must comply with their obligations under the Acts and GDPR to provide individuals with information on processing at the outset of the receivership.

The decision is currently the subject of an appeal by the complainant to the Circuit Court.

1 Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’ Case C-13/16
2 Heinz Huber v Bundesrepublik Deutschland Case C-524/06
3 The processing of personal data was considered in a similar case where the same complainant made a complaint against the managing agent in this case. In that decision the DPC held that the managing agent had a legitimate interest in processing the complainant’s personal data for the purposes of insuring the property.

Access Rights Complaints

During 2019, the DPC received 2,064 complaints relating to the right of access, a high proportion of which dealt with the failure of organisations in control of personal data to respond to an access request, or failure to release all the appropriate data on foot of an access request. In 2019 an increased number of complaints received were against banks and solicitors’ practices, as well as complaints concerning the failure of schools and sporting clubs to respond to access requests.

The GDPR broadens the extent of the subject access right compared with the previous legal framework and this enhanced right was possibly evident in the increased level of applications to the State Examinations Commission in August 2019. An individual has a right to a copy of the personal data which the State Examinations Commission holds and this right of access extends to examination scripts. Whereas previous legislation dealt with the right of access to exam results, Section 56 of the 2018 Act for the first time specifically addresses the right of access to scripts of examinations and results of appeal.

Although an important fundamental right, the right of access is not an absolute right. The GDPR prescribes a mechanism in Article 23 to permit the restriction of rights in particular and specific circumstances. This enables member states to introduce their own exemptions in national legislation. In Ireland this has been achieved through Section 60 of the 2018 Act.

In addition to the restrictions contained in Section 60, Article 15 of the GDPR requires that when responding to an access request, third-party data must be protected and states “The right to obtain a copy in response to an access request shall not adversely affect the rights and freedoms of others including trade secrets or intellectual property and in particular copyright protecting the software”.

Importantly, any restriction relied upon by controllers must respect the essence of fundamental rights and freedoms and be a necessary and proportionate measure in a democratic society to safeguard important objectives of general public interest. This issue will be examined by the DPC in any case where exemptions are relied on.

Upon receipt of an access request, it is important for controllers to remember that the right of access is a fundamental right, so there is a presumption in favour of disclosure on the part of controllers.

Direct Marketing Complaints

The DPC received 165 new complaints in relation to direct electronic marketing in 2019, some 77 in relation to unsolicited email, 81 in relation to unsolicited text messages (SMS) and 7 in relation to unsolicited telephone calls. A number of the complaints related to more than one type of unsolicited marketing from the same organisation.

A total of 130 direct marketing complaint investigations were concluded during the year.

Prosecutions in relation to electronic direct marketing

The DPC prosecuted 4 entities in relation to direct electronic marketing without consent. These included the telecommunications provider Vodafone Ireland Limited, food ordering service Just-Eat Ireland Limited, and online retailers Cari’s Closet Limited and Shop Direct Ireland Limited (t/a Littlewoods Ireland).

CASE STUDY 5 Prosecution of Vodafone Ireland Limited

In April 2019 the DPC received two separate complaints from an individual who had received unsolicited direct marketing communications by text and by email from the mobile network operator Vodafone. The individual stated that Vodafone had ignored their customer preference settings, which recorded that they did not wish to receive such marketing.

During our investigation, Vodafone confirmed that the complainant had been opted-out of direct marketing contact but that communications were sent to them due to human error in the case of both the text message and the email marketing campaigns.

In the case of the SMS message, Vodafone confirmed that a text offering recipients the chance to win tickets to an Ireland v France rugby match was sent to approximately 2,436 customers who had previously opted-out of receiving direct marketing by text. This was as a result of a failure to apply a marketing preferences filter to the SMS advertising campaign before it was sent.

In the case of the email received by the complainant, an application that was intended to be used to send direct marketing to prospective customers was used in error and the message was sent to existing Vodafone customers. While Vodafone was unable to definitively confirm the number of customers who were contacted by email contrary to their preference, the marketing email was sent to 29,289 existing Vodafone customers. The company confirmed that some 2,523 out of 7,615 of these were contacted in error. However, it was unable to link the remaining 21,674 customers who were sent the same email with their marketing preferences in Vodafone’s data warehouse to confirm the total number contacted in error.

The DPC had also received a separate complaint in February 2019 from another individual who was a former customer of Vodafone. This customer had ceased to be a Vodafone customer more than five years earlier and they still continued to receive promotional text messages. In the course of our investigation, Vodafone confirmed that the direct marketing messages were sent to the complainant in error. It said that in this exceptional case, the complainant’s mobile number was not removed from the platform used to send marketing communications when their number was no longer active on the network.

As the DPC had previously prosecuted Vodafone in 2011, 2013 and 2018 in relation to direct electronic marketing offences, we decided to initiate prosecution proceedings in relation to these complaints.

At Dublin Metropolitan District Court on 29 July 2019, Vodafone pleaded guilty to five charges of sending unsolicited direct marketing communications in contravention of S.I. No. 336 of 2011 (‘the ePrivacy Regulations’). The company was convicted and fined €1,000 on each of three charges and convicted and fined €750 each in respect of the two remaining charges.

CASE STUDY 6 Prosecution of Cari’s Closet Limited

In May 2018, we received a complaint against the online fashion retailer Cari’s Closet from an individual who had in the past placed an online order with the company. The complaint concerned the receipt of three unsolicited direct marketing emails. The same person had previously complained to the DPC in January 2018 about unsolicited emails from that company. On that occasion, the complainant said they had received over forty marketing emails in one month alone. The person had attempted, without success, to unsubscribe on a couple of occasions.

Cari’s Closet attributed the failure to properly unsubscribe the complainant from emails to a genuine mistake on its behalf. This issue affected 391 customers in Ireland. As the DPC had issued a warning in April 2018 in relation to the earlier complaint, we decided to initiate prosecution proceedings against the company.

At Dublin Metropolitan District Court on 29 July 2019, Cari’s Closet pleaded guilty to one charge of sending an unsolicited direct marketing email to the complainant. In lieu of a conviction and fine, the court applied section 1(1) of the Probation of Offenders Act on the basis that the company donate €600 to the Peter McVerry Trust charity.

CASE STUDY 7 Prosecution of Just-Eat Ireland Limited

We received a complaint from an individual in November 2018 regarding unsolicited direct marketing emails from Just-Eat Ireland Limited. The complainant had unsubscribed from the company’s direct marketing emails but several days later received an unsolicited marketing email. During our investigation of this complaint the company informed us that the complainant’s attempt to unsubscribe was unsuccessful due to a technical issue with its email platform.

As Just-Eat Ireland Limited had previously been warned by the DPC in 2013 on foot of complaints in relation to unsolicited direct marketing emails, we decided to initiate prosecution proceedings.

At Dublin Metropolitan District Court on 29 July 2019, Just-Eat Ireland Limited pleaded guilty to one charge in relation to sending an unsolicited direct marketing email. The court applied section 1(1) of the Probation of Offenders Act in lieu of a conviction and fine on the basis that the company donate €600 to the Little Flower Penny Dinners charity.

CASE STUDY 8 Prosecution of Shop Direct Ireland Limited t/a Littlewoods Ireland

In May 2019, the DPC received a complaint from an individual who said they had been receiving direct marketing text messages from Littlewoods since March. The complainant stated that they had followed the instructions to unsubscribe by texting the word ‘STOP’ on five occasions to a designated number known as a short code, but they had not succeeded in opting out and they continued to get marketing text messages.

In the course of our investigations, Shop Direct Ireland Limited (t/a Littlewoods Ireland) confirmed it had a record of the complainant’s opt-out from direct marketing texts submitted through their account settings on the Littlewoods website on 8 May 2019. It did not, however, have a record of their attempts to opt-out of direct marketing texts on previous occasions using the SMS short code. This was due to human error in setting up the content for the SMS marketing messages. The company said that the individual responsible for preparing and uploading content relating to marketing texts had mistakenly included the opt-out keyword ‘STOP’ instead of ‘LWISTOP’ at the end of the marketing texts.

Shop Direct Ireland Limited had previously been prosecuted by the DPC in 2016 in relation to a similar issue which resulted in a customer attempting, without success, to unsubscribe from direct marketing emails. On that occasion, the court outcome resulted in the company making a donation of €5,000 to charity in lieu of a conviction and fine.

The DPC decided to prosecute the company in respect of direct electronic marketing offences in relation to the May 2019 complaint.

At Dublin Metropolitan District Court on 29 July 2019, Shop Direct Ireland Limited (t/a Littlewoods Ireland) entered guilty pleas to two charges relating to sending unsolicited direct marketing text messages. The court ruled that the company would be spared a conviction and fine if it donated €2,000 each to the Peter McVerry Trust and the Little Flower Penny Dinners charities and section 1(1) of the Probation of Offenders Act was applied.

One-Stop-Shop Complaints

The One-Stop-Shop mechanism (OSS) was established under the GDPR with the objective of streamlining how organisations that do business in more than one EU member state engage with data protection authorities (called ‘supervisory authorities’ under the GDPR). The OSS requires that these organisations are subject to regulatory oversight by just one DPA, where they have a ‘main establishment’, rather than being subject to regulation by the data protection authorities of each member state. The main establishment of an organisation is generally its place of central administration and/or decision making. In the case of a data processor that has no place of central administration, then its main establishment will be where its main processing activities in the EU take place.

The DPC is the Lead Supervisory Authority for a broad range of multinationals, including many large technology and social media companies whose main establishment is located in Ireland and it handles complaints originally lodged with other EEA data protection supervisory authorities, in addition to handling complaints that people lodge directly with the DPC. In the past year, a significant number of complex cross-border complaints were transferred to the DPC by other data protection supervisory authorities. In addition, the DPC continued and commenced several large-scale inquiries that were initiated on the DPC’s own volition and that relate to cross-border processing. Although the DPC has primary supervisory responsibility, we must consult extensively with the other data protection supervisory authorities and keep them updated throughout our complaint handling and investigatory processes. In particular, we must take due account of their views and seek consensus on our draft decisions on these cross-border cases, under the GDPR’s cooperation mechanism.

The role of the lead supervisory authority (LSA) includes investigating a complaint or alleged infringement of the GDPR relating to cross-border processing and preparing a draft decision on the matter. It then must coordinate, where possible, a consensus decision with other EU data protection authorities who are deemed to be ‘concerned supervisory authorities’.

The lead supervisory authority must share its draft decision with all concerned supervisory authorities and consult with, and consider their views, in finalising the decision. Where this is not possible, the GDPR provides for a dispute-resolution mechanism to be triggered that will ultimately result in the members of the European Data Protection Board (EDPB) making a majority decision on the disputed issues in the draft decision.

The DPC will be deemed a concerned supervisory authority where:

• a cross-border processing complaint has originally been lodged with the DPC but another Data Protection Authority (DPA) is the lead supervisory authority;
• the processing in question substantially affects, or is likely to substantially affect, individuals in Ireland; or
• the controller/processor is established in Ireland.

In 2019, the DPC received 457 cross-border processing complaints through the OSS mechanism that were lodged by individuals with other EU data protection authorities.

Law Enforcement Complaints

The EU Directive known as the LED (EU 2016/680) was transposed into Irish law on 25 May 2018 with the enactment of the Data Protection Act 2018. In broad terms, the LED applies where the organisation that is in control of the personal data is deemed a “competent authority” and the processing of personal data is carried out for the purposes of the prevention, investigation, detection or prosecution (PIDP) of criminal offences, or the execution of criminal penalties.

To distinguish, the LED would apply if a convicted offender complained to, for example, the Irish Prison Service that the data recorded about them was inaccurate. However, if the prison service received an access request from an employee about their own personal data, the GDPR would apply.

In 2019, the DPC received 37 LED complaints, the majority relating to An Garda Síochána as the data controller, as well as the Irish Prison Service, the Revenue Commissioners, Veolia, Irish Rail and several local authorities.

Section 95 Reviews

Section 94 of the 2018 Act allows data controllers to restrict access to personal data on grounds such as the prevention of crime and to avoid prejudicing an investigation or prosecution. Where an individual is made aware that their rights have been restricted under the provisions of Section 94, they may request that the DPC independently review their case under Section 95.

In 2019, three reviews under Section 95 of the 2018 Act were conducted by the DPC in order to verify whether the restrictions imposed by the data controllers in question were lawful. In all four cases, the officers were satisfied the restrictions were lawful.

• One case concerned an individual who sought full access to their file. An Garda Síochána (AGS) had provided the individual with a copy of their data as recorded on PULSE but relied upon 94(3)(a) of the Act to restrict certain AGS communications concerning routine inter-agency operations as they were deemed to demonstrate operational methods and procedures employed by AGS. Upon review of the file, authorised officers of the DPC considered the processing was in compliance with Part 5 of the Data Protection Act 2018 — Processing of Personal Data for Law Enforcement Purposes. During the review, the data controller (AGS) clarified to authorised officers that it had no role or input in relation to any data which may have been processed leading to the arrest of an Irish citizen at an airport outside of this jurisdiction. On foot of the section 95 review, the DPC conveyed this additional information to the individual.
• A section 95 review was conducted in connection with an individual who wanted a change made to records held about them by AGS. On inspection by the DPC, it was noted that the record related to unsolicited contact with a minor, resulting in an alert being raised. Officers from the DPC considered that the data recorded by AGS was in compliance with Part 5 of the Data Protection Act 2018.
• A section 95 review was conducted based on a complaint in which a couple alleged their data had been disclosed to their landlady by An Garda Síochána. An authorised officer from the DPC examined the file in question. Taking into account that An Garda Síochána had previously stated to the couple that no personal data was disclosed by them to their landlady, the DPC was satisfied based on the file viewed that all personal data inspected was in compliance with Part 5 of the Data Protection Act 2018.

Data-Breach Complaints

In 2019, the DPC handled 207 data-breach complaints from affected individuals, in comparison to the 48 data-breach complaints received between 25 May 2018 and December 2018. Trends indicate a significant rise in the number of breach complaints being made by individuals.

The majority of complaints related to unauthorised disclosures, predominantly:

• administrative processing errors;
• emails/letters sent to an incorrect recipient;
• verbal disclosures;
• papers lost or stolen; and
• unauthorised access to personal data in the workplace.

The DPC has no role whatsoever in dealing with compensation claims and no function in relation to the taking of any such proceedings under Section 117 of the 2018 Act or in the provision of any such legal advice. Data controllers/data processors may be liable under Section 117 of the Data Protection Act 2018 to an individual for damages if they fail to observe the duty of care they owe in relation to personal data in their possession.

CASE STUDY 9 HSE Hospital/Healthcare Agency

In 2019, the DPC received a complaint about disclosure of a patient's data via Facebook Messenger by a hospital porter regarding her attendance at the Early Pregnancy Unit of a hospital. Upon examination of the complaint, the HSE clarified to the DPC that the hospital porter who disclosed the personal information of the patient was in fact employed by a healthcare agency contracted by the HSE. The DPC contacted the agency and sought an update in relation to its internal investigation, details of any remedial action as well as disciplinary action taken against the employee in question. At the same time, the DPC advised the HSE that, as it contracts the company concerned to provide agency staff to work in the hospital, ultimately the HSE is data controller for the personal data in this instance.

The complaint was subsequently withdrawn by the solicitor acting on behalf of the woman following a settlement being agreed between the affected party and the hospital/healthcare agency.

What this case illustrates is that ongoing training is necessary for all staff in relation to their obligations under data protection law and that controllers must do due diligence and satisfy themselves that any contractors/processors they engage are fully trained and prepared to comply with data protection laws.

Over the course of its engagement with individuals in 2019, the office has noted increased correspondence from individuals expressing dissatisfaction with the way businesses and organisations who control or process personal data have communicated with them, particularly regarding data breaches and the subsequent remedial actions the controller has taken. Greater adherence to Section 109(2) of the Data Protection Act 2018 would lead to earlier resolutions in many such instances and a reduction in the number of queries being brought forward to the DPC.

5 Breaches

Data-Breach Notifications

The introduction of the GDPR brought with it mandatory data-breach notification obligations for all data controllers. The DPC undertakes a weekly analysis of breach notifications and processes a vast number of notifications received from areas within the public and private sector, including:

• the financial sector;
• the insurance sector;
• the telecommunications industry;
• the healthcare industry;
• the multi-national sector; and
• law enforcement.

In 2019, the DPC received 6,257 data-breach notifications under Article 33 of the GDPR. Of these, 188 were classified as non-breaches because the information involved did not meet the criteria to fall under the definition of personal data as set out in Article 4(12) of the GDPR. A total of 6,069 valid data breaches were received during 2019, representing an increase of 71% on the numbers reported in 2018. Unauthorised disclosures represent the highest classification of notified breaches across all sectors, at 83% of all breaches.

Some of the trends and issues identified include:

• late notifications;
• difficulty in assessing risk ratings;
• failure to communicate the breach to individuals;
• repeat breach notifications; and
• inadequate reporting.

Under the GDPR a controller is obliged to notify the DPC of any personal data breach that has occurred, unless it is able to demonstrate that the personal data breach is 'unlikely to result in a risk to the rights and freedoms of natural persons'. This means that the default position for controllers is that all data breaches should be notified to the DPC, except for those where the controller has assessed the breach as being unlikely to present any risk to individuals and the controller can show why it reached this conclusion. In any event, for all breaches (even those that are not notified to the DPC on the basis that they have been assessed as being unlikely to result in a risk) controllers must record at least the basic details of the breach, the assessment thereof, its effects, and the steps taken in response, as required by Article 33(5) GDPR.

Businesses and organisations in control of personal data have an obligation to mitigate against all potential future breaches. The DPC has observed an increase in the number of repeat breaches of a similar nature by a large number of companies. This is most apparent in the financial sector, where the majority of breaches appear to be related to unauthorised disclosures. Data controllers can take simple steps to attempt to mitigate these risks, such as running staff training and awareness programmes; implementing stringent password policies and multifactor authentication for remote access; habitually updating anti-virus and anti-malware software; ensuring that email and web filtering environments are correctly configured; and ensuring that all computer devices are regularly updated with manufacturers' software and security patches.

Data breach notifications by category

Category Private Public Total

Disclosure (unauthorised) 3,249 1,939 5,188

Hacking 98 10 108

Malware 22 2 24

Phishing 138 23 161

Ransomware/denial of service 17 0 17

Software Development Vulnerability 13 0 13

Device lost or stolen (encrypted) 14 27 41

Device lost or stolen (unencrypted) 16 30 46

Paper lost or stolen 140 205 345

E-waste (personal data present on an obsolete device) 0 1 1

Inappropriate disposal of paper 20 24 44

System Misconfiguration 43 10 53

Unauthorised Access 67 64 131

Unintended online publication 44 41 85

Total 3,881 2,376 6,257

CASE STUDY 10 Loss of control of paper files

A public sector health service provider notified the DPC that a number of files containing patient medical information had been found in a storage cabinet on a hospital premises which was no longer occupied.

The records were discovered by a person who had illegally gained access to a restricted premises and subsequently posted photographs of the cabinet containing the files on social media. The public sector organisation in question informed the DPC that, having become aware of the breach, a representative of the organisation was sent to locate and secure the files. The files were removed from the premises and secured.

This breach highlights the importance of having appropriate records management policies, including mechanisms for tracking files, appropriate secure storage facilities and full procedures for the retention or deletion of records.

The DPC issued a number of recommendations to the organisation to improve its personal data processing practices.

CASE STUDY 11 Disclosure of CCTV footage via social media

A commercial and residential property management company notified the DPC that an employee of a security company whose services they retained had used their personal mobile phone to record CCTV footage of two members of the public engaged in an intimate act, which had been captured by the management company's security cameras. The video taken was subsequently shared via WhatsApp to a limited number of individuals. The business advised the DPC that they communicated to staff who may have received the footage that they must delete it and requested no further dissemination of the video.

Both the property management company and the security company were able to demonstrate that adequate policies and procedures did exist; however, appropriate oversight and supervision to ensure compliance with these policies and procedures were lacking.

Following recommendations made by the DPC to the property management company, the company has subsequently engaged with its staff to deliver further data protection training with an emphasis on personal data breaches. In addition, further signage was displayed prohibiting the use of personal mobile devices within the confines of the CCTV control room.

CASE STUDY 12 Ransomware Attack

An organisation operating in the leisure industry notified the DPC that it had been the victim of a ransomware attack which potentially encrypted/disclosed the personal data of up to 500 customers and staff stored on the organisation's server. The route of the infiltration was traced to a modem router that had been compromised (backup data was, however, stored securely via a cloud server).

Following examination of the incident, the DPC issued a number of recommendations to the organisation. The DPC recommended that the organisation conduct an analysis of its ICT infrastructure to establish if further malware was present, to review and implement appropriate measures to ensure there is an adequate level of security surrounding the processing of personal data, and to conduct employee training to encompass cybersecurity risks.

The DPC has received regular updates from the organisation and is satisfied that significant steps have been taken to implement both organisational and technical measures to address the shortfalls in the security of its ICT infrastructure, including the development of a training plan for all staff in this area.

6 Inquiries

Statutory Inquiries by the DPC

Under the Data Protection Act 2018, the DPC may conduct two different types of statutory inquiry under Section 110 in order to establish whether an infringement of the GDPR or the 2018 Act has occurred:

• a complaint-based inquiry; and
• an inquiry of the DPC's "own volition".

The objective of any inquiry is to:

• establish the facts as they apply to matters under investigation;
• apply the facts as found to the provisions of the GDPR and/or 2018 Act as applicable in order to analyse whether or not there is an infringement;
• make a formal decision of the DPC in relation to whether an infringement of the GDPR and/or 2018 Act has been identified; and
• where an infringement has been identified, make a formal decision on whether or not to exercise a corrective power, and if so, which corrective power. [4]

A statutory inquiry essentially consists of two distinct processes:

• the investigatory process, which is carried out by an investigator of the DPC; and
• the decision-making process.

The decision-making process is carried out by a separate senior decision-maker in the DPC who has had no role in the investigatory process, usually the Commissioner for Data Protection.

During the investigatory process of an inquiry, authorised officers may be appointed by the DPC and they may exercise a range of investigatory powers under the 2018 Act in the context of an inquiry. In addition to a general power to issue an information notice compelling the provision of specified information to the DPC, an authorised officer has a broad range of investigatory powers at his/her disposal enabling them to gather relevant information, documents and materials. [5] These include powers of entry, search and inspection of premises, equipment, documents and information, the removal and retention of documents and records, and requiring information and assistance to be provided to them in relation to access to documents, records and equipment. There is also a power to apply to the District Court for a warrant to enter a premises in order to exercise the authorised officer powers.

On 31 December 2019, the DPC had 70 statutory inquiries on hand, including 21 cross-border inquiries.

[4] Corrective powers include imposing an administrative fine (not applicable for infringements of the LED), issuing a warning, a reprimand, a temporary or definitive ban on processing or a suspension of international data transfers, or a direction to bring processing into compliance, amongst others.

[5] In the context of an existing inquiry, the DPC may also launch a statutory "investigation" under Section 137. A Section 137 investigation carries specific additional investigatory powers, such as the power of the authorised officer conducting it to hold an oral hearing. To date the DPC has not commenced any Section 137 investigations.

Multinational Technology Company Statutory Inquiries commenced since 25 May 2018

Company | Inquiry type | Issue being examined

Facebook Ireland Limited | Complaint-based inquiry | Right of Access and Data Portability. Examining whether Facebook has discharged its GDPR obligations in respect of the right of access to personal data in the Facebook 'Hive' database and portability of "observed" personal data.

Facebook Ireland Limited | Complaint-based inquiry | Lawful basis for processing in relation to Facebook's Terms of Service and Data Policy. Examining whether Facebook has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data of individuals using the Facebook platform.

Facebook Ireland Limited | Complaint-based inquiry | Lawful basis for processing. Examining whether Facebook has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data in the context of behavioural analysis and targeted advertising on its platform.

Facebook Ireland Limited | Own-volition inquiry | Facebook September 2018 token breach. Examining whether Facebook Ireland has discharged its GDPR obligations to implement organisational and technical measures to secure and safeguard the personal data of its users.

Facebook Ireland Limited | Own-volition inquiry | Facebook September 2018 token breach. Examining Facebook's compliance with the GDPR's breach notification obligations.

Facebook Inc. | Own-volition inquiry | Facebook September 2018 token breach. Examining whether Facebook Inc. has discharged its GDPR obligations to implement organisational and technical measures to secure and safeguard the personal data of its users.

Facebook Ireland Limited | Own-volition inquiry | Commenced in response to the large number of breaches notified to the DPC during the period since 25 May 2018 (separate to the token breach). Examining whether Facebook has discharged its GDPR obligations to implement organisational and technical measures to secure and safeguard the personal data of its users.

Facebook Ireland Limited | Own-volition inquiry | Facebook passwords stored in plain text format on its internal servers. Examining Facebook's compliance with its obligations under the relevant provisions of the GDPR.

WhatsApp Ireland Limited | Complaint-based inquiry | Lawful basis for processing in relation to WhatsApp's Terms of Service and Privacy Policy. Examining whether WhatsApp has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data of individuals using the WhatsApp platform.

WhatsApp Ireland Limited | Own-volition inquiry | Transparency. Examining whether WhatsApp has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp's services, including information provided to data subjects about the processing of information between WhatsApp and other Facebook companies.

Twitter International Company | Own-volition inquiry | Commenced in response to a breach notification. Examining an issue relating to Twitter's compliance with Article 33 of the GDPR.

Twitter International Company | Own-volition inquiry | Commenced in response to the large number of breaches notified to the DPC during the period since 25 May 2018. Examining whether Twitter has discharged its GDPR obligations to implement organisational and technical measures to secure and safeguard the personal data of its users.

Twitter International Company | Complaint-based inquiry | Right of Access. Examining whether Twitter has discharged its obligations in respect of the right of access to links accessed on Twitter.

Verizon Media/Oath | Own-volition inquiry | Transparency. Examining the company's compliance with the requirements to provide transparent information to data subjects under the provisions of Articles 12-14 GDPR.

Apple Distribution International | Complaint-based inquiry | Transparency. Examining whether Apple has discharged its GDPR transparency obligations in respect of the information contained in its privacy policy and online documents regarding the processing of personal data of users of its services.

Apple Distribution International | Complaint-based inquiry | Right of Access. Examining whether Apple has complied with the relevant provisions of the GDPR in relation to an access request.

Apple Distribution International | Complaint-based inquiry | Lawful basis for processing. Examining whether Apple has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data in the context of behavioural analysis and targeted advertising on its platform.

Quantcast International Limited | Own-volition inquiry | Commenced in response to submissions received. Examining Quantcast's compliance with the relevant provisions of the GDPR. The GDPR principle of transparency and retention practices will also be examined.

LinkedIn Ireland Unlimited Company | Complaint-based inquiry | Lawful basis for processing. Examining whether LinkedIn has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data in the context of behavioural analysis and targeted advertising on its platform.

Google Ireland Limited | Own-volition inquiry | Commenced in response to a submission received. Examining Google's compliance with the relevant provisions of the GDPR. The GDPR principles of transparency and data minimisation, as well as Google's retention practices, will also be examined.

Instagram (Facebook Ireland Limited) | Complaint-based inquiry | Lawful basis for processing in relation to Instagram's Terms of Use and Data Policy. Examining whether Instagram has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data of individuals using the Instagram platform.

Legend: green indicates inquiries opened between 25 May 2018 and 31 December 2018; white indicates inquiries opened in 2019.

Ongoing Cross-Border Inquiries

Apple Distribution International (transparency obligations)

This complaint-based inquiry arises from a complaint initially lodged by the complainant in Germany but then transferred to the DPC, as the lead supervisory authority for the controller in question, as the main establishment of Apple is in Ireland. The complainant alleges that the controller is contravening Articles 12 and 13 of the GDPR by failing to provide certain required information to individuals, such as the identity and contact details of the controller's representative and data protection officer, the legal basis for processing and the storage period of any personal data collected. The inquiry is focused on an examination of the controller's compliance with its transparency obligations, looking at the information which is provided to users by the controller on its website. This includes assessing the manner in which a layered approach to provision of information can/should be used, as well as the timing of provision of information to individuals.

Facebook Ireland Limited (legal basis for processing and transparency in relation to Terms of Service and Data Policy)

This complaint-based inquiry arose from a complaint received from the Austrian privacy advocacy organisation NOYB (None of Your Business) which focused on Facebook's Terms of Service and Data Policy for its users. The inquiry is examining whether Facebook has complied with the obligation to have a legal basis to process personal data of individuals using the Facebook platform. The inquiry also includes an examination of whether Facebook provided the data subject with information on its legal basis for processing in connection with its Terms of Service, and addresses the complainant's contention that processing in connection with Facebook's Terms of Service was conducted on the basis of the data subject's consent but that that consent was not valid having regard to the nature of the consent which is required under the GDPR.

Apple Distribution International (access request issues)

This complaint-based inquiry relates to an access request made by the complainant for customer service records from Apple, where the complainant was dissatisfied with Apple's response to his access request. In this case, the controller's position is that the request by the complainant was 'manifestly excessive'. The inquiry involves an examination of the extent to which a data controller may refuse to act on an access request in circumstances where that controller believes that the request is "manifestly unfounded or excessive", as referred to in Article 12 GDPR.

Apple Distribution International (legal basis for processing in context of targeted advertising to users)

This complaint-based inquiry is examining whether the controller has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data in the context of behavioural analysis and targeted advertising on its platform. The complaint in question was lodged by a French digital advocacy organisation, La Quadrature du Net, through Article 80 of the GDPR, whereby a data subject can mandate a not-for-profit body to lodge a complaint and act on his/her behalf. The issues under investigation include whether or not the processing of personal data, in this context, is supported by a legal basis, as required by Article 6 of the GDPR, and, if so, which one(s). This entails consideration of the conditionality and limitations associated with reliance on certain legal bases, such as consent and the legitimate interests of the data controller or a third party. Co-operation with the CNIL (the French supervisory authority with which the complaint giving rise to this inquiry was originally filed) is ongoing.

Facebook Ireland Limited (legal basis for processing in context of targeted advertising to users)

This complaint-based inquiry is examining whether Facebook has complied with its obligations in respect of the requirement to have a legal basis for processing personal data in the context of behavioural analysis and targeted advertising of Facebook users on its platform. The complaint in question was lodged by a French digital advocacy organisation, La Quadrature du Net. Amongst other things, this inquiry involves a detailed examination of the processing operations underpinning the analysis of users' behaviour/activities (including profiling) on the Facebook platform and how that relates to the delivery of targeted advertisements to the user. Co-operation with the CNIL (the French supervisory authority with which the complaint giving rise to this inquiry was originally filed) is ongoing.

Facebook Ireland Limited (security incident concerning storage in plain text of user passwords)

This is an inquiry examining whether Facebook complied with its obligations under the GDPR in relation to a security incident which occurred in early 2019. In this case, Facebook confirmed to the DPC that user passwords had been inadvertently stored in plaintext on its internal systems. This inquiry is examining whether Facebook's conduct in relation to this incident amounted to an infringement of any provision(s) of the GDPR, and in particular whether Facebook, in storing user passwords in plaintext format, complied with its obligations in relation to data security. The inquiry is also examining whether the storage of user passwords in this manner amounted to a personal data breach for the purposes of Article 33 of the GDPR.

Facebook Ireland Limited (access request for certain technical information)

This complaint-based inquiry was initiated on foot of a complaint made to the DPC by a data subject regarding Facebook's handling of a data subject access request and data portability request made by him. The complainant had requested, amongst other things, to be provided with a copy of specific personal data relating to him, including personal data held, indexed alongside or related to his User ID which was held in raw format; and a copy of personal data that had been provided by or observed about him in a machine readable format. The inquiry is examining whether Facebook has complied with its obligations in relation to the complainant's exercise of the right of access to his personal data and the right to data portability in respect of personal data held in a certain technical database by Facebook. This inquiry is examining the extent of data subject rights to access and portability under the GDPR, having regard to Article 12 of the GDPR, including the extent to which a data controller may refuse to act on a data subject request in circumstances where that controller believes the request is "manifestly unfounded or excessive", as referred to in Article 12 GDPR.

Google Ireland Limited (legal basis for, and transparency of, Google's real time bidding and Google Authorised Buyers system)

This is an own-volition inquiry, which was commenced following the receipt by the DPC of certain submissions made to it by Dr Johnny Ryan of Brave concerning the processing of personal data in the context of the Google Authorized Buyers Ad Exchange. The inquiry is examining the processing of personal data by Google in the context of targeted advertising. More specifically, the inquiry is examining the processing of personal data in the context of the 'Real-Time Bidding' (RTB) process facilitated by Google's proprietary Authorised Buyers mechanism, which facilitates targeted advertising. In terms of its scope, the inquiry is examining, amongst other things, whether Google has a legal basis for processing personal data, which may include special category data, via the Google Authorised Buyers mechanism. The inquiry is also examining how Google fulfils its transparency obligations in relation to the processing of such personal data, as well as its obligations concerning the retention of such data.

Instagram (Facebook Ireland Limited) (legal basis for processing and transparency in relation to Terms of Use and Data Policy)

This complaint-based inquiry arises from a complaint received from the Austrian privacy advocacy organisation NOYB (None of Your Business) which focused on Instagram's Terms of Use and Data Policy for its users. The inquiry is examining whether Instagram has complied with the obligation to have a legal basis to process personal data of individuals using the Instagram platform. The inquiry includes an examination of whether Instagram provided the data subject with information on Instagram's legal basis for processing in connection with its Terms of Use. It also addresses the complainant's contention that processing in accordance with those Terms of Use was conducted on the basis of the data subject's consent but that that consent was not valid having regard to the nature of the consent which is required under the GDPR.

LinkedIn Ireland Unlimited Company (legal basis for processing in context of targeted advertising to users)

This complaint-based inquiry into LinkedIn is focused on examining whether LinkedIn has complied with its GDPR obligations, in particular in respect of the requirement to have a legal basis for processing personal data, in the context of behavioural analysis and targeted advertising on its platform. The complaint in question was lodged by a French digital advocacy organisation, La Quadrature du Net, through Article 80 of the GDPR, whereby a data subject can mandate a not-for-profit body to lodge a complaint and act on his/her behalf. Issues that the DPC is specifically examining, and which formed part of the complaint, include the issue of whether consent and another legal basis can be relied upon jointly for processing. Amongst other things, this inquiry involves a detailed examination of the technological framework underpinning the analysis of users' behaviour/activities (including profiling) on the LinkedIn platform and how that relates to the delivery of targeted advertisements to the user. Co-operation with the CNIL (the French supervisory authority with which the complaint giving rise to this inquiry was originally filed) is ongoing.

Quantcast International Limited (legal basis for processing and transparency in profiling and utilising the profiles generated for targeted advertising)

This own-volition inquiry was commenced by the DPC following a submission which was made to the DPC by a privacy advocacy organisation concerning Quantcast, which provides services to entities operating in the adtech sector. In particular, the DPC is examining whether Quantcast has discharged its obligations in connection with the processing and aggregating of personal data which it conducts for the purposes of profiling and utilising the profiles generated for targeted advertising. The inquiry is examining how, and to what extent, Quantcast fulfils its obligation to be transparent to individuals in relation to what it does with personal data (including sources of collection, combining and making the data available to its customers) as well as Quantcast's personal data retention practices. The inquiry will also examine the lawful basis pursuant to which processing occurs.

Twitter International Company (right of access and right to data portability)

This complaint-based inquiry arises from a complaint by a Twitter user in relation to an access and portability request which was made to Twitter, whereby the user sought certain technical information (related to user interaction with web links generated by Twitter). This request was refused by Twitter. The inquiry examines whether Twitter has discharged its obligations in respect of the right of access and the right to data portability to personal data having regard to Article 12 of the GDPR, and the extent to which a data controller may refuse to act on a data subject request in circumstances where that controller believes that the request is "manifestly unfounded or excessive", as referred to in Article 12 GDPR.

WhatsApp Ireland Limited (legal basis for processing and transparency in relation to Terms of Service and Privacy Policy)

This complaint-based inquiry arose from a complaint received from the Austrian privacy advocacy organisation NOYB (None of Your Business) which focused on WhatsApp's Terms of Service and Privacy Policy for its users. The inquiry is examining whether WhatsApp has complied with the obligation to have a legal basis to process personal data of individuals using the WhatsApp platform. The inquiry includes an examination of whether WhatsApp provided the data subject with information on WhatsApp's legal basis for processing in connection with its Terms of Service. The inquiry also addresses the complainant's contention that processing in accordance with WhatsApp's Terms of Service was conducted on the basis of the data subject's consent but that that consent was not valid having regard to the nature of the consent which is required under the GDPR.

Facebook Ireland Limited (breach notification obligations — "token" breach)

This own-volition inquiry was commenced following a breach notification made to the DPC by Facebook concerning an incident where an external actor obtained Facebook user tokens. (User tokens enable the authentication of the related Facebook user account, i.e. they keep the user logged into Facebook so that they do not need to re-enter their password every time they use the Facebook app.) Following the incident, Facebook reset millions of user tokens for Facebook accounts. The inquiry is examining Facebook's compliance with the breach notification obligations in Article 33 GDPR and, amongst other things, involves an assessment of the information provided by Facebook to the DPC in relation to the incident, the timing of same and the internal documentation of the data breach by Facebook.

Facebook Ireland Limited (technical and organisational measures — "token" breach)

This own-volition inquiry was commenced following the same breach notification made to the DPC by Facebook as in the preceding inquiry, where an external actor obtained Facebook user tokens. (User tokens enable the authentication of the related Facebook user account, i.e. they keep the user logged into Facebook so that they do not need to re-enter their password every time they use the Facebook app.) As referred to above, following the incident, Facebook reset millions of user tokens for Facebook accounts. This inquiry is examining Facebook's compliance with its obligations, pursuant to Articles 32, 24 and 5 of the GDPR, to implement appropriate technical and organisational measures and, amongst other things, involves an assessment of the information provided by Facebook to the DPC in relation to the incident and an assessment of the policies and procedures Facebook had in place at the time the incident occurred.

Facebook, Inc. (technical and organisational measures — "token" breach)

This own-volition inquiry was commenced following the same breach notification made to the DPC by Facebook as in the two preceding inquiries, where an external actor obtained Facebook user tokens. (User tokens enable the authentication of the related Facebook user account, i.e. they keep the user logged into Facebook so that they do not need to re-enter their password every time they use the Facebook app.) As referred to above, following the incident, Facebook reset millions of user tokens for Facebook accounts. This inquiry is examining Facebook Inc.'s compliance with its obligations, pursuant to Articles 32 and 5 of the GDPR, to implement appropriate technical and organisational measures and, amongst other things, involves an assessment of the information provided by Facebook Inc. to the DPC in relation to the incident and an assessment of the policies and procedures Facebook Inc. had in place at the time the incident occurred.

Facebook Ireland Limited (multiple breaches)

This own-volition inquiry was commenced following a number of breach notifications made to the DPC by Facebook Ireland Limited concerning unauthorised disclosure of personal data. The inquiry is examining Facebook's compliance with its obligations, pursuant to Articles 32, 24 and 5 of the GDPR, to implement appropriate technical and organisational measures and, amongst other things, involves an assessment of the information provided by Facebook to the DPC in relation to the incidents and an assessment of the policies and procedures Facebook had in place at the time the incidents occurred.

Twitter International Company (multiple breaches)

This own-volition inquiry was commenced following a number of breach notifications made to the DPC by Twitter concerning unauthorised disclosure of personal data. The inquiry is examining Twitter's compliance with its obligation, pursuant to Articles 32, 24 and 5 of the GDPR, to implement appropriate technical and organisational measures and, amongst other things, involves an assessment of the information provided by Twitter to the DPC in relation to the incidents and an assessment of the policies and procedures Twitter had in place at the time the incidents occurred.

Oath (EMEA) Ltd/Verizon Media (transparency)

This own-volition inquiry was opened into Verizon Media/Oath (EMEA) Limited in respect of the company's compliance with its transparency obligations under Articles 12, 13 and 14 of the GDPR. This inquiry was commenced under section 110(1) of the Data Protection Act 2018

following assessment of a number of complaints regarding Oath products and services, including some from individuals in other EU member states. The inquiry was focusing on transparency obligations under Articles 12, 13 and 14 of the GDPR. The investigative stage was at the information-gathering phase as of end 2019.

WhatsApp Ireland Limited (transparency)

This own-volition inquiry was commenced following a number of complaints made by data subjects throughout Europe about the transparency of WhatsApp Ireland’s data sharing with the Facebook family of companies and transparency surrounding its use of non-user data, under Section 111 of the Data Protection Act 2018. The investigative stage of the process being complete, the final inquiry report has been passed to the Commissioner, who is the decision-maker under Section 111 of the Data Protection Act 2018. The Commissioner will prepare a draft decision which will be circulated to other European DPAs for comment pursuant to Article 60 GDPR. A final decision will then be made by the Commissioner on whether the GDPR has or is being infringed, whether any corrective powers will be exercised, and if so, what those corrective powers will be.

Twitter International Company (breach notification)

This own-volition inquiry was commenced following a breach notification made to the DPC by Twitter concerning a bug in Twitter’s Android app, where users who changed the email address associated with their account had all of their protected tweets made public. The focus is on the obligation to make breach notifications in a timely manner under Article 33(1) of the GDPR, and the obligation to document data breaches under Article 33(5) of the GDPR. The investigative stage of the process being complete, the final inquiry report has been passed to the Commissioner, who is the decision-maker under Section 111 of the Data Protection Act 2018. The Commissioner will prepare a draft decision which will be circulated to other European DPAs for comment pursuant to Article 60 GDPR. A final decision will then be made on whether the GDPR has or is being infringed, whether any corrective powers will be exercised, and if so, what those corrective powers will be.

Ongoing National Inquiries

Domestic Statutory Inquiries commenced since 25 May 2018

Green indicates inquiries opened between 25 May 2018 – 31 December 2018. White indicates inquiries opened in 2019.

Organisation | Inquiry type | Issue being examined
31 local authorities and An Garda Síochána | Own Volition | Examining surveillance of citizens by the state sector for law enforcement purposes through the use of technologies such as CCTV, body-worn cameras, automatic number plate recognition (ANPR) enabled systems, drones and other technologies. The purpose of these inquiries is to probe whether the processing of personal data that occurs in those circumstances is compliant with data protection law.
An Garda Síochána | Own Volition | Examining governance and oversight with regard to disclosure requests within AGS and within organisations processing such requests, as well as examining the actual requests made by AGS to third parties.
Bank of Ireland | Own Volition | Commenced in response to the large number of breaches notified to the DPC during the period since 25 May 2018.
Catholic Church | Own Volition | Multiple complaints re right to rectification &
DEASP | Own Volition | Examining the position of the Data Protection Officer under Article 38 of the GDPR.
SUSI | Own Volition | Commenced in response to a breach notified to the DPC.
Irish Credit Bureau | Own Volition | Commenced in response to a breach notified to the DPC.
Irish Prison Service | Own Volition | Examining whether it has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data.
Maynooth University | Own Volition | Commenced in response to a breach notified to the DPC in relation to a phishing incident.
UCD | Own Volition | Commenced in response to a number of breaches notified to the DPC during the period since 25 May 2018.
University of Limerick | Own Volition | Commenced in response to a breach notified to the DPC in relation to a phishing incident.
Slane Credit Union | Own Volition | Commenced in response to a breach notified to the DPC in relation to an unauthorised disclosure.
HSE Mid Leinster (Tullamore Labs) | Own Volition | Commenced in response to a breach notified to the DPC.
HSE Our Lady of Lourdes | Own Volition | Examining the security of processing data, appropriate organisational and technical measures following the loss of sensitive personal data.
HSE South | Own Volition | Commenced in response to a breach notified to the DPC.
TUSLA | Own Volition | Commenced in response to a number of breaches notified to the DPC.
TUSLA | Own Volition | Commenced in response to a number of breaches notified to the DPC during the period since 25 May 2018.
TUSLA | Own Volition | Commenced in response to a breach notified to the DPC.

Bank of Ireland

This inquiry relates to 22 breach notifications from Bank of Ireland, in which the bank was sending inaccurate data to the Central Credit Register, with a corresponding risk that data may have been disclosed/accessed. 379 individuals were impacted in the November 2018 breach. The inquiry commenced in July 2019. A site inspection has been carried out and a Draft Inquiry Report is being prepared.

Maynooth University

This inquiry relates to an instance of hacking of a university’s employee email account. The account of an employee at Maynooth University was hacked and forwarding rules were set. Subsequent correspondence between that employee and another staff member was intercepted and bogus bank account details were substituted, causing a money transfer of a lump sum of €28,823.40 to be diverted. The attacked email account was only one of six accounts. For all six accounts there is a risk that substantial amounts of personal data within the emails were potentially accessed. However, the university has not found any evidence of exploitation of the other five accounts. Initial analysis by the university indicated attempted phishing, but there was no indication of any successful phishing. The employee’s personal computer had had malware on it since 2017. The particular malware was a Trojan often used as a launchpad to download malicious software. The university found no indication of the method used to place that malware on the personal computer. This inquiry commenced in November 2019 and is ongoing.

University College Dublin

This inquiry relates to seven breach notifications received between September 2018 and January 2019. The university reported that email accounts across multiple university schools were compromised and detected to be sending spam. Some of the breaches related to users furnishing their credentials on external websites and, in other cases, the controller was unable to identify how its systems were compromised. The account credentials had been posted publicly online for some users. Other credentials were identified in “haveibeenpwnd.com”.

University of Limerick

This inquiry relates to a notified breach about an incident of phishing which the controller became aware of in November 2018, along with three previous phishing breaches notified in February, April and May 2018. The inquiry commenced in July 2019. A further phishing breach was notified in August 2019. An on-site inspection will be carried out in early 2020.

Irish Credit Bureau

This inquiry relates to a breach notification that the DPC received from the Irish Credit Bureau (ICB) in relation to a data integrity issue. A change to the ICB system inadvertently allowed incorrect updates to be applied to the loan account records of financial institutes’ customers, with the result that the credit rating of certain bank customers had inaccurate information recorded. The issue impacted on the credit ratings of 15,238 individuals. 118 individuals had requested their credit report directly from the ICB while data was incorrect. The inquiry commenced in July 2019. The next step of the inquiry is to furnish a Draft Inquiry Report to the ICB.

Slane Credit Union

This inquiry relates to a breach notification received from Slane Credit Union, where the credit union publically disclosed personal data of 78 account holders via general searches on the internet. A plug-in on the credit union’s website had indexed the private content of credit union pages and made it available as public content, which could subsequently be accessed using generic searches about Slane village. Oversight of the website had been outsourced to a separate company, who acted as a data processor. The inquiry commenced in July 2019 and an on-site inspection has taken place where the data controller and processor were questioned about data protection management. The next step is to issue a Draft Inquiry Report.

HSE (Our Lady of Lourdes Hospital)

This inquiry relates to the discovery of hospital records by a member of the public. The inquiry was commenced in November 2019 as a result of hospital ward handover documents relating to 15 patients being discovered by a member of the public in her front garden. A very similar incident had occurred in March 2019 when handover notes on eight patients were discovered on the public road outside the same hospital. The inquiry is ongoing and a Draft Inquiry Report is in preparation.

HSE (South)

This inquiry relates to the discovery of hospital records by a member of the public. Hospital documents containing personal data (name, date of birth, clinical details, and treatment) of 56 patients were found by a member of the public at a recycling facility in Cork. Previously, there had been seven similar breaches reported to the DPC for the same HSE Area. This inquiry commenced in October 2019. A Draft Inquiry Report has been issued to the HSE.

HSE Mid-Leinster (Tullamore)

This inquiry relates to a breach notification about ransomware activated on the computers within the HSE Laboratories in Tullamore. The data controller understood that ICT security measures had been delegated to a data processor. The inquiry commenced in October 2019 and is ongoing.

Tusla (November 2018)

This inquiry relates to 71 personal data disclosure breaches notified by Tusla — The Child and Family Agency to the DPC. The inquiry began in November 2018. The subject matter of the breaches included inappropriate system access, disclosure by email and post and security of personal data. The DPC conducted site inspections at Tusla headquarters and at regional offices in Dublin Central, Naas, Swords, Waterford, Galway and Cork. In the course of the inspections, a number of other data protection issues came to light which fell outside the original scope of the Inquiry. However, as these issues have relevance with regard to the protection of personal data, they will be highlighted in the Draft Inquiry Report. The DPC is currently preparing the Draft Inquiry Report.

Tusla (October 2019)

This inquiry relates to three breach notifications received between February and May 2019 relating to unauthorised disclosure of personal data. In one breach, Tusla accidentally disclosed the contact and location data of a mother and child victim to an alleged abuser. In the next breach, Tusla accidentally disclosed contact, location and school details of foster parents and children to a grandparent. As a result, that grandparent made contact with the foster parent about the children. In the third breach, Tusla accidentally disclosed the address of children in foster care to their imprisoned father, who used it to correspond with his children. The inquiry commenced in October 2019. A Draft Inquiry Report has issued to Tusla.

Tusla (November 2019)

This inquiry relates to a breach notification received from Tusla in November 2019 regarding an unauthorised disclosure of sensitive personal data. The disclosure was made to an individual against whom an allegation of abuse had been made. The disclosed data was subsequently posted on social media. This inquiry commenced in December 2019.

Department of Employment Affairs and Social Protection (DEASP) DPO

This inquiry relates to potential infringements of Article 38 of the GDPR in relation to the Department’s interactions with its Data Protection Officer in the Department of Employment Affairs and Social Protection. The inquiry began in December 2018. A Draft Inquiry Report was issued to the Department in May 2019 and the controller made submissions on it. These have been analysed by the DPC and the Final Inquiry Report is in preparation.

Catholic Church

This inquiry relates to the lawful basis for processing the personal data of individuals who no longer want to have their personal data so processed. The DPC received a number of complaints from individuals who were members of the Catholic Church and many of whom no longer wished to remain as members. In the absence of a way to defect formally from the Catholic Church, the individuals expressed dissatisfaction with the ongoing processing of their personal data by the Catholic Church, in particular with the retention of their personal data on sacramental registers. As a consequence, each individual had requested the erasure of their church records, including those contained in baptism, confirmation and marriage registers. In all instances the request for erasure had been refused by the relevant parish offices. Having considered the issue at a preliminary level, the DPC has opened an own-volition inquiry pursuant to section 110(1) of the Data Protection Act 2018. This inquiry is directed to the Archdiocese of Dublin and will examine whether there is a lawful basis for the processing of the personal data of individuals who no longer want to have their personal data so processed.

An Garda Síochána

This inquiry relates to the process and procedures governing disclosure requests to external third party data controllers by An Garda Síochána (AGS). The inquiry commenced in April 2019. Within the context of the inquiry, pursuant to section 136 of the Data Protection Act 2018, 8 data protection audits were conducted of AGS and a selection of organisations processing disclosure requests received from AGS. The next step of the inquiry is to furnish a Draft Inquiry Report to AGS.

Irish Prison Service

The DPC opened an own-volition inquiry into the Irish Prison Service, specifically into the governance procedures in place regarding the processing of personal data by the work of the Operational Support Group. This inquiry is in its initial stages.

Student Universal Support Ireland (SUSI)

This inquiry relates to a breach notification received from the City of Dublin Education and Training Board (CDETB) in relation to its Student Universal Support Ireland (SUSI)

website. The website had a breach, where malicious code (a web-shell) was detected by the SUSI IT team on 16 October 2018. The inquiry is examining the technical and organisational measures in place at the time of the breach, and how SUSI has discharged its obligations as a data controller following the breach. The inquiry commenced in July 2019 and is ongoing.

Surveillance by the State Sector for Law Enforcement Purposes

Surveillance systems that capture images of people and in turn lead to the identification of individuals either directly or indirectly, i.e. when combined with other pieces of information, can trigger the applicability of the GDPR and the Data Protection Act, 2018. While use of such technologies for surveillance purposes by the state for law-enforcement functions has become more widespread and while there may be a perception by many that surveillance has become the norm, this perception does not diminish the obligations placed on organisations processing personal data through these means. Furthermore, while the usefulness of such technology for surveillance purposes may be obvious, i.e. the detection of specific security relevant incidents, surveillance systems operating in public places can impact on the privacy of individuals. As such it is essential that organisations in control of systems can demonstrate that their systems are operating in compliance with data protection legislation.

The type of CCTV camera used may also raise data protection concerns. Pan-Tilt-Zoom (PTZ) cameras may be used to zoom in from a considerable distance on individuals and their property so they may pose higher risks to individuals’ privacy. Furthermore, the deployment of ANPR cameras is becoming more commonplace in the State Sector but the absence of data protection policies governing the use of such technology in the State Sector is notable.

These concerns prompted the DPC to commence a number of own-volition inquiries under the Data Protection Act 2018 into surveillance of citizens by the state sector for law-enforcement purposes through the use of technologies such as CCTV, body-worn cameras, drones and other technologies such as Automatic Number-Plate Recognition (ANPR) enabled systems, which is becoming an increasingly prevalent part of CCTV systems. There are several other aspects to these ongoing own-volition inquiries such as an examination of the use of CCTV cameras to monitor certain local-authority housing estates and the use of covert cameras to detect offenders in the act of littering and unlawful waste disposal. The inquiries are also examining the legal basis underpinning use of these surveillance technologies for law-enforcement purposes.

These own-volition inquiries are being conducted under Section 110 and 123 of the Data Protection Act 2018 and they have been split into a number of modules. The first module focuses on the 31 local authorities in Ireland, and the second module focusses on An Garda Síochána. Further modules are likely to be added as the inquiries progress. The first and second modules commenced using the data protection audit power provided for in Section 136 of the Data Protection Act 2018.

In the first phase of audits, the DPC issued a detailed questionnaire to all 31 local authorities and An Garda Síochána to elicit information in relation to their respective usage of CCTV, body-worn cameras, ANPR-enabled systems, drones and other technologies for surveillance purposes. The second phase, i.e. the information gathering phase, began in September 2018 with a series of on-site inspections.

The inquiries do not apply to security cameras such as those deployed for normal security purposes. Each of the local authorities inspected had its own unique approach to how it conducted surveillance on citizens. As part of the inquiry process, the DPC sought evidence of robust data protection policies as well as evidence of active oversight and meaningful governance.

To date, the DPC has conducted inspections in seven separate local authorities. The authorities inspected were Kildare County Council, Limerick City and County Council, Waterford City and County Council, Kerry County Council, Galway County Council, Sligo County Council and South Dublin County Council. Between them, these seven local authorities have more than 1,000 CCTV cameras in operation for surveillance purposes.

Another key aspect of these inquiries involves auditing the deployment of community-based CCTV systems by local authorities and examining whether Section 38(3)(c) of the Garda Síochána Act 2005 (which provides a legislative basis for such schemes under certain conditions) is being fully complied with. Community-based CCTV schemes that have been set up at local level require that the authority be a data controller and that prior authorisation of the Garda Commissioner is required. In particular, the inquiries are examining whether or not the Garda Commissioner has approved all such schemes in operation at present (to date the Garda Commissioner has authorised Community-based CCTV schemes in approximately seventy cities, towns and villages across the State). The inquiries are also examining how data controller obligations are being met by the local authorities as required under that Act.

An Garda Síochána

Separate to the ongoing inquiries in the local authority sector, an inquiry was conducted into An Garda Síochána in relation to Garda-operated CCTV schemes (Section 38(3)(a) of the Garda Síochána Act 2005 provides a legislative basis for such schemes). Currently there are approximately 38 separate schemes that operate under this legislation that are solely under the control of An Garda Síochána. The inquiry conducted involved inspections at Garda Stations in Tullamore, Henry Street Limerick, Pearse Street Dublin, Duleek and Ashbourne Co. Meath. Following the submission of the final inquiry report to the Commissioner for Data Protection, the Commissioner made 13 findings in respect of infringements of the Data Protection Act, 2018. These infringements relate to a number of matters such as governance issues (including record-keeping of downloads, retention periods, training, auditing of access logs); transparency in relation

to informing the general public by signage and other means; the absence of data processor contracts; and the deployment of ANPR cameras on one Garda scheme in the absence of the implementation of appropriate data protection policies by An Garda Síochána and its failure to carry out a data protection impact assessment before rolling out the scheme. Note: As the matters under examination related to the law enforcement provisions of the Data Protection Act 2018 only, infringements of the GDPR did not arise in these instances.

The Commissioner decided to exercise three corrective powers in accordance with Section 127 of the Data Protection Act, 2018. In summary, a reprimand was issued to An Garda Síochána in circumstances where the processing was not in compliance with the 2018 Act and in such instances the Commissioner ordered the processing to be brought into compliance. Furthermore a temporary ban was imposed on processing in one region where such processing involves the operation of ANPR cameras until such time as their necessity and justification can be demonstrated. An Garda Síochána switched off these ANPR cameras as ordered by the Commissioner within seven days.

Cookies Sweep 2019 (Carried out under the GDPR and ePrivacy Regulations)

In August 2019, the DPC commenced an examination of the use of cookies and similar technologies on a selection of websites across a range of sectors, including media and publishing, the retail sector, restaurants and food ordering services, insurance, sport and leisure and the public sector.

The purpose of the sweep survey was to request information to allow us to examine the deployment of such technologies and to establish how, and whether, organisations are complying with the law. In particular, we wanted to examine how controllers obtain the consent of users for the use of cookies and other tracking technologies.

The standard of consent that controllers must obtain from users or subscribers for the use of cookies must now be read in light of the GDPR standard of consent, i.e. it must be obtained by means of a clear, affirmative act and be freely given, specific, informed and unambiguous.

There was a good level of cooperation with the sweep and most organisations were keen to demonstrate compliance. In some cases they signalled their awareness that they may not currently be compliant with S.I. No. 336/2011 — the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (‘the ePrivacy Regulations’) and they wished to obtain guidance from the DPC on how to amend their practices, if required.

The quality of information provided to users in relation to cookies varied widely. Some organisations provided detailed and layered information about the technologies in use, and others provided little detail about the use of cookies, or about how to reject them.

We also established that many organisations are setting a wide range of cookies as soon as a user lands on their website, without any engagement by the user with a consent management platform or cookie banner. These included third-party cookies from social media companies, payment providers and advertisers.

Many organisations categorised the cookies deployed on their websites as having a ‘necessary’ or ‘strictly necessary’ function, or a ‘performance’, ‘functional’ or ‘analytics’ function. However, some cookies defined by controllers in their responses as ‘strictly necessary’ appear not to meet either of the two consent exemption criteria set down in the ePrivacy Regulations.

There was some level of awareness, particularly among larger organisations, of recent or pending rulings by the Court of Justice of the European Union (CJEU) in the ePrivacy area, which may impact on their practices. Some are reassessing issues of joint controllership that may arise in respect of the use of third-party plugins and social ‘like’ buttons in light of the Fashion ID judgment of 29 July 2019.

On 1 October, shortly after the DPC commenced this sweep, another significant judgment from the CJEU in the Planet49 case clarified that consent for the placement of cookies is not valid if it is obtained by way of pre-checked boxes which users must deselect to refuse their consent. The use of pre-checked boxes and sliders set by default to the ‘on’ position was a feature on a number of the websites we examined. In addition, many organisations relied on implied consent to set cookies, or they directed users to their browser settings to control cookies.

There were also examples of pre-checked boxes which opted users in to analytics and marketing cookies by default, but with the organisation failing to honour any choice expressed by the user if they unchecked the boxes. A lack of clarity on how users could withdraw their consent to cookies was also a feature on some sites.

During 2020, the DPC will produce updated guidance on cookies and other technologies which will take account of the judgments in Planet49 and Fashion ID. This guidance will underpin our future enforcement strategy and activity.

Given the pervasive nature and scope of online tracking, and the inextricable links between such tracking and cookie technologies and adtech, we will place a strong focus on compliance in this area.

Other Investigations (Under the Data Protection Acts 1988 and 2003)

Tusla Child and Family Agency Investigation

In November, the DPC concluded an investigation that had commenced in March 2017 (under the Data Protection Acts 1988–2003 which were applicable at the time) into the governance of personal data within the Child and Family Agency, Tusla.

The investigatory phase, which included physical inspections by our Authorised Officers at Tusla locations around the country, had been completed in December 2017.

The DPC continued to engage with Tusla throughout 2018 and 2019 in relation to a number of our findings, including in relation to issues related to the co-location of Tusla offices with facilities also occupied by the Health Service Executive (HSE). The agency confirmed that a number of organisational and technical measures have been put in place since the DPC’s site inspections in late 2017. Tusla’s ICT unit is also advancing what the agency describes as “a significant work programme” which will see the establishment of an ICT environment wholly managed and controlled by Tusla. Tusla also confirmed that it expects to revise its current record management policy with the aim of aligning it with the necessity and proportionality principles of GDPR. The agency is also seeking to review its use of “in perpetuity” record retention periods and anticipates a decision of the DPC will issue following this.

Investigation of Independent News and Media (INM) under the Data Protection Acts 1988 and 2003

The DPC investigation of Independent News and Media (INM) under the Data Protection Acts 1988 and 2003 in relation to the possible unlawful disclosure of data held on company servers to third parties and other potential contraventions of the Data Protection Acts is nearing a conclusion. The DPC has raised queries and received submissions from various stakeholders to gather the information about the facts surrounding a data extraction process that was widely reported in the media and which formed part of the basis for the appointment of High Court Inspectors. The DPC is finalising the Investigation Report.

Investigation in relation to The Public Services Card under The Data Protection Acts, 1988 and 2003

A detailed report of the Investigation by the DPC into processing of personal data by the Department of Employment And Social Protection (DEASP) in relation to the Public Services Card can be found in Appendix 3 on page 93.

7 Legal Affairs

The work of the DPC’s Legal team has always been challenging and diverse but perhaps never so much as during 2019. The progression of the first inquiries, particularly those concerning cross-border processing issues, towards completion has given rise to novel and highly complex issues, including a certain level of procedural challenges being raised by respondent data controllers, as well as individual complainants and (Article 80) representative bodies. These challenges often concern novel points of law, particularly concerning the interaction between the GDPR and Irish national implementing legislation, the Data Protection Act 2018, which have not previously arisen under Irish law.

Procedural law issues

During 2019, the DPC has had to consider a multiplicity of legal procedural issues raised by parties to processes conducted by the DPC such as: how best to balance rights and entitlements of the parties concerned in the context of requests for access to the inquiry file; claims made over material submitted by parties to inquiries; legal privilege, confidentiality and commercial sensitivity as well as challenges to the fairness of processes and procedures undertaken by the DPC. In order to determine the various issues arising, the DPC has had to consider how legislative provisions might be interpreted and operated in harmony with European legislation as well as how rights deriving from the European Union’s legal framework, such as the right of access to the file and the right to good administration, should operate in the context of an Irish regulatory inquiry. Similarly there have been many issues arising concerning the potential conflict of other national administrative laws (insofar as they implement and give further effect to the GDPR at national level) with the Data Protection Act 2018. This phenomenon is one which is occurring in the context of the work of supervisory authorities across the EU. Consequently, at EDPB level, supervisory authorities continue to work through how to resolve these procedural issues at a practical level to ensure the highest degree possible of harmonisation of GDPR implementation nationally. The DPC anticipates that 2020 will involve the reconciliation of many such complex legal issues which will flow from the conclusion of its first waves of statutory inquiries (particularly those which must progress to final resolution under the One Stop Shop mechanisms i.e. where the DPC is the Lead Supervisory Authority) and crystallisation in practical terms of many theoretical legal and procedural issues which have been raised during those first novel inquiries.

Litigation involving the DPC

Between 1 January and 31 December 2019, substantive judgments on data protection issues were delivered in the following proceedings, to which the DPC was a party.

An appeal to the Circuit Court in the case of Young’s Garage v The Data Protection Commissioner (judgment of Nenagh Circuit Court, delivered 4 February 2019). Note: this judgment was reserved and subsequently delivered orally only and the below is a summary of that oral judgment.

This case concerned an appeal, brought by a car dealership, against a decision of the DPC dated 21 December 2017 in relation to a complaint made by an individual against that dealership. In his complaint, the individual alleged that the dealership provided his personal data to a third party bank for the purpose of enabling the carrying out of a credit check on the individual with that bank. The individual alleged that this credit check, and the processing of his personal data by the dealership for this purpose, took place without his consent. The DPC commenced an investigation into the complaint, during the course of which the dealership asserted that the individual had consented to the processing of his personal data for the purpose of a credit check. While the dealership asserted that it normally records an individual’s consent by way of a “ticked” checkbox on an application form, the form relating to the complainant individual did not contain a “ticked” checkbox. In the circumstances, the dealership had no way of proving by way of documentary evidence that the individual had, in fact, consented to the processing of his personal data for the purpose of a credit check. Accordingly, the DPC

It should be noted that these proceedings related to the performance of the DPC’s functions under the previous legislative regime of the Data Protection Acts 1988 and 2003.

53 Annual Report 1 January — 31 December 2019 found that the dealership breached Section 2A of the Court found that the investigation process, as carried by Data Protection Acts, 1988 and 2003. the DPC, had been properly conducted and noted that there were two different accounts of the facts put forward The DPC’s decision noted that Section 2A of the Data by the dealership and the complainant. The Court found Protection Acts, 1988 and 2003 requires consent to be that the DPC’s decision was correct based on the evidence “freely given, specific, informed and unambiguous”. As the before her. On the consent issue, the Court noted that the checkbox on the form used to process the individual’s affidavit sworn on behalf of the dealership in this appeal personal data had not been “ticked”, and there was no was silent on the issue of consent and that no evidence further documentary evidence available to support the had been put forward as to consent having been provided assertion that the individual consented to the processing, by the complainant to his details being forwarded to the the DPC concluded that the requisite elements of ‘consent’ bank. Further, in relation to the question of controllership, were not satisfied in this case and the dealership could the Court found that there was no question but that the not show that it had a lawful basis to support the process- dealership was a data controller, and that it was clear that ing of the individual’s personal data. The issue of control- the dealership could not be a processer as it did not act lership was also raised by the dealership during the DPC’s for the bank in question. 
It was noted that the dealership’s investigation with the dealership claiming that it was not solicitor had previously seemed to agree with this position the controller and instead was a processor for the third in earlier correspondence; therefore it seemed to follow party bank to whom the complainant’s personal data had that the dealership’s solicitor accepted that it was not a been passed. This argument was not accepted by the DPC. processor, and it also followed from this that the dealer- The dealership appealed the decision to the Circuit Court. ship was a data controller. Therefore the Court did not In the oral judgment delivered by the Circuit Court, the allow the dealership’s appeal.

An appeal to the Circuit Court in the case of Doolin v The Data Protection Commissioner (judgment of Dublin Circuit Court, delivered 1 May 2019). Note: the judgment in this appeal was delivered ex tempore only and the below is a summary of that judgment.

This case concerned an appeal, brought by an individual, against a Decision of the DPC dated 27 July 2018. In the complaint that formed the basis for the Decision, the individual alleged that his employer used CCTV footage of him to sanction him for taking unauthorised breaks at work.

During the course of the investigation, it was established that the employer discovered a threatening message carved into a table in the break room at the place of employment. The employer reported the matter to An Garda Síochána for investigation. An Garda Síochána requested the employer to examine all fob usage records and CCTV footage from a corridor leading to the break room in question. The CCTV footage was used to identify those persons who entered/left the break room. The employer then interviewed the identified members of staff with a view to establishing whether or not the message was on the table during the time they were present in the room (so as to narrow down the time that the incident could have taken place). The employer advised that a number of staff, when interviewed, admitted that they had been taking an unofficial break from their duties. The employer asserted that disciplinary action was taken on the basis of those admissions and that the CCTV footage was not used for the purpose of the disciplinary hearing. The employer reiterated that the only purpose for the use of the CCTV was the investigation into a criminal matter that had been referred to An Garda Síochána.

The individual alleged that the employer breached Section 2 of the Data Protection Acts, 1988 and 2003 ("the Acts") when it used the CCTV footage for disciplinary purposes. The individual relied on the employer's CCTV policy in this regard, which stated that the purpose of the CCTV system was to prevent crime and promote staff security and public safety.

In examining the individual's complaint, the DPC considered two issues relating to the processing of his personal data by way of the CCTV system, as follows:

1. Whether the employer had a lawful basis under Section 2A of the Acts for processing the individual's data; and
2. Whether the employer complied with the statutory requirements set out in Section 2(D) of the Acts in relation to the fair processing of the individual's data, with particular reference to the requirement to provide notice of the processing of the individual's personal data.

The DPC firstly noted that it was apparent from the investigation that the employer had a legitimate justification to access and view the CCTV footage in order to make enquiries as to who had carved the offensive and threatening material into the table of the staff break room. It was a serious security issue which potentially gave rise to a threat to staff and it had to be investigated. This included the necessity to view CCTV footage as part of the investigation. Under Section 2A(1)(d) of the Acts, the processing of personal data is permitted if it is necessary for the purposes of the legitimate interests of the data controller, except where that processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms of the individual.

The DPC had regard to the Opinion of Advocate General Bobek in the Rīgas regional security police case (Case C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA 'Rīgas satiksme') and, in particular, AG Bobek's consideration of the scope and meaning of the term 'legitimate interests'. AG Bobek noted that, when considering whether the 'legitimate interests' ground applies, a three-step test must be followed:

1. There must be the existence of a legitimate interest justifying processing;
2. That interest must prevail over the rights and interests of the individual; and
3. The necessity of processing the personal data for the realisation of the legitimate interests.

Applying the above to the matters established during the course of the investigation, the DPC was firstly satisfied that the employer demonstrated it had a legitimate interest in processing the individual's personal data by viewing the CCTV footage in order to identify staff members who should be interviewed in relation to the security risk presented. In relation to the second and third limbs of the test, the DPC found that the viewing of CCTV footage was a crucial investigative step in order to identify the staff members who were present around the time that the incident occurred. The DPC was satisfied that the processing of the individual's personal data in the form of a limited viewing of the relevant CCTV footage, without downloading or further processing of any kind, was necessary for this purpose and did not go beyond the stated purpose. The CCTV camera was located outside the staff room and was not monitoring employees in a private area. The DPC therefore concluded that the viewing was proportionate in all of the circumstances and prevailed over the individual's rights and interests in that limited context. Accordingly, the DPC found that the employer had a lawful basis, under the legitimate interests provision set out in Section 2A(1)(d) of the Acts, for the very limited processing of the individual's personal data which took place in this case.

The DPC further considered whether the requirements of Section 2(1)(c)(ii) of the Acts had been satisfied by the employer. This provision requires that personal data must not be processed for purposes other than the purpose for which it was originally collected. In this case, the DPC was satisfied that the individual's images, as captured on the CCTV system, were processed in connection with the investigation of a security incident when they were initially viewed by the investigation team for that purpose alone. The information gathered from that viewing may subsequently have been used for another purpose, i.e. disciplinary proceedings, but this, in the view of the DPC, did not constitute a different purpose, because the CCTV images were not further processed for that second purpose. If the images had been further processed for that second purpose, for example by downloading and use in the disciplinary proceedings, it may constitute further processing for a different purpose. This did not occur in this particular case and no further processing of the individual's images occurred for the second purpose. Accordingly, the DPC found that the limited viewing of the individual's images took place exclusively for the security purpose for which the images were originally collected and that no contravention of Section 2(1)(c)(ii) occurred.

Finally, the DPC considered whether the fair processing requirements set out in Section 2D of the Acts were satisfied by the employer in this particular case. The DPC found that it was evident, from the information provided by both the employer and the individual themselves, that the individual was on notice that CCTV footage was in operation in the employer's premises. This was through information provided in the staff handbook which the employer said was issued to every employee during induction. It was also evident through CCTV signage on display at the premises. Accordingly, the DPC was satisfied that the fair processing requirements, as set out in Section 2D, were satisfied by the employer in this particular case.

In his appeal to the Circuit Court, the individual alleged that the DPC had erred in fact or law in determining that there was no breach of Section 2 of the Acts by his employer in respect of the CCTV footage. To succeed on this claim, and by reference to the test set out in Orange Limited v The Director of Telecommunications, the individual had to establish that there had been a serious and significant error or series of such errors. The Court found that the DPC carried out a significant investigation into the individual's complaint and that the individual had been put on full notice of the employer's position and was given every opportunity to make submissions (and did, in fact, make such submissions). The Court also accepted that there had only been one investigation and not two investigations. The investigation undertaken was based on security concerns arising from the graffiti incident in question, and the disciplinary action by the employer against the individual was taken for security purposes. In all of the circumstances, and taking into account the facts, the Court was satisfied that the individual did not meet the test as would require the DPC's Decision to be overturned. Accordingly, the Court dismissed the individual's appeal. Costs were awarded to the DPC and the notice party (the employer).

Note: this Circuit Court decision is now under appeal to the High Court.

8 Supervision

Supervision contact with companies, organisations, policymakers and legislators enables the DPC to better understand the ways in which personal data is processed by controllers and processors, and the actions they take to meet their data protection obligations. It helps the DPC in proactively identifying data protection concerns and, in the case of new products or services, ensuring organisations are aware of compliance obligations and potential problems in advance of the commencement of processing personal data.

The DPC received 1,420 general consultation queries during 2019. These queries act as a starting point for much of the DPC's supervision of controllers and processors of personal data, and provide an important insight into the types of issues which could benefit from further engagement and guidance. The sectoral breakdown of these queries is as follows:

Sector | Number | %
Public Sector | 629 | 44%
Private/Financial Sector | 472 | 33%
Voluntary/Charity Sector | 194 | 14%
Law Enforcement Sector | 90 | 6%
Health Sector | 35 | 2%
TOTAL | 1,420 |

Public Sector

The DPC engaged with several local authorities in 2019 on the topic of the processing of personal data in the context of waste management enforcement activities. Activity in the local government sector around waste enforcement took two different forms; one was the development of byelaws that sought to allow for increased sharing of personal data in order to more effectively enforce existing waste legislation, and the other was by way of a pilot project which focused on using Eircodes of households in a particular region in order to focus enforcement activities.

A key focus in 2019 was the promotion of 'Guidelines on the processing of personal data by Elected Representatives under Section 40 of the Data Protection Act 2018', published by the DPC at the end of 2018. Presentations were made to local councillors at the Association of Irish Local Government annual conference, and to members of the Oireachtas and their staff. The guidelines were also presented to the Local Government Data Protection Officers Network, in recognition of the important role that local councillors provide for their constituents in accessing the services of their local authorities.

The National Newborn Bloodspot Screening Programme

In 2019, the DPC stepped up regulatory engagement with the Department of Health to bring to a conclusion the matter of the indefinite retention of the historic archive (pre 2012) of national new-born screening test cards. These cards are used in screening newborn babies for a range of health conditions shortly after their birth as part of the National Newborn Bloodspot Screening Programme. The original indefinite retention policy of the programme was found by the DPC in 2010 to be in breach of data protection law. Following this finding, the DPC directed the various stakeholders to find a resolution to the breach, either by way of establishing a lawful basis for the retention of the archive or its destruction. A protracted period of stakeholder consultation and review within the Department of Health was then undertaken, as well as a period of time during which members of the public were afforded the opportunity to extract their cards from the archive. The DPC has been informed that a Ministerial order for the destruction of the archive has now been signed and we understand the destruction process will be completed in the first quarter of 2020.

It should be noted that, following revision of its data retention policy in 2012, the National Newborn Bloodspot Screening Programme as it currently operates does not present any data protection concerns.

The DPC also continued to engage with several key stakeholders of the national smart meter rollout project, including ESBN, the Commission for Regulation of Utilities (CRU) and the electricity suppliers. As implementation of this project is being progressed for public policy reasons, the DPC emphasised the need for a clear statutory underpinning for this complex project, in accordance with the Data Protection Act 2018, and will continue to provide guidance in that area on the data protection implications of the project as it develops. The DPC highlighted the importance of proper stakeholder consultation and full consideration of data protection implications by way of data protection impact assessments (DPIAs) as central to success in this area.

Prior Consultation

Under the GDPR and the Data Protection Act 2018, there is a mandatory obligation to consult with the DPC on legislative proposals involving the processing of personal data. In this area we encourage early engagement so that we have a clear understanding of the legislation and what it is trying to achieve at the earliest opportunity. This also allows us to encourage government departments to adhere to the principle of 'data protection by design', and to carry out effective Data Protection Impact Assessments. In 2019 the DPC was consulted by a range of government departments and other stakeholders on legislative matters including, but not limited to, the following:

Sample of Legislative Consultations:
• Adoption (Information and Tracing) Bill 2016
• Proposals on The Future Funding of Public Service Broadcasting
• Proposals to extend the circumstances in which recording devices, including Body worn cameras, can be used by An Garda Síochána
• Report on the Collection of Tuam Survivors' DNA
• Draft National Risk Assessment 2019 — Overview of Strategic Risks Report
• CervicalCheck Tribunal Bill 2019
• Amendments to the Electoral Act 1992 to allow for the establishment of the Citizens Assembly 2019 and the Dublin Citizens Assembly
• The Civil Registration Bill 2019
• Defence Forces (Evidence) Bill 2019
• Disabled Drivers and Disabled Passengers Fuel Grant
• Registrar of Beneficial Ownership of Companies and Industrial and Provident Societies
• Proposal for the Establishment of a Statutory Electoral Commission
• Draft General Scheme of the Sea-Fisheries (Amendment) Bill 2019
• Amendment to the Gaming & Lotteries Act 1956
• European Union (Hague Maintenance Convention) Regulations 2019
• Housing (Regulation of Approved Housing Bodies) Bill 2019
• Investment Limited Partnerships (Amendment) Bill 2019
• S.I. to establish A Beneficial Ownership Register for ICAVs (Irish Collective Asset-Management Vehicles) and Credit Unions
• S.I. to create a beneficial ownership register for the beneficial owners of Trusts
• Regulations to add the Registrar of Beneficial Ownership of Companies and Industrial and Provident Societies as a specified body to Schedule 5 of the Social Welfare Consolidation Act 2005
• Judicial Council Act 2019
• Microchipping of Dogs Regulations 2019
• Monuments and Archaeological Heritage Bill 2019
• Parental Leave (Amendment) Bill 2017
• Residential Tenancies Amendment Bill 2018
• Data Protection Act 2018 (Section 60(6)) (Health Professionals' Regulators) Regulations 2018
• Amendments to the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018
• Social Welfare Spring Bill 2019
• Transposition of EU Shareholders Rights Directive (providing for the identification of shareholders and remuneration of directors) as amendments to the Companies Act
• Waste Presentation Byelaws

Sample of Non-legislative Observations:
• Public Consultation on the Potential Introduction of Open or Semi-Open Adoption in Ireland
• National Action Plan of Business and Human Rights Publication
• Affordable Childcare Scheme — prescribing persons who may process personal data
• Revenue Statement of Strategy
• Public Consultation on National Cyber Security Strategy
• EU Commission Survey on Internet Connected radio equipment and wearable radio equipment
• National Artificial Intelligence Strategy
• Public Consultation and launch of updated Central Bank of Ireland guidance, on policies and procedures for entities, in complying with Anti Money Laundering laws
• Proposal for a Fraud Sharing Database in the Banking sector
• Proposal for an Insurance Fraud Database
• Proposal by Dept of Transport Tourism & Sport, to set up a 'Motor Third Party Liability Database', to record the insurance status of registered vehicles
• Gender Pay Gap Information Bill 2019

Private and Financial Sector

Supervision of private sector entities and organisations connected with the financial, banking and insurance sectors continued in 2019, providing direction and guidance to data controllers on a broad range of complex data protection issues. The organisations with whom the DPC engaged during 2019 included:

• The Irish Association of Pension Funds
• SIPTU
• An Garda Síochána
• Accountancy Ireland
• Aer Lingus
• Western Union
• Central Bank of Ireland
• Ulster Bank
• Revenue Commissioners
• Department of Finance
• National Recruitment Federation
• Money Advice and Budgeting Service (MABS)
• Banking Payments Federation Ireland
• Lidl
• Prudential Assurance
• Permanent TSB
• Bank of Ireland
• Irish Petrol Retailers Association
• Insurance Ireland
• IBEC (Telecommunication and Internet Federation)
• Irish Farmers Association
• Irish Rail

2019 saw the continued emergence of new technologies, most notably in the Fintech and payments industry with the advent of Open Banking and the European Payment Services Directive 2 (PSD2), with new Fintech start-ups or trusted third-parties (TPPs) setting up operations in Ireland. This is expected to gather momentum in 2020 and, as the sharing of account information and personal data is the cornerstone of the Directive, this will be a core priority for the coming year in the DPC's consultation engagement with the private and financial sector.

Whilst it can be seen that since the introduction of the GDPR in May 2018 there is greater awareness amongst private sector organisations of data protection obligations, so contributing to the reduction in queries received, some of the core recurring concerns for companies throughout 2019, amongst others, included:

• Transferring of employee data in mergers and takeovers
• Use of technologies in the workplace such as biometric clocking/GPS vehicle tracking and CCTV in the workplace
• New technologies and their impact on controllers' data protection obligations
• Effectively dealing with Subject Access Requests
• Direct Marketing rules under the ePrivacy Directive
• Personal data transfers following a No-Deal Brexit

Law Enforcement

Over 2019 the DPC was involved in extensive consultations with An Garda Síochána in respect of its programme to modernise core technology platforms. This included reviewing data protection impact assessments for its Electronic Content Management (ECM) platform and Investigative Management system (IMS). The DPC also engaged with An Garda Síochána on its data protection impact assessment in respect of the Schengen Information System second generation project (SIS II).

CASE STUDY 13

Proposals for Fraud Sharing Databases

During 2019 the DPC was consulted on proposals for the creation of two separate fraud information-sharing databases.

The first proposal from Insurance Ireland is to expand an existing database, called InsuranceLink, to include additional data fields. InsuranceLink contains details of insurance claims made by individuals to facilitate the exchange of information between insurance companies when a claim for compensation has been made by a customer, for the purpose of identifying fraud where false claims are being potentially processed. One of the proposed additional data sets is third party personal data, such as witnesses to accidents.

The second proposal was from Banking and Payments Federation Ireland (BPFI) on behalf of the main retail banks, who wish to create a fraud information-sharing database that would be operated by an independent trusted third party. Each bank that establishes fraudulent activity would, according to predefined rules, transmit that information to the database and all participant banks would be permitted to check client details against the database for the purposes of identifying and preventing fraud.

The DPC has emphasised to both Insurance Ireland and BPFI that industry fraud databases, involving the processing of significant volumes of sensitive data, must meet necessity and proportionality requirements under EU law and jurisprudence. We have also emphasised that the operation of each database must, as necessary, have a statutory underpinning to ensure compliance with data protection obligations under the GDPR and the Data Protection Act 2018, such as, for example, where the processing is in the public interest and/or involves data relating to offences or alleged offences.

It is the DPC's view that both proposals raise significant risks for individuals, in particular to persons who may be wrongly identified as participating in fraudulent activity, or, in the case of insurance claims, to persons who are not directly linked to a claim such as a witness. We have advised the parties that these risks must be fully assessed and mitigated, including by building in very robust safeguards, rules and procedures and ensuring that the principles of data protection such as data minimisation are complied with. Furthermore, we have highlighted the importance of public consultation and awareness on the scope and purpose of these proposals.

Multinational Supervision

In 2019, the DPC attended over 100 meetings with various multinational companies in its supervisory capacity. In addition, the DPC issued formal requests seeking detailed information on compliance with the GDPR on a broad range of matters such as:

• discrepancies in privacy policies;
• media reports outlining security issues, e.g. human review of voice recordings;
• seeking improvements to processing activities such as location tracking;
• reviewing potential new features and products, e.g. a suicide & self-harm prevention feature; and
• assisting our European counterparts in relation to concerns raised by them, e.g. the use of diagnostic data.

Certification and Codes of Conduct

Certification

During 2019, the DPC continued with its preparation for the implementation of the GDPR's certification approval mechanisms. GDPR certification is intended as an accountability mechanism for organisations' specific processing operations, to demonstrate compliance efforts to individuals and ultimately to support individuals' trust in personal data processing.

The GDPR allows for the Supervisory Authority or the member state's National Accreditation Board (NAB) to accredit certification bodies to "data protection certification mechanisms" in accordance with ISO 17065/2012 and with additional requirements established by the DPC. Section 35 of the Irish Data Protection Act, 2018, sets out that the Irish National Accreditation Board (INAB) will be the sole accrediting body for Ireland. As a result, the DPC will not be undertaking the role of an accreditation body in Ireland.

As part of implementing Article 43 of the GDPR, the DPC must set out "additional requirements" to that of ISO 17065/2012 that INAB will apply during accreditation of certification bodies to certification mechanisms that have DPC approved data protection criteria. The DPC has just finalised these additional requirements, which are now to be submitted to the EDPB in the early part of 2020. These will be subject to an EDPB consistency opinion. Once this opinion is adopted by the EDPB and any adjustments accounted for by the DPC, they will be made publicly available.

The DPC is also currently in the process of finalising a cooperation agreement with INAB regarding accreditation operations. Work has also commenced on the operational aspects of assessing schemes' data protection criteria that stakeholders may submit to the DPC and on the detailed communication, cooperation and interaction the DPC will have with INAB, scheme 'owners', and the EDPB during the approval process.

Finally, in late 2019, the DPC co-hosted with INAB an initial information session with a group of certification bodies and other stakeholders to raise awareness of the parameters of GDPR certification mechanisms and to encourage development of such mechanisms among certification bodies. This was the first in a series of information sessions, with further sessions expected to take place in 2020.

Codes of Conduct

Rules around the drafting and monitoring of 'Codes of Conduct' are set out in Articles 40 and 41 of the GDPR, representing a practical and meaningful method of achieving greater levels of compliance with the principles of data protection and of protection for data protection rights. Codes of Conduct can, in particular, provide an opportunity for specific sectors to reflect upon common data processing activities and to agree to context-specific and practical rules and procedures, which will meet the needs of the sector as well as the requirements of the GDPR.

The DPC led on the development of EDPB guidelines on the drafting of Codes of Conduct and appointing Monitoring Bodies for those Codes, as set out by the GDPR, which were approved and published by the EDPB in June 2019, following public consultation. The DPC has compiled draft accreditation criteria for the accreditation of Monitoring Bodies which will be tasked with monitoring compliance with any proposed Codes of Conduct. The review of these criteria by the EDPB and their approval and publication in 2020 will be an important step towards supporting organisations in drawing up Codes of Conduct, alongside the previously published EDPB guidelines.

The DPC looks forward to the development of Codes of Conduct as a way to improve standards of data protection and transparency for particular sectors or processing operations. Codes of Conduct, properly monitored by suitable Monitoring Bodies, will bring more comprehensive, context-specific clarity to the data protection obligations of certain sectors and controllers. Following the extensive consultation work undertaken by the DPC in the area of children's data protection rights, the DPC will encourage the drawing up of Codes of Conduct intended to contribute to the proper application of data protection to the processing of children's personal data (more information on the Children's Consultation can be found on page 66).

9 Data Protection Officers

The Data Protection Officer (DPO) of an organisation is a person with expert knowledge of data protection law and practices. Their role is to help the organisation monitor compliance with the GDPR. It is essential that the DPC, as the Irish regulator for data protection, meets the highest standard of data protection compliance in respect of the personal data it processes.

DPC's DPO

The GDPR requires the appointment of a DPO with the necessary professional qualities and, in particular, refers to expert knowledge of data protection law and practice. As a qualified solicitor with experience in ensuring practical compliance with data protection obligations from an organisational perspective, the DPC's DPO has the required expert knowledge of data protection law. In addition, as a senior member of staff of the DPC (Assistant Commissioner), the DPC's DPO reports directly to the highest level of management of the DPC (its SMC), as required by the GDPR.

The role of the DPO in a data protection supervisory authority such as the DPC is broadly similar to the role of the DPO in any other data controller. It can involve responding to subject access requests and other queries from members of the public. The DPO also responds to queries from DPC staff members and ensures that security measures and data protection policies are relevant and up-to-date. The DPO ensures that the Record of Processing Activities is accurate and provides assistance to the DPC with Data Protection Impact Assessments. The DPO also advises on some of the DPC's wider strategic projects, such as the DPC's Accounting Officer Project.

The DPC's DPO acts as a 'critical friend' to the DPC. By identifying key data protection issues, understanding the legal matrix and the operational context, measuring risk and proactively taking proportionate action when required, the DPC's DPO not only serves the cause of data protection, but also addresses organisational-risk exposure from multiple perspectives.

In November 2019, the European Data Protection Board set up its own DPO Network to bring together the DPOs of all EU data supervisory authorities, to discuss the specific and unique aspects of the DPO role in these organisations. As a member of this network, the DPC's DPO has an opportunity to share knowledge and develop best practices with the DPOs of other data supervisory authorities with the objective of implementing a coordinated and consistent approach to compliance with the GDPR.

The DPC's DPO can be reached via [email protected].

Engagement with DPOs

The DPC is committed to engaging fully with DPOs and their teams, in recognition of their key role in ensuring that the progress made to date in implementing GDPR programmes translates into lasting organisational culture and practice. DPC staff spoke at many events for DPOs during the year and a DPC-facilitated DPO Network was developed in late 2019. Mobilising this Network is a priority for the DPC in 2020. The purpose of the Network is to foster peer-to-peer engagement and knowledge-sharing between DPOs. The first initiative being rolled out by the DPC for this Network is a DPO conference on 31 March 2020, with further initiatives such as webinars, regional events and the publication of further guidance planned.

DPO Notifications to the DPC

Article 37.7 of the GDPR states that "the controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority." In 2019, the DPC received 712 DPO notifications through the online webform on the DPC website. The table below shows the industry sectors from which notifications were made.

DPO notifications for 2019
Private | 577
Public | 49
Not-for-Profit | 86
Total in 2019 | 712

10 International Activities

International Transfers

A key focus in the area of international transfers for the Data Protection Commission is the assessment and approval of Binding Corporate Rules applications from multi-national companies. It also has an advisory role on general transfers matters; attending events and speaking engagements and meetings of the International Transfers expert subgroup of the European Data Protection Board (EDPB).

Tasks

This sub-group of the EDPB meets to consider, advise and prepare documentation on matters concerning International Transfers. Staff from the DPC attended 7 meetings of the EDPB International Transfers expert sub-group (ITES) in 2019.

Binding Corporate Rules

Binding Corporate Rules (BCR) were introduced in response to the need of organisations to have a global approach to data protection where many organisations consisted of several subsidiaries located around the globe, transferring data on a large scale. The inclusion of BCR in the GDPR further solidifies their use as an appropriate safeguard to legitimise transfers to Third Countries.

During 2019, the DPC continued to act or commenced acting as lead reviewer in relation to 19 BCR applications from 12 different companies. The DPC also assisted other European Data Protection Agencies (DPA's) by acting as co-reviewer on 5 BCRs in this period. The EDPB issued Article 64 opinions on 2 BCR applications submitted through the UK and Belgian DPAs in 2019. We expect to seek similar opinions on a number of DPC-led BCRs in the first quarter of 2020.

The procedure for approval of BCRs has changed from a system of mutual recognition under the Directive to the current system, where all BCRs must be submitted to the EDPB for an Article 64 opinion. This process means all DPAs get an opportunity to comment on all BCR applications, which results in a slightly longer co-operation procedure. This procedure will assist the EDPB in drafting its opinion if all issues are dealt with in advance of the Article 64 procedure.

Brexit

Due to the upcoming departure of the UK from the European Union, we have had contact from a number of companies enquiring about moving their lead authority for BCR purposes to the DPC. It is expected that the number of BCRs that the DPC will handle will increase in 2020, once the UK has left the EU and those companies with an ICO-approved BCR need a new lead authority.

Other International Transfer Issues

In 2019, the DPC spent a lot of time engaging with stakeholders and providing information on Brexit, particularly the impact on Irish companies transferring personal data to the UK in the event of a no-deal Brexit. The DPC participated in joint events with IBEC, Enterprise Ireland and Local Enterprise Boards to ensure that information was delivered to as many companies as possible. The main concern was that smaller companies who did not routinely transfer data to third countries could be in contravention of the GDPR if they continued to do so post-Brexit without applying the relevant safeguards to the transfer. The DPC also directly advised and participated in events within the public sector to give advice which could be used in the event of the UK becoming a third country from the point of view of data transfers.

DPC's EU Role

During 2019, the DPC continued to play a central role in safeguarding the data protection rights of millions of people across the European Economic Area (EEA).6 The DPC holds these increased responsibilities arising from the cooperation and consistency mechanisms under the GDPR.

Consistency Mechanism and EDPB

Like all other EEA data protection supervisory authorities, the DPC must ensure that we interpret, supervise and enforce the GDPR in a way that achieves consistency. The GDPR's consistency mechanism introduced several additional tasks for the EDPB and all of its members, including the DPC, to ensure that the goal of harmonisation is reached. These tasks are mainly delivered through the work of the EDPB's expert subgroups and plenary meetings, in which the DPC participates fully, given the importance of these tasks. During 2019, DPC staff members attended over 80 in-person meetings in Brussels related to EDPB activities, including those of the twelve EDPB expert subgroups:

• Borders, Travel and Law Enforcement;
• Compliance, eGovernment and Health;
• Cooperation;
• Enforcement;
• Financial Matters;
• Fining Taskforce;
• International Transfers;
• IT Users;
• Key Provisions;
• Social Media;
• Strategic Advisory; and
• Technology.

DPC staff members have contributed extensively to the development of guidelines and opinions across all of the EDPB expert subgroups during 2019. The DPC is the co-ordinator of the Social Media expert subgroup and was co-rapporteur of that subgroup's work on regulatory priorities relating to the processing of personal data by social media companies, in the past year.

During 2019, the DPC hosted counterparts from the UK, Iceland, the Netherlands, Luxembourg and Sweden, and visited colleagues in the UK, Germany and Belgium. These bilateral discussions and exchange of experiences have been very valuable towards ensuring consistency. These meetings will continue in 2020.

European Data Protection Supervisory Bodies

During 2019, the DPC continued to actively participate in the work programmes of the European Supervisory Bodies for large-scale EU IT systems such as Europol, Eurodac, Eurojust, the Customs Information System (CIS) and the Internal Market Information (IMI) system. In addition, we continued to participate as observers to the coordinated supervision of the Schengen and Visa Information Systems (SIS II and VIS).

With regard to SIS II, during the course of 2019, the DPC continued to work alongside An Garda Síochána and the Department of Justice & Equality in relation to Ireland's imminent participation in certain non-border aspects of the Schengen acquis and connection to SIS II. The work programme to progress Ireland's participation will continue in 2020.

Other European Engagement

Representatives of the DPC spoke at conferences and events in many EEA Member States during 2019, including Belgium, Germany, France, the UK and Slovenia. Several DPC members of staff participated in the annual case-handling workshop for European data protection supervisory authorities, from both EEA and non-EEA countries, which was hosted by the European Data Protection Supervisor (EDPS) in Brussels in November. We were also very pleased to host a colleague from the Rhineland-Palatinate supervisory authority, who spent a week at the DPC in October.

In December 2019, the DPC signed up to a two-year programme in collaboration with our Croatian counterparts and Vrije University Belgium, mainly funded by the EU Commission. The aim of the programme is to increase the awareness, knowledge and understanding of Small-Medium Enterprises (SMEs) in Europe, on the principles of data protection, so that their future compliance levels are strengthened. The programme will start in early 2020.

International Engagement

The DPC engages with supervisory authorities, international organisations and legislators from outside of the EU, to share information on the DPC's practices and experiences. This engagement helps to ensure that our own regulatory approach is understood, and it also helps us to understand the differences in regulatory approach in other countries, including in how this affects people and organisations.

The Commissioner appeared before the US Senate Committee on Commerce, Science and Transportation in May, as part of the Committee's examination of consumer expectations on data privacy. She also appeared before the International Grand Committee on Disinformation and 'Fake News' at its hearing held in Dublin in November, attended by parliamentarians from ten countries. The DPC hosted delegations throughout the year from countries including Australia, New Zealand and the United States, amongst others.

Also as part of this activity, senior DPC staff attended the International Conference of Data Protection and Privacy Commissioners (ICDPPC) in Tirana, Albania, which took place in October. The ICDPPC is a global forum for data protection authorities to share knowledge and insights. Following the conference, the name of the ICDPPC forum was changed to the Global Privacy Assembly (GPA). The DPC also attended the meeting of the British Isles and Islands Data Protection Authorities (BIIDPA) in Jersey in June 2019. The DPC will host the next BIIDPA annual conference in Dublin in June 2020.

6 The European Economic Area includes all European Union (EU) member states and Iceland, Liechtenstein and Norway.


11 Processing of Children’s Personal Data and the Rights of Children as Data Subjects under GDPR

Background

In 2018, the DPC launched an initiative as part of the DPC's obligation under the GDPR to promote awareness and understanding of issues concerning the processing of children's personal data, the specific standards required for the protection of children's personal data, and the rights of children as data subjects. Following exploratory work in early 2018, it became clear that the significance attributed to children under the GDPR meant that a special consultation to gather the views of all relevant stakeholders, most importantly children themselves, was required.

Launch of the consultation

The DPC's public consultation on the processing of children's personal data and the rights of children as data subjects under the GDPR ran from December 2018 to April 2019. It focussed on several questions that the DPC wished to put to the public on the interpretation of key provisions in the GDPR in relation to children.

The consultation was divided into two streams:

• Stream 1, launched in December 2018, targeted adult stakeholders and invited all interested parties — including parents, educators, children's rights organisations, and others — to submit their responses to any or all of the 16 questions set out in the consultation document that was published on the DPC's website.
• Stream 2 was launched on International Data Protection Day (28 January 2019) and sought to involve children and young people directly in the classroom through an innovative and specially designed lesson plan and consultation process.

The DPC reached out to every primary and post-primary school in Ireland — as well as all Youthreach centres — informing them of the consultation and inviting them to take part. The DPC distributed a pack of lesson plan materials that had previously been tested, with the support of the Ombudsman for Children's Office (OCO), in a series of pilot workshops in October 2018. The lesson plan was designed to help teachers discuss data protection issues with their students and had a particular focus on data protection in the context of social media. It introduced students to "SquadShare", a fictitious app created by the DPC for educational purposes, and encouraged them to explore their data protection rights while learning about the terms and conditions of this fictitious app. Students were then invited to give their answers to a series of six questions on feedback posters and return them to the DPC via email and post.

Feedback and preliminary reports

In total, the DPC received 30 submissions from adult stakeholders including technology and social media companies, children's rights charities, public sector bodies, academia and trade associations. Stream 2 of the consultation gathered the views of approximately 1,200 children and young people across Ireland. It was very encouraging to see both streams of the consultation generate such a high level of interest. Adult stakeholders were well represented across all sectors and children were well represented across all age groups, which were also very positive developments.

The DPC spent several months following the close of the consultation analysing the submissions of all respondents. Two preliminary reports, each focusing on a separate stream of the consultation, were published in July and September 2019 (called "Some Stuff You Just Want to Keep Private!" and "Whose Rights Are They Anyway?"). Each report presented qualitative and quantitative trends observed across all responses to the consultation and the DPC's interpretation of these results. The consultation has to date received considerable praise and recognition. It was cited by the ICDPPC Digital Education Working Group (DEWG) as a core international initiative under the DEWG's Action Plan for "Awareness-raising on the exercise of digital rights by the children themselves". It was also shortlisted as one of two finalists in the Education and Public Awareness category of the 2019 ICDPPC Awards for its child-focused consultation initiative.

Next steps

The DPC is now finalising its guidance document on children's data protection rights and the processing of children's data. This is intended to be a guide for data controllers and interested parties on how to address the issues highlighted in the DPC's consultation, taking into account the feedback from participants. Specifically, this guidance will shed light on the following questions:

• How and when should children be able to exercise their data protection rights for themselves and the role of parents or guardians in this regard?
• What information should be given to children about the use of their personal data?
• How the age of digital consent should be implemented for processing based on consent?
• Under what circumstances is the profiling of children for advertising or marketing purposes permissible?

The DPC plans to publish this guidance in early 2020 and will run a further public consultation on this document to take account of the views of stakeholders before finalising it.

In tandem with the guidance, the DPC will be publishing a separate child-friendly guide which will explain to children their rights under data protection law and the risks that may arise when they disclose their personal data online.

Finally, the DPC will also work with industry, government and voluntary sector stakeholders and their representative bodies on foot of the consultation to encourage the drawing up of codes of conduct in relation to the processing of children's personal data, as per Section 32 of the Data Protection Act 2018. Working towards the development of codes of conduct in this area is a priority for the DPC in 2020.

12 Communications

Direct Engagement

The DPC continued an active outreach schedule during 2019 engaging with a broad base of Irish and international stakeholders. The Commissioner and her staff spoke, presented or otherwise contributed at events on over 180 occasions during the year. For example:

National:

Parliamentary Committees (Oireachtas):
• Committee of Public Accounts;
• Joint Committee on Justice and Equality;
• Joint Committee on Communications, Climate Action and Environment; and
• International Grand Committee on Disinformation and Fake News.*

• Taking Care of Business 2019;
• Digital Summit 2019;
• Early Childhood Ireland Annual Conference;
• Research report launch of 'Falling Through the Cracks';
• PDP 2019 Annual Data Protection Conference;
• National Association of Principals and Deputy Principals Data Protection Seminar;
• IIEA Young Professionals' Network;
• NSSO Annual Conference; and
• UCD Student Legal Convention 2019.

International:
• United States Senate Committee on Commerce, Science and Transportation;
• International Association of Privacy Professionals Conference;
• Sooner than you think — A Bloomberg technology series;
• AmCham 7th Annual Transatlantic Digital Economy Summit Washington DC;
• Technology Law Committee of the International Bar Association — 6th Biennial Technology Law Conference;
• The Eurofi Financial Forum 2019; and
• IAPP Congress Brussels.

* Not an Oireachtas committee, an interparliamentary committee to which the Oireachtas sends delegates. Hosted by the Oireachtas on 7 November.

Media engagement

The profile of, and the media interest in, the DPC continued to grow at both national and international level during 2019. Domestically, the Commissioner and other senior staff appeared on national television and regional radio and contributed to print and digital media throughout the year. Much of the media engagement emanated from investigations, e.g. the publishing of the DPC's report into the Public Services Card investigation in August. On other occasions, the DPC engaged in interviews to talk through practical issues that were of public concern/interest such as taking photographs at school events, and there was also significant media attention around the DPC's appearances at various Oireachtas Committee hearings throughout the year.

On the international front, the Commissioner and DPC staff engaged regularly with a wide range of media outlets, including Bloomberg, BBC, CNN, Politico, the Wall Street Journal, the New York Times and the Financial Times, to name a few. A large amount of this engagement focussed on the operation of the One Stop Shop and statutory inquiries that the DPC has open into multinational technology companies, as well as dealing with breaches and issues that arose in the tech sector during the year. There was also significant international media attention surrounding the DPC's attendance at a US Senate Committee hearing in May 2019.

Guidance, blogs and podcasts

The DPC continued to update, produce and disseminate comprehensive guidance on a wide variety of topics in the form of podcasts, blogs, and formal guidance, for both the public and organisations, to raise awareness of data protection law and its various rights and obligations. In total the DPC published 33 guidance documents, 18 blogs and released 8 podcasts in 2019. This guidance covered general topics, as well as providing more detailed guidance on certain topical or complex issues.

Some of the topics on which the DPC produced guidance during 2019 included:

• the basics of data protection;
• guidance regarding requesting personal data from prospective tenants;
• guidance for both organisations and individuals on the use of CCTV;
• FAQ for individuals on access requests; and
• guidance on the principles of data protection.

Under the GDPR mandatory breach notification regime, receiving, analysing, and acting on breach notifications has been a significant area of growth for the DPC. In light of that, the DPC produced both a 'quick guide' to breach notification obligations and a more detailed 'practical guide' which provided further practical guidance based on the experiences of the DPC and controllers following the first year of the GDPR.

The DPC also continued to both produce and update technical guidance, focusing mainly on online and digital security, as well as the data protection implications of new and emerging technologies. The DPC published security-focused guidance on phishing and social engineering attacks, portable storage devices, and cloud service providers, as well as a guide to common online risks which individuals may encounter.

In light of developments regarding the UK's planned withdrawal from the EU, the DPC published guidance on international transfers of personal data in the case of a 'No Deal' Brexit scenario and a Brexit FAQ, as well as updating our general guidance on transfers of personal data to third countries or international organisations.

The production and dissemination of podcasts and blogs were a key element of the DPC's external communications strategy for 2019, with a regular podcast 'Know Your Data', as well as a series of myth-busting and topical blogs, shedding light on areas of interest to the general public, as well as highlighting relevant guidance published by the DPC. Topics covered included:

• Does the GDPR Really Say That?;
• Taking photos at school events;
• Video surveillance in the home;
• What to do if you find personal data in a public place?;
• Representing account-holders; and
• Christmas myth-busting blog.

EDPB Guidance

The DPC also worked closely with our fellow data protection authorities through the EDPB to produce guidance documents on EU data protection law. During 2019, the EDPB published guidelines and draft guidelines on topics including:

• Codes of Conduct and monitoring bodies;
• Video devices;
• Data protection by design and by default; and
• The right to be forgotten and search engines.

Links to EDPB guidelines and publications are also available on the DPC website.

Social media

The DPC has continued to utilise social media in support of its awareness-raising and communications activities. In 2019, the DPC continued to grow its social media activities across Twitter, Instagram and LinkedIn. Our combined followers across the three platforms has more than doubled, exceeding 20,000 by the end of 2019. There was an organic reach of almost 3.3 million, reaching hundreds of thousands of accounts each month.

The DPC has continued to enhance its engagement on social media through producing visually impactful infographics, videos and gifs, which have been effective tools in disseminating guidance and supporting the DPC's awareness-raising activities.

DPC Website

The DPC website, www.dataprotection.ie, is an important resource for individuals and organisations. The DPC's webforms provide website users with a convenient means of submitting complaints, breach notifications, and general queries directly to the DPC. In addition to press releases and statements, guidance, blogs and podcasts on topical issues of relevance to our stakeholders were published frequently throughout 2019.

13 Key DPC Projects

Regulatory Strategy 2020–2025

Work on the DPC's new Regulatory Strategy, for the period from 2020 to 2025, continued during 2019. This project is an opportunity to re-examine how our work could have the biggest impact possible within the resources we have available to us, taking account of the greatest risks to people's rights. It also ensures we consider how we can best set ourselves up to deliver that impact over the next five years even while our regulatory environment continues to change, from the point of view of changes in society, technology, law and the EU.

As part of our analysis of the context in which we regulate, we commenced two main consultation initiatives during 2019. The first consultation exercise was run in July 2019 and involved a series of focus groups with members of the public. The purpose of these focus groups was to understand people's views on:

• data protection rights;
• the role of the DPC;
• how compliance with data protection law should be encouraged, facilitated and maximised;
• how non-compliance should be regulated.

The key output from this first consultation was a document on the DPC's Target Outcomes. This document focuses on the target outcomes to which we aspire and how the DPC's activities help to achieve those outcomes.

The second key consultation exercise during 2019 was the open public consultation on the DPC's Target Outcomes, which commenced in December and ran until the end of January 2020. The submissions received are now being analysed as part of the development of the draft Regulatory Strategy itself. The draft will then be subject to a further open public consultation during 2020. We may also consult directly with representative bodies, advocacy groups and other organisations.

In line with our Public Sector Equality and Human Rights Duty, our Regulatory Strategy will set out, in a manner accessible to the public, human rights and equality issues which are relevant to the work of the DPC and our proposed plans to address these issues.

A Strategy Implementation and Measurement Plan will also be published, later in 2020, which will set out how the strategic priorities will be implemented through key projects and initiatives. This Plan will also set out how the impact on our target outcomes will be measured.

DPC Accounting Officer

Up to and including 2019, the DPC's funding has been included within the budget of the Department of Justice and Equality (DJE), with that budget being voted on each year by the Dáil; that is, the DPC has been included in the DJE's Vote until now. The Accounting Officer remit of the Secretary General of the DJE has therefore included the DPC's expenditure to date, in terms of holding accountability for the regularity and propriety of expenditure in the DJE's Vote, for economy and efficiency in the use of resources, and for the systems, procedures and practices used to evaluate the effectiveness of operations.

The Data Protection Act 2018 included a change to this structure. Under Section 25 of the 2018 Act, which was commenced with effect from 1 January 2020, the Commissioner, or the Chairperson of the Commission, is now the Accounting Officer for the DPC's expenditure. The DPC now manages its own expenditure directly and DPC funding has been moved from the DJE's Vote into the DPC's own separate Vote (Vote 44) to enable this direct control and accountability.

In preparation for this change of status, the DPC formed an Accounting Officer project team during 2019, with responsibility to prepare and implement the changes that were needed for the DPC to take on this control and accountability directly. These were mainly in the areas of Finance, Governance, Procurement and Corporate Services, and we worked with counterparts from those areas in the Department in defining and implementing the changes. We also engaged with the Department of Public Expenditure and Reform (DPER) and the National Shared Services Office (NSSO) on the changes.

A key output of the project has been the DPC's Corporate Governance Framework which sets out the DPC's governance arrangements, including the establishment of the DPC's new Audit and Risk Committee. The extended and additional activities that our supporting corporate functions must now provide mean that the DPC is incurring additional pay and non-pay costs from 2020 onwards, so that the DPC can discharge its accounting officer obligations fully.

Phase 2 of the Accounting Officer changes will continue during 2020, mainly linked to the HR and Payroll impact.

Operational Change Programme

During 2019, our operational change programme included several initiatives and improvements that were focused on the DPC's internal procedures, processes, systems and management information, for example:

• our ongoing refinement of internal standard procedures, to take account of our case volumes, organisational expansion and further clarifications of our powers under the 2018 Act;
• adopting some practical improvements and work-arounds in the EU Internal Markets Information (IMI) system to manage information-sharing with other EDPB data protection supervisory authorities;
• increasing our use of management information and key statistics, and using them to inform organisational changes, process improvements and operational priorities;
• improving the webforms on the DPC website to increase their usability, with further improvements planned for early 2020; and
• reinforcing our existing case management tools to support management information needs and to better serve our growing staff numbers.

All of these initiatives have been key building blocks towards ensuring that the DPC derives the maximum benefits possible from our new Case Management System, on which we will begin phased implementation during 2020.

14 Corporate Affairs

Corporate Governance — Code of Practice for the Governance of State Bodies

The DPC is an independent body established under the Data Protection Act 2018, and its statutory governance requirements are set out in that Act. The DPC applies high standards of corporate governance and works to ensure that it follows the requirements set out for all public-sector bodies in the Code of Practice for the Governance of State Bodies (2016), having regard to the DPC's specific statutory governance structure.

As part of the requirements of the Code of Practice, the DPC has a Corporate Governance Assurance Agreement in place with the Department of Justice and Equality (DJE). This Agreement sets out the broad corporate governance framework within which the DPC operates, and defines key roles and responsibilities that underpin the relationship between the DPC and the DJE. As the DPC is independent in the performance of its functions under the provisions of the GDPR and the Data Protection Act 2018, it is not subject to a Performance Delivery Agreement with the Department of Justice and Equality.

In accordance with the Code of Practice for the Governance of State Bodies, the DPC is required to produce an annual Statement on Internal Control. The DPC's Statement covering 2019 is set out at Appendix IV.

From 1 January 2020, the DPC will follow the requirements under the Corporate Governance Standard for the Civil Service (2015) and work began in 2019 on the development of the Data Protection Commission's Corporate Governance Framework.

DPC Funding and Staffing

The funding of the DPC by government has increased year-on-year from €1.7 million in 2013 to €15.2 million in 2019 (comprising €8.9 million in pay and €6.3 million non-pay allocation). The increased funding for 2019 enabled the DPC to continue to grow its staff complement, from 110 at the start of 2019 to 140 at year-end.

The DPC engaged with the Public Appointments Service to recruit staff through the following competitions in 2019:

• Principal Officer — Head of Regulatory Activity
• Principal Officer — Head of Corporate Affairs, Media and Communications
• Assistant Principal Officer — Senior Regulatory Lawyer
• Higher Executive Officer — Business Systems Analyst
• Higher Executive Officer — Legal Researcher

As a result of these recruitment campaigns, the DPC has increased its resources and expertise in key areas. Further recruitment of staff with a wide range of specialisms in 2020 is a priority for the DPC.

Risk Management

The Risk Management Policy of the DPC outlines its approach to risk management and the roles and responsibilities of the Senior Management Committee (SMC), heads of areas, as well as managers and staff. The policy also outlines the key aspects of the risk-management process, and how the DPC determines and records risks to the organisation. The DPC implements procedures outlined in its risk-management policy and maintains a risk register in line with Department of Finance guidelines. This includes carrying out an appropriate assessment of the DPC's principal risks, which involves describing the risk and associated measures or strategies to effectively control and mitigate these risks. The risk register is reviewed by members of the SMC on a regular basis.

Reflecting the key priorities of the DPC, the main risks managed by the office during 2019 were as follows:

• building organisational capacity to meet the enhanced functions of the organisation under the GDPR and national legislation. This included the development of the expertise of the DPC's staff as well as continued recruitment of new staff with legal, specialist investigatory, and information technology skillsets;
• the identification of suitable accommodation to meet the requirements of the DPC as a growing organisation;
• ensuring ongoing effective integration and consolidation of effective and efficient regulatory structures, business processes and functions across the DPC as it implements new and enhanced supervisory functions and responsibilities set out in the GDPR, LED and Data Protection Act 2018; and
• putting in place business processes and policies to directly manage functions such as financial, payroll, HR, ICT, and internal audit in preparation for the DPC transitioning to becoming its own Accounting Officer from 1 January 2020.

Official Languages Act

The DPC's fourth Irish Language Scheme under the Official Languages Act 2003 commenced with effect from 1 November 2017 and remains in effect until October 2020. The DPC continues to provide Irish language services as per our Customer Charter and Irish language information via its website.

Public Sector Human Rights and Equality Duty

The DPC seeks to meet its obligations under Section 42 of the Irish Human Rights and Equality Commission Act 2014 and has put in place measures to ensure that consideration is given to human rights and equality in the development of policies, procedures and engagement with stakeholders in fulfilling its mandate to protect the EU fundamental right to data protection.

The Public Sector Equality and Human Rights Duty is referenced in the DPC's Strategy Statement for 2019 and its budget submission for 2020 funding. The Public Sector Equality and Human Rights Duty was reflected upon in the drafting of the public consultation on the DPC's Regulatory Strategy 2020–2025 — Consultation on Target Outcomes.

The DPC has developed and implemented a number of ways in which to communicate with stakeholders, both on an individual basis and in the provision of guidance in an accessible manner. The DPC website content along with other published information is designed with regard to the principles of plain English, and the DPC has also published audio resources. The DPC's commitment to the principles of plain English has been recognised with a 'highly commended' award at the NALA Plain English Awards. The website is designed with regard to compliance with accessibility principles including Website Accessibility Initiative (WAI), Web Content Accessibility Guidelines 2.0 AAA, and ARIA standards. The DPC also operates a helpdesk to facilitate customers.

The DPC has an Accessibility Officer who acts as liaison for the customer and the relevant section of the organisation.

Freedom of Information

The DPC has been partially subject to the Freedom of Information (FOI) Act 2014 since 14 April 2015 in respect of records relating to the general administration of the Office only. Information on making a request under FOI is available on the DPC's website. A disclosure log for all non-personal information requests under the FOI Act is available under our FOI Publication Scheme on the website.

During 2019, the DPC received a total of 46 requests under the FOI Act. Of these, 33 were deemed to be out of scope on the basis that they related to records held by the DPC other than those relating to the general administration of the office. A summary of the FOI requests received by the DPC during 2019 is included in the table below. No cases were appealed to the Office of the Information Commissioner.

Request by type                          | Category total | Outcome
Administrative Issues                    | 9              | 6 granted; 1 partially granted; 2 dealt with outside of FOI
Matters outside the scope of the Acts    | 37             | 33 out of scope; 4 withdrawn

In relation to the European Communities (Access to Information on the Environment) Regulation 2007, S.I. No. 133 of 2007, the DPC received no requests in 2019.

Energy Report 2019 — Overview of Usage

The DPC participates in the SEAI online system for the purpose of reporting its energy usage in compliance with the European Communities (Energy End-use Efficiency and Energy Services) Regulations 2009 (S.I. No. 542 of 2009).

21 Fitzwilliam Square
The head office of the DPC is located at 21 Fitzwilliam Square, Dublin 2. Energy consumption for the office is electricity for lighting and equipment usage, and natural gas for heating. 21 Fitzwilliam Square is a protected building and is therefore exempt from the energy rating system.

Dublin Satellite Office
The DPC currently maintains additional office space in Dublin to accommodate the increase in staff numbers. This office was sourced by the OPW and the DPC took occupancy in October 2018. This office will be maintained until a new permanent head office is ready to facilitate the DPC's Dublin-based staff and operations. The office is 828 sq. metres in size. Energy consumption for the office is solely electricity, which is used for heating, lighting and equipment usage.

Portarlington
The Portarlington office of the DPC has an area of 444 sq. metres and is located on the upper floor of a two-storey building, built in 2006. Energy consumption for the building is solely electricity, which is used for heating, lighting and equipment usage.

The energy ratings for the Dublin satellite office and the Portarlington office are C1 and B2.

The energy usage for the offices in 2018 (last validated SEAI figures available) is as follows:

              | Portarlington | Dublin Satellite Office | Fitzwilliam Sq.
Electrical    | 14,687 kWh*   | 40,102 kWh              | 88,440 kWh
Natural Gas   | -             | -                       | 51,308 kWh

Overview of Environmental Policy / Sustainability Initiatives Statement for the Organisation

The Data Protection Commission is committed to operating in line with Government of Ireland environmental and sustainability policies.

Outline of environmental sustainability policies

Reduction of Waste Generated
• DPC policy is to securely shred all waste paper. Consoles are provided at multiple locations throughout the offices. Shredded paper is recycled.
• Catering contracts stipulate the exclusion of single use plastics.

Maximisation of Recycling
• DPC provides General Waste and Recycling bins at stations throughout the offices.

Sustainable Procurement
• DPC procurements and processes are fully compliant with Sustainable Procurement.

Actions Undertaken 2019
• Green Committee 2019 established.
• Purchase of single use plastics ceased since January 2019.
• DPC uses a default printer setting to print documents double-sided.
• DPC has also introduced dual monitors for staff to reduce the need to print documents to review/compare against other documentation during casework.
• New tender competition run for bin collection services to include a compost bin service for Portarlington and Fitzwilliam Square.
• Replacement of fluorescent lighting with LED bulbs in the Portarlington office as units fail or require replacement.
• Sensor lighting in use in one office (Satellite).
• Review of heating system in one office underway (Fitzwilliam Square).
• Reduction of approx. 10% in lighting costs at Fitzwilliam Square following DSE Environmental testing and removal of lights.

Appendices

Appendix 1: Court of Justice of the European Union (CJEU) Case Law

There were a number of significant judgments delivered by the CJEU during 2019 which concerned the interpretation of EU law as it relates to data protection. Key aspects of these judgments, insofar as they relate to issues of data protection, are summarised below.

TK v Asociaţia de Proprietari bloc M5A-Scara A (Case C-708/18)

Key issues: video surveillance system in a private property, legal basis, consent, legitimate interest, proportionality. This case was considered under the (now repealed) Data Protection Directive (Directive 95/46/EC).

Facts
This case relates to the lawful basis of a video surveillance system installed in the common areas of an apartment building in Romania. As there had been burglaries and thefts in several apartments and the common areas of the apartment building, and the lift had been vandalised on many occasions, the association of co-owners of the building decided to install a video surveillance system in order to monitor who entered and left the building. Romanian law provided for this possibility. Measures which were taken previously, namely the installation of an intercom/magnetic card entry system, had not prevented repeat offences of the same nature being committed. On foot of this, the owner of one apartment in the building sought an injunction order for the removal of this video surveillance system, arguing an infringement of his right to respect for private life and a breach of Romanian law. By way of preliminary reference to the CJEU, the Regional Court of Bucharest asked a number of questions referring to the underlying Romanian law and queried whether the installation of a video surveillance system in the common areas of a residential building for the purposes of pursuing the legitimate interests of ensuring the safety and protection of individuals and property is proportionate or, alternatively, whether individuals' consent is necessary for such data processing.

Judgment
The CJEU's decision was delivered on 11 December 2019. Referring to previous decisions, the CJEU reiterated that Member States cannot add new principles relating to the lawfulness of the processing of personal data or impose additional requirements other than those already set out in the Data Protection Directive. The CJEU held that the processing of personal data in the context of a video surveillance system must comply, first, with the principles relating to data quality (Article 6 of Directive 95/46 (Data Protection Directive)) and, secondly, with one of the criteria to legitimise data processing (as listed in Article 7 of the Data Protection Directive). The CJEU noted that Article 7 sets out an exhaustive and restrictive list of six bases pursuant to which the processing of personal data may be regarded as being lawful. One of these bases is pursuant to the legitimate interests of the controller or a third party (Article 7(f)). The CJEU opined that in order to rely on legitimate interests to legitimise data processing, three cumulative conditions must be satisfied. The first condition is that the legitimate interests pursued by the controller must be present and effective at the time of the data processing. Secondly, there must be a need to process personal data for the purpose of the legitimate interests pursued. This need must be interpreted strictly; in other words, the purpose cannot reasonably be as effectively achieved by other means which are less restrictive of the fundamental rights and freedoms of data subjects. Thirdly, because under Article 7(f) the rights of a data subject may override the legitimate interests pursued by the controller, this condition necessitates a balancing of the opposing rights and interests concerned, which depends on the individual circumstances. In the context of processing of data from non-public sources, it is essential to assess the seriousness of the infringements of a data subject's rights, taking account of, among other things, the nature of the personal data at issue (such as the potentially sensitive nature of those data), the nature and specific methods of processing of the data (such as the number of persons having access to those data and the methods of accessing them), and the data subject's reasonable expectations that his or her personal data will not be processed. The CJEU said that in the present case, those factors must be balanced against the importance of the legitimate interests pursued by the co-owners of the apartment building in relation to the video surveillance system, insofar as this video installation system seeks to ensure that the property, health and life of those co-owners are protected.

The Court also confirmed that a data subject's consent is not required when processing of personal data occurs pursuant to the legitimate interests of a controller or third party in this context.

The CJEU concluded that provisions of Romanian law which authorise the installation of a video surveillance system in the common areas of a residential building for the purpose of pursuing the legitimate interests of ensuring the safety and protection of individuals and property were not therefore precluded by the Data Protection Directive, as long as the processing by the video surveillance system fulfilled the conditions laid down in Article 7(f). It was for the referring Court to make this assessment.

Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v Planet49 GmbH (Case C-673/17)

Key issues: cookie consent, pre-ticked checkboxes. This case was considered under both the (now repealed) Data Protection Directive (Directive 95/46/EC) and the GDPR, as well as in relation to Directive 2002/58, as amended by Directive 2009/136 (E-Privacy Directive).

Facts
The German Federation of Consumer Organisations (Verbraucherzentrale Bundesverband eV) sought an injunction against an online gaming company, Planet49 GmbH, ordering it to refrain from using a pre-ticked checkbox to gather users' consent to the storage of, or access to, information in the form of cookies installed on those users' terminal equipment. Planet49 organised a promotional lottery in which participants were required to enter their names and addresses on a web page registration form. The form contained two statements of agreement; one of the statements included a pre-ticked box and the other did not. The pre-ticked statement sought to affirm the participants' agreement to the placement of cookies. The cookies placed on the participants' terminal equipment were linked to the names and addresses of the participants provided in the registration form; thus the pre-ticked statement was intended to authorise the processing of personal data rather than anonymous data.

The matter came before the German Federal Court, which decided to stay the proceedings and to refer a number of questions to the CJEU for a preliminary ruling concerning the requirement in Article 5(3) of Directive 2002/58, as amended by Directive 2009/136 (E-Privacy Directive), that users must provide their consent for the storage of, and access to, information in the form of cookies on their terminal equipment.

Judgment
The CJEU's decision was delivered on 1 October 2019. While the preliminary reference was made before the GDPR came into force, the judgment of the CJEU was delivered after the GDPR came into force. The German Federation of Consumer Organisations had also sought an order in the German Courts that Planet49 refrain from future action. The CJEU determined first that the questions referred must be answered having regard to both the Data Protection Directive and the GDPR.

On the issue of the validity of the consent to the cookies, the CJEU noted that the E-Privacy Directive defines 'consent' as corresponding to the definition in the Data Protection Directive; however, the GDPR had repealed the Data Protection Directive and provided that references to that Directive must be construed as references to the GDPR. The CJEU decided that only active behaviour can fulfil the requirement of consent. First, the CJEU relied on the requirement that consent must be 'unambiguously given' (Article 7(a) of the Data Protection Directive), reasoning that only active behaviour can dispel ambiguity. Second, the CJEU considered that consent cannot be presumed but must be the result of active behaviour. The CJEU considered that the requirement of active behaviour is also confirmed by the GDPR and noted that the definition of consent is even more stringent in the GDPR than it is in the Data Protection Directive, on the basis that the GDPR's recitals expressly require active consent and expressly exclude the possibility of using pre-ticked boxes for the collection of valid consent. Applying this definition of consent, the CJEU held that consent is not valid if cookies are permitted to be placed by way of a pre-checked checkbox which the user must de-select to refuse consent.

The CJEU also considered whether the E-Privacy Directive should be interpreted differently according to whether the information stored or accessed in terminal equipment is personal data or non-personal data. The cookies that Planet49 used were linked to the names and addresses of the participants in the promotional lottery, and thus their storage constituted the processing of personal data. The CJEU noted, however, that Article 5(3) of the E-Privacy Directive applies to information stored in terminal equipment regardless of whether or not it is personal data.

The CJEU also considered the scope of the information that must be provided to users in light of the requirement in Article 5(3) of the E-Privacy Directive that those users must be provided with clear and comprehensive information prior to providing consent. The Court stated that the user must be in a position to easily determine the consequences of any consent that the user may provide and to understand the functioning of the cookies employed. Additionally, the information that must be provided to users includes the duration of the operation of the cookies and whether or not third parties may have access to the cookies.

GC and Others v Commission Nationale de l'Informatique et des Libertés (CNIL) (Déréférencement de données sensibles) (Case C-136/17)

Key issues: right to be forgotten, de-referencing, obligations on operators of a search engine, special categories of personal data, information on criminal proceedings. This case was considered under both the (now repealed) Data Protection Directive (Directive 95/46/EC) and the GDPR.

Facts
As an operator of a search engine, Google refused to accede to the requests of four individuals (a local politician; a former public relations officer of the Church of Scientology; a person questioned in the context of a judicial investigation into political funding; and a person previously convicted of sexual offences against children) to de-reference various links to third-party web pages (including press articles) in the list of results displayed by Google in response to searches against their names. Those individuals complained to the French Data Protection Authority (CNIL), which refused to serve formal notices on Google to carry out the de-referencing requested. The case was brought by the four affected individuals before the Conseil d'État (French Administrative Supreme Court), and the Conseil d'État asked the CJEU to clarify the obligations of an operator of a search engine when handling requests for de-referencing under the Data Protection Directive.

Judgment
The CJEU's decision was delivered on 24 September 2019. The CJEU determined firstly that the questions referred must be answered having regard to both the Data Protection Directive and the GDPR.

The first issue before the CJEU was whether the prohibition and restrictions on processing special categories of personal data, such as those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life, and data relating to offences, criminal convictions or security measures, also apply to operators of a search engine. The CJEU held that the prohibition and restrictions relating to the processing of special categories of data apply to operators of a search engine in the same way as to any other data controller. However, the Court reiterated its decision in Google Spain, C‑131/12, and noted that the operator of a search engine is only responsible for the reference to a third-party web page. Thus, the prohibition and restrictions relating to the processing of special categories of data apply to the operator of a search engine in the context of any request for de-referencing received from a data subject.

In relation to the issue of a request for de-referencing relating to special categories of data, the CJEU stated that, when the operator of a search engine receives such a request, it is in principle required, subject to certain exceptions, to accede to that request. However, the operator may refuse a request for de-referencing if it establishes that the relevant links lead to data which are manifestly made public by the data subject. In any event, the operator must ascertain whether the inclusion of the link to a web page on which special categories of data are published, in the list of results displayed following a search of that data subject's name, is strictly necessary for protecting the freedom of information of internet users who may be interested in accessing that web page by means of such a search. The CJEU pointed out that a balancing test between, on the one hand, the data subject's rights to privacy and the protection of personal data and, on the other, the freedom of information of internet users, is necessary based on the specific circumstances of each request and considering the nature of the information in question and its sensitivity in the context of that data subject's private life, as well as the interest of the public in having that information. The CJEU noted that the interest of the public may vary according to the role played by the data subject in public life.

In the specific context of a request for de-referencing of data relating to criminal proceedings brought against the data subject, where that information is now out of date relative to the developments in the proceedings, the CJEU held that, based on the circumstances of the request, the operator of a search engine must assess whether, at the time of the request, the data subject has the right to the information in question no longer being linked with the data subject's name by a list of results displayed following a search of his/her name. Even in this case, the operator must apply a balancing test between a data subject's rights to privacy and the protection of personal data and the freedom of information of internet users. However, whenever the inclusion of the link in question is strictly necessary, the operator of a search engine is required to adjust the list of results in such a way that the overall picture it gives the internet user reflects the current legal position, which means, in particular, that links to web pages containing information in this respect must appear in first place on the list.

Google LLC, successor in law to Google Inc. v Commission Nationale de l’Informatique et des Libertés (CNIL), (Case C-507/17)

Key issues: right to be forgotten, right to de-referencing, obligations of operators of a search engine, removal of the links in all, or only European, domain name extensions. This case was considered under both the (now repealed) Data Protection Directive (Directive 95/46/EC) and the GDPR.

Facts
In 2015 the French Data Protection Authority (CNIL) served formal notice on Google to the effect that, when granting a request from a natural person for links to web pages to be removed from the list of results displayed following a search conducted on the basis of that person's name, Google must apply that removal to all its search engine's domain name extensions. Google refused to comply with that formal notice, but rather only removed the links in question from the results displayed following searches conducted in the domain name extensions corresponding to the versions of its search engine in EU Member States.

In 2016, after finding that Google had failed to comply with that formal notice within the prescribed period, the CNIL imposed a penalty on Google. Google lodged an application with the Conseil d'État (French Administrative Supreme Court) for the annulment of that penalty. By way of a preliminary reference, the Conseil d'État referred certain questions to the CJEU in this context for consideration.

Judgment
The CJEU's decision was delivered on 24 September 2019. The CJEU determined firstly that the questions referred must be answered having regard to both the Data Protection Directive and the GDPR.

On the issue of the territorial scope of the right to de-referencing, and reiterating the principles of the right to de-referencing as affirmed previously in the decision Google Spain C‑131/12, the CJEU considered that the operator of a search engine is required to carry out the de-referencing only on those versions of the search engine corresponding to Member States. In order to ensure a consistent and high level of protection throughout the EU, the CJEU held that the operator must carry out the requested de-referencing not only on the version of the search engine corresponding to the Member State of residence of the person benefitting from that de-referencing, but on the versions of the search engine corresponding to all of the EU Member States.

The CJEU also emphasised that although EU law does not require the operator of a search engine to carry out the requested de-referencing on all the search engine's domain name extensions, it does not prohibit such a practice. Accordingly, the Court opined that, in light of the fact that the interest of the public in accessing information may vary from Member State to Member State (for example, pursuant to derogations available in the Data Protection Directive and the GDPR), a supervisory or judicial authority of a Member State remains competent to consider a data subject's right to privacy and the protection of personal data concerning him or her and the right to freedom of information in light of national standards of protection for those rights. As such, a supervisory or judicial authority could order, where appropriate, the operator to carry out a de-referencing request in relation to all versions of that search engine.

Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV (Case C-40/17)

Key issues: social plugins, controllership, legitimate interests, consent, duty to inform. This case was considered under the (now repealed) Data Protection Directive (Directive 95/46/EC).

Facts
Fashion ID is an online clothing retailer whose website embedded Facebook's 'Like' social plugin. When an internet user visited Fashion ID's website, that visitor's personal data was transmitted to Facebook as a result of the inclusion of Facebook's 'Like' social plugin on the website. On the basis of the facts contained in the preliminary reference to the CJEU, it appeared that such transmission occurred without that visitor being aware of their data being transmitted to Facebook, irrespective of whether or not he or she was a member of Facebook, and irrespective of whether he or she clicked on the Facebook 'Like' button.

A German public-service association tasked with safeguarding the interests of consumers (Verbraucherzentrale NRW) criticised Fashion ID for transmitting the personal data of visitors to its website to Facebook, on the basis that this transmission occurred without their consent and in breach of the duty to inform visitors of the relevant data processing as set out in data protection law. The association sought an injunction before Düsseldorf Regional Court against Fashion ID to force it to stop the practice of embedding the 'Like' social plugin on its website. The Regional Court granted an injunction in favour of the association. Fashion ID subsequently appealed this decision to Düsseldorf Higher Regional Court. The Higher Regional Court then referred a number of questions by way of preliminary reference to the CJEU. These questions centred on whether Fashion ID was a controller of the data collected by the social plugin even if it was unable to influence this data processing; whether it was possible to rely on the lawful basis of legitimate interests to embed the social plugin or whether it was necessary to collect the consent of data subjects to the processing; and who should fulfil the duty to inform data subjects of the processing when an operator of a website embeds a third party's social plugin.

Judgment
The CJEU's decision was delivered on 29 July 2019.

The CJEU considered firstly whether national legislation may prohibit consumer protection associations from bringing or defending legal proceedings against a person allegedly responsible for an infringement of data protection law. Recalling the underlying objectives of data protection law, namely to ensure effective and complete protection of the fundamental rights and freedoms of natural persons and, in particular, the right to privacy with respect to the processing of personal data, the CJEU held that the fact that a Member State provides in its national legislation for the possibility of a consumer protection association commencing legal proceedings does not undermine the objectives of that protection, but rather contributes to the realisation of those objectives.

On the issue of controllership and social plugins, the CJEU held that an operator of a website (such as Fashion ID) which embeds a social plugin of a third party on its website (such as the Facebook 'Like' button), causing the browser [in a device] of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to the provider the personal data of the visitor, can be considered to be a joint controller with the third party that owns the social plugin. However, the Court considered that the liability of the operator of the website is limited to the operation or set of operations involving the processing of personal data in respect of which the operator of the website actually determines the purposes and means, i.e. the collection and disclosure by transmission of the data at issue.

On the issue of legitimate interests and social plugins, the CJEU determined that, in a situation in which the operator of a website embeds a social plugin on its website causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor, it is necessary that that operator and that provider each pursue a legitimate interest for the purpose of the respective processing operations in order for those operations to be justified in respect of each of them.

On the issue of consent and the provision of information related to social plugins, the CJEU firstly recalled that the duty to obtain the consent of the data subject and the duty to inform are incumbent on the controller which actually determines the purposes and means of the relevant operation or set of operations involving the processing of personal data. The CJEU held that consent must be given prior to the collection and disclosure (in other words, the onward transmission) of the data subject's data to the third party. In such circumstances, the CJEU said, it is for the operator of the website, rather than for the provider of the social plugin, to obtain that consent. This was because it would not be in line with efficient and timely protection of the data subject's rights if the consent were given only to the joint controller that is involved later, namely the provider of the social plugin; it is the visiting of that website by the visitor that triggers the processing of the personal data. However, the consent that must be given to the operator relates only to the operation or set of operations involving the processing of personal data in respect of which the operator actually determines the purposes and means. With reference to the duty to inform, this duty is similarly incumbent on the operator of the website, but the information that must be provided to the data subject need relate only to the operation or set of operations involving the processing of personal data in respect of which that operator actually determines the purposes and means.

Sergejs Buivids v Datu valsts inspekcija (Case C-345/17)

Key issues: video recording in a police station, publication of video, journalistic exemption. This case was considered under the (now repealed) Data Protection Directive (Directive 95/46/EC).

Facts
Mr Buivids made a video recording in a police station of the Latvian national police while he was making a statement in the context of administrative proceedings which had been brought against him. He later published the video on the YouTube internet site. Following the publication of the video, the National Data Protection Agency of Latvia found that Mr Buivids had infringed data protection law because he had not informed the police officers of the intended purpose of the processing of personal data concerning them, and he did not provide any information to the National Data Protection Agency of Latvia as to the purpose of the recording and its publication. Consequently, the National Data Protection Agency requested that Mr Buivids remove the video from YouTube and from other websites.

Mr Buivids brought an action before the Latvian District Administrative Court seeking a declaration that the decision of the National Data Protection Agency was unlawful. Mr Buivids also claimed compensation for the harm he suffered. The Latvian District Administrative Court dismissed the action and subsequently the Latvian Regional Administrative Court dismissed the subsequent appeal. Mr Buivids filed an appeal in the Latvian Supreme Court invoking his right to freedom of expression. By way of preliminary reference to the CJEU, the Latvian Supreme Court asked a number of questions regarding whether the act of filming police officers while carrying out their duties in a police station and the act of publishing this recorded video on the internet are matters which come within the scope of the Data Protection Directive, and whether those activities may be regarded as processing of personal data for journalistic purposes.

Judgment
The CJEU's decision was delivered on 14 February 2019. The CJEU held firstly that the once-off act of recording a video using a digital photo camera and publishing the video recording containing personal data on a video website on which users can send, watch and share videos constitutes processing of those data wholly or partly by automatic means.

The CJEU considered that the recording and publication of the video in question can be regarded as a processing of personal data which falls within the scope of the Data Protection Directive. The Court said that such a video did not constitute a processing operation which concerns public security, defence, State security or the activities of the State in areas of criminal law, as it was the result of the activity of a private individual. Moreover, such an activity could not be considered to be purely personal within the context of personal or household activities because, as a matter of fact, Mr Buivids had published the video in question on a video website on which users can send, watch and share videos, thereby permitting access to the personal data in the video to an indefinite number of people.

On the issue of processing personal data for journalistic purposes, after recalling the need to balance the right to data protection against freedom of expression, the CJEU reiterated that the right to freedom of expression must be interpreted broadly and that journalistic activities are those which have as their purpose the disclosure of information, opinions or ideas to the public, irrespective of the medium which is used to transmit such information, opinions or ideas. In the circumstances of the case, the Court decided that the fact that Mr Buivids was not a professional journalist did not seem to exclude the possibility that the recording of the video in question, and its publication on a video website on which users can send, watch and share videos, could come within the scope of the journalistic exemption. However, the CJEU stated that not all information published on the internet involving personal data can be categorised as journalistic activities. The CJEU indicated that it was for the referring court to determine whether it appeared from the video in question that the sole purpose of the recording and publication of the video was to disclose information, opinions or ideas to the public, particularly taking into account the factual circumstances and whether the video in question was published on an internet site for the purpose of highlighting the alleged police malpractice that Mr Buivids claimed. In order to verify if the journalistic exemption may apply, the referring Court would have to consider this exemption only where it is necessary in order to reconcile two fundamental rights, namely the right to privacy and the right to freedom of expression, and only in so far as is strictly necessary. The CJEU also held, in relation to the balancing of these two fundamental rights, that the referring Court must take into account, amongst other things, the contribution to a debate of public interest, the degree of notoriety of the person affected, the subject of the news report, the prior conduct of the person concerned, the content, form and consequences of the publication, and the manner and circumstances in which the information was obtained and its veracity.

Deutsche Post AG v Hauptzollamt Köln (Case C-496/17)

Key issues: personal data, tax identification number, customs authority authorisation process. This case was considered under both the (now repealed) Data Protection Directive (Directive 95/46/EC) and the GDPR.

Facts
Pursuant to Commission Implementing Regulation (EU) 2015/2447 (which relates to the implementation of customs rules), the German customs authority (the Hauptzollamt) requested that Deutsche Post reply to a self-evaluation questionnaire for the purposes of assessing whether Deutsche Post should have authorised economic operator (AEO) authorisation. (The AEO status allows an entity to benefit from certain simplifications under customs legislation.) Under this assessment process, certain information (including tax identification numbers) about owners, shareholders, directors and other officers of Deutsche Post, including those responsible for customs matters, was requested, together with details of the tax offices responsible for the taxation of those persons.

On foot of this request, Deutsche Post brought an action before the Düsseldorf Finance Court, challenging the obligation to send the tax identification numbers of the persons concerned and the details of the tax offices responsible for their taxation to the Hauptzollamt. The Düsseldorf Finance Court then referred certain matters for a preliminary ruling to the CJEU. The German Court sought to ascertain whether, in the light of Article 8(1) of the Charter and the principle of proportionality, the Hauptzollamt could request personal data such as the tax identification numbers of data subjects and the details of the tax offices responsible for the assessment of income tax payable by those persons.

Judgment
The CJEU's decision was delivered on 16 January 2019. The judgment interpreted Regulation 2015/2447 by reference to both the Data Protection Directive and the GDPR.

The CJEU firstly recalled that tax data, such as identification numbers, constitutes personal data. However, according to Regulation 2015/2447, the Hauptzollamt, as the national German customs authority, must comply with the principles relating to data quality and the legitimacy of data processing whenever it processes personal data in the conduct of its activities. In this case, the tax identification numbers of natural persons were initially collected by the employer in order to ensure compliance with income tax legislation and, more specifically, to ensure that the employer could fulfil its obligation to deduct and collect income tax at source. In those circumstances, the CJEU found that the subsequent collection of that personal data by a national customs authority (such as the Hauptzollamt) in order to make a decision on an application for AEO status in relation to an entity (i.e. in this case, Deutsche Post) was necessary to comply with Regulation 2015/2447. In particular, a national customs authority must ascertain not only whether an applicant for AEO status complies with Regulation 2015/2447, but also whether relevant natural persons within the organisation of that applicant have committed any serious infringement or repeated infringements of that legislation or of the tax rules, having regard to the level of their responsibility within the applicant's organisation, irrespective of whether those infringements have any connection to the economic activity of the applicant. To that extent, the CJEU noted that the data is collected and therefore processed for specified, explicit and legitimate purposes. Moreover, the CJEU underlined that the data collected by national customs authorities, namely the tax identification numbers of the natural persons listed in Regulation 2015/2447, are adequate, relevant and not excessive in relation to the purposes for which that data is collected.

The CJEU concluded that the collection by a national customs authority, such as the Hauptzollamt, from an applicant for AEO status, of tax identification numbers which are allocated for income tax purposes and which solely relate to the natural persons who are in charge of the applicant or who exercise control over its management and those who are in charge of the applicant's customs matters, and of the details of the tax offices responsible for the taxation of all those persons, is permissible only to the extent that such data enables those authorities to obtain information on serious or repeated infringements of customs legislation or of tax rules, or on serious criminal offences committed by those natural persons in relation to their economic activity.

Appendix II
Litigation concerning Standard Contractual Clauses

Data Protection Commissioner v. Facebook Ireland Limited and Maximilian Schrems [Record No. 2016/4809P]

(1) Background

On 31 May 2016, the DPC (then Data Protection Commissioner) commenced proceedings in the Irish High Court seeking a reference to the Court of Justice of the European Union (CJEU) in relation to the validity of "standard contractual clauses" (SCCs). SCCs are a mechanism, established by a number of EU Commission decisions, under which, at present, personal data can be transferred from the EU to the US. The DPC took these proceedings in accordance with the procedure set out by the CJEU in its 6 October 2015 judgment (which also struck down the Safe Harbour EU to US personal data transfer regime).

The proceedings taken by the DPC have their roots in the original complaint made in June 2013 to the DPC about Facebook by Mr Maximillian Schrems concerning the transfer of personal data by Facebook Ireland to its parent company, Facebook Inc., in the US. Mr Schrems was concerned that, because his personal data was being transferred from Facebook Ireland to Facebook Inc., his personal data was then being accessed (or at risk of being accessed) unlawfully by US state security agencies. Mr Schrems' concerns arose in light of the disclosures by Edward Snowden regarding certain programmes said to be operated by the US National Security Agency, most notably a programme called "PRISM". The DPC had declined to investigate that complaint on the grounds that it concerned an EU Commission decision (which established the Safe Harbour regime for transferring data from the EU to the US) and on that basis he was bound under existing national and EU law to apply that Commission decision. Mr Schrems brought a judicial review action against the decision not to investigate his complaint and that action resulted in the Irish High Court making a reference to the CJEU, which in turn delivered its decision on 6 October 2015.

(2) CJEU procedure on complaints concerning EU Commission decisions

The CJEU ruling of 6 October 2015 made it clear that where a complaint is made to an EU data protection authority which involves a claim that an EU Commission decision is incompatible with the protection of privacy and fundamental rights and freedoms, the relevant data protection authority must examine that complaint even though the data protection authority cannot itself set aside or disapply that decision. The CJEU ruled that if the data protection authority considers the complaint to be well founded, then it must engage in legal proceedings before the national Court and, if the national Court shares those doubts as to the validity of the EU Commission decision, the national Court must then make a reference to the CJEU for a preliminary ruling on the validity of the EU Commission decision in question.

The CJEU ruled that this procedure (involving seeking a reference to the CJEU) must be followed by an EU data protection authority where a complaint which is made by a data subject concerning an EU instrument, such as an EU Commission decision, is considered by the data protection authority to be well founded. As noted above, the CJEU in its judgment of 6 October 2015 also struck down the EU Commission decision which underpinned the Safe Harbour EU to US data transfer regime.

(3) DPC's draft decision

Following the striking down of the Safe Harbour personal data transfer regime, Mr Schrems reformulated and resubmitted his complaint to take account of this event and the DPC agreed to proceed on the basis of that reformulated complaint. The DPC then examined Mr Schrems' complaint in light of certain articles of the EU Charter of Fundamental Rights (the Charter), including Article 47 (the right to an effective remedy where rights and freedoms guaranteed by EU law are violated). In the course of investigating Mr Schrems' reformulated complaint, the DPC established that Facebook Ireland continued to transfer personal data to Facebook Inc. in the US in reliance in large part on the use of SCCs. Arising from her investigation of Mr Schrems' reformulated complaint, the DPC formed the preliminary view (as expressed in a draft decision of 24 May 2016 and subject to receipt of further submissions from the parties) that Mr Schrems' complaint was well founded. This was based on the DPC's draft finding that a legal remedy compatible with Article 47 of the Charter is not available in the US to EU citizens whose data is transferred to the US, where it may be at risk of being accessed and processed by US State agencies for national security purposes in a manner incompatible with Articles 7 and 8 of the Charter. The DPC also formed the preliminary view that SCCs do not address this lack of an effective Article 47-compatible remedy and that SCCs themselves are therefore likely to offend against Article 47 insofar as they purport to legitimise the transfer of personal data of EU citizens to the US.

(4) The Proceedings and the Hearing

The DPC therefore commenced legal proceedings in the Irish High Court seeking a declaration as to the validity of the EU Commission decisions concerning SCCs and a preliminary reference to the CJEU on this issue. The DPC did not seek any specific relief in the proceedings against either Facebook Ireland or Mr Schrems. However, both were named as parties to the proceedings in order to afford them an opportunity (but not an obligation) to fully participate because the outcome of the proceedings would impact on the DPC's consideration of Mr Schrems' complaint against Facebook Ireland. Both parties chose to participate fully in the proceedings. Ten interested third parties also applied to be joined as amicus curiae ("friends of the court") to the proceedings and the Court ruled four of those ten parties (the US Government, BSA The Software Alliance, Digital Europe and EPIC (Electronic Privacy Information Centre)) should be joined as amici.

The hearing of the proceedings before Ms Justice Costello in the Irish High Court (Commercial Division) took place over 21 days in February and March 2017 with judgment being reserved at the conclusion of the hearing. In summary, legal submissions were made on behalf of: (i) each of the parties, being the DPC, Facebook Ireland and Mr Schrems; and (ii) each of the "friends of the Court", as noted above. The Court also heard oral evidence from a total of 5 expert witnesses on US law, as follows:

• Ms Ashley Gorski, expert witness on behalf of Mr Schrems;
• Professor Neil Richards, expert witness on behalf of the DPC;
• Mr Andrew Serwin, expert witness on behalf of the DPC;
• Professor Peter Swire, expert witness on behalf of Facebook; and
• Professor Stephen Vladeck, expert witness on behalf of Facebook.

In the interim period between the conclusion of the trial and the delivery of the judgment on 3 October 2017 (see below), a number of updates on case law and other developments were provided by the parties to the Court.

(5) Judgment of the High Court

Judgment was delivered by Ms Justice Costello on 3 October 2017 by way of a 152 page written judgment. An executive summary of the judgment was also provided by the Court.

In the judgment, Ms Justice Costello decided that the concerns expressed by the DPC in her draft decision of 24 May 2016 were well-founded, and that certain of the issues raised in these proceedings should be referred to the CJEU so that the CJEU could make a ruling as to the validity of the European Commission decisions which established SCCs as a method of carrying out personal data transfers. In particular the Court held that the DPC's draft findings as set out in her draft decision of 24 May 2016 that the laws and practices of the US did not respect the right of an EU citizen under Article 47 of the Charter to an effective remedy before an independent tribunal (which, the Court noted, applies to the data of all EU data subjects whose data has been transferred to the US) were well-founded.

In her judgment of 3 October 2017, Ms. Justice Costello also decided that, as the parties had indicated that they would like the opportunity to be heard in relation to the questions to be referred to the CJEU, she would list the matter for submissions from the parties and then determine the questions to be referred to the CJEU. The parties to the case, along with the amicus curiae, made submissions to the Court, amongst other things, on the questions to be referred, on 1 December 2017 and on 16, 17 and 18 January 2018. During these hearings, submissions were also made on behalf of Facebook and the US Government as to "errors" which they alleged had been made in the judgment of 3 October 2017. The Court reserved its judgment on these matters.

(6) Questions referred to the CJEU

On 12 April 2018, Ms. Justice Costello notified the parties of her Request for a Preliminary Ruling from the CJEU pursuant to Article 267 of the TFEU. This document sets out the 11 specific questions to be referred to the CJEU, along with a background to the proceedings.

On the same date, Ms Justice Costello also indicated that she had made some alterations to her judgment of 3 October 2017, specifically to paragraphs 175, 176, 191, 192, 207, 213, 215, 216, 220, 221 and 239. During that hearing, Facebook indicated that it wished to consider whether it would appeal the decision of the High Court to make the reference to the CJEU and if so, seek a stay on the reference made by the High Court to the CJEU. On that basis, the High Court listed the matter for 30 April 2018.

When the proceedings came before the High Court on 30 April 2018, Facebook applied for a stay on the High Court's reference to the CJEU pending an appeal by it against the making of the reference. Submissions were made by the parties in relation to Facebook's application for a stay.

On 2 May 2018, Ms. Justice Costello delivered her judgment on the application by Facebook for a stay on the High Court's reference to the CJEU. In her judgment, Ms Justice Costello refused the application by Facebook for a stay, holding that the least injustice would be caused by the High Court refusing any stay and delivering the reference immediately to the CJEU.

(7) Appeal to the Supreme Court

On 11 May 2018, Facebook lodged an appeal, and applied for leave to appeal to the Supreme Court, against the judgments of 3 October 2017, the revised judgment of 12 April 2018 and the judgment of 2 May 2018 refusing a stay. Facebook's application for leave to appeal to the Supreme Court was heard on 17 July 2018. In a judgment delivered on 31 July 2018, the Supreme Court granted leave to Facebook allowing it to bring its appeal in the Supreme Court but leaving open the question as to what was the nature of the appeal which was allowed to be brought to the Supreme Court. During late 2018, there

were several procedural hearings in the Supreme Court in preparation for the substantive hearing. The substantive hearing of the appeal took place over 21, 22 and 23 January 2019 before a 5 judge Supreme Court panel composed of the Chief Justice — Mr Clarke, Mr Justice Charleton, Ms Justice Dunne, Ms Justice Finlay Geoghegan and Mr Justice O'Donnell. Oral arguments were made on behalf of Facebook, the DPC, the US Government and Mr Schrems. The central questions arising from the appeal related to whether, as a matter of law, the Supreme Court could revisit the facts found by the High Court relating to US law. This arose from allegations by Facebook and the US Government that the High Court judgment, which underpinned the reference made to the CJEU, contained various factual errors concerning US law.

On 31 May 2019 the Supreme Court delivered its main judgment, which ran to 77 pages. In summary, the Supreme Court dismissed Facebook's appeal in full. In doing so, the Supreme Court decided that:

• It was not open to it as a matter of Irish and EU law to entertain any appeal against a decision of the High Court to make a reference to the CJEU. Neither was it open to the Supreme Court to entertain any appeal in relation to the terms of such a reference (i.e. the specific questions which the High Court had referred to the CJEU). The Supreme Court decided that the issue of whether to make a reference to the CJEU is a matter solely for the Irish High Court. Therefore it was not appropriate for the Supreme Court to consider, in the context of Facebook's appeal, the High Court's analysis which led to the decision that it shared the concerns of the DPC in relation to the validity of the SCC decision. This was because this issue was inextricably linked to the High Court's decision to make a reference to the CJEU and it was not open to Facebook to pursue this as a point of appeal.
• However it was open to the Supreme Court to consider whether the facts found by the High Court (i.e. those facts which underpinned the reference made to the CJEU) were sustainable by reference to the evidence which had been placed before the High Court, or whether those facts should be overturned.
• Insofar as Facebook disputed certain key issues of fact which had been found by the High Court concerning US law, on the basis of the expert evidence before the High Court, the Supreme Court had not identified any findings of fact which were unsustainable. Accordingly, the Supreme Court did not overturn any of the facts found by the High Court. Instead the Supreme Court was of the view that the criticisms which Facebook had made of the High Court judgment concerned the proper characterisation of the underlying facts rather than the actual facts.

(8) Hearing before the CJEU

The CJEU (Grand Chamber) held an oral hearing in respect of the reference made to it by the Irish High Court on 9 July 2019. The CJEU sat with a composition of 15 judges, including the President of the CJEU, Judge Koen Lenaerts. The appointed Judge Rapporteur is Judge Thomas von Danwitz. The Advocate General assigned to the case is Henrik Saugmandsgaard Øe. At the hearing, the DPC, Mr Schrems and Facebook made oral submissions before the CJEU. The 4 parties who were joined as amicus curiae ("friends of the court") to the case before the Irish Court (the USA, EPIC, BSA Business Software Alliance Inc. and Digital Europe) were also permitted to make oral submissions. In addition, the European Parliament, the European Commission and a number of Member States (Austria, France, Germany, Ireland, Netherlands, and the United Kingdom) who each intervened in the proceedings also made oral submissions at the hearing before the CJEU. Additionally, at the invitation of the CJEU, the European Data Protection Board (EDPB) addressed the CJEU on specific issues.

(9) Opinion of the Advocate General

The Opinion of Advocate General Saugmandsgaard Øe (the AG) was delivered on 19 December 2019. In this Opinion, as preliminary matters, the AG noted that the DPC had brought proceedings in relation to Mr Schrems' complaint before the national referring Court in accordance with paragraph 65 of the CJEU's judgment of 6 October 2015 (as described further above). The AG also found that the request for a preliminary ruling was admissible. In relation to the questions referred to the CJEU by the Irish High Court, the AG expressly limited his consideration to the validity of the Commission Decision underlying the SCCs (SCCs Decision). At the outset, the Advocate General noted that his analysis in the Opinion was guided by the desire to strike a balance between the need to show a reasonable degree of pragmatism in order to allow interaction with other parts of the world and the need to assert the fundamental values recognised in the legal orders of the EU, its Member States and the Charter of Fundamental Rights. He was also of the view that the SCCs Decision must be examined with reference to the provisions of the GDPR (as opposed to the Data Protection Directive (Directive 95/46)) in line with Article 94(2) GDPR, and the AG also noted that the relevant provisions of the GDPR essentially reproduce the corresponding provisions of the Data Protection Directive.

The AG considered that EU law applies to a transfer of personal data from a Member State to a third country where that transfer forms part of a commercial activity. In this regard, the AG's view was that EU law applies to a transfer of this nature regardless of whether the personal data transferred may be processed by public authorities of that third country for the purpose of protecting the national security of that country. As regards the nature of SCCs, the AG opined that SCCs represent a general mechanism applicable to transfers irrespective of the third country of destination and the level of protection guaranteed there. As regards the test for the level of protection which is required in relation to the safeguards (which may be provided by SCCs) contemplated by Article 46 of the GDPR where personal data is being transferred out of the

EU to a third country which does not have an adequacy finding, the AG's opinion was that the level of protection as offered by such safeguards must be essentially equivalent to that offered to data subjects in the EU by the GDPR and the Charter of Fundamental Rights. As such, the requirements of protection of fundamental rights guaranteed by the Charter do not vary according to the legal basis for the data transfer.

Following a detailed examination of the nature and content of the SCCs, the AG concluded that the SCCs Decision was not invalid with reference to the Charter. In his view, because the purpose of the SCCs was to compensate for any deficiencies in the protection of personal data offered by the third country, the validity of the SCCs Decision could not be dependent on the level of protection in the third country. Rather the question of validity must be evaluated by reference to the soundness of the safeguards offered by the SCCs to remedy the deficiencies in protection in the third country. This evaluation must also take account of the safeguards consisting of the powers of supervisory authorities under the GDPR. As the SCCs place responsibility on the controller (the exporter), and in the alternative supervisory authorities, this meant that transfers must be assessed on a case by case basis by the controller, and in the alternative by the supervisory authority, to assess whether the laws in the third country were an obstacle to having an adequate level of protection for the transferred data, such that data transfers must be prohibited or suspended.

The AG then went on to consider the nature of the obligations on the controller carrying out the export of the personal data, which included, according to the AG, a mandatory obligation to suspend a data transfer or terminate a contract with the importer if the importer could not comply with the provisions of the SCCs. The AG also considered the obligations on the importer in this regard and made certain observations about the nature of the examination of the laws of the third country which should be carried out by the exporter and the importer.

The AG also referred to the rights of data subjects who believe there has been a breach of the SCC clauses to complain to supervisory authorities, and went on to consider what he considered the role of the supervisory authority was in this context. In essence, the AG considered that where, following an examination, a supervisory authority considers that data transferred to a third country does not benefit from appropriate protection because the SCCs are not complied with, adequate measures should be taken by the authority to remedy this illegality, if necessary by ordering suspension of the transfer. The AG noted the DPC's submissions that the power to suspend transfers could only be exercised on a case by case basis and would not address systemic issues arising from an adequate lack of protection in a third country. On this point, the AG pointed to the practical difficulties linked to a legislative choice to make supervisory authorities responsible for ensuring data subjects' rights are observed in the context of transfers or data flows to a specific recipient but said that those difficulties did not appear to him to render the SCC Decision invalid.

Although noting that the question as to the validity of the Privacy Shield was not explicitly referred to the CJEU by the Irish High Court, the AG considered that some of the questions raised by the Irish High Court indirectly raised the validity of the finding of adequacy which the European Commission made in respect of the Privacy Shield. The AG considered that it would be premature for the Court to rule on the validity of the Privacy Shield in the context of this reference although he noted that answers to the questions raised by the Irish High Court in relation to the Privacy Shield could ultimately be helpful to the DPC later in determining whether the transfers in question should actually be suspended because of an alleged absence of appropriate safeguards. However the AG also referred to the possibility that the DPC could in the subsequent examination of Mr Schrems' complaint, following the delivery of the Court's judgment, decide that it could not determine the complaint unless the CJEU first ruled on whether the existence of the Privacy Shield itself was an obstacle to the DPC exercising the power to suspend the transfers in question. The AG noted that in such circumstances, if the DPC had doubts about the validity of the Privacy Shield, it would be open to the DPC to bring the matter before the Irish Court again in order to seek that another reference on this point be made to the CJEU.

However, despite the AG taking the position that the Court should, in the context of this reference, refrain from ruling on the validity of the Privacy Shield in its judgment, he went on to express, in the alternative, some "non-exhaustive observations" on the effects and validity of the Privacy Shield decision. These observations were set out over approximately 40 pages of detailed analysis, including an analysis of the scope of what the "essential equivalence" of protection in a third party state involved, the possible interferences with data subject rights in relation to data transferred to the US as posed by national intelligence agencies, the necessity and proportionality of such interferences and the laws and practices of the US, including those relating to the question of whether there is an effective judicial remedy in the US for persons whose data has been transferred to the US and whose data protection rights have been subject to interferences by the US intelligence agencies. Having carried out this analysis, the AG ultimately concluded by expressing doubts as to the conformity of the Privacy Shield with provisions of EU law.

The AG's Opinion is not binding on the CJEU. It is expected that the CJEU will deliver its judgment on the matters referred to it by the Irish High Court at some point in 2020.

Materials relating to the proceedings

The various judgments referred to above, the questions referred to the CJEU, the expert evidence on behalf of the DPC, and the transcripts of the trial before the High Court are available on the DPC's website.

Appendix III
Investigation by the DPC into the processing of personal data by DEASP in relation to the Public Services Card

The DPC's report

On 15 August 2019, the DPC delivered its report in relation to the first part of its investigation into the processing of personal data carried out by the Department of Employment Affairs and Social Protection (DEASP) in connection with the Public Services Card (PSC), to include DEASP's "SAFE 2" registration process.⁸ DEASP published the report on its website⁹ on 17 September 2019, along with its own response.

This first part of the DPC's investigation focused on a defined and limited number of specific issues. In particular, it examined the legal basis on which personal data is processed by DEASP in connection with the PSC, and whether the information provided to data subjects in relation to the processing of their personal data in that context satisfied applicable legal requirements in terms of transparency. (The DPC's investigation into certain other aspects of processing by DEASP in connection with the PSC is ongoing, as detailed below.)

Legal framework for the DPC's investigation

Because the PSC scheme (and the DPC's investigation) pre-dated the coming into effect of the GDPR (the investigation was commenced in October 2017), the DPC's findings were made by reference to particular obligations imposed on controllers under the Data Protection Acts, 1988 and 2003 rather than the GDPR. (This is specifically mandated by the Data Protection Act 2018 which was introduced in 2018 to facilitate the application of particular elements of the GDPR at national level.) For completeness, it should be noted that the report also included some (non-binding) material addressing applicable provisions of the GDPR.

Findings

A total of eight findings were made in the DPC's report. Three of those relate to the legal basis issue; the remaining five relate to issues around transparency. Seven of the eight findings were adverse to positions advanced by DEASP in so far as the DPC found that there is, or has been, non-compliance with applicable provisions of data protection law.

In summary terms, the DPC found that:

• The processing of personal data by DEASP in connection with the issuing of PSCs for the purposes of validating the identity of a person claiming, receiving or presenting for payment of a benefit has a legal basis under applicable data protection law.
• The processing of certain personal data by DEASP in connection with the issuing of PSCs for the purpose of transactions between individuals and other specified public bodies (i.e. other than DEASP itself) does not have a legal basis under applicable data protection laws; specifically, such processing contravenes Section 2A of the Data Protection Acts, 1988 and 2003.
• In terms of transparency, the scheme does not comply with Section 2D of the Data Protection Acts, 1988 and 2003, in that the information provided by DEASP to the public about the processing of their personal data in connection with the issuing of PSCs was not adequate.
• DEASP's retention of underlying documents and information provided by persons applying for a PSC on a blanket and indefinite basis contravenes Section 2(1)(c)(iv) of the Data Protection Acts, 1988 and 2003 because such data is being retained for periods longer than is necessary for the purposes for which it was collected.

(As per the DPC's statement of 16 August 2019 (referenced above), the DPC has determined that PSCs already issued by DEASP will not be treated as invalid and likewise, individuals who access benefits — including free travel — using their PSC will remain free to do so.)

8 Under applicable legislation, it was not open to the DPC to publish the report itself. A statement was issued by the DPC on its own website outlining the scope of the investigation and summarising the report's findings.
9 Available at http://m.welfare.ie/en/pressoffice/Pages/pr170919.aspx

Requirements to address contraventions identified in the report

When delivering its report, the DPC notified DEASP that enforcement action would be deferred to afford the Department an opportunity to identify the measures it would need to implement to bring the PSC scheme into compliance with data protection legislation and to remedy the contraventions identified in the report. The DPC called on DEASP to develop and submit its implementation plan within a period of 6 weeks, and to ensure that the measures necessary to bring the scheme into compliance would be in place no later than 31 December 2019. Separately, however, the DPC called on DEASP to take two specific steps within a period of 21 days:

(1) Cease all processing of personal data carried out in connection with the issuing of PSCs, where a PSC is issued solely for the purpose of a transaction between a member of the public and a specified public body (i.e. a public body other than DEASP itself).

(2) Notify all public bodies who require production of a PSC as a pre-condition to entering into a transaction with (or providing a public service to) a member of the public that, going forward, DEASP would not be in a position to issue PSCs to such persons.

DEASP's response to the DPC's findings

DEASP wrote to the DPC on 3 September 2019, noting that, having carefully considered the contents of the report, along with advices received from the Attorney General's office, the Minister was satisfied that, contrary to the position of the DPC, the processing of personal data in connection with the PSC has a strong legal basis. The letter also noted the Minister's position that the information provided to users of the scheme satisfies applicable statutory requirements relating to transparency. Against that backdrop, the letter noted that the Minister considered that it would be inappropriate and potentially unlawful to take the measures required by the DPC. Accordingly, the letter indicated that the Minister had determined that DEASP would continue to operate the PSC scheme and the SAFE 2 identity authentication process, without modification.

Notwithstanding its rejection of the report, and its refusal to formulate and implement measures to bring the scheme into compliance, the letter of 3 September proposed that DEASP and the DPC should nonetheless meet to explore whether measures could be agreed that would obviate the requirement for enforcement proceedings.

A statement was issued by the Minister (along with the Minister for Public Expenditure and Reform) on the same date, in terms that reflected the contents of the letter of 3 September.

The DPC replied to DEASP by letter dated 5 September 2019, explaining the reasons why the DPC considered that, in light of the rejection of the report's findings, and the Minister's stated determination to continue to operate the PSC scheme, without modification, there could be no basis for engagement between the parties in the manner — or for the purpose — suggested. The letter concluded by noting that, since DEASP was refusing to accept the report's findings, and where it was clear that no implementation plan would be formulated or implemented by DEASP to address the points of non-compliance identified within those findings, the basis on which the DPC had deferred enforcement action no longer applied. Accordingly, the letter indicated that the DPC would now proceed to enforcement.

Following a further exchange of correspondence between the parties in the intervening period, DEASP published its response to the DPC's report on its website on 17 September 2019 together with a statement by the Minister. As well as restating that the Minister and DEASP did not accept the findings contained in the DPC's report, the response and statement reiterated the stated views of the Minister and DEASP to the effect that the PSC has a robust legal basis and so DEASP will continue to issue PSCs for use by a number of public bodies across the public sector. DEASP's response to the report also criticised various aspects of the report, the investigation process which had been followed by the DPC, as well as the process the DPC had called on DEASP to engage with to identify measures to remedy the contraventions of data protection law identified in the report. DEASP also reiterated, in categoric terms, its position that it would continue to operate the PSC and SAFE registration process as it had done to that point.

Enforcement action by the DPC

Ultimately an enforcement notice was issued under Section 10 of the Data Protection Acts 1988 and 2003 on 6 December 2019. That notice, which was directed to the Minister (acting through DEASP), directs the taking of a range of steps in order to remedy the contraventions identified in the DPC's report.

The enforcement notice has since been appealed by the Minister to the Circuit Court. It is expected that the appeal will be heard at some point during 2020.

Continuation of the DPC's investigation into other aspects of processing

Separately, the DPC is continuing its investigation into certain other aspects of processing carried out by DEASP in connection with the issuing of PSCs and the SAFE 2 registration system, including the security of processing, facial matching processing by DEASP in connection with the PSC and specific use cases of the PSC.

Appendix IV
Statement of Internal Controls in Respect of the DPC for the period 1 January 2019 to 31 December 2019

Scope of Responsibility

On behalf of the DPC, I acknowledge responsibility for ensuring that an effective system of internal control is maintained and operated. This responsibility takes account of the requirements of the Code of Practice for Governance of State Bodies (2016).

Purpose of the System of Internal Control

The system of internal control in the DPC is designed to manage risk to a tolerable level rather than eliminate it. The system can therefore only provide reasonable and not absolute assurance that assets are safeguarded, transactions are authorised and properly recorded, and that material errors or irregularities are either prevented or detected in a timely way.

The system of internal control, which accords with guidance issued by the Department of Public Expenditure and Reform, has been in place in the office of the DPC for the period of 1st January to 31 December 2019 and up to the date of approval of the financial statements for that period.

Capacity to Handle Risk

The SMC of the DPC acts as risk committee for the organisation.

The Internal Audit function carries out audits on financial and other controls in the DPC, in line with its annual programme of audits. The DJE Internal Audit Unit carried out an audit at the DPC during 2019.

The DPC's senior management team has developed a risk-management policy that sets out its risk appetite, the risk-management processes in place and the roles and responsibilities of staff in relation to risk. The policy has been issued to all staff, who are expected to work within the DPC's risk-management policies, to alert management of emerging risks and control weaknesses, and to assume responsibility for risks and controls within their own area of work.

Risk and Control Framework

The DPC has implemented a risk-management system that identifies and reports key risks and the management actions being taken to address and, to the extent possible, mitigate those risks.

A risk register identifies the key risks facing the DPC; these have been identified, evaluated, and graded according to their significance. The register is reviewed and updated by the SMC on a quarterly basis. The outcome of these assessments is used to plan and allocate resources to ensure that risks are managed to an acceptable level.

The risk register details the controls and actions needed to mitigate risks and responsibility for operation of controls assigned to specific staff.

I confirm that a control environment containing the following elements is in place:

• Financial responsibilities have been assigned at management level with corresponding accountability.
• There is an appropriate budgeting system with an annual budget that is kept under review by senior management.
• There are systems aimed at ensuring the security of the information and communication technology systems. The ICT Division of the DJE provides the DPC with ICT services. They have provided an assurance statement outlining the control processes in place in 2019.
• There are systems in place to safeguard the DPC's assets. No grant funding to outside agencies occurs.
• Procedures for all key business processes have been documented.
• The National Shared Services Office provides Human Resource and Payroll Shared services. The National Shared Services Office provides annual assurances over the services provided. They are audited under the ISAE 3402 certification processes.

Ongoing Monitoring and Review

Formal procedures have been established for monitoring control processes, and deficiencies are communicated to those responsible for taking corrective action and to management, where relevant, in a timely way. I confirm that the following ongoing monitoring systems are in place:

• Key risks and related controls have been identified and processes have been put in place to monitor the operation of those key controls and report any identified deficiencies.
• An annual audit of financial and other controls is carried out by the DJE's Internal Audit Unit.
• Reporting arrangements have been established at all levels where responsibility for financial management has been assigned.
• There are regular reviews by senior management of periodic and annual performance and financial reports that indicate performance against budgets/forecasts.

Procurement

I confirm that the DPC has procedures in place to ensure compliance with current procurement rules and guidelines, and that between 1st January and 31 December 2019 the DPC complied with those procedures.

Review of Effectiveness

I confirm that the DPC has procedures in place to monitor the effectiveness of its risk management and control procedures. The DPC's monitoring and review of the effectiveness of the system of internal financial control is informed by the work of the internal and external auditors, the Audit Committee of the Department of Justice and Equality, and the SMC. The senior management within the DPC is responsible for the development and maintenance of the internal financial control framework.

The DPC's Internal Audit function is carried out by the DJE Internal Audit Unit under the oversight of the Audit Committee of Vote 24 (Justice) for assurance to internal controls and oversight.

The Internal Audit Unit carried out an audit at the DPC during 2019 and reviewed the effectiveness of the internal controls. It should be noted that this extended beyond financial controls and examined ICT controls, management practices and other governance processes.

I confirm that the SMC of the DPC kept the effectiveness of internal controls under review between 1st January and 31 December 2019.

Helen Dixon

Commissioner for Data Protection

Appendix V
Report on Protected Disclosures received by the Data Protection Commission in 2019

Section 22 of the Protected Disclosures Act 2014 requires public bodies to prepare and publish, by 30th June in each year, a report in relation to the previous year in an anonymised form.

The policy operated by the Data Protection Commission (DPC) under the terms of the Protected Disclosures Act 2014 is designed to facilitate and encourage all workers to raise internally genuine concerns about possible wrongdoing in the workplace so that these concerns can be investigated following the principles of natural justice and addressed in a manner appropriate to the circumstances of the case.

Pursuant to this requirement, the DPC confirms that in 2019:

• No internal protected disclosures (from staff of the DPC) were received.
• Six protected disclosures (set out below) were received from individuals external to the DPC in relation to issues pertaining to data protection within other entities. These cases were raised with the DPC in its role as a 'prescribed person' provided for under Section 7 of the Protected Disclosures Act (listed in SI 339/2014 as amended by SI 448/2015).

Reference numbers: 1/19/1/11, 1/19/1/12, 1/19/1/13, 1/19/1/14, 1/19/1/15, 1/19/1/16
Type (all six): Section 7 (external, to 'prescribed person')
Dates received: 4 February 2019, 1 March 2019, 2 March 2019, 16 March 2019, 3 April 2019, 6 November 2019
Status: four closed; one open, under investigation under Article 57(1)(f) of the GDPR; one open, being examined
Outcomes of the closed cases: complainant did not pursue matter (two cases); complainant failed to provide evidence of data protection breaches; not a protected disclosure, to be handled as a standard DP complaint

Appendix VI
Financial Statements for the Year 1 January to 31 December 2019

The Account of Receipts and Payments of the Data Protection Commission for the year 1 January to 31 December 2019 is in preparation by the DPC and will be appended to this report following completion of an audit in respect of that year by the Comptroller and Auditor General.

Appendix
Organisation Chart

Commissioner Helen Dixon

[Organisation chart: graphic not reproduced. Senior team reporting to the Commissioner: Graham Doyle, Jennifer O'Sullivan, Anna Morgan, Dale Sunderland, John O'Dwyer, Tony Delaney and Colum Walsh, with the functions shown at that level being Corporate Affairs & Strategy, Operations, Communications & International; Head of Regulatory Activity (four posts); and Head of Legal.]

Units shown on the chart: International Affairs & Cross-Border Operations; Policy & Guidance; Codes of Conduct; Technology Policy; Certification; Amicable Resolution; First Response & Breach Notifications & Assessment; Breach Complaints; Section 10 Decisions; Corporate Services & Facilities; Recruitment, Staffing, Induction & Training; Operational Performance; Communications & Media; DPO Network; Accounting Officer; Finance & Procurement; Project & ICT; Risk & Governance; Senior Legal Advisors; Inquiries; One Stop Shop Complaints; Complaints & Assessment; Cross-Border Complaints Handling; Access Request Complaints Handling; Public Sector, Health & Voluntary Sector Consultation; Breach Inquiries; Concerned Supervisory Authority Cases & Decisions Assessment; Private & Financial Sector Consultation; Complaints Handling & Inquiries; Special Investigations; Prosecutions; Regulatory Strategy; Multinational Supervision & Engagement; Law Enforcement Directive Complaints & Complaint Handling; Law Enforcement Inquiries; e-Marketing; EU Databases; Borders, Transport, Law Enforcement Consultation; Direct Intervention; DPC DPO (Cathal Ryan); Senior Investigator; International Transfers including Binding Corporate Rules; Children's Data Protection Rights.

Staff named on the chart: Diarmuid Goulding, Neasa Moore, Shane McNamee, Laura Flannery, Deirdre McGoldrick, Sandra Skehan, Nicola Harrison, Ultan O'Carroll, Neill Dougan, Emma Flood, Anne Slowey, MB Donnelly, Maureen Kehoe, Alison McIntyre, Niall Cavanagh, Kathleen O'Sullivan, Aisling O'Leary, David Murphy, Graham Geoghegan, Fleur O'Shea, Garrett O'Neill, Tom Walsh, Anne Pickett, Gráinne Hawkes, Joanne Neary, Cathal Ryan, Meg MacMahon, Eunice Delaney, Nicola Bayly, Nicola Coogan, Jenny Dolan.

DPC Senior Team

Ms. Helen Dixon Mr. Tony Delaney Mr. Graham Doyle Ms. Anna Morgan

Mr. John O’Dwyer Ms. Jennifer O’Sullivan Mr. Dale Sunderland Mr. Colum Walsh


Data Protection Commission
21 Fitzwilliam Square, Dublin 2.
Tel: 0761 104 800
Email: [email protected]
www.dataprotection.ie
