July 24, 2024
The EU-US Data Privacy Framework: What You Need to Know
With the final approval of the EU-U.S. Data Privacy Framework, data can once again flow across the Atlantic. Learn more about the new rules at TrueVault.
In September 2023, Ireland’s Data Protection Commission (DPC), which enforces the General Data Protection Regulation (GDPR) and other similar laws, published a book of case studies in order to give insight as to how the DPC operates and provide guidance on key compliance issues.
With 126 cases spanning five years, the publication is far from a complete list of enforcement actions—according to its 2022 annual report, the DPC processed over 9,000 new cases in that year alone. Instead, the case studies are short summaries selected for the purpose of “illustrating how data protection law is applied, how non-compliance is identified, and how corrective measures are imposed.”
Here are some important takeaways from the DPC case studies.
The DPC receives a lot of complaints from data subjects in Ireland and beyond. Even if the DPC doesn’t always side with the complainants, the case studies show that people have a high degree of awareness of their GDPR rights and are willing to pursue them aggressively against data controllers.
A man who belonged to a sporting club attended its annual meeting via Zoom, and later made an access request for video footage of the meeting. The club first provided a copy of the meeting minutes (stating that the footage had been accidentally deleted), then a transcript of the recording, and eventually the full video recording.
The DPC noted that this case required “extensive” communication among the parties and could have been avoided entirely if the organization had simply been more aware of its GDPR obligations.
A data subject submitted a deletion request to Airbnb. The company refused to act on the request until the data subject submitted a photocopy of an official ID, even though no ID had been provided to Airbnb up to that point.
The DPC determined that this ID requirement violated the GDPR’s data minimization principle and Airbnb had no lawful basis for requesting the ID. Airbnb was ordered to revise its internal policies and refrain from requiring ID for future deletion requests.
A healthcare patient formally requested a hospital to correct the spelling of his name to include a síneadh fada, an accent mark that is part of the Irish language. The hospital refused to do so on the basis that its patient administration system did not allow for the use of such characters. The DPC launched an extensive inquiry into the hospital’s obligations in the matter, not only under the GPDR but under national laws protecting the Irish language.
The complaint was ultimately resolved when the hospital agreed to investigate the use of other software that would allow for the use of a síneadh fada and added an addendum to the patient’s file noting the correct spelling of his name.
Complaints made by current and former employees against their employers made up a considerable portion of the case studies. Organizations that have treated the GDPR rights of their staff as a secondary concern should reconsider that approach.
In the context of a workplace investigation, a person alleged a number of GDPR violations, including failure to respond to their access request, failure to correct inaccurate information (in the form of witness statements), unauthorized disclosure of personal data, and unfair processing of their data.
The DPC found that the business had responded adequately to the access request (though not within the required timeline), and that a request to correct does not apply to statements of opinion if the statements are accurately recorded and based on matters the person reasonably believes to be true. The disclosure of the complainant’s personal data to a consulting firm and internal staff did fall under the GDPR, but the business had a lawful basis for the processing, i.e., it was necessary for the legitimate business purpose of investigating the complaint. The DPC did find, however, that the business had not processed the complainant’s personal data fairly because it had not provided sufficient disclosures about how the data could be used.
This case illustrates why organizations must be conscious of their GDPR obligations during a workplace dispute, and should be prepared in advance.
A public agency published an employee’s photo in an article for its workplace newsletter without first obtaining consent. The DPC determined that the agency should have obtained consent to publish the photo and should institute measures to get consent in the future.
An employee who took long-term sick leave complained that specific information about their medical condition had been shared with HR staff at the local office where the complainant worked. The DPC determined that the processing of the complainant’s medical information was necessary for the purposes of administering health benefits and managing employees on sick leave. However, the DPC also determined that it was excessive to share details of the complainant’s medical condition with HR staff at the local office, because it wasn't necessary for the business's legitimate purposes.
Though it may be a blind spot for many organizations’ GDPR compliance, video footage captured by security cameras is considered personal data. Judging by the Irish case studies, these recordings are at the heart of many investigations.
During the COVID pandemic, a parish church offered a live streaming service for funerals so that those unable to attend would still be able to view the funeral remotely. An attendee at one such funeral took exception to the processing of their personal data via the recording, the church’s failure to give notice, and the fact that the recordings were publicly available on the church’s website.
Working with the DPC, the church resolved the situation by posting a notice regarding the presence of cameras, updating its privacy policy, and restricting online access to recordings.
An employer used CCTV footage from the workplace to evaluate the complainant’s job performance, leading to an allegation that the employer was unlawfully processing personal data. The employer had a CCTV policy in place which stated that the footage was only used for security and safety purposes.
The DPC determined that using the video recordings to evaluate employees was secondary processing that was incompatible with the original purpose for collecting the data (i.e., security and safety). The employer revised its CCTV policy and now only reviews the footage in the event of a security incident or accident.
At a workplace social event hosted at a bar, the complainant allegedly assaulted another person. The bar manager reported the incident to police, and provided CCTV footage of the incident to the police upon request. The complainant’s employer also requested (and received) a copy of the footage. The complainant alleged that the bar had unlawfully disclosed his personal data.
The DPC determined it was lawful for the bar to disclose the footage both to the police and the complainant’s employer. The bar had a legitimate interest in protecting the welfare of its employees and patrons, and the complainant’s employer had a legitimate interest in investigating dangerous behavior at a sponsored work event.
Even for those businesses that are prepared for GDPR compliance, simple human error can still lead to a violation.
A person lodged a complaint against their former employer for adding their personal email address to the CC line of a group email, claiming that this was an unlawful disclosure of personal data.
The DPC agreed that this was a data breach under the GDPR, though it identified the cause as human error rather than systemic deficiencies.
A Pinterest user’s account was suspended due to suspected spam activity. The user appealed Pinterest’s decision and simultaneously submitted access and erasure requests for their personal data. The user’s correspondence was sent to Pinterest’s spam operations team, which ultimately re-activated the account but failed to take action on the privacy requests.
The DPC determined that Pinterest had violated the complainant’s rights by ignoring their access and erasure requests, emphasizing that a simple error like forwarding an email to the wrong department can lead to complaints and investigation.
The complainant’s family was on vacation at a leisure facility, where staff repeatedly asked them for their booking information in order to access restaurants and activities areas. The complainant was not given a choice to object to this processing, and access to the facility was conditioned on providing the information.
Upon investigation by the DPC, the data controller stated that the information was used to better understand how guests used the facility, and that a “training gap” had led staff to think that guests were required to provide their booking information in order to have access to all areas. The data controller agreed to retrain its staff in order to address the situation.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.
