Highlights from the Data Protection Commission's 2021 GDPR Report

On February 24th, the Data Protection Commission (DPC) in Ireland published its Annual Report under the General Data Protection Regulation (GDPR).

This marks the third report produced by the DPC since the implementation of GDPR on May 25th, 2018.

Some of the key highlights from this report which outlines the work completed by the Data Protection Commission throughout 2021 are:

• 10,888 queries and complaints were received. A 7% increase on figures from 2020 (10,151) and a 36% increase on the 2019 figures (7,215).
• 6,549 valid data breach notifications. This was down by 2% on 2020 figures.
• 71% of reports are due to unauthorised disclosure. A reduction of 15% on the previous year.
• 81 statutory inquiries, including 30 cross border inquiries, compared to 83 statutory enquiries and 27 cross-border enquiries in 2020.
• 7,081 queries and 3,564 complaints were concluded by the DPC in 2021.
• The DPC’s staff numbers increased to 190 in 2021, compared to 145 in 2020. In addition, their budget increased from €16.9 million in 2020 to €19.1 million in 2021.
  
  

Top 5 Complaints Received Under GDPR

Complaint Type	No. of Complaints	% of Total
Access Request	1,232	42%
Fair Processing	560	19%
Disclosure	291	10%
Right to Erasure	263	9%
Direct Marketing	128	4%

Top Inquiries of 2021

Throughout 2021, the DPC completed 5 large scale enquiries:

WhatsApp

The DPC imposed a fine of €225 million on WhatApp for failures relating to its’ provision of information and transparency for both users and non-users of the app.

Irish Credit Bureau (ICB)

The breach of GDPR related to a code change to its database that created a technical error.

Due to the error, the ICB database inaccurately updated the records of 15,120 closed accounts. This caused the bureau to disclose the information of 1,062 inaccurate account records to financial institutions as part of their credit checks.

The DPC found that the inaccuracy was an infringement on Article 25(1)(Data Protection by Design and Default). The DPC noted that the company failed to implement the appropriate organisational and technical measures designed to implement the principle of accuracy to protect the rights of the data subjects.

As a result, the DPC imposed an administrative fine of €90,000 on the company and issued them with a reprimand in respect to the infringements.

MOVE Ireland

The breach of GDPR in this case related to the loss of 18 SD cards that may have contained information on group sessions in which attendees discussed their behaviour and attitudes towards domestic violence with a programme facilitator.

The DPC found that MOVE infringed on GDPRs Article 5(1)f(Principles relating to the processing of personal data) and 32(1) (Security of processing).

The DPC imposed an administrative fine on MOVE for €1,500 in respect of the infringements.

Limerick City and County Council

The DPC investigated a breach that involved the installation of more than 250 cameras with no lawful basis. The cameras were said to be used for a purpose other than intended and had advanced technology installed including automatic number plate recognition (ANPR).

The DPC found that Limerick City and County Council failed to comply with GDPR on several instances including:

• Article 15 (Right of access by the data subject) - Subject access requests concerning the CCTV camera footage were rejected.
• Article 13 (Information to be provided where personal data are collected from the data subject) - Failure to erect signage in regards to its CCTV processing operations.
• Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject) - Failure to make certain that the CCTV policy was easily accessible and transparent.

In respect to the breach, the DPC imposed an administrative fine of €110,000 and the Council was reprimanded by the DPC in respect of the infringements.

The Teaching Council

A fine was imposed on the Teaching Council for a data breach that exposed the personal information of over 9,700 people.

The breach occurred due to a phishing email that was opened by two staff members which facilitated the creation of an auto-forward rule. The rule allowed emails to be forwarded from the council’s servers to a malicious Gmail address.

The result of the phishing scam caused the council to infringe on Article 5(1)(Principles relating to the processing of personal data), Article 32(1) (Security of processing) and Article 33(1) (Notification of a personal data breach to the supervisory authority).

The DPC imposed an administrative fine on the Council for €60,000, reprimanded the Council and ordered them to bring its processing operations into compliance with Articles 5(1)(f) and 32(1) of the GDPR.

Fundamentals for Child-Oriented Approach to Data Protection

Towards the end of 2021, the DPC published its finalised Fundamentals for Child-Oriented Approach to Data Processing.

The document outlines the principle and recommended measures that will enhance the level of protection to children's information in terms of processing their data both on and offline.

Additionally, the fundamentals outline an organisation's obligations under GDPR and clarify the main principles organisations should follow.

Regulatory Strategy 2022 - 2027

The DPC also published their 5-year Regulatory Strategy for 2022 - 2027.

The document provides clarity on the direction of regulatory priorities of the Data Protection Commission over the next 5 years. It includes areas such as the evolution of data protection law, regulation and culture.

If you have any questions on GDPR, or would like to learn more about how the information detailed in the report may affect your organisation, do get in touch.