Annual Report · 2020-02-19

Annual Report 1 January — 31 December 2019




Table of Contents

Foreword ... 6
Roles and Responsibilities ... 10
Review of 2019 ... 12
Information and Assessment ... 16
Complaints ... 18
Breaches ... 34
Inquiries ... 38
Legal Affairs ... 52
Supervision ... 56
Data Protection Officers ... 62
International Activities ... 64
Processing Children’s Personal Data ... 68
Communications ... 70
Key DPC Projects ... 74
Corporate Affairs ... 76

APPENDICES

Appendix 1: Court of Justice of the European Union (CJEU) Case Law ... 81
Appendix 2: Litigation concerning Standard Contractual Clauses ... 89
Appendix 3: Investigation by the DPC into the processing of personal data by DEASP in relation to the Public Services Card ... 93
Appendix 4: Statement of Internal Controls in Respect of the DPC for the period 1 January 2019 to 31 December 2019 ... 95
Appendix 5: Report on Protected Disclosures received by the Data Protection Commission in 2019 ... 97
Appendix 6: Financial Statements for the Year 1 January to 31 December 2019 ... 98


Foreword


First full year of GDPR

2019 was the first year I heard multiple data protection legal practices say they had found it necessary to hire full-time staff solely to monitor case law and legal developments, such has been the pick-up in developments. If data protection had a big moment in 2018, it has now clearly moved to being an established fixture of public consciousness. From a range of important EU developments including instructive CJEU judgments (such as Fashion ID and Planet49) and the Advocate General’s opinion on the SCCs data transfer litigation, to the world’s largest data privacy financial penalty (the $5bn imposed by the FTC on Facebook), it wasn’t a year that was short on big news.

Away from the higher profile headlines, it’s been the first full calendar year of the operation of the GDPR and the Law Enforcement Directive and many organisations have been quietly getting on with embedding more accountable data practices across their organisations. In Ireland, 1,500 data protection officers (DPOs) have been notified to the DPC and they are engaged daily within public sector and large data processing organisations ensuring data subjects’ rights are considered in all projects. DPOs tell us they are keen for more resources and support from the DPC and the DPC will host its first DPO Network conference in Dublin in March 2020. Calls for the provision of more guidance from data protection authorities (DPAs) have been something of a theme during 2019. In June, I participated in a useful stock-taking event in Brussels organised by the EU Commission to mark one year of GDPR and a key takeaway was that across Europe, smaller SMEs are asking for more help to identify reasonable and appropriate implementation measures and for more of a sectoral focus with guidance. The DPC is now engaged in an EU-funded project on awareness raising for SMEs, in cooperation with the Croatian Data Protection Authority, which will assist in driving this forward.

Quantity and Quality

Volume was a key word for the DPC in this first full year of GDPR. Page 71 of this report details the record levels of general guidance the DPC issued to help interpretation of the new law. Page 19 details the volume of complaints lodged with us and the number of individual complaints resolved by the office. At least 40% of our resources are devoted to the handling of individual complaints (as opposed to large-scale and more systemic investigations). The larger-scale inquiries are detailed on page 40 and also consume considerable resources. Page 65 shows the amount of travel and international commitment the DPC makes servicing European Data Protection Board meetings in Brussels (87 meetings in 2019) and engaging with global counterparts to find real-world solutions to long entrenched data protection challenges (for example, how to deliver sufficient transparency to users while also being concise). Breaches notified and individually dealt with by the DPC are set out on page 36. Media queries responded to and media, conference and parliamentary committee engagements are detailed on page 71. With automated personal data processing in particular now as ubiquitous as blinking and, with hundreds of thousands of processing entities under the supervision of each DPA, the volume of activity is only going to grow.

Disputes between employees and employers or former employers remain a significant theme of the complaints lodged with the DPC, with the battle often staged around a disputed access request. Litigation by individuals against DPC decisions that their data protection rights were not in fact breached at all makes up a significant proportion of the litigation the DPC is subject to in the courts today. This is undoubtedly driven by the fact that neither the Workplace Relations Commission nor the Labour Court can order discovery in employment claims, which makes reliance on access requests as adjudicated on by the DPC central to many of these cases. Telcos and banks remain among the most complained about sectors to the DPC, with complaints essentially focussing on account administration and charges. Given these are heavily regulated sectors in Ireland, it is disappointing that more of what are at their core consumer protection issues cannot be sorted out within those sectors, without the need for consumers to lodge complaints with the DPC as a means of being heard. Complaints against internet platforms have also grown in volume, with the main issues centring around management of individuals’ accounts and in particular their rights to data erasure when they leave a platform.

In preparation for our pending 5-year regulatory strategy for 2020 to 2025, the DPC engaged in 2019 in focus groups with the public to establish their awareness and expectations of the data protection authority. Key findings are that many people feel confused about their rights with regard to their personal data and would welcome more worked-through scenarios from the DPC, to better understand their application in the real world. The DPC intends to increase its efforts to produce more case studies and to draw out the lessons from a consumer point of view, as well as that of the controller. What is really encouraging is that people are broadly aware of their rights under GDPR and keen to know how to exercise them.

E-privacy prosecutions for direct marketing offences were pursued rigorously by the office in 2019 and are detailed on page 28. In the meantime, the EU legislature continues to try to conclude a modernised e-privacy regulation to harmonise EU laws on privacy of communications, cookies and direct marketing.

The DPC also completed its consultation on children’s personal data and is now preparing to publish guiding principles for controllers. Throughout 2019, the DPC engaged heavily with expert stakeholders in the area of children’s digital rights and will continue to work with these parties as we encourage big tech platforms to sign up to a code of conduct on children’s data processing.


Creating a larger team and driving forward

To manage the increased volumes of work, the DPC has continued to hire additional staff, increasing our staff numbers from 110 at the start of the year to 140 at the end of 2019. Regulatory lawyers, legal researchers, investigators and technologists all joined the DPC team last year. The ongoing dialogue the DPC maintains with the broad and international community on data protection matters remains an important facet of our role in driving better solutions to both old and newly emerging data protection challenges. In 2019, the DPC was honoured to have been visited by the Commissioners from New Zealand, Australia, Iceland, and the UK, as well as teams of staff from the Swedish, Dutch, Icelandic, Luxembourg and Regional German DPAs. In addition, the DPC hosted study visits by a group of US Congress staffers studying lessons from the GDPR in the context of a potential US Federal Privacy Bill and Californian State Senators examining the issues of technology and data protection.

In 2019, the DPC concluded its first investigation and decision under the new Irish Data Protection Act 2018 (the 2018 Act) and specifically under its provisions that transpose the Law Enforcement Directive. The case concerned the deployment of CCTV and Automatic Number Plate Recognition by An Garda Síochána and a range of corrective powers were exercised by the DPC to drive compliance. A number of other linked investigations into the deployment of surveillance technologies by Local Authorities in Ireland are underway and once the first of these concludes, the DPC intends to publish guidance based on the findings to better ensure all State authorities understand the requirements of the 2018 Act and that the public understand how their rights are protected.

The DPC concluded a detailed investigation into the personal data processing elements of Ireland’s national Public Services Card and published its findings in August 2019. These included a finding that there is no lawful basis for the mandating of registration for a Public Services Card by organisations other than by the Department of Employment Affairs and Social Protection when issuing welfare payments. The Department rejected the DPC’s findings. The DPC issued an Enforcement Notice and an appeal by the Department to the Circuit Court was lodged before the end of 2019.

A number of other appeals were heard in challenges to decisions of the DPC during 2019 and the decision of the DPC was upheld in each case, as detailed on page 53.

Investigations into big tech companies continued to progress in 2019 with the first two inquiries moving from the investigative stage to the decision-making phase. Much has been made of the fact that across the EU only three relatively minor cross-border cases have so far resulted in fines, and very modest in size at that, since 25th May 2018 up to the end of 2019. A new legal framework and one that contemplates very significant penalties, not to mention legal novelty in terms of the ‘cooperation and consistency’ provisions set down, is always going to take time to implement correctly. But have no doubt that intensive work is underway. We currently have: 30 live litigation cases as of the end of 2019; a large-scale and complex investigation into Facebook’s transfers of personal data; an appealed Enforcement Notice by the Department of Employment Affairs and Social Protection in Ireland regarding the Public Services Card; further pending e-privacy prosecutions; new corrective powers under the 2018 Act exercised with certain controllers; progress and resolution of thousands of complaints resolved through driving compliance with controllers in 2019. There is certainly no shortage of commitment and capability at the Irish DPC. But equally there is a keen awareness of the legal requirement to apply fair procedures and what it takes to bring cases over the line and the DPC remains focussed on this job. As we have consistently said, there would be little benefit in mass producing decisions only to have them overturned by the courts. When EU competition law rules were first introduced in 1962, it was a further number of years before the first significant decision in the Grundig case issued and a number of years beyond that again before the first fine was issued. Equally, EU competition investigations (and I mention competition law because the fining regime in the GDPR is based on EU competition law) on average take a number of years to complete.

As a responsible regulatory body, we are wary of demands for quick-fix solutions and calls for the summary imposition of heavy penalties on organisations for data protection infringements, at least some of which may be based on the application of principles on which there is not always consensus. While acknowledging that the administrative fines mechanism represents an important element of the drive toward the kind of meaningful accountability heralded by the GDPR, we must also recognise that, like any other part of our laws, data protection principles operate within a broader legal context and so, for example, the application and enforcement of such principles by a statutory regulator will always be subject to the due process requirements mandated by our constitutional laws and by EU law. These are constraints that cannot (and should not) be set to one side in some arbitrary fashion or for the sake of expediency.


Brexit

Preparations for “Brexit” have been a considerable body of work for the DPC in 2019 given the implications for what would become restricted personal data transfers to a non-EU country. The DPC issued guidance to help organisations to prepare for both “deal” and “no-deal” scenarios, gave talks at a large number of sectoral events on the issues, provided feedback and direction to a number of government departments and agencies on legal arrangements to cover a no-deal scenario and dealt with a range of organisations seeking to create a main establishment and arrange oversight of their Binding Corporate Rules in Ireland rather than the UK.

Sad goodbyes

No look-back at 2019 could avoid the sad reminder of the passing of the then European Data Protection Supervisor, Giovanni Buttarelli, in August 2019. The enormous tributes paid to him recognise that he was a giant of a person and a giant of a leader in our community and he is very much missed. Expert counsel for the DPC in many appeal, judicial review and CJEU reference matters, Paul Anthony McDermott, very sadly also passed away in December 2019 and his outstanding achievements and contribution have been rightly well documented in Ireland. Closer to home, an esteemed colleague at the DPC in Ireland, Mark Mullin, passed away during the summer of 2019 and his exceptional contribution, work ethic and fun personality are missed by all of us at the DPC.

Outlook 2020

I am privileged to work with a team that are genuinely excited about the work the DPC does, what we are currently delivering and what we will deliver in the future. These are professionals who work for the DPC because they believe deeply in data protection rights. 2020 is going to be an important year. We await the judgment of the CJEU in the SCCs data transfer case; the first draft decisions on big tech investigations will be brought by the DPC through the consultation process with other EU data protection authorities, and academics and the media will continue the outstanding work they are doing in shining a spotlight on poor personal data practices. The DPC hopes it can create the space to move off “first principles” of GDPR (lawful basis, controller/processor) and really move into the meat of “data protection by design”, to ensure the next generation of technologies we all use does not suffer from the problems we sleep-walked into over the last two decades. We aim by the end of 2020 to have facilitated the progression of big tech towards a code of conduct to better protect children online. The drive in the US to implement more and more privacy legislation is a sign that “enough is now enough” in terms of tolerating unnecessarily privacy invasive data practices and technologies. The Irish DPC is going to continue to be part of the solution using its full range of powers and to contribute to the dialogue and the harnessing of expertise from all quarters to find a better pathway forward.

Helen Dixon
Commissioner for Data Protection


1 Roles and Responsibilities


This is the second annual report of the Data Protection Commission. It has been prepared in accordance with Section 24 of the Data Protection Act 2018 and covers the period from 01 January 2019 to 31 December 2019.

Functions of the DPC

The DPC is the national independent authority in Ireland responsible for upholding the fundamental right of individuals in the European Union (EU) to have their personal data protected. Accordingly, the DPC is the Irish supervisory authority responsible for monitoring the application of the GDPR (Regulation (EU) 2016/679).

The core functions of the DPC, under the GDPR and the Data Protection Act 2018, which gives further effect to the GDPR in Ireland, include:

• driving improved compliance with data protection legislation by controllers and processors of personal data;

• handling complaints from individuals in relation to the potential infringement of their data protection rights;

• conducting inquiries and investigations regarding potential infringements of data protection legislation;

• promoting awareness among organisations and the public of the risks, rules, safeguards and rights in relation to processing of personal data; and

• co-operating with data protection authorities in other EU member states on issues, such as complaints and alleged infringements involving cross-border processing.

The DPC also acts as supervisory authority for personal-data processing under several additional legal frameworks. These include the Law Enforcement Directive (Directive 2016/680, as transposed in Ireland under the Data Protection Act 2018) which applies to the processing of personal data by bodies with law-enforcement functions in the context of the prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties. The DPC also performs certain supervisory and enforcement functions in relation to the processing of personal data in the context of electronic communications under the e-Privacy Regulations (S.I. No. 336 of 2011).

Although the DPC regulates under the GDPR and Data Protection Act 2018 in respect of the majority of (non-law enforcement) personal data processing operations carried out from 25 May 2018 onwards, it continues to perform its regulatory functions under the Data Protection Acts 1988 and 2003 in respect of complaints and investigations into potential infringements that relate to the period before 25 May 2018, as well as in relation to complaints and potential infringements that relate to certain limited other categories of processing, irrespective of whether that processing occurred before or after 25 May 2018.

In addition to specific data protection legislation, there are in the region of 20 more pieces of legislation, spanning a variety of sectoral areas, concerning the processing of personal data, where the DPC must perform a particular supervisory function assigned to it under that legislation.

DPC’s Senior Team

The DPC’s Senior Management Committee (SMC) comprises the Commissioner for Data Protection and the seven Deputy Commissioners. The Commissioner and members of the SMC oversee the proper management and governance of the organisation, in line with the principles set out in the Code of Practice for the Governance of State Bodies (2016). The SMC has a formal schedule of matters for consideration and decision, as appropriate, to ensure effective oversight and control of the organisation.

Our SMC comprises:

• Ms Helen Dixon (Commissioner for Data Protection);

• Ms Anna Morgan (Deputy Commissioner — Head of Legal);

• Mr Colum Walsh (Deputy Commissioner — Head of Regulatory Activity);

• Mr Dale Sunderland (Deputy Commissioner — Head of Regulatory Activity);

• Mr Graham Doyle (Deputy Commissioner — Head of Corporate Affairs, Media & Communications);

• Ms Jennifer O’Sullivan (Deputy Commissioner — Head of Strategy, Operations & International);

• Mr John O’Dwyer (Deputy Commissioner — Head of Regulatory Activity); and

• Mr Tony Delaney (Deputy Commissioner — Head of Regulatory Activity).

Funding and Administration

The DPC is funded entirely from the Exchequer, to fulfil its mandate as the independent supervisory body in Ireland for the upholding of data protection rights. In 2019, the DPC welcomed an increased budget allocation of €3.5 million, bringing its total allocation to €15.2 million for the year and this allocation of funding was provided on a full-year basis. The increased funding for the year enabled the DPC to continue to grow its staff complement, from 110 at the start of the year to 140 at 31 December 2019.

The DPC is preparing its financial statements for 2019. The Financial Statement in respect of the period covered by this report will be appended following the conduct of an audit by the Comptroller and Auditor General.


2 Review of 2019



• Total Complaints received was 7,215, with the largest single category being “Access Rights”, counting for 29% of total complaints received.

• 6,904 complaints were dealt with under GDPR and 311 complaints under the Data Protection Acts 1988 and 2003.


• Of the 6,904 GDPR-related complaints received, 1,252 complaints were actively being assessed on 31 December 2019, 1,098 complaints had proceeded to complaint-handling and 4,554 had been concluded.

• 5,496 complaints in total were concluded in 2019 and the DPC had 2,582 complaints on hand at year-end.

• 620 complaints were also concluded under the Data Protection Acts 1988 and 2003.


• The DPC issued 29 Section 10 statutory decisions under the Data Protection Acts 1988 & 2003. Of these, 13 fully upheld the complaint, 7 rejected the complaint and 9 partially upheld the complaint.

• 165 new complaints were investigated under S.I. 336 of 2011 in respect of various forms of electronic direct marketing: 77 related to email marketing; 81 related to SMS (text message) marketing; and 7 related to telephone marketing.

• A number of these investigations concluded with successful District Court prosecutions by the DPC. Prosecutions were concluded against 4 entities in respect of a total of 9 offences under the E-Privacy Regulations.


• 457 cross-border processing complaints were received by the DPC through the One-Stop-Shop mechanism that were lodged by individuals with other EU data protection authorities.

• 207 data-breach complaints were handled by the DPC from affected individuals.

• 6,069 valid data security breaches were recorded, with the largest single category being “Unauthorised Disclosures”.

• Information and Assessment received almost 48,500 contacts comprising approximately 22,300 emails, 22,200 telephone calls and almost 4,000 items of correspondence via post.

• 6 statutory inquiries were opened in relation to multinational technology companies’ compliance with the GDPR, bringing the total number to 21.

• The number of general consultation queries received was 1,420.



• The DPC was lead reviewer in 19 Binding Corporate Rules (BCRs) applications.

• DPC staff spoke or presented at over 180 events, including conferences, seminars, and presentations to individual organisations from a broad range of sectors.

• The DPC expanded its social media activities across Twitter, LinkedIn and Instagram, and at year-end had a combined followership of over 20,000 and an organic monthly reach in the hundreds of thousands.

• The DPC carried out an extensive consultation on the processing of children’s personal data, yielding 80 responses, and the results of that consultation will feed into the development of guidance on processing children’s data, which is a DPC priority for 2020.

• Work on the DPC’s new Regulatory Strategy continued with a consultation document on the DPC’s Target Out-comes and focus groups with individuals.

• The DPC published its findings on certain aspects of the Public Services Card (“PSC”) following a lengthy investigation. The published findings were targeted at two key issues, namely the legal basis under which personal data is processed and transparency.

• An appeal to the Dublin Circuit Court against the enforcement notice was issued in late 2019 by the Minister for Employment Affairs and Social Protection and this appeal is listed to come before the Court for the first time in March 2020.

• The DPC received 712 Data Protection Officer notifications, bringing the number to 1,596.


3 Information and Assessment


A key objective of the DPC is to provide a responsive and high-quality information service to individuals and organisations regarding their rights and responsibilities under data protection legislation.

Information and Assessment at the DPC provides a public-information helpdesk service, and receives and responds to queries from individuals and organisations by means of email, online form or telephone. In addition, it carries out early-stage assessment, determining whether a communication needs to be escalated within the DPC and the most appropriate route for doing so.

Responding to Queries and Complaints

In the first full calendar year of the GDPR, the DPC continued to deal with a significant number of contacts from individuals and organisations. In 2019, the DPC received almost 48,500 contacts comprising approximately 22,300 emails, 22,200 telephone calls and almost 4,000 items of correspondence via post.

In order to provide an efficient service, the DPC continues to look at its processes with a view to delivering greater efficiencies for all users. Enhancing the quality and responsiveness of the service provided by the DPC will continue to be a priority in 2020.

Emerging Trends and Patterns

The DPC, through analysis of the issues brought to its attention, also identifies emerging trends and patterns that are of concern to individuals and organisations. This helps the DPC to focus its external communications on the most pertinent issues and will help guide the DPC’s communications throughout 2020.

Topics of particular interest where the DPC provided support to individuals during the year included:

• individual concerns relating to the role and use of the Public Services Card;

• the use of CCTV — particularly in the context of neigh-bour disputes and the application of the domestic exemption;

• access requests on behalf of children — queries from both individuals and organisations seeking clarifica-tion as to how they should respond accurately, appro-priately and in the child’s best interests;

• where is my data? — requests relating to medical practices that have closed (often where a practitioner has died) and patients are unable to establish who is now in control of their personal data;

• HR/employment disputes — specifically workplace surveillance but also concerns about sharing of information in the context of those disputes and the redaction of third party data in response to employee access requests;

• exam Information — in particular queries relating to examiner’s notes; and

• photography — Particularly as it relates to consent, publication and artistic exemptions.


Complaints


How Complaints are Handled

Since the application of the GDPR, the DPC has seen a significant increase in the number of complaints received. This trend continued in the first full calendar year of the application of the GDPR. In 2019, 7,215 complaints were received by the DPC.

The DPC processes complaints received under two main legal frameworks during this period:

• complaints received from 25 May 2018 onwards are dealt with under the GDPR, the Law Enforcement Directive (LED), and the provisions of the Data Protection Act 2018; and

• complaints and infringements occurring before 25 May 2018 are dealt with under the Data Protection Acts 1988 and 2003.

The term “complaint” has a very specific meaning under the GDPR (and the LED) and the provisions of the Data Protection Act 2018 that implement those laws.

For a communication to constitute a complaint — and therefore trigger the DPC’s particular statutory complaint-handling obligations — it must fall under one of the following categories:

• a complaint from an individual relating to the processing of their own personal data;

• a legally authorised entity complaining on behalf of an individual; and

• advocacy groups acting as permitted within the parameters laid out in the GDPR, LED and the Data Protection Act 2018.

During the complaint-handling process the DPC has an obligation to provide the complainant with progress updates and ultimately inform the individual of the outcome of the complaint. The DPC issues updates to complainants every three months in accordance with its obligations.

Of the 7,215 complaints received by the DPC, 6,904 were GDPR complaints, while 311 were complaints handled under the Data Protection Acts 1988 and 2003.

As in previous years, Access Requests was the largest category of complaint received by the DPC in 2019 (29%), though its share of overall complaints is dropping. Complaints relating to Unfair Processing of Data (16%) and Disclosure (19%) were also once again received in high volumes.

In 2019, the Commissioner issued 29 decisions under the Data Protection Acts 1988 & 2003. Of these, 13 fully upheld the complaint, 7 rejected the complaint and 9 partially upheld the complaint.

Complaints received under the GDPR

Complaints Received During 2019 — Top 5 Categories of Complaints

Category                  No      % of total
Access Request            1,971   29%
Disclosure                1,320   19%
Fair Processing           1,074   16%
e-Marketing Complaints      532    8%
Right to Erasure            353    5%

Note: the top five categories represent 76% of total complaints received.

Complaints received under the 1988 & 2003 Acts

Complaints Received During 2019 — Top 5 Categories of Complaints

Category                  No      % of total
Access Request             93     30%
Fair Processing            87     28%
Disclosure                 57     18%
Fair Obtaining             13      4%
Specified Purpose           9      3%

Note: the top five categories represent 83% of total complaints received.

[Chart: Complaints received 2014–2019, one bar per year from 2014 to 2019; the vertical axis runs from 0 to 8,000 complaints. Individual bar values are not recoverable from the text.]


Complaint case studies under the Data Protection Act 2018

CASE STUDY 1 Right to rectification request to a healthcare group (Applicable Law — GDPR & Data Protection Act 2018)

We received a complaint against a healthcare group arising from its refusal of a request for rectification under Article 16 of the GDPR. The complainant alleged that the healthcare group was incorrectly spelling his name on its computer system by not including the síneadh fada, an accent that forms part of the written Irish language.

Hospitals under the administration of this healthcare group use a patient administration system (PAS) to initially record patient data, which is then shared with other systems at later points of patient care, i.e. Laboratory, Radiology and Cardiology. The healthcare group informed the complainant that it is not possible to record the síneadh fada because syntax characters are recorded as commands on the PAS, impacting on the way data is stored and processed.

The healthcare group informed the DPC that the patient administration system is due to be replaced in 2019/2020. However, the group’s new system will not allow for the use of the síneadh fada. The healthcare group informed the DPC this was for the purpose of enabling a streamlined single point of contact for patient information across different systems. This would enable professionals to access this information across different units within a hospital or hospital group without re-entering the data at a later point, thereby avoiding potential for later errors. The other systems across the current healthcare group network and/or wider hospital network do not support the use of the síneadh fada. The healthcare group further advised the DPC that they identify patients with Patient ID numbers rather than isolated names.

The DPC examined this submission and concluded that any update of the computer system would involve significant costs and time, along with errors in storage and matching of records. The DPC also engaged with An Coimisinéir Teanga (Irish Language Regulator) about its advice to public sector organisations with respect to computer systems supporting the síneadh fada. An Coimisinéir Teanga advised there is no such obligation arising from the Official Languages Act 2003 but such an obligation can arise from a language scheme — an agreement put in place between a public body and the Minister for Culture, Heritage and the Gaeltacht.

The DPC queried the healthcare group on the existence of a language scheme and was provided a copy. This scheme sets out a respect for patient choices regarding names, addresses and their language of choice. The scheme also provides a commitment to update computer systems to achieve “language compliancy”. There is no timeframe provided for the fulfilment of this commitment in the language scheme.

The healthcare group advised the DPC they are committed to patient safety as a primary, core concern and further advised the DPC of the difficulties associated with sharing and storing information across other systems if they updated their system to allow for the use of the síneadh fada. They also advised that they will be testing the possibility of using the síneadh fada in any update of their computer system.

The DPC had regard to Article 16 and Article 5(1)(d) of the GDPR in examining this complaint. Both articles set out the rights of individuals subject to “the purposes of the processing”. The right to rectification under Article 16 of the GDPR is not an absolute right. Organisations that control or process personal data are required to take reasonable steps in the circumstances. The DPC had regard to case law from the European Court of Human Rights on linguistic rights and/or naming. This case law reflects that the spelling of names falls under the ambit of Article 8 of the European Convention on Human Rights but that the Court adopts a restrictive approach in this regard. As such, the DPC reiterated that the purpose of the processing in the circumstances of the complaint was the administration of health care to the complainant and involved the use of Patient ID numbers. The name of the complainant was not the isolated means of identification and therefore the purpose of the processing is being achieved without the use of diacritical marks.

The DPC had regard to any risks to the complainant in the refusal of their Article 16 request also. The DPC noted the risk to the complainant would increase because of the difficulties associated with cross-system handling of the síneadh fada and the impact this would have on any health care decision making for the individual. In the circumstances, the non-use of the síneadh fada would not constitute an interference with the fundamental rights of the individual.

Under section 109(5)(f) of the Data Protection Act 2018 (the 2018 Act), the DPC requested the healthcare group to inform the complainant of its actions in the implementation of a computer system enabled to reflect the síneadh fada. Also, the DPC requested that the group add an addendum to the individual’s file to show that the síneadh fada forms part of the individual’s name.

The DPC, under section 109(5)(c) of the 2018 Act, advised the complainant that he may contact An Coimisinéir Teanga about the language scheme and any contravention of same.
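The technical claim at the centre of Case Study 1 is that the PAS cannot carry the síneadh fada because accented characters are treated as commands, and that downstream systems could not match records if it did. Neither obstacle requires dropping the diacritic from the record of truth: a store that interprets characters in a name field as commands has an input-handling defect independent of the fada, and cross-system matching can be done on a derived, accent-folded key alongside the Patient ID. The example below is added here to illustrate that approach; it is not code from the healthcare group or the DPC, and the patient names and IDs in it are constructed. It keeps the canonical name in Unicode NFC form and derives an ASCII-only match key with NFD decomposition and combining-mark removal, so a legacy feed that spells the name without accents still reconciles.

```python
import unicodedata


def canonical_name(name: str) -> str:
    """Canonical spelling for the record of truth.

    NFC composes "a" + U+0301 into the single code point U+00E1, so the
    stored form is the same however the name was typed.
    """
    return unicodedata.normalize("NFC", name.strip())


def folded_key(name: str) -> str:
    """Accent-folded, case-folded key for matching against systems that
    cannot store diacritics.

    NFD decomposes each accented letter into the base letter plus a
    combining mark; dropping the marks leaves the plain ASCII letter.
    """
    decomposed = unicodedata.normalize("NFD", name)
    without_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(without_marks.casefold().split())


def same_name(a: str, b: str) -> bool:
    """True when two spellings agree once accents and case are ignored."""
    return folded_key(a) == folded_key(b)


def make_record(patient_id: str, name: str) -> dict:
    """A patient record that keeps the fada and carries its own match key."""
    return {
        "patient_id": patient_id,
        "name": canonical_name(name),
        "match_key": folded_key(name),
    }


def find_match(records: list, patient_id: str, legacy_name: str):
    """Reconcile a legacy feed row (ID plus accent-less name) with the
    canonical records: match on Patient ID first, then require the folded
    spelling to agree as a cross-check. Returns None on any mismatch.
    """
    for rec in records:
        if rec["patient_id"] == patient_id:
            return rec if rec["match_key"] == folded_key(legacy_name) else None
    return None


# Constructed sample data (hypothetical patient, not from the report).
RECORDS = [make_record("P-000123", "Seán Ó Briain")]
LEGACY_ROW = ("P-000123", "SEAN O BRIAIN")   # what an accent-less system would send back

if __name__ == "__main__":
    match = find_match(RECORDS, *LEGACY_ROW)
    print("canonical:", match["name"], "| match key:", match["match_key"])
```

The canonical field is what the patient sees and what the Article 16 request concerns; the match key is what the Laboratory or Radiology interface is given. Nothing in the downstream systems has to change for the record of truth to be correct.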


Complaint case studies under the Data Protection Acts 1988 & 2003

CASE STUDY 2 Unauthorised disclosure of mobile phone e-billing records, containing personal data, by a telecommunications company, to the data subject’s former employer (Applicable law: Data Protection Acts 1988 and 2003 (“the Acts”))

Background

The complainant, during a previous employment, asked the telecommunications company to link her personal mobile phone number to her (then) employer’s account. This enabled the complainant to avail of a discount associated with her (then) employer’s account. While this step resulted in the name on the complainant’s account changing to that of her (then) employer, the complainant’s home address remained associated with the account and the complainant remained responsible for payment of any bills.

Following termination of the employment relationship, the complainant contacted the telecommunications company to ask that it (i) restrict her former employer’s access to her mobile phone records; and (ii) separate the account from that of her former employer. Following this request, an account manager took a number of steps in the mistaken belief that this would result in the separation of the complainant’s account from that of her former employer. The complainant, however, became aware that, subsequent to her request, her former employer continued to access her account records. On foot of further inquiries from the complainant, the telecommunications company discovered its error and the complainant’s account was eventually separated from that of her former employer.

The complainant subsequently submitted a complaint to the telecommunications company. Having investigated the complaint, the company informed the complainant that it did not have a record of the original account restriction request. In the circumstances, the complainant referred a complaint to this office.

Investigation

During our investigation, the telecommunications company acknowledged that the initial action taken by its account manager was insufficient as it did not separate the complainant’s account from that of her former employer and neither did it prevent her former employer from accessing her e-billing records. The company further acknowledged that its records were incomplete when it investigated the complainant’s complaint. It confirmed, in this regard, that it had since located the complainant’s initial restriction/separation request.

The issues for determination, therefore, were whether the telecommunications company, as data controller:

1. implemented appropriate security measures, having regard to Sections 2(1)(d) and 2C(1) of the Acts, in order to protect the complainant’s personal data against unauthorised access by, and disclosure to, a third party (i.e. the complainant’s former employer); and

2. kept the complainant’s data accurate, complete and up to date, as required by Section 2(1)(b) of the Acts.

Appropriate Security Measures

This office found that the telecommunications company did not implement appropriate security measures to protect the complainant’s personal data from unauthorised access by, and disclosure to, her former employer. This was self-evident from the fact that the complainant’s former employer continued to access her e-billing records despite the initial actions taken by the telecommunications company.

This office further noted the obligation, set out in Section 2C(2) of the Acts, for a data controller to “… take all reasonable steps to ensure that — (a) persons employed by him or her … are aware of and comply with the relevant security measures aforesaid …”. This office found that the telecommunications company had not complied with its obligations in this regard. Again, this was self-evident from the fact that the account manager who initially actioned the complainant’s request was operating on the mistaken belief that the actions taken were sufficient to achieve separation of the complainant’s account from that of her former employer.

Accurate, complete and up to date

This office also considered the fact that, at the time when the complainant referred her complaint to the telecommunications company, the company could not locate her initial account restriction request. The result of this was that the outcome of the company’s own investigation into the individual’s complaint was incorrect. Accordingly, and notwithstanding the subsequent rectification of the position, this office found that the telecommunications company failed to comply with its obligations under Section 2(1)(b) of the Acts in circumstances where the complainant’s records, at the relevant time, were inaccurate, incomplete and not up to date.

Key Takeaways

The above case study highlights the fact that the obligation to keep personal data safe and secure is an ongoing one. Data controllers must ensure that they continuously monitor and assess the effectiveness of their security measures, taking account of the possibility that the circumstances or arrangements surrounding their data processing activities may change from time to time. In this case, the data controller failed to take the required action to reflect the change in circumstances that was notified to it by the complainant when she requested the restriction and separation of her account from that of her former employer. The case study further highlights the importance of effective training for employees in relation to any internal protocols.

CASE STUDY 3 Reliance on consent in the use of child’s photograph in the form of promotional material by a State Agency (Applicable law — Data Protection Acts 1988 and 2003)

We received a complaint from a parent in respect of their child. The parent had attended a festival organised by a state agency with their child, where a professional photographer took the child’s photograph. The following year the state agency used this photograph in promotional material. The child’s parent, while accepting that they had conversed with the photographer, had understood at the time of the photograph that they would be contacted prior to any use of the image.

During the investigation, the state agency indicated that they had relied upon consent pursuant to section 2A(1)(a) of the Acts as the photographer had obtained verbal permission from the child’s parent. However, the state agency also accepted that it was not clear to the child’s parent that the image would be used for media/PR purposes. The state agency further accepted that the parent was not adequately informed regarding the retention of the image. The DPC welcomed the state agency’s indications that it would immediately review their practices and procedures.

In conclusion, the DPC found that the state agency had not provided the child’s parent with adequate information in order to consent to the processing of the image used in promotional material.


CASE STUDY 4 Receivers and fair processing

We received a complaint against a private receiver who was appointed by a financial institution over the complainant’s property.

The complaint alleged infringements of the Acts on the basis that the receiver:

• was not registered as a controller pursuant to section 16 of the Acts;

• had no lawful basis for obtaining the complainant’s personal data from the financial institution;

• further processed personal data unlawfully by disclosing information to a company appointed by the receiver to manage the receivership (the receiver’s “managing agent”);

• opened a bank account in the complainant’s name;

• obtained the property ID and PIN from Revenue which gave the receiver access to the complainant’s personal online Revenue account; and

• insured the property in the complainant’s name.

Following an investigation pursuant to section 10 of the Acts, the DPC established that the receiver was appointed by the financial institution on foot of a Deed of Appointment of Receiver (DOA) which granted the receiver powers pursuant to the Conveyancing Act 1881, and pursuant to the mortgage deed between the complainant and the financial institution. On being appointed, the receiver wrote to the complainant informing them of their appointment as the receiver over the complainant’s property and provided a copy of the DOA. The receiver appointed a separate company as their managing agent to assist in the managing of the property. During the receivership, the receiver liaised with Revenue in order to pay any outstanding taxes on the property, such as the Local Property Tax (LPT). It was also established that the receiver opened a bank account for the purpose of managing the income from the property. The bank account name included the name of the complainant. It was further established that an insurance policy was taken out in respect of the property. This insurance policy referred to the complainant’s name.

The DPC first considered whether a receiver was required to register as a data controller in accordance with section 16 the Acts, and whether the exemptions listed in the Data Protection Act 1988 (Section 16(1)) Regulations 2007 (the “Registration Regulations”) applied. The DPC held that a receiver was not required to register, as the exemption under regulation 3(1)(g) of the Registration Regulations applied to the receiver. Regulation 3(1)(g) exempted data controllers who were processing data in relation to its customers. Having considered the relationship between the complainant and the receiver, the DPC held that the exemption applied in respect of the receiver’s activities regarding the complainant.

Next the DPC considered whether the receiver had a lawful basis for obtaining the personal data from the financial institution and disclosing it to the managing agent, and whether such processing constituted further processing incompatible with the original purpose for which it was obtained, pursuant to section 2(1)(c)(ii) of the Acts. The complainant had a mortgage with the financial institution which had fallen into arrears. Under section 19(1)(ii) of the Conveyancing Act 1881, the financial institution could appoint a receiver once the debt on the mortgage had come due. Section 2A(1)(b)(i) of the Acts permits processing of personal data where the processing is necessary “for the performance of a contract to which the data subject is party”. The mortgage deed was a contract between the data subject and the financial institution, and in circumstances where the terms of the contract were not being adhered to, the appointment of the receiver by the financial institution was necessary for the performance of the contract. The DPC held that the receiver had a lawful basis for obtaining the complainant’s personal data from the financial institution.

The DPC also found that the receiver had a lawful basis pursuant to section 2A(1)(b)(i) of the Acts to disclose personal data to its managing agent, to assist in the day-to-day managing of the receivership. The DPC found that the financial institution obtained the complainant’s personal data for the purposes of entering into a loan agreement. This was a specific, explicit and legitimate purpose. The disclosure of the complainant’s personal data by the financial institution to the receiver, and by the receiver to the managing agent, was in accordance with the initial purpose for which the personal data was obtained. This processing during the receivership did not constitute further processing pursuant to section 2(1)(c)(ii) of the Acts.

The DPC assessed whether the receiver had a lawful basis to open a bank account in the complainant’s name. The complainant submitted that this account was opened without their knowledge or consent. Consent is one of the lawful bases for processing personal data under the Acts. The DPC considered whether the receiver otherwise had a lawful basis for processing under section 2A(1)(d) of the Acts, on the basis of legitimate interests. To assess this lawful basis, the DPC took account of the Court of Justice of the European Union (CJEU) case in Rīgas, Case C-13/16 (Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’), which sets out a three-step test for processing on the basis of legitimate interests, as follows:


• the processing of personal data must be for the pursuit of a legitimate interest of the controller or a third party;

• the processing must be necessary for the purpose and legitimate interests pursued; and

• the fundamental rights and freedoms of the individual concerned do not take precedence.

The DPC held that the opening of the bank account was a reasonable measure to manage the income and expenditure during a receivership. The receiver submitted that referring to the complainant’s name as part of the bank account name was necessary to ensure the receivership was carried out efficiently and to avoid confusion between different receiverships. While it would have been possible to open an account without using the complainant’s name, the DPC took account of the CJEU’s judgment in Huber v Bundesrepublik Deutschland, Case C-524/06, where the Court held that processing could be considered necessary where it allowed the relevant objective to be more effectively achieved. The DPC held that the reference to the complainant’s name on the bank account was therefore necessary, as it allowed for the more effective pursuit of the receiver’s legitimate interests.

With regard to the third element of the legitimate interests test (which requires a balancing exercise, taking into account the fundamental rights and freedoms of the data subject), the DPC held that the reference to the complainant’s name on the account would have identified them to individuals who had access to the bank account or had been supplied with the bank account name. The DPC balanced these concerns against the administrative and financial costs which would result from the need for the receiver to implement an alternative procedure for naming accounts. On balance, the DPC did not find that the complainant’s fundamental rights took precedence over the legitimate interests of the receiver and, as a result, the receiver had a lawful basis for processing the complainant’s name for the purpose of the receiver’s legitimate interests.

With regard to the allegation that the receiver had gained access to the personal Revenue account of the complainant, the DPC found that the receiver did not gain access to the complainant’s personal online Revenue account as alleged. The receiver was acting as a tax agent in relation to the LPT and this did not allow access to a personal Revenue account. In relation to the insurance policy being taken out in the complainant’s name, the DPC held that the receiver did not process personal data in this instance. (The processing of personal data was considered in a similar case where the same complainant made a complaint against the managing agent in this case. In that decision the DPC held that the managing agent had a legitimate interest in processing the complainant’s personal data for the purposes of insuring the property.)

During the course of the investigation the DPC also examined whether the receiver had complied with the data protection principles under section 2 of the Acts. In this regard, the DPC examined the initial correspondence the receiver had sent to the complainant notifying them of their appointment. This correspondence consisted of a cover letter and a copy of the DOA. The cover letter and DOA were assessed in order to determine whether the receiver had met their obligation to process the personal data fairly. Section 2D of the Acts required an organisation in control of personal data to provide information on the identity of the data controller, information on the intended purposes for which the data may be processed, the categories of the data concerned, as well as any other information necessary to enable fair processing. The DPC held that the correspondence was sufficient in informing the complainant of the identity of the data controller (and original data controller). However, the DPC held that, while a receiver was not required to provide granular information on each purpose for which personal data was to be processed, the receiver should have given a broad outline of the purposes for which the personal data was intended to be processed, and this was not done in this case. It was also held that the receiver should have provided the categories of personal data they held in relation to the complainant, but this was not done. In light of this, the DPC held that the receiver had not complied with section 2D of the Acts.

This decision of the DPC demonstrates that private receivers and their agents may lawfully process personal data of borrowers, where such processing is necessary in order to manage and realise secured assets. Individuals should be aware that their information may be processed without their consent in circumstances where a deed of mortgage provides for the appointment of a receiver. At the same time, receivers must comply with their obligations under the Acts and the GDPR to provide individuals with information on processing at the outset of the receivership.

The decision is currently the subject of an appeal by the complainant to the Circuit Court.


Access Rights Complaints

During 2019, the DPC received 2,064 complaints relating to the right of access, a high proportion of which dealt with the failure of organisations in control of personal data to respond to an access request, or failure to release all the appropriate data on foot of an access request. In 2019 an increased number of complaints received were against banks and solicitors’ practices, as well as complaints concerning the failure of schools and sporting clubs to respond to access requests.

The GDPR broadens the extent of the subject access right compared with the previous legal framework, and this enhanced right was possibly evident in the increased level of applications to the State Examinations Commission in August 2019. An individual has a right to a copy of the personal data which the State Examinations Commission holds, and this right of access extends to examination scripts. Whereas previous legislation dealt with the right of access to exam results, Section 56 of the 2018 Act for the first time specifically addresses the right of access to scripts of examinations and results of appeal.

Although an important fundamental right, the right of access is not an absolute right. The GDPR prescribes a mechanism in Article 23 to permit the restriction of rights in particular and specific circumstances. This enables member states to introduce their own exemptions in national legislation. In Ireland this has been achieved through Section 60 of the 2018 Act.

Importantly, any restriction relied upon by controllers must respect the essence of the fundamental rights and freedoms and be a necessary and proportionate measure in a democratic society to safeguard important objectives of general public interest. This issue will be examined by the DPC in any case where exemptions are relied on.

In addition to the restrictions contained in Section 60, Article 15 of the GDPR requires that, when responding to an access request, third-party data must be protected, and states: “The right to obtain a copy in response to an access request shall not adversely affect the rights and freedoms of others including trade secrets or intellectual property and in particular copyright protecting the software”.

Upon receipt of an access request, it is important for controllers to remember that the right of access is a fundamental right, so there is a presumption in favour of disclosure on the part of controllers.

Direct Marketing Complaints

The DPC received 165 new complaints in relation to direct electronic marketing in 2019: some 77 in relation to unsolicited email, 81 in relation to unsolicited text messages (SMS) and 7 in relation to unsolicited telephone calls. A number of the complaints related to more than one type of unsolicited marketing from the same organisation.

A total of 130 direct marketing complaint investigations were concluded during the year.

Prosecutions in relation to electronic direct marketing

The DPC prosecuted 4 entities in relation to direct electronic marketing without consent. These included the telecommunications provider Vodafone Ireland Limited, food ordering service Just-Eat Ireland Limited, and online retailers Cari’s Closet Limited and Shop Direct Ireland Limited (t/a Littlewoods Ireland).

CASE STUDY 5 Prosecution of Vodafone Ireland Limited

In April 2019 the DPC received two separate complaints from an individual who had received unsolicited direct marketing communications by text and by email from the mobile network operator Vodafone. The individual stated that Vodafone had ignored their customer preference settings, which recorded that they did not wish to receive such marketing.

During our investigation, Vodafone confirmed that the complainant had been opted-out of direct marketing contact but that communications were sent to them due to human error in the case of both the text message and the email marketing campaigns.

In the case of the SMS message, Vodafone confirmed that a text offering recipients the chance to win tickets to an Ireland v France rugby match was sent to approximately 2,436 customers who had previously opted-out of receiving direct marketing by text. This was as a result of a failure to apply a marketing preferences filter to the SMS advertising campaign before it was sent.

In the case of the email received by the complainant, an application that was intended to be used to send direct marketing to prospective customers was used in error and the message was sent to existing Vodafone customers. While Vodafone was unable to definitively confirm the number of customers who were contacted by email contrary to their preference, the marketing email was sent to 29,289 existing Vodafone customers. The company confirmed that some 2,523 out of 7,615 of these were contacted in error. However, it was unable to link the remaining 21,674 customers who were sent the same email with their marketing preferences in Vodafone’s data warehouse to confirm the total number contacted in error.

The DPC had also received a separate complaint in February 2019 from another individual who was a former customer of Vodafone. This customer had ceased to be a Vodafone customer more than five years earlier and they still continued to receive promotional text messages. In the course of our investigation, Vodafone confirmed that the direct marketing messages were sent to the complainant in error. It said that in this exceptional case, the complainant’s mobile number was not removed from the platform used to send marketing communications when their number was no longer active on the network.

As the DPC had previously prosecuted Vodafone in 2011, 2013 and 2018 in relation to direct electronic marketing offences, we decided to initiate prosecution proceedings in relation to these complaints.

At Dublin Metropolitan District Court on 29 July 2019, Vodafone pleaded guilty to five charges of sending unsolicited direct marketing communications in contravention of S.I. No. 336 of 2011 (‘the ePrivacy Regulations’). The company was convicted and fined €1,000 on each of three charges and convicted and fined €750 each in respect of the two remaining charges.


CASE STUDY 6 Prosecution of Just-Eat Ireland Limited

We received a complaint from an individual in November 2018 regarding unsolicited direct marketing emails from Just-Eat Ireland Limited. The complainant had unsubscribed from the company’s direct marketing emails but several days later received an unsolicited marketing email. During our investigation of this complaint the company informed us that the complainant’s attempt to unsubscribe was unsuccessful due to a technical issue with its email platform. This issue affected 391 customers in Ireland.

As Just-Eat Ireland Limited had previously been warned by the DPC in 2013 on foot of complaints in relation to unsolicited direct marketing emails, we decided to initiate prosecution proceedings.

At Dublin Metropolitan District Court on 29 July 2019, Just-Eat Ireland Limited pleaded guilty to one charge in relation to sending an unsolicited direct marketing email. The court applied section 1(1) of the Probation of Offenders Act in lieu of a conviction and fine on the basis that the company donate €600 to the Peter McVerry Trust charity.

CASE STUDY 7 Prosecution of Cari’s Closet Limited

In May 2018, we received a complaint against the online fashion retailer Cari’s Closet from an individual who had in the past placed an online order with the company. The complaint concerned the receipt of three unsolicited direct marketing emails. The same person had previously complained to the DPC in January 2018 about unsolicited emails from that company. On that occasion, the complainant said they had received over forty marketing emails in one month alone. The person had attempted, without success, to unsubscribe on a couple of occasions.

Cari’s Closet attributed the failure to properly unsubscribe the complainant from emails to a genuine mistake on its behalf.

As the DPC had issued a warning in April 2018 in relation to the earlier complaint, we decided to initiate prosecution proceedings against the company.

At Dublin Metropolitan District Court on 29 July 2019, Cari’s Closet pleaded guilty to one charge of sending an unsolicited direct marketing email to the complainant. In lieu of a conviction and fine, the court applied section 1(1) of the Probation of Offenders Act on the basis that the company donate €600 to the Little Flower Penny Dinners charity.


CASE STUDY 8 Prosecution of Shop Direct Ireland Limited t/a Littlewoods Ireland

In May 2019, the DPC received a complaint from an individual who said they had been receiving direct marketing text messages from Littlewoods since March. The complainant stated that they had followed the instructions to unsubscribe by texting the word ‘STOP’ on five occasions to a designated number known as a short code, but they had not succeeded in opting out and they continued to get marketing text messages.

In the course of our investigations, Shop Direct Ireland Limited (t/a Littlewoods Ireland) confirmed it had a record of the complainant’s opt-out from direct marketing texts submitted through their account settings on the Littlewoods website on 8 May 2019. It did not, however, have a record of their attempts to opt-out of direct marketing texts on previous occasions using the SMS short code. This was due to human error in setting up the content for the SMS marketing messages. The company said that the individual responsible for preparing and uploading content relating to marketing texts had mistakenly included the opt-out keyword ‘STOP’ instead of ‘LWISTOP’ at the end of the marketing texts.

Shop Direct Ireland Limited had previously been prosecuted by the DPC in 2016 in relation to a similar issue which resulted in a customer attempting, without success, to unsubscribe from direct marketing emails. On that occasion, the court outcome resulted in the company making a donation of €5,000 to charity in lieu of a conviction and fine.

The DPC decided to prosecute the company in respect of direct electronic marketing offences in relation to the May 2019 complaint.

At Dublin Metropolitan District Court on 29 July 2019, Shop Direct Ireland Limited (t/a Littlewoods Ireland) entered guilty pleas to two charges relating to sending unsolicited direct marketing text messages. The court ruled that the company would be spared a conviction and fine if it donated €2,000 each to the Peter McVerry Trust and the Little Flower Penny Dinners charities and section 1(1) of the Probation of Offenders Act was applied.
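The control failures in case studies 5 to 8 (a campaign sent without the preference filter, an unsubscribe that silently failed, a number left on the send platform after the customer had left the network, and message content advertising an opt-out keyword the short code did not handle) can all be caught at a single mandatory send gate. The Python below is an added illustration, not code from any of the companies named or from the DPC; the keyword DEMOSTOP, the numbers and the message text are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Recipient:
    address: str            # MSISDN for SMS, e-mail address for e-mail
    marketing_opt_in: bool  # preference recorded in the customer system
    active: bool = True     # False once the person is no longer a customer


@dataclass
class Campaign:
    channel: str            # "sms" or "email"
    body: str
    audience: list[Recipient]


# Finds the opt-out instruction in a message body, e.g. "Reply DEMOSTOP to opt out".
OPT_OUT_FOOTER = re.compile(
    r"\breply\s+([A-Za-z0-9]+)\s+to\s+(?:opt[\s-]*out|unsubscribe)", re.IGNORECASE)


class SendGate:
    """Single mandatory path for outbound marketing. Constructed example: the
    keywords, addresses and message text used with it are made up."""

    def __init__(self, opt_out_keywords: set[str]):
        # Keywords the inbound short-code handler actually honours.
        self.opt_out_keywords = {k.upper() for k in opt_out_keywords}
        self.suppressed: set[str] = set()   # opt-outs received by reply
        self.send_log: list[dict] = []      # one entry per message actually sent

    def handle_inbound(self, address: str, text: str) -> bool:
        """Process a reply to the short code; True if honoured as an opt-out."""
        if text.strip().upper() in self.opt_out_keywords:
            self.suppressed.add(address)
            return True
        return False

    def check_footer(self, body: str) -> list[str]:
        """Reject content that has no opt-out instruction, or whose advertised
        keyword the handler would not honour (the 'STOP' printed / 'LWISTOP'
        handled mismatch), before a single message goes out."""
        m = OPT_OUT_FOOTER.search(body)
        if m is None:
            return ["message carries no opt-out instruction"]
        advertised = m.group(1).upper()
        if advertised not in self.opt_out_keywords:
            return [f"footer advertises {advertised!r} but handler honours "
                    f"{sorted(self.opt_out_keywords)}"]
        return []

    def send(self, campaign: Campaign) -> tuple[list[str], list[tuple[str, str]]]:
        """Apply the preference filter to every campaign; there is no bypass."""
        problems = self.check_footer(campaign.body)
        if problems:
            raise ValueError("; ".join(problems))
        sent: list[str] = []
        withheld: list[tuple[str, str]] = []
        for r in campaign.audience:
            if not r.marketing_opt_in:
                withheld.append((r.address, "opted out in preferences"))
            elif not r.active:
                withheld.append((r.address, "no longer a customer"))
            elif r.address in self.suppressed:
                withheld.append((r.address, "opted out by reply"))
            else:
                sent.append(r.address)
                # Snapshot the preference at send time so a later audit does not
                # depend on re-joining the send platform to the customer database.
                self.send_log.append({"address": r.address, "channel": campaign.channel,
                                      "opt_in_at_send": r.marketing_opt_in})
        return sent, withheld

    def audit(self, authoritative_opt_in: dict[str, bool]) -> list[str]:
        """Addresses that were sent to but that the authoritative preference
        store says were opted out: the reconciliation a regulator asks for."""
        return [e["address"] for e in self.send_log
                if not authoritative_opt_in.get(e["address"], False)]


def demo() -> dict:
    """Run the gate over a constructed audience and return what happened."""
    gate = SendGate({"DEMOSTOP"})
    audience = [
        Recipient("+353850000001", marketing_opt_in=True),
        Recipient("+353850000002", marketing_opt_in=False),               # preference says no
        Recipient("+353850000003", marketing_opt_in=True, active=False),  # left the network
        Recipient("+353850000004", marketing_opt_in=True),
    ]
    # A reply with the handled keyword is honoured; a reply with a keyword the
    # handler does not know is silently lost, which is why check_footer exists.
    honoured = gate.handle_inbound("+353850000004", " demostop ")
    lost = gate.handle_inbound("+353850000001", "STOP")
    sent, withheld = gate.send(
        Campaign("sms", "Win tickets! Reply DEMOSTOP to opt out", audience))
    try:
        gate.send(Campaign("sms", "Win tickets! Reply STOP to opt out", audience))
        blocked = False
    except ValueError:
        blocked = True
    return {"honoured": honoured, "lost": lost, "sent": sent, "withheld": withheld,
            "mismatch_blocked": blocked,
            "audit_hits": gate.audit({"+353850000001": True})}
```

Accepting a generic STOP alongside the brand keyword (pass both to SendGate) is the simplest way to make the footer check and the handler agree.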


One-Stop-Shop Complaints

The One-Stop-Shop mechanism (OSS) was established under the GDPR with the objective of streamlining how organisations that do business in more than one EU member state engage with data protection authorities (called ‘supervisory authorities’ under the GDPR).

The OSS requires that these organisations are subject to regulatory oversight by just one DPA, where they have a ‘main establishment’, rather than being subject to regulation by the data protection authorities of each member state. The main establishment of an organisation is generally its place of central administration and/or decision making. In the case of a data processor that has no place of central administration, its main establishment will be where its main processing activities in the EU take place.

The DPC is the Lead Supervisory Authority for a broad range of multinationals, including many large technology and social media companies whose main establishment is located in Ireland, and it handles complaints originally lodged with other EEA data protection supervisory authorities, in addition to handling complaints that people lodge directly with the DPC. In the past year, a significant number of complex cross-border complaints were transferred to the DPC by other data protection supervisory authorities. In addition, the DPC continued and commenced several large-scale inquiries that were initiated on the DPC’s own volition and that relate to cross-border processing. Although the DPC has primary supervisory responsibility, we must consult extensively with the other data protection supervisory authorities and keep them updated throughout our complaint handling and investigatory processes. In particular, we must take due account of their views and seek their consensus on our draft decisions on these cross-border cases, under the GDPR’s cooperation mechanism.

The role of the lead supervisory authority (LSA) includes investigating a complaint or alleged infringement of the GDPR relating to cross-border processing and preparing a draft decision on the matter. It then must coordinate, where possible, a consensus decision with other EU data protection authorities who are deemed to be ‘concerned supervisory authorities’.

The DPC will be deemed a concerned supervisory authority where:

• a cross-border processing complaint has originally been lodged with the DPC but another Data Protection Authority (DPA) is the lead supervisory authority;

• the processing in question substantially affects, or is likely to substantially affect, individuals in Ireland; or

• the controller/processor is established in Ireland.

The lead supervisory authority must share its draft decision with all concerned supervisory authorities and consult with, and consider their views, in finalising the decision. Where this is not possible, the GDPR provides for a dispute-resolution mechanism to be triggered that will ultimately result in the members of the European Data Protection Board (EDPB) making a majority decision on the disputed issues in the draft decision.

In 2019, the DPC received 457 cross-border processing complaints through the OSS mechanism that were lodged by individuals with other EU data protection authorities.


Law Enforcement Complaints

The EU Directive known as the LED (EU 2016/680) was transposed into Irish law on 25 May 2018 with the enactment of the Data Protection Act 2018. In broad terms, the LED applies where the organisation that is in control of the personal data is deemed a “competent authority” and the processing of personal data is carried out for the purposes of the prevention, investigation, detection or prosecution (PIDP) of criminal offences, or the execution of criminal penalties.

To distinguish, the LED would apply if a convicted offender complained to, for example, the Irish Prison Service that the data recorded about them was inaccurate. However, if the prison service received an access request from an employee about their own personal data, the GDPR would apply.

In 2019, the DPC received 37 LED complaints, the majority relating to An Garda Síochána as the data controller, as well as the Irish Prison Service, the Revenue Commissioners, Veolia, Irish Rail and several local authorities.

Section 95 Reviews

Section 94 of the 2018 Act allows data controllers to restrict access to personal data on grounds such as the prevention of crime and to avoid prejudicing an investigation or prosecution. Where an individual is made aware that their rights have been restricted under the provisions of Section 94, they may request that the DPC independently review their case under Section 95.

In 2019, three reviews under Section 95 of the 2018 Act were conducted by the DPC in order to verify whether the restrictions imposed by the data controllers in question were lawful. In all four cases, the officers were satisfied the restrictions were lawful.

• One case concerned an individual who sought full access to their file. An Garda Síochána (AGS) had provided the individual with a copy of their data as recorded on PULSE but relied upon 94(3)(a) of the Act to restrict certain AGS communications concerning routine inter-agency operations as they were deemed to demonstrate operational methods and procedures employed by AGS. Upon review of the file, authorised officers of the DPC considered the processing was in compliance with Part 5 of the Data Protection Act 2018 — Processing of Personal Data for Law Enforcement Purposes. During the review, the data controller (AGS) clarified to authorised officers that it had no role or input in relation to any data which may have been processed leading to the arrest of an Irish citizen at an airport outside of this jurisdiction. On foot of the section 95 review, the DPC conveyed this additional information to the individual.

• A section 95 review was conducted in connection with an individual who wanted a change made to records held about them by AGS. On inspection by the DPC, it was noted that the record related to unsolicited contact with a minor, resulting in an alert being raised. Officers from the DPC considered that the data recorded by AGS was in compliance with Part 5 of the Data Protection Act 2018.

• A section 95 review was conducted based on a complaint in which a couple alleged their data had been disclosed to their landlady by An Garda Síochána. An authorised officer from the DPC examined the file in question. Taking into account that An Garda Síochána had previously stated to the couple that no personal data was disclosed by them to their landlady, the DPC was satisfied based on the file viewed that all personal data inspected was in compliance with Part 5 of the Data Protection Act 2018.


Data-Breach Complaints

In 2019, the DPC handled 207 data-breach complaints from affected individuals, in comparison to the 48 data-breach complaints between 25 May 2018 and 31 December 2018. Trends indicate a significant rise in the number of breach complaints being made by individuals.

The majority of complaints related to unauthorised disclosures, predominantly:

• emails/letters to incorrect recipient;

• administrative processing errors;

• verbal disclosures;

• papers lost or stolen; and

• unauthorised access to personal data in the workplace.

Over the course of its engagement with individuals in 2019, the office has noted increased correspondence from individuals expressing dissatisfaction with the way businesses and organisations who control or process personal data have communicated with them, particularly regarding data breaches and the subsequent remedial actions the controller has taken. Greater adherence to Section 109(2) of the Data Protection Act 2018 would lead to earlier resolutions in many such instances and a reduction in the number of queries being brought forward to the DPC.

CASE STUDY 9 HSE Hospital/Healthcare Agency

In 2019, the DPC received a complaint about the disclosure of a patient’s data via Facebook Messenger by a hospital porter regarding her attendance at the Early Pregnancy Unit of a hospital. Upon examination of the complaint, the HSE clarified to the DPC that the hospital porter who disclosed the personal information of the patient was in fact employed by a healthcare agency contracted by the HSE. The DPC contacted the agency and sought an update in relation to its internal investigation, details of any remedial action as well as details of any disciplinary action taken against the employee in question. At the same time, the DPC advised the HSE that, as it contracts the company concerned to provide agency staff to work in the hospital, ultimately the HSE is the data controller for the personal data in this instance.

The complaint was subsequently withdrawn by the solicitor acting on behalf of the woman following a settlement being agreed between the affected party and the hospital/healthcare agency. Data controllers/data processors may be liable under Section 117 of the Data Protection Act 2018 to an individual for damages if they fail to observe the duty of care they owe in relation to personal data in their possession.

The DPC has no role whatsoever in dealing with compensation claims and no function in relation to the taking of any such proceedings under Section 117 of the 2018 Act or in the provision of any such legal advice.

What this case illustrates is that ongoing training is necessary for all staff in relation to their obligations under data protection law and that controllers must do due diligence and satisfy themselves that any contractors/processors they engage are fully trained and prepared to comply with data protection laws.


5. Breaches


Data-Breach Notifications

The introduction of the GDPR brought with it mandatory data-breach notification obligations for all data controllers. The DPC undertakes a weekly analysis of breach notifications and processes a vast number of notifications received from areas within the public and private sector, including:

• the financial sector;

• the insurance sector;

• the telecommunications industry;

• the healthcare industry;

• the multi-national sector; and

• law enforcement.

Some of the trends and issues identified include:

• late notifications;

• difficulty in assessing risk ratings;

• failure to communicate the breach to individuals;

• repeat breach notifications; and

• inadequate reporting.

In 2019, the DPC received 6,257 data-breach notifications under Article 33 of the GDPR. Of these, 188 were classified as non-breaches due to the information involved not meeting the criteria to fall under the definition of personal data as set out in Article 4(12) of the GDPR.

A total of 6,069 valid data breaches were received during 2019, representing an increase of 71% on the numbers reported in 2018. Unauthorised disclosures represent the highest classification of notified breaches across all sectors — 83% of all breaches.

Under the GDPR a controller is obliged to notify the DPC of any personal data breach that has occurred, unless they are able to demonstrate that the personal data breach is ‘unlikely to result in a risk to the rights and freedoms of natural persons’. This means that the default position for controllers is that all data breaches should be notified to the DPC, except for those where the controller has assessed the breach as being unlikely to present any risk to individuals and the controller can show why they reached this conclusion. In any event, for all breaches — even those that are not notified to the DPC on the basis that they have been assessed as being unlikely to result in a risk — controllers must record at least the basic details of the breach, the assessment thereof, its effects, and the steps taken in response, as required by Article 33(5) GDPR.

Businesses and organisations in control of personal data have an obligation to mitigate against all potential future breaches. The DPC has observed an increase in the number of repeat breaches of a similar nature by a large number of companies. This is most apparent in the financial sector, where the majority of breaches appear to be related to unauthorised disclosures. Data controllers can take simple steps to attempt to mitigate these risks, such as running staff training and awareness programmes; implementing stringent password policies and multifactor authentication for remote access; habitually updating anti-virus and anti-malware software; ensuring that email and web filtering environments are correctly configured; and ensuring that all computer devices are regularly updated with manufacturers’ software and security patches.


Data breach notifications by category

Category                                                Private   Public   Total
Disclosure (unauthorised)                                 3,249    1,939   5,188
Hacking                                                      98       10     108
Malware                                                      22        2      24
Phishing                                                    138       23     161
Ransomware/denial of service                                 17        0      17
Software Development Vulnerability                           13        0      13
Device lost or stolen (encrypted)                            14       27      41
Device lost or stolen (unencrypted)                          16       30      46
Paper lost or stolen                                        140      205     345
E-waste (personal data present on an obsolete device)         0        1       1
Inappropriate disposal of paper                              20       24      44
System Misconfiguration                                      43       10      53
Unauthorised Access                                          67       64     131
Unintended online publication                                44       41      85
Total                                                     3,881    2,376   6,257

CASE STUDY 10 Loss of control of paper files

A public sector health service provider notified the DPC that a number of files containing patient medical information had been found in a storage cabinet on a hospital premises which was no longer occupied.

The records were discovered by a person who had illegally gained access to a restricted premises and subsequently posted photographs of the cabinet containing the files on social media. The public sector organisation in question informed the DPC that, having become aware of the breach, a representative of the organisation was sent to locate and secure the files. The files were removed from the premises and secured.

This breach highlights the importance of having appropriate records management policies, including mechanisms for tracking files, appropriate secure storage facilities and full procedures for the retention or deletion of records.

The DPC issued a number of recommendations to the organisation to improve its personal data processing practices.


CASE STUDY 11 Ransomware Attack

An organisation operating in the leisure industry notified the DPC that it had been the victim of a ransomware attack which potentially encrypted/disclosed the personal data of up to 500 customers and staff stored on the organisation’s server. The route of the infiltration was traced to a modem router that had been compromised (backup data was, however, stored securely via a cloud server).

Following examination of the incident, the DPC issued a number of recommendations to the organisation. The DPC recommended that the organisation conduct an analysis of its ICT infrastructure to establish if further malware was present, review and implement appropriate measures to ensure there is an adequate level of security surrounding the processing of personal data, and conduct employee training to encompass cyber security risks.

The DPC has received regular updates from the organisation and is satisfied that significant steps to improve and implement both organisational and technical measures concerning shortfalls in the security of their ICT infrastructure have been taken, including the development of a training plan for all staff in this area.

CASE STUDY 12 Disclosure of CCTV footage via social media

A commercial and residential property management company notified the DPC that an employee of a security company whose services they retained had used their personal mobile phone to record CCTV footage of two members of the public engaged in an intimate act, which had been captured by the management company’s security cameras.

The video taken was subsequently shared via WhatsApp to a limited number of individuals. The business advised the DPC that they communicated to staff who may have received the footage that they must delete it and requested no further dissemination of the video.

Both the property management company and the security company were able to demonstrate that adequate policies and procedures did exist; however, appropriate oversight and supervision to ensure compliance with these policies and procedures was lacking.

Following recommendations made by the DPC to the property management company, the company has subsequently engaged with its staff to deliver further data protection training with an emphasis on personal data breaches. In addition, further signage was displayed prohibiting the use of personal mobile devices within the confines of the CCTV control room.


6. Inquiries


Statutory Inquiries by the DPC

Under the Data Protection Act 2018, the DPC may conduct two different types of statutory inquiry under Section 110 in order to establish whether an infringement of the GDPR or the 2018 Act has occurred:

• a complaint-based inquiry; and

• an inquiry of the DPC’s “own volition”.

A statutory inquiry essentially consists of two distinct processes:

• the investigatory process, which is carried out by an investigator of the DPC; and

• the decision-making process.

The decision-making process is carried out by a separate senior decision-maker in the DPC who has had no role in the investigatory process, usually the Commissioner for Data Protection.

The objective of any inquiry is to:

• establish the facts as they apply to the matters under investigation;

• apply the facts as found to the provisions of the GDPR and/or 2018 Act as applicable in order to analyse whether an infringement of the GDPR and/or 2018 Act has been identified;

• make a formal decision of the DPC in relation to whether or not there is an infringement; and

• where an infringement has been identified, make a formal decision on whether or not to exercise a corrective power, and if so, which corrective power.4

4 Corrective powers include imposing an administrative fine (not applicable for infringements of the LED), issuing a warning, a reprimand, a temporary or definitive ban on processing or a suspension of international data transfers or a direction to bring processing into compliance, amongst others.

During the investigatory process of an inquiry, authorised officers may be appointed by the DPC and they may exercise a range of investigatory powers under the 2018 Act in the context of an inquiry. In addition to the general power to issue an information notice compelling the provision of specified information to the DPC, an authorised officer has a broad range of investigatory powers at his/her disposal enabling them to gather relevant information, documents and materials5. These include powers of entry, search and inspection of premises, equipment, documents and information, the removal and retention of documents and records, and requiring information and assistance to be provided to them in relation to access to documents and records and equipment. There is also a power to apply to the District Court for a warrant to enter a premises in order to exercise the authorised officer powers.

On 31 December 2019, the DPC had 70 statutory inquiries on hand, including 21 cross-border inquiries.

5 In the context of an existing inquiry, the DPC may also launch a statutory “investigation” under Section 137. A Section 137 investigation carries specific additional investigatory powers, such as the power of the authorised officer conducting it to hold an oral hearing. To date the DPC has not commenced any Section 137 investigations.


Multinational Technology Company Statutory Inquiries commenced since 25 May 2018

Company Inquiry type Issue being examined

Facebook Ireland Limited Complaint-based inquiry

Right of Access and Data Portability. Examining whether Facebook has discharged its GDPR obligations in respect of the right of access to personal data in the Facebook ‘Hive’ database and portability of “observed” personal data.

Facebook Ireland Limited Complaint-based inquiry

Lawful basis for processing in relation to Facebook’s Terms of Service and Data Policy. Examining whether Facebook has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data of individuals using the Facebook platform.

Facebook Ireland Limited Complaint-based inquiry

Lawful basis for processing. Examining whether Facebook has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data in the context of behavioural analysis and targeted advertising on its platform.

Facebook Ireland Limited Own-volition inquiry

Facebook September 2018 token breach. Examining whether Facebook Ireland has discharged its GDPR obligations to implement organisational and technical measures to secure and safeguard the personal data of its users.

Facebook Ireland Limited Own-volition inquiry

Facebook September 2018 token breach. Examining Facebook’s compliance with the GDPR’s breach notification obligations.

Facebook Inc. Own-volition inquiry

Facebook September 2018 token breach. Examining whether Facebook Inc. has discharged its GDPR obligations to implement organizational and technical measures to secure and safeguard the personal data of its users.

Facebook Ireland Limited Own-volition inquiry

Commenced in response to a large number of breaches notified to the DPC during the period since 25 May 2018 (separate to the token breach). Examining whether Facebook has discharged its GDPR obligations to implement organisational and technical measures to secure and safeguard the personal data of its users.

Facebook Ireland Limited Own-volition inquiry

Facebook passwords stored in plain text format in its internal servers. Examining Facebook’s compliance with its obligations under the relevant provisions of the GDPR.

WhatsApp Ireland Limited Complaint-based inquiry

Lawful basis for processing in relation to WhatsApp’s Terms of Service and Privacy Policy. Examining whether WhatsApp has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data of individuals using the WhatsApp platform.

WhatsApp Ireland Limited Own-volition inquiry

Transparency. Examining whether WhatsApp has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s services, including information provided to data subjects about the processing of information between WhatsApp and other Facebook companies.

Page 41: Annual Report · 2020-02-19 · Annual Report First full year of GDPR 1 anuary 1 eeer 1 2019 was the first year I heard multiple data protection legal practices say they had found

Annu

al R

epor

t 1

Janu

ary

— 3

1 D

ecem

ber

2019

Green indicates inquiries opened between 25 May 2018 – 31 December 2018. White indicates inquiries opened in 2019.

Company Inquiry type Issue being examined

Instagram (Facebook Ireland Limited)

Complaint based inquiry

Lawful basis for processing in relation to Instagram’s Terms of Use and Data Policy. Examining whether Instagram has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data of individuals using the Instagram platform

Apple Distribution International

Complaint-based inquiry

Lawful basis for processing. Examining whether Apple has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data in the context of behavioural analysis and targeted advertising on its platform.

Apple Distribution International

Complaint-based inquiry

Transparency. Examining whether Apple has discharged its GDPR transparency obligations in respect of the information contained in its privacy policy and online documents regarding the processing of personal data of users of its services.

Apple Distribution International

Complaint-based inquiry

Right of Access. Examining whether Apple has complied with the relevant provisions of the GDPR in relation to an access request.

Twitter International Company

Complaint-based inquiry

Right of Access. Examining whether Twitter has discharged its obligations in respect of the right of access to links accessed on Twitter.

Twitter International Company

Own-volition inquiry

Commenced in response to the large number of breaches notified to the DPC during the period since 25 May 2018. Examining whether Twitter has discharged its GDPR obligations to implement organisational and technical measures to secure and safeguard the personal data of its users.

Twitter International Company

Own-volition inquiry

Commenced in response to a breach notification. Examining an issue relating to Twitter’s compliance with Article 33 of the GDPR.

LinkedIn Ireland Unlimited Company

Complaint-based inquiry

Lawful basis for processing. Examining whether LinkedIn has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data in the context of behavioural analysis and targeted advertising on its platform.

Quantcast International Limited

Own-volition inquiry

Commenced in response to a submission received. Examining Quantcast’s compliance with the relevant provisions of the GDPR. The GDPR principle of transparency and retention practices will also be examined.

Google Ireland Limited Own-volition inquiry

Commenced in response to submissions received. Examining Google’s compliance with the relevant provisions of the GDPR. The GDPR principles of transparency and data minimisation, as well as Google’s retention practices, will also be examined.

Verizon Media/Oath Own-volition inquiry

Transparency. Examining the company’s compliance with the requirements to provide transparent information to data subjects under the provisions of Articles 12-14 GDPR.


Ongoing Cross-Border Inquiries

Apple Distribution International (transparency obligations)

This complaint-based inquiry arises from a complaint initially lodged by the complainant in Germany but then transferred to the DPC, as the lead supervisory authority for the controller in question, as the main establishment of Apple is in Ireland. The complainant alleges that the controller is contravening Articles 12 and 13 of the GDPR by failing to provide certain required information to individuals, such as the identity and contact details of the controller’s representative and data protection officer, the legal basis for processing and the storage period of any personal data collected. The inquiry is focused on an examination of the controller’s compliance with its transparency obligations, looking at the information which is provided to users by the controller on its website. This includes assessing the manner in which a layered approach to provision of information can/should be used, as well as the timing of provision of information to individuals.

Apple Distribution International (access request issues)

This complaint-based inquiry relates to an access request made by the complainant for customer service records from Apple where the complainant was dissatisfied with Apple’s response to his access request. In this case, the controller’s position is that the request by the complainant was ‘manifestly excessive’. The inquiry involves an examination of the extent to which a data controller may refuse to act on an access request, in circumstances where that controller believes that the request is “manifestly unfounded or excessive”, as referred to in Article 12 GDPR.

Apple Distribution International (legal basis for processing in context of targeted advertising to users)

This complaint-based inquiry is examining whether the controller has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data in the context of behavioural analysis and targeted advertising on its platform. The complaint in question was lodged by a French digital advocacy organisation, La Quadrature du Net, through Article 80 of the GDPR whereby a data subject can mandate a not-for-profit body to lodge a complaint and act on his/her behalf. The issues under investigation include whether or not the processing of personal data, in this context, is supported by a legal basis, as required by Article 6 of the GDPR, and, if so, which one(s). This entails consideration of the conditionality and limitations associated with reliance on certain legal bases, such as consent and the legitimate interests of the data controller or a third party. Co-operation with the CNIL (the French supervisory authority with which the complaint giving rise to this inquiry was originally filed) is ongoing.

Facebook Ireland Limited (legal basis for processing and transparency in relation to Terms of Service and Data Policy)

This complaint-based inquiry arose from a complaint received from the Austrian privacy advocacy organisation NOYB (None of Your Business) which focused on Facebook’s Terms of Service and Data Policy for its users. The inquiry is examining whether Facebook has complied with the obligation to have a legal basis to process personal data of individuals using the Facebook platform. The inquiry also includes an examination of whether Facebook provided the data subject with information on its legal basis for processing in connection with its Terms of Service, and addresses the complainant’s contention that processing in connection with Facebook’s Terms of Service was conducted on the basis of the data subject’s consent but that that consent was not valid having regard to the nature of the consent which is required under the GDPR.

Facebook Ireland Limited (legal basis for processing in context of targeted advertising to users)

This complaint-based inquiry is examining whether Facebook has complied with its obligations in respect of the requirement to have a legal basis for processing personal data in the context of behavioural analysis and targeted advertising of Facebook users on its platform. The complaint in question was lodged by a French digital advocacy organisation, La Quadrature du Net. Amongst other things, this inquiry involves a detailed examination of the processing operations underpinning the analysis of users’ behaviour/ activities (including profiling) on the Facebook platform and how that relates to the delivery of targeted advertisements to the user. Co-operation with the CNIL (the French supervisory authority with which the complaint giving rise to this inquiry was originally filed) is ongoing.

Facebook Ireland Limited (security incident concerning storage in plain text of user passwords)

This is an inquiry examining whether Facebook complied with its obligations under the GDPR in relation to a security incident which occurred in early 2019. In this case, Facebook confirmed to the DPC that user passwords had been inadvertently stored in plaintext on its internal systems. This inquiry is examining whether Facebook’s conduct in relation to this incident amounted to an infringement of any provision(s) of the GDPR, and in particular whether Facebook, in storing user passwords in plaintext format, complied with its obligations in relation to data security. The inquiry is also examining whether the storage of user passwords in this manner amounted to a personal data breach for the purposes of Article 33 of the GDPR.


Facebook Ireland Limited (access request for certain technical information)

This complaint-based inquiry was initiated on foot of a complaint made to the DPC by a data subject, regarding Facebook’s handling of a data subject access request and data portability request made by him. The inquiry is examining whether Facebook has complied with its obligations in relation to the complainant’s exercise of the right of access to his personal data and the right to data portability in respect of personal data held in a certain technical database by Facebook. The complainant had requested, amongst other things, to be provided with a copy of specific personal data relating to him, including personal data held, indexed alongside or related to his User ID which was held in raw format; and a copy of personal data that had been provided by or observed about him in a machine readable format. This inquiry is examining the extent of the data subject rights to access and portability under the GDPR, having regard to Article 12 of the GDPR, including the extent to which a data controller may refuse to act on a data subject request in circumstances where that controller believes that the request is “manifestly unfounded or excessive”, as referred to in Article 12 GDPR.

Google Ireland Limited (legal basis for, and transparency of, Google’s real time bidding and Google Authorised Buyers system)

This own-volition inquiry, which was commenced following the receipt by the DPC of certain submissions made to it by Dr Johnny Ryan of Brave, is examining the processing of personal data by Google in the context of targeted advertising. More specifically, the inquiry is examining the processing of personal data in the context of the ‘Real-Time Bidding’ (RTB) process facilitated by Google’s proprietary Authorised Buyers mechanism, which facilitates targeted advertising. In terms of its scope, the inquiry is examining, amongst other things, whether Google has a legal basis for processing personal data, which may include special category data, via the Google Authorised Buyers mechanism. The inquiry is also examining how Google fulfils its transparency obligations in relation to the processing of such personal data, as well as its obligations concerning the retention of such personal data in the context of the Google Authorized Buyers Ad Exchange.

Instagram (Facebook Ireland Limited) (legal basis for processing and transparency in relation to Terms of Use and Data Policy)

This complaint-based inquiry arose from a complaint received from the Austrian privacy advocacy organisation NOYB (None of Your Business) which focused on Instagram’s Terms of Use and Data Policy for its users. The inquiry is examining whether Instagram has complied with the obligation to have a legal basis to process personal data of individuals using the Instagram platform. The inquiry includes an examination of whether Instagram provided the data subject with information on Instagram’s legal basis for processing in connection with its Terms of Use. It also addresses the complainant’s contention that processing in accordance with WhatsApp’s Terms of Service was conducted on the basis of the data subject’s consent but that that consent was not valid having regard to the nature of the consent which is required under the GDPR.

LinkedIn Ireland Unlimited Company (legal basis for processing in context of targeted advertising to users)

This complaint-based inquiry into LinkedIn is focused on examining whether LinkedIn has complied with its GDPR obligations, in particular in respect of the requirement to have a legal basis for processing personal data, in the context of behavioural analysis and targeted advertising on its platform. The complaint in question was lodged by a French digital advocacy organisation, La Quadrature du Net, through Article 80 of the GDPR whereby a data subject can mandate a not-for-profit body to lodge a complaint and act on his/her behalf. Issues that the DPC is specifically examining, and which formed part of the complaint, include the issue of whether consent and another legal basis can be relied upon jointly for processing. Amongst other things, this inquiry involves a detailed examination of the technological framework underpinning the analysis of users’ behaviour/activities (including profiling) on the LinkedIn platform and how that relates to the delivery of targeted advertisements to the user. Co-operation with the CNIL (the French supervisory authority with which the complaint giving rise to this inquiry was originally filed) is ongoing.

Quantcast International Limited (legal basis for processing and transparency in profiling and targeted advertising)

This own-volition inquiry was commenced by the DPC following a submission which was made to the DPC by Privacy International, a privacy advocacy organisation, concerning Quantcast which provides services to entities operating in the adtech sector. In particular, the DPC is examining whether Quantcast has discharged its obligations in connection with the processing and aggregating of personal data which it conducts for the purposes of profiling and utilising the profiles generated for targeted advertising. The inquiry is examining how, and to what extent, Quantcast fulfils its obligation to be transparent to individuals in relation to what it does with personal data (including sources of collection, combining and making the data available to its customers) as well as Quantcast’s personal data retention practices. The inquiry will also examine the lawful basis pursuant to which processing occurs.

Twitter International Company (right of access and right to data portability)

This complaint-based inquiry arises from a complaint by a Twitter user in relation to an access and portability request which was made to Twitter whereby the user sought certain technical information (related to user interaction with web links generated by Twitter). This request was refused by Twitter. The inquiry examines whether Twitter has discharged its obligations in respect of the right of access and the right to data portability to personal data having regard to Article 12 of the GDPR and the extent to which a data controller may refuse to act on a data subject request in circumstances where that controller believes that the request is “manifestly unfounded or excessive”, as referred to in Article 12 GDPR.

WhatsApp Ireland Limited (legal basis for processing and transparency in relation to Terms of Service and Privacy Policy)

This complaint-based inquiry arose from a complaint received from the Austrian privacy advocacy organisation NOYB (None of Your Business) which focused on WhatsApp’s Terms of Service and Privacy Policy for its users. The inquiry is examining whether WhatsApp has complied with the obligation to have a legal basis to process personal data of individuals using the WhatsApp platform. The inquiry includes an examination of whether WhatsApp provided the data subject with information on WhatsApp’s legal basis for processing in connection with its Terms of Service. The inquiry also addresses the complainant’s contention that processing in accordance with WhatsApp’s Terms of Service was conducted on the basis of the data subject’s consent but that that consent was not valid having regard to the nature of the consent which is required under the GDPR.

Facebook Ireland Limited (breach notification obligations — “token” breach)

This own-volition inquiry was commenced following a breach notification made to the DPC by Facebook concerning an incident where an external actor obtained Facebook user tokens. (User tokens enable the authentication of the related Facebook user account i.e. they keep the user logged into Facebook so that they do not need to re-enter their password every time they use the Facebook app). Following the incident, Facebook reset millions of user tokens for Facebook accounts. The inquiry is examining Facebook’s compliance with the breach notification obligations in Article 33 GDPR and amongst other things, involves an assessment of the information provided by Facebook to the DPC in relation to the incident, the timing of same and the internal documentation of the data breach by Facebook.

Facebook Ireland Limited (technical and organisational measures — “token” breach)

This own-volition inquiry was commenced following the same breach notification made to the DPC by Facebook as in the preceding inquiry, where an external actor obtained Facebook user tokens. (User tokens enable the authentication of the related Facebook user account i.e. they keep the user logged into Facebook so that they do not need to re-enter their password every time they use the Facebook app). As referred to above, following the incident, Facebook reset millions of user tokens for Facebook accounts. This inquiry is examining Facebook’s compliance with its obligations, pursuant to articles 32, 24, and 5 of the GDPR, to implement appropriate technical and organizational measures and amongst other things, involves an assessment of the information provided by Facebook to the DPC in relation to the incident and an assessment of the policies and procedures Facebook had in place at the time the incident occurred.

Facebook, Inc. (technical and organisational measures — “token” breach)

This own-volition inquiry was commenced following the same breach notification made to the DPC by Facebook as in the two preceding inquiries, where an external actor obtained Facebook user tokens. (User tokens enable the authentication of the related Facebook user account i.e. they keep the user logged into Facebook so that they do not need to re-enter their password every time they use the Facebook app). As referred to above, following the incident, Facebook reset millions of user tokens for Facebook accounts. This inquiry is examining Facebook Inc.’s compliance with its obligations, pursuant to articles 32 and 5 of the GDPR, to implement appropriate technical and organisational measures and amongst other things involves an assessment of the information provided by Facebook Inc. to the DPC in relation to the incident and an assessment of the policies and procedures Facebook Inc. had in place at the time the incident occurred.

Facebook Ireland Limited (multiple breaches)

This own-volition inquiry was commenced following a number of breach notifications made to the DPC by Facebook Ireland Limited concerning unauthorised disclosure of personal data. The inquiry is examining Facebook’s compliance with its obligations, pursuant to articles 32, 24, and 5 of the GDPR, to implement appropriate technical and organisational measures and amongst other things, involves an assessment of the information provided by Facebook to the DPC in relation to the incidents and an assessment of the policies and procedures Facebook had in place at the time the incidents occurred.

Twitter International Company (multiple breaches)

This own-volition inquiry was commenced following a number of breach notifications made to the DPC by Twitter concerning unauthorised disclosure of personal data. The inquiry is examining Twitter’s compliance with its obligation, pursuant to articles 32, 24, and 5 of the GDPR, to implement appropriate technical and organisational measures and amongst other things, involves an assessment of the information provided by Twitter to the DPC in relation to the incidents and an assessment of the policies and procedures Twitter had in place at the time the incidents occurred.

Oath (EMEA) Ltd/Verizon Media (transparency)

This own-volition inquiry was opened into Verizon Media/Oath (EMEA) Limited in respect of the company’s compliance with its transparency obligations under Articles 12, 13 and 14 of the GDPR. This inquiry was commenced under section 110(1) of the Data Protection Act 2018 following assessment of a number of complaints regarding Oath products and services, including some from individuals in other EU member states. The inquiry was in the information-gathering phase as of the end of 2019.

WhatsApp Ireland Limited (transparency)

This own-volition inquiry was commenced following a number of complaints made by data subjects throughout Europe about the transparency of WhatsApp Ireland’s data sharing with the Facebook family of companies and transparency surrounding its use of non-user data, focusing on transparency obligations under Articles 12, 13 and 14 of the GDPR. The investigative stage of the process being complete, the final inquiry report has been passed to the Commissioner, who is the decision-maker under Section 111 of the Data Protection Act 2018. The Commissioner will prepare a draft decision which will be circulated to other European DPAs for comment pursuant to Article 60 GDPR. A final decision will then be made on whether the GDPR has been or is being infringed, whether any corrective powers will be exercised, and if so, what those corrective powers will be.

Twitter International Company (breach notification)

This own-volition inquiry was commenced following a breach notification made to the DPC by Twitter concerning a bug in Twitter’s Android app, where users who changed the email address associated with their account had all of their protected tweets made public. The focus is on the obligation to make breach notifications in a timely manner under Article 33(1) of the GDPR, and the obligation to document data breaches under Article 33(5) of the GDPR. The investigative stage of the process being complete, the final inquiry report has been passed to the Commissioner, who is the decision-maker under Section 111 of the Data Protection Act 2018. The Commissioner will prepare a draft decision which will be circulated to other European DPAs for comment pursuant to Article 60 GDPR. A final decision will then be made on whether the GDPR has or is being infringed, whether any corrective powers will be exercised, and if so, what those corrective powers will be.


Ongoing National Inquiries

Domestic Statutory Inquiries commenced since 25 May 2018

Green indicates inquiries opened between 25 May 2018 – 31 December 2018. White indicates inquiries opened in 2019.

Organisation | Inquiry type | Issue being examined

31 local authorities and An Garda Síochána | Own Volition | Examining surveillance of citizens by the state sector for law enforcement purposes through the use of technologies such as CCTV, body-worn cameras, automatic number plate recognition (ANPR) enabled systems, drones and other technologies. The purpose of these inquiries is to probe whether the processing of personal data that occurs in those circumstances is compliant with data protection law.

An Garda Síochána | Own Volition | Examining governance and oversight with regard to disclosure requests within AGS and within organisations processing such requests, as well as examining the actual requests made by AGS to third parties.

Bank of Ireland | Own Volition | Commenced in response to the large number of breaches notified to the DPC during the period since 25 May 2018.

Catholic Church | Own Volition | Multiple complaints re right to rectification & right to be forgotten.

DEASP | Own Volition | Examining the position of the Data Protection Officer under Article 38 of the GDPR.

SUSI | Own Volition | Commenced in response to a breach notified to the DPC.

Irish Credit Bureau | Own Volition | Commenced in response to a breach notified to the DPC.

Irish Prison Service | Own Volition | Examining whether it has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data.

Maynooth University | Own Volition | Commenced in response to a breach notified to the DPC in relation to a phishing incident.

UCD | Own Volition | Commenced in response to a number of breaches notified to the DPC during the period since 25 May 2018.

University of Limerick | Own Volition | Commenced in response to a breach notified to the DPC in relation to a phishing incident.

Slane Credit Union | Own Volition | Commenced in response to a breach notified to the DPC in relation to an unauthorised disclosure.

HSE Mid Leinster (Tullamore Labs) | Own Volition | Commenced in response to a breach notified to the DPC.

HSE Our Lady of Lourdes | Own Volition | Examining the security of processing data, appropriate organisational and technical measures following the loss of sensitive personal data.

HSE South | Own Volition | Commenced in response to a breach notified to the DPC.

TUSLA | Own Volition | Commenced in response to a number of breaches notified to the DPC.

TUSLA | Own Volition | Commenced in response to a number of breaches notified to the DPC during the period since 25 May 2018.

TUSLA | Own Volition | Commenced in response to a breach notified to the DPC.


University of Limerick

This inquiry relates to a notified breach about an incident of phishing which the controller became aware of in November 2018, along with three previous phishing breaches notified in February, April and May 2018. The inquiry commenced in July 2019. A further phishing breach was notified in August 2019.

379 individuals were impacted in the November 2018 breach.

An on-site inspection will be carried out in early 2020.

University College Dublin

This inquiry relates to seven breach notifications received between September 2018 and January 2019.

The university reported that email accounts across multiple university schools were compromised and were detected to be sending spam. Some of the breaches related to users furnishing their credentials on external websites and, in other cases, the controller was unable to identify how its systems were compromised. The account credentials had been posted publicly online for some users. Other credentials were identified in “haveibeenpwnd.com”.

The inquiry commenced in July 2019. A site inspection has been carried out and a Draft Inquiry Report is being prepared.

Maynooth University

This inquiry relates to an instance of hacking of a university’s employee email account. The email account of an employee at Maynooth University was hacked and forwarding rules were set. Subsequent correspondence between that employee and another staff member was intercepted and bogus bank account details were substituted, causing a money transfer of a lump sum of €28,823.40 to be diverted.

Initial analysis by the university indicated attempted phishing, but there was no indication of any successful phishing. The employee’s personal computer had malware on it since 2017. The particular malware was a Trojan often used as a launchpad to download malicious software. The university found no indication of the method used to place that malware on the personal computer.

The attacked email account was only one of six accounts potentially accessed. However, the university has not found any evidence of exploitation of the other five accounts. For all six accounts there is a risk that there were substantial amounts of personal data within the emails that may have been disclosed/accessed.

This inquiry commenced in November 2019 and is ongoing.

Bank of Ireland

This inquiry relates to 22 breach notifications from Bank of Ireland, in which the bank was sending inaccurate data to the Central Credit Register, with a corresponding risk that the credit rating of certain bank customers had inaccurate information recorded.

The inquiry commenced in November 2019 and is ongoing.

Irish Credit Bureau

This inquiry relates to a breach notification that the DPC received from the Irish Credit Bureau (ICB) in relation to a data integrity issue. A change to the ICB system inadvertently allowed incorrect updates to be applied to the loan account records of financial institutes’ customers.

The issue impacted on the credit ratings of 15,238 individuals. 118 individuals had requested their credit report directly from the ICB while the data was incorrect.

The inquiry commenced in July 2019. The next step of the inquiry is to furnish a Draft Inquiry Report to the ICB.

Slane Credit Union

This inquiry relates to a breach notification received from Slane Credit Union, where the credit union publicly disclosed personal data of 78 account holders via general searches on the internet. A plug-in on the credit union’s website had indexed the private content of the credit union pages and made it available as public content, which could subsequently be accessed using generic searches about Slane village. Oversight of the website had been outsourced to a separate company, who acted as a data processor.

The inquiry commenced in July 2019 and an on-site inspection has taken place where the data controller and processor were questioned about data protection management. The next step is to issue a Draft Inquiry Report.

HSE (South)

This inquiry relates to the discovery of hospital records by a member of the public. Hospital documents containing personal data (name, date of birth, clinical details, and treatment) of 56 patients were found by a member of the public at a public recycling facility in Cork. Previously, there had been seven similar breaches reported to the DPC for the same HSE Area.

This inquiry commenced in October 2019. A Draft Inquiry Report has been issued to the HSE.

HSE (Our Lady of Lourdes Hospital)

This inquiry relates to the discovery of hospital records by a member of the public. The inquiry was commenced in November 2019 as a result of hospital ward handover documents relating to 15 patients being discovered by a member of the public in her front garden. A very similar incident had occurred in March 2019 when handover notes on eight patients were discovered on the public road outside the same hospital.

A Draft Inquiry Report is in preparation.


HSE Mid-Leinster (Tullamore)

This inquiry relates to a breach notification about ransomware activated on the computers within the HSE Laboratories in Tullamore. The data controller understood that ICT security measures had been delegated to a data processor. The inquiry commenced in October 2019 and is ongoing.

Tusla (November 2018)

This inquiry relates to 71 personal data disclosure breaches notified by Tusla — The Child and Family Agency to the DPC. The inquiry began in November 2018.

The subject matter of the breaches included inappropriate system access, disclosure by email and post and security of personal data.

The DPC conducted site inspections at Tusla headquarters and at regional offices in Dublin Central, Naas, Swords, Waterford, Galway and Cork. In the course of the inspections, a number of other data protection issues came to light which fell outside the original scope of the Inquiry. However, as these issues have relevance with regard to the protection of personal data, they will be highlighted in the Draft Inquiry Report.

The DPC is currently preparing the Draft Inquiry Report.

Tusla (October 2019)

This inquiry relates to three breach notifications received between February and May 2019 relating to unauthorised disclosure of personal data.

In one breach, Tusla accidentally disclosed the contact and location data of a mother and child victim to an alleged abuser.

In the next breach, Tusla accidentally disclosed contact, location and school details of foster parents and children to a grandparent. As a result, that grandparent made contact with the foster parent about the children.

In the third breach, Tusla accidentally disclosed the address of children in foster care to their imprisoned father, who used it to correspond with his children.

The inquiry commenced in October 2019. A Draft Inquiry Report has been issued to Tusla.

Tusla (November 2019)

This inquiry relates to a breach notification received from Tusla in November 2019 regarding an unauthorised disclosure of sensitive personal data. The disclosure was made to an individual against whom an allegation of abuse had been made.

The disclosed data was subsequently posted on social media.

This inquiry commenced in December 2019.

Department of Employment Affairs and Social Protection (DEASP) DPO

This inquiry relates to potential infringements of Article 38 of the GDPR in relation to the Department of Employment Affairs and Social Protection’s interactions with its Data Protection Officer. The inquiry began in December 2018. A Draft Inquiry Report was issued to the Department in May 2019 and the controller made submissions on it. These have been analysed by the DPC and the Final Inquiry Report is in preparation.

Catholic Church

This inquiry relates to the lawful basis for processing the personal data of individuals who no longer want to have their personal data so processed. The DPC received a number of complaints from individuals who were members of the Catholic Church and many of whom no longer wished to remain as members. In the absence of a way to defect formally from the Catholic Church, the individuals expressed dissatisfaction with the ongoing processing of their personal data by the Catholic Church, in particular the retention of their personal data on sacramental registers. As a consequence, each individual had requested the erasure of their church records, including those contained in baptism, confirmation and marriage registers. In all instances the request for erasure had been refused by the relevant parish offices.

Having considered the issue at a preliminary level, the DPC has opened an own-volition inquiry pursuant to section 110(1) of the Data Protection Act 2018. This inquiry is directed to the Archdiocese of Dublin and will examine whether there is a lawful basis for the processing of the personal data of individuals who no longer want to have their personal data so processed.

An Garda Síochána

This inquiry relates to the process and procedures governing disclosure requests to external third party data controllers by An Garda Síochána (AGS). The inquiry commenced in April 2019. Within the context of the inquiry, pursuant to section 136 of the Data Protection Act 2018, 8 data protection audits were conducted of AGS and a selection of organisations processing disclosure requests received from AGS.

The next step of the inquiry is to furnish a Draft Inquiry Report to AGS.

Irish Prison Service

The DPC opened an own-volition inquiry into the Irish Prison Service, specifically into the governance procedures in place regarding the processing of personal data by the work of the Operational Support Group. This inquiry is in its initial stages.

Student Universal Support Ireland (SUSI)

This inquiry relates to a breach notification received from the City of Dublin Education and Training Board (CDETB) in relation to its Student Universal Support Ireland (SUSI) website. The website had a breach, where malicious code (a web-shell) was detected by the SUSI IT team on 16 October 2018. The inquiry is examining the technical and organisational measures in place at the time of the breach, and how SUSI has discharged its obligations as a data controller following the breach. The inquiry commenced in July 2019 and is ongoing.

Surveillance by the State Sector for Law Enforcement Purposes

Surveillance systems that capture images of people and in turn lead to the identification of individuals either directly or indirectly, i.e. when combined with other pieces of information, can trigger the applicability of the GDPR and the Data Protection Act, 2018. While the use of such technologies for surveillance purposes by the state for law-enforcement functions has become more widespread and while there may be a perception by many that surveillance has become the norm, this perception does not diminish the obligations placed on organisations processing personal data through these means. Furthermore, while the usefulness of such technology for surveillance purposes may be obvious, i.e. the detection of specific security relevant incidents, surveillance systems operating in public places can impact on the privacy of individuals. As such it is essential that organisations in control of such systems can demonstrate that their systems are operating in compliance with data protection legislation.

The type of CCTV camera used may also raise data protection concerns. Pan-Tilt-Zoom (PTZ) cameras may be used to zoom in from a considerable distance on individuals and their property, so they may pose higher risks to individuals’ privacy. Furthermore, the deployment of ANPR cameras is becoming more commonplace in the State Sector, but the absence of data protection policies governing the use of such technology in the State Sector is notable.

These concerns prompted the DPC to commence a number of own-volition inquiries under the Data Protection Act 2018 into surveillance of citizens by the state sector for law-enforcement purposes through the use of technologies such as CCTV, body-worn cameras, drones and other technologies such as Automatic Number-Plate Recognition (ANPR) enabled systems, which is becoming an increasingly prevalent part of CCTV systems. There are several other aspects to these ongoing own-volition inquiries such as an examination of the use of CCTV cameras to monitor certain local-authority housing estates and the use of covert cameras to detect offenders in the act of littering and unlawful waste disposal. The inquiries are also examining the legal basis underpinning the use of these surveillance technologies for law-enforcement purposes.

These own-volition inquiries are being conducted under Section 110 and Section 123 of the Data Protection Act 2018 and they have been split into a number of modules. The first module focuses on the 31 local authorities in Ireland, and the second module focuses on An Garda Síochána. Further modules are likely to be added as the inquiries progress. The first and second modules commenced using the data protection audit power provided for in Section 136 of the Data Protection Act 2018.

In the first phase of the audits, the DPC issued a detailed questionnaire to all 31 local authorities and to An Garda Síochána to elicit information in relation to their respective usage of CCTV, body-worn cameras, ANPR-enabled systems, drones and other technologies for surveillance purposes. The second phase, i.e. the information gathering phase, began in September 2018 with a series of on-site inspections.

To date, the DPC has conducted inspections in seven separate local authorities. The local authorities inspected were Kildare County Council, Limerick City and County Council, Galway County Council, Sligo County Council, Waterford City and County Council, Kerry County Council and South Dublin County Council. Between them, these seven local authorities have more than 1,000 CCTV cameras in operation for surveillance purposes. Note: The inquiries do not apply to security cameras such as those deployed for normal security purposes. Each of the local authorities inspected had its own unique approach to how it conducted surveillance on citizens. As part of the inquiry process, the DPC sought evidence of robust data protection policies as well as evidence of active oversight and meaningful governance.

Another key aspect of these inquiries involves auditing the deployment of community-based CCTV systems by examining whether Section 38(3)(c) of the Garda Síochána Act 2005 (which provides a legislative basis for such schemes under certain conditions) is being fully complied with. Community-based CCTV schemes that have been set up at local level require that the local authority be a data controller and that the prior authorisation of the Garda Commissioner be obtained. In particular, the inquiries are examining whether or not the Garda Commissioner has approved all such schemes in operation at present (to date the Garda Commissioner has authorised community-based CCTV schemes in approximately seventy cities, towns and villages across the State). The inquiries are also examining how data controller obligations are being met by the local authorities as required under that Act.

An Garda Síochána

Separate to the ongoing inquiries in the local authority sector, an inquiry was conducted into An Garda Síochána in relation to Garda-operated CCTV schemes (Section 38(3)(a) of the Garda Síochána Act 2005 provides a legislative basis for such schemes). Currently there are approximately 38 separate schemes that operate under this legislation that are solely under the control of An Garda Síochána. The inquiry conducted involved inspections at Garda Stations in Tullamore, Henry Street Limerick, Pearse Street Dublin, Duleek and Ashbourne Co. Meath.

Following the submission of the final inquiry report to the Commissioner for Data Protection, the Commissioner made 13 findings in respect of infringements of the Data Protection Act, 2018. These infringements relate to a number of matters such as governance issues (including record-keeping of downloads, retention periods, training, auditing of access logs); transparency in relation to informing the general public by signage and other means; the absence of data processor contracts; and the deployment of ANPR cameras on one Garda scheme in the absence of the implementation of appropriate data protection policies by An Garda Síochána and its failure to carry out a data protection impact assessment before rolling out the scheme. Note: As the matters under examination related to the law enforcement provisions of the Data Protection Act 2018 only, infringements of the GDPR did not arise in these instances.

The Commissioner decided to exercise three corrective powers in accordance with Section 127 of the Data Protection Act, 2018. In summary, a reprimand was issued to An Garda Síochána in circumstances where the processing was not in compliance with the 2018 Act and in such instances the Commissioner ordered the processing to be brought into compliance. Furthermore a temporary ban was imposed on processing in one region where such processing involves the operation of ANPR cameras until such time as their necessity and justification can be demonstrated. An Garda Síochána switched off these ANPR cameras as ordered by the Commissioner within seven days.

Cookies Sweep 2019 (Carried out under the GDPR and ePrivacy Regulations)

In August 2019, the DPC commenced an examination of the use of cookies and similar technologies on a selection of websites across a range of sectors, including media and publishing, the retail sector, restaurants and food ordering services, insurance, sport and leisure and the public sector.

The purpose of the sweep survey was to request information to allow us to examine the deployment of such technologies and to establish how, and whether, organisations are complying with the law. In particular, we wanted to examine how controllers obtain the consent of users for the use of cookies and other tracking technologies.

The standard of consent that controllers must obtain from users or subscribers for the use of cookies must now be read in light of the GDPR standard of consent, i.e. it must be obtained by means of a clear, affirmative act and be freely given, specific, informed and unambiguous.

There was a good level of cooperation with the sweep and most organisations were keen to demonstrate compliance. In some cases they signalled their awareness that they may not currently be compliant with S.I. No. 336/2011 — the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (‘the ePrivacy Regulations’) and they wished to obtain guidance from the DPC on how to amend their practices, if required.

The quality of information provided to users in relation to cookies varied widely. Some organisations provided detailed and layered information about the technologies in use, and others provided little detail about the use of cookies, or about how to reject them.

We also established that many organisations are setting a wide range of cookies as soon as a user lands on their website, without any engagement by the user with a consent management platform or cookie banner. These included third-party cookies from social media companies, payment providers and advertisers.

Many organisations categorised the cookies deployed on their websites as having a ‘necessary’ or ‘strictly necessary’ function, or a ‘performance’, ‘functional’ or ‘analytics’ function.

However, some cookies defined by controllers in their responses as ‘strictly necessary’ appear not to meet either of the two consent exemption criteria set down in the ePrivacy Regulations.

There was some level of awareness, particularly among larger organisations, of recent or pending rulings by the Court of Justice of the European Union (CJEU) in the ePrivacy area, which may impact on their practices. Some are reassessing issues of joint controllership that may arise in respect of the use of third-party plugins and social ‘like’ buttons in light of the Fashion ID judgment of 29 July 2019.

On 1 October, shortly after the DPC commenced this sweep, another significant judgment from the CJEU in the Planet49 case clarified that consent for the placement of cookies is not valid if it is obtained by way of pre-checked boxes which users must deselect to refuse their consent.

The use of pre-checked boxes and sliders set by default to the ‘on’ position was a feature on a number of the websites we examined. In addition, many organisations relied on implied consent to set cookies, or they directed users to their browser settings to control cookies.

There were also examples of pre-checked boxes which opted users in to analytics and marketing cookies by default, but with the organisation failing to honour any choice expressed by the user if they unchecked the boxes. A lack of clarity on how users could withdraw their consent to cookies was also a feature on some sites.
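The three patterns the sweep describes (cookies set on landing before any interaction, sliders defaulting to ‘on’ being read as consent, and unchecked boxes not being honoured) can be expressed as a small consent gate. The code below is an added example written for this report page, not code from the DPC or from any of the organisations examined; the cookie names, their categories and the shape of the banner state are constructed for illustration. It places the weak logic beside a corrected version and adds the check an auditor would run over the cookies observed on first page load.

```javascript
// Added example (not from the DPC report): modelling cookie consent the
// way the 2019 sweep findings describe it. All names below are constructed.

// Constructed catalogue: cookie name -> category the site assigns to it.
const COOKIE_CATALOGUE = {
  session_id:   'strictly-necessary', // keeps the user logged in
  csrf_token:   'strictly-necessary', // protects form submissions
  analytics_id: 'analytics',
  ad_tracker:   'marketing',          // third-party advertising cookie
  social_like:  'marketing',          // cookie set by a social 'like' button
};

// Only this category is treated here as exempt from consent; every other
// category needs a clear, affirmative act before its cookies may be set.
const EXEMPT = new Set(['strictly-necessary']);

// Weak pattern seen in the sweep: sliders default to "on", so a user who
// never touches the banner is treated as having consented, and unticking a
// box changes nothing because the code reads the defaults, not the choice.
function weakConsentedCategories(banner) {
  return Object.keys(banner.defaults).filter((c) => banner.defaults[c]);
}

// Corrected pattern: a category counts as consented only if the user
// performed an affirmative act (saved the banner) and that box was ticked
// at the moment of saving. Pre-checked defaults alone yield nothing.
function consentedCategories(banner) {
  if (!banner.saved) return [];
  return Object.keys(banner.choices).filter((c) => banner.choices[c] === true);
}

// Which cookies may be set right now: exempt ones always, the rest only
// when their category is in the consented list.
function permittedCookies(catalogue, consented) {
  const allowed = new Set(consented);
  return Object.keys(catalogue).filter(
    (name) => EXEMPT.has(catalogue[name]) || allowed.has(catalogue[name]),
  );
}

// Audit check: given the cookies observed on first page load, before any
// interaction, return those that required consent (uncatalogued cookies
// are reported too, since nobody can claim an exemption for them).
function auditLandingCookies(catalogue, observed) {
  return observed.filter((name) => !EXEMPT.has(catalogue[name] ?? 'unknown'));
}

// Walk-through with a constructed banner state: the user has just landed,
// both non-essential sliders default to "on", nothing has been saved.
const landingState = {
  saved: false,
  defaults: { analytics: true, marketing: true },
  choices:  { analytics: true, marketing: true },
};
console.log('weak logic treats as consented:', weakConsentedCategories(landingState));
console.log('corrected logic treats as consented:', consentedCategories(landingState));
console.log('cookies permitted on landing:',
  permittedCookies(COOKIE_CATALOGUE, consentedCategories(landingState)));

// The user unticks marketing and saves: only analytics is now consented.
const savedState = { ...landingState, saved: true,
  choices: { analytics: true, marketing: false } };
console.log('after save:', permittedCookies(COOKIE_CATALOGUE, consentedCategories(savedState)));

// Cookies seen in a constructed first-load capture, before any interaction.
console.log('needed consent but were set on landing:',
  auditLandingCookies(COOKIE_CATALOGUE, ['session_id', 'ad_tracker', 'social_like', 'fb_pixel']));
```

The difference between the two consent functions is where the signal comes from: the weak version derives consent from the state the site chose, the corrected one from an action the user took. The audit function is the check a reviewer can run against a capture of first-load cookies to find exactly the behaviour the sweep reported.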

During 2020, the DPC will produce updated guidance on cookies and other technologies which will take account of the judgments in Planet49 and Fashion ID. This guidance will underpin our future enforcement strategy and activity.

Given the pervasive nature and scope of online tracking, and the inextricable links between such tracking and cookie technologies and adtech, we will place a strong focus on compliance in this area.

Other Investigations (Under the Data Protection Acts 1988 and 2003)

Tusla Child and Family Agency Investigation

In November, the DPC concluded an investigation that had commenced in March 2017 (under the Data Protection Acts 1988–2003 which were applicable at the time) into the governance of personal data within the Child and Family Agency, Tusla.

The investigatory phase, which included physical inspections by our Authorised Officers at Tusla locations around the country, had been completed in December 2017.


The DPC continued to engage with Tusla throughout 2018 and 2019 in relation to a number of our findings, including in relation to issues related to the co-location of Tusla offices with facilities also occupied by the Health Service Executive (HSE).

The agency confirmed that a number of organisational and technical measures have been put in place since the DPC’s site inspections in late 2017. Tusla’s ICT unit is also advancing what the agency describes as “a significant work programme” which will see the establishment of an ICT environment wholly managed and controlled by Tusla.

Tusla also confirmed that it expects to revise its current record management policy with the aim of aligning it with the necessity and proportionality principles of the GDPR. The agency is also seeking to review its use of “in perpetuity” record retention periods.

Investigation of Independent News and Media (INM) under the Data Protection Acts 1988 and 2003

The DPC investigation of Independent News and Media (INM) under the Data Protection Acts 1988 and 2003 in relation to the possible unlawful disclosure of data held on company servers to third parties and other potential contraventions of the Data Protection Acts is nearing a conclusion. The DPC has raised queries and received submissions from various stakeholders to gather the information about the facts surrounding the data extraction process that was widely reported in the media and which formed part of the basis for appointment of High Court Inspectors. The DPC is finalising the Investigation Report and anticipates a decision of the DPC will issue following this.

Investigation in relation to the Public Services Card under the Data Protection Acts 1988 and 2003

A detailed report of the Investigation by the DPC into the processing of personal data by the Department of Employment Affairs and Social Protection (DEASP) in relation to the Public Services Card can be found in Appendix 3 on page 93.


7 Legal Affairs


Procedural law issues

The work of the DPC’s Legal team has always been challenging and diverse but perhaps never so much as during 2019. The progression of the first inquiries, particularly those concerning cross-border processing issues, towards completion has given rise to novel and highly complex issues, including a certain level of procedural challenges being raised by respondent data controllers, as well as individual complainants and (Article 80) representative bodies. These challenges often concern novel points of law, particularly concerning the interaction between the GDPR and the Irish national implementing legislation, the Data Protection Act 2018, which have not previously arisen under Irish law.

During 2019, the DPC has had to consider a multiplicity of legal procedural issues raised by parties to processes conducted by the DPC such as: how best to balance the rights and entitlements of the parties concerned in the context of requests for access to the inquiry file; claims of legal privilege, confidentiality and commercial sensitivity made over material submitted by parties to inquiries; as well as challenges to the fairness of the processes and procedures undertaken by the DPC. In order to determine the various issues arising, the DPC has had to consider how legislative provisions might be interpreted and operated in harmony with European legislation as well as how rights deriving from the European Union’s legal framework, such as the right of access to the file and the right to good administration, should operate in the context of an Irish regulatory inquiry. Similarly there have been many issues arising concerning the potential conflict of other national administrative laws (insofar as they implement and give further effect to the GDPR at national level) with the Data Protection Act 2018. This phenomenon is one which is occurring in the context of the work of supervisory authorities across the EU. Consequently, at EDPB level, supervisory authorities continue to work through how to resolve these procedural issues at a practical level to ensure the highest degree possible of harmonisation of GDPR implementation nationally. The DPC anticipates that 2020 will involve the reconciliation of many such complex legal issues which will flow from the conclusion of its first waves of statutory inquiries (particularly those which must progress to final resolution under the One Stop Shop mechanisms i.e. where the DPC is the Lead Supervisory Authority) and the crystallisation in practical terms of many theoretical legal and procedural issues which have been raised during those first novel inquiries.

Litigation involving the DPC

Between 1 January and 31 December 2019, substantive judgments on data protection issues were delivered in the following proceedings, to which the DPC was a party. It should be noted that these proceedings related to the performance of the DPC’s functions under the previous legislative regime of the Data Protection Acts 1988 and 2003.

An appeal to the Circuit Court in the case of Young’s Garage v The Data Protection Commissioner (judgment of Nenagh Circuit Court, delivered 4 February 2019). (Note: this judgment was reserved and subsequently delivered orally only, and the below is a summary of that oral judgment.)

This case concerned an appeal, brought by a car dealership, against a decision of the DPC dated 21 December 2017 in relation to a complaint made by an individual against that dealership. In his complaint, the individual alleged that the dealership provided his personal data to a third party bank for the purpose of enabling the carrying out of a credit check on the individual with that bank. The individual alleged that this credit check, and the processing of his personal data by the dealership for this purpose, took place without his consent.

The DPC commenced an investigation into the complaint, during the course of which the dealership asserted that the individual had consented to the processing of his personal data for the purpose of a credit check. While the dealership asserted that it normally records an individual’s consent by way of a “ticked” checkbox on an application form, the application form relating to the complainant individual did not contain a “ticked” checkbox. In the circumstances, the dealership had no way of proving by way of documentary evidence that the individual had, in fact, consented to the processing of his personal data for the purpose of a credit check. Accordingly, the DPC found that the dealership breached Section 2A of the Data Protection Acts, 1988 and 2003.

The DPC’s decision noted that Section 2A of the Data Protection Acts, 1988 and 2003 requires consent to be “freely given, specific, informed and unambiguous”. As the checkbox on the form used to process the individual’s personal data had not been “ticked”, and there was no further documentary evidence available to support the assertion that the individual consented to the processing, the DPC concluded that the requisite elements of ‘consent’ were not satisfied in this case and the dealership could not show that it had a lawful basis to support the processing of the individual’s personal data. The issue of controllership was also raised by the dealership during the DPC’s investigation with the dealership claiming that it was not the controller and instead was a processor for the third party bank to whom the complainant’s personal data had been passed. This argument was not accepted by the DPC.

The dealership appealed the decision to the Circuit Court. In the oral judgment delivered by the Circuit Court, the Court found that the investigation process, as carried out by the DPC, had been properly conducted and noted that there were two different accounts of the facts put forward by the dealership and the complainant. The Court found that the DPC’s decision was correct based on the evidence before her. On the consent issue, the Court noted that the affidavit sworn on behalf of the dealership in this appeal was silent on the issue of consent and that no evidence had been put forward as to consent having been provided by the complainant to his details being forwarded to the bank. Further, in relation to the question of controllership, the Court found that there was no question but that the dealership was a data controller, and that it was clear that the dealership could not be a processor as it did not act for the bank in question. It was noted that the dealership’s solicitor had previously seemed to agree with this position in earlier correspondence; therefore it seemed to follow that the dealership’s solicitor accepted that it was not a processor, and it also followed from this that the dealership was a data controller. Therefore the Court did not allow the dealership’s appeal.

An appeal to the Circuit Court in the case of Doolin v The Data Protection Commissioner (judgment of Dublin Circuit Court, delivered 1 May 2019). (Note: the judgment in this appeal was delivered ex tempore only, and the below is a summary of that judgment.)

This case concerned an appeal, brought by an individual, against a Decision of the DPC dated 27 July 2018. In the complaint that formed the basis for the Decision, the individual alleged that his employer used CCTV footage of him to sanction him for taking unauthorised breaks at work.

During the course of the investigation, it was established that the employer discovered a threatening message carved into a table in the break room at the place of employment. The employer reported the matter to An Garda Síochána for investigation. An Garda Síochána requested the employer to examine all fob usage records and CCTV footage from a corridor leading to the break room in question. The CCTV footage was used to identify those persons who entered/left the break room. The employer then interviewed the identified members of staff with a view to establishing whether or not the message was on the table during the time they were present in the room (so as to narrow down the time that the incident could have taken place). The employer advised that a number of staff, when interviewed, admitted that they had been taking an unofficial break from their duties. The employer asserted that disciplinary action was taken on the basis of those admissions and that the CCTV footage was not used for the purpose of the disciplinary hearing. The employer reiterated that the only purpose for the use of the CCTV was the investigation into a criminal matter that had been referred to An Garda Síochána.

The individual alleged that the employer breached Section 2 of the Data Protection Acts, 1988 and 2003 (“the Acts”) when it used the CCTV footage for disciplinary purposes. The individual relied on the employer’s CCTV policy, in this regard, which stated that the purpose of the CCTV system was to prevent crime and promote staff security and public safety.

In examining the individual’s complaint, the DPC considered two issues relating to the processing of his personal data by way of the CCTV system, as follows:

1. Whether the employer had a lawful basis under Section 2A of the Acts for processing the individual’s data; and

2. Whether the employer complied with the statutory requirements set out in Section 2(D) of the Acts in relation to the fair processing of the individual’s data, with particular reference to the requirement to provide notice of the processing of the individual’s personal data.

The DPC firstly noted that it was apparent from the investigation that the employer had a legitimate justification to access and view the CCTV footage in order to make enquiries as to who had carved the offensive and threatening material into the table of the staff break room. It was a serious security issue which potentially gave rise to a threat to staff and it had to be investigated. This included the necessity to view CCTV footage as part of the investigation. Under Section 2A(1)(d) of the Acts, the processing of personal data is permitted if it is necessary for the purposes of the legitimate interests of the data controller, except where that processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms of the individual.

The DPC had regard to the Opinion of Advocate General Bobek in the Rīgas regional security police case (Case C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’) and, in particular, AG Bobek’s consideration of the scope and meaning of the term ‘legitimate interests’. AG Bobek noted that, when considering whether the ‘legitimate interests’ ground applies, a three-step test must be followed:

1. There must be the existence of a legitimate interest justifying processing;

2. That interest must prevail over the rights and interests of the individual; and

3. The necessity of processing of the personal data for the realisation of the legitimate interests.

Applying the above to the matters established during the course of the investigation, the DPC was firstly satisfied that the employer demonstrated that it had a legitimate interest in processing the individual’s personal data by viewing the CCTV footage in order to identify the staff members who should be interviewed in relation to the security risk presented.

In relation to the second and third limbs of the test, the DPC found that the viewing of the CCTV footage was a crucial investigative step in order to identify the staff members who were present around the time that the incident occurred. The DPC was satisfied that the processing of the individual’s personal data in the form of a limited viewing of the relevant CCTV footage, without downloading or further processing of any kind, was necessary for this purpose and did not go beyond the stated purpose. The CCTV camera was located outside the staff room and was not monitoring employees in a private area. The DPC therefore concluded that the viewing was proportionate in all of the circumstances and prevailed over the individual’s rights and interests in that limited context.

Accordingly, the DPC found that the employer had a lawful basis, under the legitimate interests provision set out in Section 2A(1)(d) of the Acts, for the very limited processing of the individual’s personal data which took place in this case.

The DPC further considered whether the requirements of Section 2(1)(c)(ii) of the Acts had been satisfied by the employer. This provision requires that personal data must not be processed for purposes other than the purpose for which it was originally collected. In this case, the DPC was satisfied that the individual’s images, as captured on the CCTV system, were processed in connection with the investigation of a security incident when they were initially viewed by the investigation team for that purpose alone. The information gathered from that viewing may subsequently have been used for another purpose, i.e. disciplinary proceedings, but this, in the view of the DPC, did not constitute a different purpose, because the CCTV images were not further processed for that second purpose. If the images had been further processed for that second purpose, for example by downloading and use in the disciplinary proceedings, it may constitute further processing for a different purpose. This did not occur in this particular case and no further processing of the individual’s images occurred for the second purpose. Accordingly, the DPC found that the limited viewing of the individual’s images took place exclusively for the security purpose for which the images were originally collected and that no contravention of Section 2(1)(c)(ii) occurred.

Finally, the DPC considered whether the fair processing requirements set out in Section 2D of the Acts were satisfied by the employer in this particular case. The DPC found that it was evident, from the information provided by both the employer and the individual themselves, that the individual was on notice that CCTV footage was in operation in the employer’s premises. This was through information provided in the staff handbook which the employer said was issued to every employee during induction. It was also evident through CCTV signage on display at the premises. Accordingly, the DPC was satisfied that the fair processing requirements, as set out in Section 2D, were satisfied by the employer in this particular case.

In his appeal to the Circuit Court, the individual alleged that the DPC had erred in fact or in law in determining that there was no breach of Section 2 of the Acts by his employer in respect of the CCTV footage. To succeed on this claim, and by reference to the test set out in Orange Limited v The Director of Telecommunications, the individual had to establish that there had been a serious and significant error or series of such errors. The Court found that the DPC carried out a significant investigation into the individual’s complaint and that the individual had been put on full notice of the employer’s position and was given every opportunity to make submissions (and did, in fact, make such submissions). The Court also accepted that there had only been one investigation and not two investigations. The investigation undertaken was based on security concerns arising from the graffiti incident in question and the disciplinary action by the employer against the individual was taken for security purposes.

In all of the circumstances, and taking into account all the facts, the Court was satisfied that the individual did not meet the test as would require the DPC’s Decision to be overturned. Accordingly, the Court dismissed the individual’s appeal. Costs were awarded to the DPC and to the notice party (the employer).

Note: this Circuit Court decision is now under appeal to the High Court.


8 Supervision


Supervision

Contact with companies, organisations, policy makers and legislators enables the DPC to better understand the ways in which personal data is processed by controllers and processors, and the actions they take to meet their data protection obligations. It helps the DPC in proactively identifying data protection concerns and, in the case of new products or services, ensuring organisations are aware of compliance obligations and potential problems in advance of the commencement of the processing of personal data.

The DPC received 1,420 general consultation queries during 2019. These queries act as a starting point for much of the DPC’s supervision of controllers and processors of personal data, and provide an important insight into the types of issues which could benefit from further engagement and guidance. The sectoral breakdown of these queries is as follows:

Sector                      Number      %
Health Sector                  194    14%
Law Enforcement Sector          35     2%
Private/Financial Sector       629    44%
Public Sector                  472    33%
Voluntary/Charity Sector        90     6%
TOTAL                        1,420

Public Sector

A key focus in 2019 was the promotion of ‘Guidelines on the processing of personal data by Elected Representatives under Section 40 of the Data Protection Act 2018’ published by the DPC at the end of 2018.

Presentations were made to local councillors at the Association of Irish Local Government annual conference, and to members of the Oireachtas and their staff. The guidelines were also presented to the Local Government Data Protection Officers Network, in recognition of the important role that local councillors provide for their constituents in accessing the services of their local authorities.

The DPC engaged with several local authorities in 2019 on the topic of the processing of personal data in the context of waste management enforcement activities. Activity in the local government sector around waste enforcement took two different forms; one was the development of byelaws that sought to allow for increased sharing of personal data in order to more effectively enforce existing waste legislation, and the other was by way of a pilot project which focused on using Eircodes of households in a particular region in order to focus enforcement activities in that area. The DPC highlighted the importance of proper stakeholder consultation and full consideration of data protection implications by way of data protection impact assessments (DPIAs) as central to success in this area.

The DPC also continued to engage with several key stakeholders of the national smart meter rollout project, including ESBN, the Commission for the Regulation of Utilities (CRU) and the electricity suppliers. As the implementation of this project is being progressed for public policy reasons, the DPC emphasised the need for a clear statutory underpinning for this complex project, in accordance with the Data Protection Act 2018, and will continue to provide guidance on the data protection implications of the project as it develops.

The National Newborn Bloodspot Screening Programme

In 2019, the DPC stepped up regulatory engagement with the Department of Health to bring to a conclusion the matter of the indefinite retention of the historic archive (pre 2012) of national new-born screening test cards. These cards are used in screening newborn babies for a range of health conditions shortly after their birth as part of the National Newborn Bloodspot Screening Programme. The original indefinite retention policy of the programme was found by the DPC in 2010 to be in breach of data protection law. Following this finding, the DPC directed the various stakeholders to find a resolution to the breach, either by way of establishing a lawful basis for the retention of the archive or its destruction. A protracted period of stakeholder consultation and review within the Department of Health was then undertaken, as well as a period of time during which members of the public were afforded the opportunity to extract their cards from the archive. The DPC has been informed that a Ministerial order for the destruction of the archive has now been signed and we understand the destruction process will be completed in the first quarter of 2020. It should be noted that, following revision of its data retention policy in 2012, the National Newborn Bloodspot Screening Programme as it currently operates does not present any data protection concerns.


Prior Consultation

Under the GDPR and the Data Protection Act 2018, there is a mandatory obligation to consult with the DPC on legislative proposals involving the processing of personal data. In this area we encourage early engagement so that we have a clear understanding of the legislation and what it is trying to achieve at the earliest opportunity. This also allows us to encourage government departments to adhere to the principle of ‘data protection by design’, and to carry out effective Data Protection Impact Assessments.

In 2019 the DPC was consulted by a range of government departments and other stakeholders on legislative matters including, but not limited to, the following:

Sample of Legislative Consultations:

• Adoption (Information and Tracing) Bill 2016

• Proposals on The Future Funding of Public Service Broadcasting

• Proposals to extend the circumstances in which recording devices, including Body worn cameras, can be used by An Garda Síochána

• Report on the Collection of Tuam Survivors’ DNA Publication

• Affordable Childcare Scheme — prescribing persons who may process personal data

• CervicalCheck Tribunal Bill 2019

• Amendments to the Electoral Act 1992 to allow for the establishment of the Citizens Assembly 2019 and the Dublin Citizens Assembly

• The Civil Registration Bill 2019

• Defence Forces (Evidence) Bill 2019

• Disabled Drivers and Disabled Passengers Fuel Grant

• Registrar of Beneficial Ownership of Companies and Industrial and Provident Societies

• Proposal for the Establishment of a Statutory Electoral Commission

• Draft General Scheme of the Sea-Fisheries (Amendment) Bill 2019

• Amendment to the Gaming & Lotteries Act 1956

• Gender Pay Gap Information Bill 2019

• European Union (Hague Maintenance Convention) Regulations 2019

• Housing (Regulation of Approved Housing Bodies) Bill 2019

• Investment Limited Partnerships (Amendment) Bill 2019

• S.I. to establish A Beneficial Ownership Register for ICAVs (Irish Collective Asset-Management Vehicles) and Credit Unions

• S.I. to create a beneficial ownership register for the beneficial owners of Trusts

• Regulations to add the Registrar of Beneficial Ownership of Companies and Industrial and Provident Societies as a specified body to Schedule 5 of the Social Welfare Consolidation Act 2005

• Judicial Council Act 2019

• Microchipping of Dogs Regulations 2019

• Monuments and Archaeological Heritage Bill 2019

• Parental Leave (Amendment) Bill 2017

• Residential Tenancies Amendment Bill 2018

• Data Protection Act 2018 (Section 60(6)) (Health Professionals’ Regulators) Regulations 2018

• Amendments to the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018

• Social Welfare Spring Bill 2019

• Transposition of EU Shareholders Rights Directive (providing for the identification of shareholders and remuneration of directors) as amendments to the Companies Act

• Waste Presentation Byelaws

Sample of Non-legislative Observations:

• Public Consultation on the Potential Introduction of Open or Semi-Open Adoption in Ireland

• National Action Plan of Business and Human Rights

• Draft National Risk Assessment 2019 — Overview of Strategic Risks Report

• Revenue Statement of Strategy

• Public Consultation on National Cyber Security Strategy

• EU Commission Survey on Internet Connected radio equipment and wearable radio equipment

• National Artificial Intelligence Strategy

• Public Consultation and launch of updated Central Bank of Ireland guidance on policies and procedures for entities in complying with Anti Money Laundering laws

• Proposal for a Fraud Sharing Database in the Banking sector

• Proposal for an Insurance Fraud Database

• Proposal by Dept of Transport Tourism & Sport to set up a ‘Motor Third Party Liability Database’ to record the insurance status of registered vehicles


Law Enforcement

Over 2019 the DPC was involved in extensive consultations with An Garda Síochána in respect of its programme to modernise core technology platforms. This included reviewing data protection impact assessments for its Electronic Content Management (ECM) platform and Investigative Management System (IMS). The DPC also engaged with An Garda Síochána on its data protection impact assessment in respect of the Schengen Information System second generation project (SIS II).

Private and Financial Sector

Supervision of private sector entities and organisations connected with the financial, banking and insurance sectors continued in 2019, providing direction and guidance to data controllers on a broad range of complex data protection issues. The organisations with whom the DPC engaged during 2019 included:

• Ulster Bank
• Bank of Ireland
• Permanent TSB
• Western Union
• Prudential Assurance
• Aer Lingus
• SIPTU
• Irish Rail
• Lidl
• Banking Payments Federation Ireland
• Accountancy Ireland
• Irish Farmers Association
• Money Advice and Budgeting Service (MABS)
• IBEC (Telecommunication and Internet Federation)
• Insurance Ireland
• National Recruitment Federation
• The Irish Association of Pension Funds
• Irish Petrol Retailers Association
• Department of Finance
• Revenue Commissioners
• Central Bank of Ireland
• An Garda Síochána

Whilst it can be seen that, since the introduction of the GDPR in May 2018, there is greater awareness amongst private sector organisations of data protection obligations, which has contributed to the reduction in queries received, some of the core recurring concerns for companies throughout 2019 included, amongst others:

• Personal data transfers following a No-Deal Brexit

• Direct Marketing rules under the ePrivacy Directive

• Effectively dealing with Subject Access Requests

• Use of technologies in the workplace such as biometric clocking/GPS vehicle tracking and CCTV in the workplace

• Transferring of employee data in mergers and takeovers

• New technologies and their impact on controllers’ data protection obligations.

2019 saw the continued emergence of new technologies, most notably in the Fintech and payments industry, with the advent of Open Banking and the second European Payment Services Directive (PSD2) and with new Fintech start-ups or trusted third parties (TPPs) setting up operations in Ireland. This is expected to gather momentum in 2020. As the sharing of account information and personal data is the cornerstone of the Directive, this will be a core priority for the DPC’s consultation engagement with the private and financial sector in the coming year.

CASE STUDY 13 Proposals for Fraud Sharing Databases

During 2019 the DPC was consulted on proposals for the creation of two separate fraud information-sharing databases.

The first proposal from Insurance Ireland is to expand an existing database, called InsuranceLink, to include additional data fields. InsuranceLink contains details of insurance claims made by individuals to facilitate the exchange of information between insurance companies when a claim for compensation has been made by a customer, for the purpose of identifying fraud where false claims are potentially being processed. One of the proposed additional data sets is third party personal data such as witnesses to accidents.

The second proposal was from Banking and Payments Federation Ireland (BPFI) on behalf of the main retail banks, who wish to create a fraud information-sharing database that would be operated by an independent trusted third party. Each bank that establishes fraudulent activity would, according to predefined rules, transmit that information to the database and all participant banks would be permitted to check client details against the database for the purposes of identifying and preventing fraud.

The DPC has emphasised to both Insurance Ireland and BPFI that industry fraud databases, involving the processing of significant volumes of sensitive data, must meet necessity and proportionality requirements under EU law and jurisprudence. We have also emphasised that the operation of each database must, as necessary, have a statutory underpinning to ensure compliance with data protection obligations under the GDPR and the Data Protection Act 2018, such as, for example, where the processing is in the public interest and/or involves data relating to offences or alleged offences.

It is the DPC’s view that both proposals raise significant risks for individuals, in particular to persons who may be wrongly identified as participating in fraudulent activity, or, in the case of insurance claims, to persons who are not directly linked to a claim such as a witness. We have advised the parties that these risks must be fully assessed and mitigated, including by building in very robust safeguards, rules and procedures and ensuring that the principles of data protection such as data minimisation are complied with. Furthermore, we have highlighted the importance of public consultation and awareness on the scope and purpose of these proposals.

Multinational Supervision

In 2019, the DPC attended over 100 meetings with various multinational companies in its supervisory capacity. In addition, the DPC issued formal requests seeking detailed information on compliance with the GDPR on a broad range of matters such as:

• discrepancies in privacy policies;

• media reports outlining security issues, e.g. human review of voice recordings;

• seeking improvements to processing activities such as location tracking;

• reviewing potential new features and products, e.g. a suicide & self-harm prevention feature; and

• assisting our European counterparts in relation to concerns raised by them, e.g. the use of diagnostic data.

Certification and Codes of Conduct

Certification

During 2019, the DPC continued with its preparation for the implementation of the GDPR’s certification approval mechanisms. GDPR certification is intended as an accountability mechanism for organisations’ specific processing operations, to demonstrate compliance efforts to individuals and ultimately to support individuals’ trust in personal data processing.

The GDPR allows for the Supervisory Authority or the member state’s National Accreditation Board (NAB) to accredit certification bodies to “data protection certification mechanisms” in accordance with ISO 17065/2012 and with additional requirements established by the DPC. Section 35 of the Irish Data Protection Act, 2018, sets out that the Irish National Accreditation Board (INAB) will be the sole accrediting body for Ireland. As a result, the DPC will not be undertaking the role of an accreditation body in Ireland.

As part of implementing Article 43 of the GDPR, the DPC must set out “additional requirements” to those of ISO 17065/2012 that INAB will apply during accreditation of certification bodies to certification mechanisms that have DPC-approved data protection criteria. The DPC has just finalised these additional requirements, which are now to be submitted to the EDPB in the early part of 2020. These will be subject to an EDPB consistency opinion. Once this opinion is adopted by the EDPB and any adjustments accounted for by the DPC, they will be made publicly available.

The DPC is also currently in the process of finalising a co-operation agreement with INAB, regarding accreditation operations. Work has also commenced on the operational aspects of assessing schemes’ data protection criteria that stakeholders may submit to the DPC and on the detailed communication, cooperation and interaction the DPC will have with INAB, scheme ‘owners’, and the EDPB during the approval process.

Finally, in late 2019, the DPC co-hosted with INAB an initial information session with a group of certification bodies and other stakeholders to raise awareness of the parameters of GDPR certification mechanisms and to encourage development of such mechanisms among certification bodies. This was the first in a series of information sessions, with further sessions expected to take place in 2020.

Codes of Conduct

Rules around the drafting and monitoring of ‘Codes of Conduct’ are set out in Articles 40 and 41 of the GDPR, representing a practical and meaningful method of achieving greater levels of compliance with the principles of data protection and of protection for data protection rights. Codes of Conduct can, in particular, provide an opportunity for specific sectors to reflect upon common data processing activities and to agree to context-specific and practical rules and procedures, which will meet the needs of the sector as well as the requirements of the GDPR.

The DPC led on the development of EDPB guidelines on the drafting of Codes of Conduct and appointing Monitoring Bodies for those Codes, as set out by the GDPR, which were approved and published by the EDPB in June 2019, following public consultation. The DPC has compiled draft accreditation criteria for the accreditation of Monitoring Bodies which will be tasked with monitoring compliance with any proposed Codes of Conduct. The review of these criteria by the EDPB and their approval and publication in 2020 will be an important step towards supporting organisations in drawing up Codes of Conduct, alongside the previously published EDPB guidelines.

The DPC looks forward to the development of Codes of Conduct as a way to improve standards of data protection and transparency for particular sectors or processing operations. Codes of Conduct, properly monitored by suitable Monitoring Bodies, will bring more comprehensive, context-specific clarity to the data protection obligations of certain sectors and certain controllers. Following the extensive consultation work undertaken by the DPC in the area of children’s data protection rights, the DPC will encourage the drawing up of Codes of Conduct intended to contribute to the proper application of data protection to the processing of children’s personal data (more information on the Children’s Consultation can be found on page 66).


9 Data Protection Officers


DPC’s DPO

The Data Protection Officer (DPO) of an organisation is a person with expert knowledge of data protection law and practices. Their role is to help the organisation monitor compliance with the GDPR. It is essential that the DPC, as the Irish regulator for data protection, meets the highest standard of data protection compliance in respect of the personal data it processes.

The GDPR requires the appointment of a DPO with the necessary professional qualities and, in particular, refers to expert knowledge of data protection law and practice. As a qualified solicitor with experience in ensuring practical compliance with data protection obligations from an organisational perspective, the DPC’s DPO has the required expert knowledge of data protection law. In addition, as a senior member of staff of the DPC (Assistant Commissioner), the DPC’s DPO reports directly to the highest level of management of the DPC (its SMC), as required by the GDPR.

The role of the DPO in a data protection supervisory authority such as the DPC is broadly similar to the role of the DPO in any other data controller. It can involve responding to subject access requests and other queries from members of the public. The DPO also responds to queries from DPC staff members and ensures security measures and data protection policies are relevant and up-to-date. The DPO ensures that the Record of Processing Activities is accurate and provides assistance to the DPC with Data Protection Impact Assessments. The DPO also advises on some of the DPC’s wider strategic projects, such as the DPC’s Accounting Officer Project.

In November 2019, the European Data Protection Board set up its own DPO Network to bring together the DPOs of all EU data supervisory authorities, to discuss the specific and unique aspects of the DPO role in these organisations. As a member of this network, the DPC’s DPO has an opportunity to share knowledge and develop best practices with the DPOs of other data supervisory authorities with the objective of implementing a coordinated and consistent approach to compliance with the GDPR.

The DPC’s DPO acts as a ‘critical friend’ to the DPC. By identifying key data protection issues, understanding the legal matrix and the operational context, measuring risk and proactively taking proportionate action when required, the DPC’s DPO not only serves the cause of data protection, but also addresses organisational-risk exposure from multiple perspectives.

The DPC’s DPO can be reached via [email protected].

DPO Notifications to the DPC

Article 37.7 of the GDPR states that “the controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.”

In 2019, the DPC received 712 DPO notifications through the online webform on the DPC website. The table below shows the industry sectors from which notifications were made.

DPO notifications for 2019

Sector            Notifications
Private                     577
Public                       49
Not-for-Profit               86
Total in 2019               712

Engagement with DPOs

The DPC is committed to engaging fully with DPOs and their teams, in recognition of their key role in ensuring that the progress made to date in implementing GDPR programmes translates into lasting organisational culture and practice. DPC staff spoke at many events for DPOs during the year and a DPC-facilitated DPO Network was developed in late 2019. Mobilising this Network is a priority for the DPC for 2020. The purpose of the Network is to foster peer-to-peer engagement and knowledge-sharing between DPOs. The first initiative being rolled out by the DPC for this Network is a DPO conference on 31 March 2020, with further initiatives such as webinars, regional events and the publication of further guidance planned.


10 International Activities


International Transfers

A key focus in the area of international transfers for the Data Protection Commission is the assessment and approval of Binding Corporate Rules applications from multi-national companies. It also has an advisory role on general transfers matters, attending events and speaking engagements and meetings of the International Transfers expert subgroup of the European Data Protection Board (EDPB).

Binding Corporate Rules

Binding Corporate Rules (BCR) were introduced in response to the need of organisations to have a global approach to data protection where many organisations consisted of several subsidiaries located around the globe, transferring data on a large scale. The inclusion of BCR in the GDPR further solidifies their use as an appropriate safeguard to legitimise transfers to Third Countries.

During 2019, the DPC continued to act or commenced acting as lead reviewer in relation to 19 BCR applications from 12 different companies.

The DPC also assisted other European Data Protection Agencies (DPAs) by acting as co-reviewer on 5 BCRs in this period.

The procedure for approval of BCRs has changed from a system of mutual recognition under the Directive to the current system, where all BCRs must be submitted to the EDPB for an Article 64 opinion. This process means all DPAs get an opportunity to comment on all BCR applications, which results in a slightly longer co-operation procedure. This procedure will assist the EDPB in drafting its opinion if all issues are dealt with in advance of the Article 64 procedure.

The EDPB issued Article 64 opinions on 2 BCR applications submitted through the UK and Belgian DPAs in 2019. We expect to seek similar opinions on a number of DPC-led BCRs in the first quarter of 2020.

Due to the upcoming departure of the UK from the European Union, we have had contact from a number of companies enquiring about moving their lead authority for BCR purposes to the DPC. It is expected that the numbers of BCRs that the DPC will handle will increase in 2020, once the UK has left the EU and those companies with an ICO-approved BCR need a new BCR lead authority.

Brexit

In 2019, the DPC spent a lot of time engaging with stakeholders and providing information on Brexit, particularly the impact on Irish companies transferring personal data to the UK in the event of a no-deal Brexit. The DPC participated in joint events with IBEC, Enterprise Ireland and Local Enterprise Boards to ensure that information was delivered to as many companies as possible. The main concern was that smaller companies who did not routinely transfer data to third countries could be in contravention of the GDPR if they continued to do so post-Brexit without applying the relevant safeguards to the transfer.

The DPC also directly advised and participated in events within the public sector to give advice which could be used in the event of the UK becoming a third country from the point of view of data transfers.

Other International Transfer Issues

Staff from the DPC attended 7 meetings of the EDPB International Transfers expert sub-group (ITES) in 2019. This sub-group of the EDPB meets to consider, advise and prepare documentation on matters concerning International Transfers.

DPC’s EU Role

During 2019, the DPC continued to play a central role in safeguarding the data protection rights of millions of people across the European Economic Area (EEA).6 The DPC holds these increased responsibilities arising from the cooperation and consistency mechanisms under the GDPR.

Consistency Mechanism and EDPB Tasks

Like all other EEA data protection supervisory authorities, the DPC must ensure that we interpret, supervise and enforce the GDPR in a way that achieves consistency. The GDPR’s consistency mechanism introduced several additional tasks for the EDPB and all of its members, including the DPC, to ensure that the goal of harmonisation is reached.

These tasks are mainly delivered through the work of the EDPB’s expert subgroups and plenary meetings, in which the DPC participates fully, given the importance of these tasks. During 2019, DPC staff members attended over 80 in-person meetings in Brussels related to EDPB activities, including those of the twelve EDPB expert subgroups:

• Borders, Travel and Law Enforcement;

• Cooperation;

• Compliance, eGovernment and Health;

• Enforcement;

• Financial Matters;

• Fining Taskforce;

• International Transfers;

• IT Users;

• Key Provisions;

• Social Media;

• Strategic Advisory; and

• Technology.

6 The European Economic Area includes all European Union (EU) member states and Iceland, Liechtenstein, and Norway.

DPC staff members have contributed extensively to the development of guidelines and opinions across all of the EDPB expert subgroups during 2019. The DPC is the co-ordinator of the Social Media expert subgroup and was co-rapporteur of that subgroup’s work on regulatory priorities relating to the processing of personal data by social media companies, in the past year.

During 2019, the DPC hosted counterparts from the UK, Iceland, the Netherlands, Luxembourg and Sweden, and visited colleagues in the UK, Germany and Belgium. These bilateral discussions and exchange of experiences have been very valuable towards ensuring consistency. These meetings will continue in 2020.

European Data Protection Supervisory Bodies

During 2019, the DPC continued to actively participate in the work programmes of the European Supervisory Bodies for large-scale EU IT systems such as Europol, Eurodac, Eurojust, the Customs Information System (CIS) and the Internal Market Information (IMI) system. In addition, we continued to participate as observers to the coordinated supervision of the Schengen and Visa Information Systems (SIS II and VIS).

With regard to SIS II, during the course of 2019, the DPC continued to work alongside An Garda Síochána and the Department of Justice & Equality in relation to Ireland’s imminent participation in certain non-border aspects of the Schengen acquis and connection to SIS II. The work programme to progress Ireland’s participation will continue in 2020.

Other European Engagement

Representatives of the DPC spoke at conferences and events in many EEA Member States during 2019, including Belgium, Germany, France, the UK and Slovenia. Several DPC members of staff participated in the annual case-handling workshop for European data protection supervisory authorities, from both EEA and non-EEA countries, which was hosted by the European Data Protection Supervisor (EDPS) in Brussels in November. We were also very pleased to host a colleague from the Rhineland-Palatinate supervisory authority, who spent a week at the DPC in October.

In December 2019, the DPC signed up to a two-year programme in collaboration with our Croatian counterparts and Vrije University Belgium, mainly funded by the EU Commission. The aim of the programme is to increase the awareness, knowledge and understanding of Small-Medium Enterprises (SMEs) in Europe, on the principles of data protection, so that their future compliance levels are strengthened. The programme will start in early 2020.

International Engagement

The DPC engages with supervisory authorities, international organisations and legislators from outside of the EU, to share information on the DPC’s practices and experiences. This engagement helps to ensure that our own regulatory approach is understood, and it also helps us to understand the differences in regulatory approach in other countries, including in how this affects people and organisations.

The Commissioner appeared before the US Senate Committee on Commerce, Science and Transportation in May, as part of the Committee’s examination of consumer expectations on data privacy. She also appeared before the International Grand Committee on Disinformation and ‘Fake News’ at its hearing held in Dublin in November, attended by parliamentarians from ten countries. The DPC hosted delegations throughout the year from countries including Australia, New Zealand and the United States, amongst others.

Also as part of this activity, senior DPC staff attended the International Conference of Data Protection and Privacy Commissioners (ICDPPC) in Tirana, Albania, which took place in October. The ICDPPC is a global forum for data protection authorities to share knowledge and insights. Following the conference, the name of the ICDPPC forum was changed to the Global Privacy Assembly (GPA). The DPC also attended the meeting of the British Isles and Islands Data Protection Authorities (BIIDPA) in Jersey in June 2019. The DPC will host the next BIIDPA annual conference in Dublin in June 2020.

11 Processing of Children’s Personal Data and the Rights of Children as Data Subjects under the GDPR

Background

In 2018, the DPC launched an initiative as part of the DPC’s obligation under the GDPR to promote awareness and understanding of issues concerning the processing of children’s personal data, the specific standards required for the protection of children’s personal data, and the rights of children as data subjects. Following exploratory work in early 2018, it became clear that the significance attributed to children under the GDPR meant that a special consultation to gather the views of all relevant stakeholders, most importantly children themselves, was required.

Launch of the consultation

The DPC’s public consultation on the processing of children’s personal data and the rights of children as data subjects under the GDPR ran from December 2018 to April 2019. It focussed on several questions that the DPC wished to put to the public on the interpretation of key provisions in the GDPR in relation to children.

The consultation was divided into two streams:

• Stream 1, launched in December 2018, targeted adult stakeholders and invited all interested parties — including parents, educators, children’s rights organisations, and others — to submit their responses to any or all of the 16 questions set out in the consultation document that was published on the DPC’s website.

• Stream 2 was launched on International Data Protection Day (28 January 2019) and sought to involve children and young people directly in the classroom through an innovative and specially designed lesson plan and consultation process.

The DPC reached out to every primary and post-primary school in Ireland — as well as all Youthreach centres — informing them of the consultation and inviting them to take part. The DPC distributed a pack of lesson plan materials that had previously been tested, with the support of the Ombudsman for Children’s Office (OCO), in a series of pilot workshops in October 2018. The lesson plan was designed to help teachers discuss data protection issues with their students and had a particular focus on data protection in the context of social media. It introduced students to “SquadShare”, a fictitious app created by the DPC for educational purposes, and encouraged them to explore their data protection rights while learning about the terms and conditions of this fictitious app. Students were then invited to give their answers to a series of six questions on feedback posters and return them to the DPC via email and post.

Feedback and preliminary reports

In total, the DPC received 30 submissions from adult stakeholders including technology and social media companies, children’s rights charities, public sector bodies, academia and trade associations. Stream 2 of the consultation gathered the views of approximately 1,200 children and young people across Ireland. It was very encouraging to see both streams of the consultation generate such a high level of interest. Adult stakeholders were well represented across all sectors and children were well represented across all age groups, which were also very positive developments.

The DPC spent several months following the close of the consultation analysing the submissions of all respondents. Two preliminary reports, each focusing on a separate stream of the consultation, were published in July and September 2019 (called “Some Stuff You Just Want to Keep Private!” and “Whose Rights Are They Anyway?”). Each report presented qualitative and quantitative trends observed across all responses to the consultation and the DPC’s interpretation of these results. The consultation has to date received considerable praise and recognition. It was cited by the ICDPPC Digital Education Working Group (DEWG) as a core international initiative under the DEWG’s Action Plan for “Awareness-raising on the exercise of digital rights by the children themselves”. It was also short-listed as one of two finalists in the Education and Public Awareness category of the 2019 ICDPPC Awards for its child-focused consultation initiative.

Next steps

The DPC is now finalising its guidance document on children’s data protection rights and the processing of children’s data. This is intended to be a guide for data controllers and interested parties on how to address the issues highlighted in the DPC’s consultation, taking into account the feedback from participants. Specifically, this guidance will shed light on the following questions:

• How and when should children be able to exercise their data protection rights for themselves and the role of parents or guardians in this regard?

• What information should be given to children about the use of their personal data?

• How should the age of digital consent be implemented for processing based on consent?

• Under what circumstances is the profiling of children for advertising or marketing purposes permissible?

The DPC plans to publish this guidance in early 2020 and will run a further public consultation on this document to take account of the views of stakeholders before finalising it.

In tandem with the guidance, the DPC will be publishing a separate child-friendly guide which will explain to children their rights under data protection law and the risks that may arise when they disclose their personal data online. Finally, the DPC will also work with industry, government and voluntary sector stakeholders and their representative bodies on foot of the consultation to encourage the drawing up of codes of conduct in relation to the processing of children’s personal data, as per Section 32 of the Data Protection Act 2018. Working towards the development of codes of conduct in this area is a priority for the DPC in 2020.

12 Communications

Direct Engagement

The DPC continued an active outreach schedule during 2019 engaging with a broad base of Irish and international stakeholders. The Commissioner and her staff spoke, presented or otherwise contributed at events on over 180 occasions during the year. For example:

National:

• Research report launch of ‘Falling Through the Cracks’;

• PDP 2019 Annual Data Protection Conference;

• Taking Care of Business 2019;

• National Association of Principals and Deputy Principals Data Protection Seminar;

• Digital Summit 2019;

• IIEA Young Professionals’ Network;

• Early Childhood Ireland Annual Conference;

• NSSO Annual Conference; and

• UCD Student Legal Convention 2019.

Parliamentary Committees (Oireachtas):

• Joint Committee on Justice and Equality;

• Committee of Public Accounts;

• Joint Committee on Communications, Climate Action and Environment; and

• International Grand Committee on Disinformation and Fake News.7

International:

• AmCham 7th Annual Transatlantic Digital Economy Conference;

• Technology Law Committee of the International Bar Association — 6th Biennial Technology Law Conference;

• The Eurofi Financial Forum 2019;

• Sooner than you think — A Bloomberg technology series;

• International Association of Privacy Professionals Summit Washington DC;

• IAPP Congress Brussels; and

• United States Senate Committee on Commerce, Science and Transportation.

7 Not an Oireachtas committee, but an interparliamentary committee to which the Oireachtas sends delegates. Hosted by the Oireachtas on 7 November.

Media engagement

The profile of, and the media interest in, the DPC continued to grow at both national and international level during 2019. Domestically, the Commissioner and other senior staff appeared on national television, national and regional radio and contributed to print and digital media throughout the year. Much of the media engagement emanated from investigations, e.g. the publishing of the DPC’s report into the Public Services Card investigation in August. On other occasions, the DPC engaged in interviews to talk through practical issues that were of public concern/interest such as taking photographs at school events and there was also significant media attention around the DPC’s appearances at various Oireachtas Committee hearings throughout the year.

On the international front, the Commissioner and DPC staff engaged regularly with a wide range of media outlets, including Bloomberg, BBC, CNN, Politico, the Wall Street Journal, the New York Times and the Financial Times, to name a few. A large amount of this engagement focussed on the operation of the One Stop Shop and on the statutory inquiries that the DPC has open into multinational technology companies, as well as dealing with breaches and issues that arose in the tech sector during the year. There was also significant international media attention surrounding the DPC’s attendance at a US Senate Committee hearing in May 2019.

Guidance, blogs and podcasts

The DPC continued to update, produce and disseminate comprehensive guidance on a wide variety of topics in the form of podcasts, blogs, and formal guidance, for both the public and organisations, to raise awareness of data protection law and its various rights and obligations. In total the DPC published 33 guidance documents, 18 blogs and released 8 podcasts in 2019. This guidance covered general topics, as well as providing more detailed guidance on certain topical or complex issues.

Some of the topics on which the DPC produced guidance during 2019 included:

• the basics of data protection;

• guidance for both organisations and individuals on the use of CCTV;

• guidance regarding requesting personal data from prospective tenants;

• FAQ for individuals on access requests; and

• guidance on the principles of data protection.

Under the GDPR mandatory breach notification regime, receiving, analysing, and acting on breach notifications has been a significant area of growth for the DPC. In light of that, the DPC produced both a ‘quick guide’ to breach notification obligations and a more detailed ‘practical guide’ which provided further practical guidance based on the experiences of the DPC and controllers following the first year of the GDPR.

The DPC also continued to both produce and update technical guidance, focusing mainly on online and digital security, as well as the data protection implications of new and emerging technologies. The DPC published security-focused guidance on phishing and social engineering attacks, portable storage devices, and cloud service providers, as well as a guide to common online risks which individuals may encounter.

In light of developments regarding the UK’s planned withdrawal from the EU, the DPC published guidance on international transfers of personal data in the case of a ‘No Deal’ Brexit scenario and a Brexit FAQ, as well as updating our general guidance on transfers of personal data to third countries or international organisations.

The production and dissemination of podcasts and blogs were a key element of the DPC’s external communications strategy for 2019, with a regular podcast ‘Know Your Data’, as well as a series of myth-busting and topical blogs, shedding light on areas of interest to the general public, as well as highlighting relevant guidance published by the DPC. Topics covered included:

• Does the GDPR Really Say That?;

• Taking photos at school events;

• Video surveillance in the home;

• What to do if you find personal data in a public place?;

• Representing account-holders; and

• Christmas myth-busting blog.

EDPB Guidance

The DPC also worked closely with our fellow data protection authorities through the EDPB to produce guidance documents on EU data protection law. During 2019, the EDPB published guidelines and draft guidelines on topics including:

• Codes of Conduct and monitoring bodies;

• Video devices;

• Data protection by design and by default; and

• The right to be forgotten and search engines.

Links to EDPB guidelines and publications are also available on the DPC website.

Social media

The DPC has continued to utilise social media in support of its awareness-raising and communications activities. In 2019, the DPC continued to grow its social media activities across Twitter, Instagram and LinkedIn. Our combined followers across the three platforms have more than doubled, exceeding 20,000 by the end of 2019. There was an organic reach of almost 3.3 million, reaching hundreds of thousands of accounts each month.

The DPC has continued to enhance its engagement on social media through producing visually impactful infographics, videos and gifs, which have been effective tools in disseminating guidance and supporting the DPC’s awareness-raising activities.

DPC Website

The DPC website, www.dataprotection.ie, is an important resource for individuals and organisations. The DPC’s webforms provide website users with a convenient means of submitting complaints, breach notifications, and general queries directly to the DPC. In addition to press releases and statements, guidance, blogs and podcasts on topical issues of relevance to our stakeholders were published frequently throughout 2019.

13 Key DPC Projects

Regulatory Strategy 2020–2025

Work on the DPC’s new Regulatory Strategy, for the period from 2020 to 2025, continued during 2019. This project is an opportunity to re-examine how our work could have the biggest impact possible within the resources we have available to us, taking account of the greatest risks to people’s rights. It also ensures we consider how we can best set ourselves up to deliver that impact over the next five years even while our regulatory environment continues to change, from the point of view of changes in society, technology, law and the EU.

As part of our analysis of the context in which we regulate, we commenced two main consultation initiatives during 2019. The first consultation exercise was run in July 2019 and involved a series of focus groups with members of the public. The purpose of these focus groups was to understand people’s views on:

• data protection rights;

• the role of the DPC;

• how compliance with data protection law should be encouraged, facilitated and maximised; and

• how non-compliance should be regulated.

The key output from this first consultation was a document on the DPC’s Target Outcomes. This document focuses on the target outcomes to which we aspire and on how the DPC’s activities help to achieve those outcomes.

The second key consultation exercise during 2019 was the open public consultation on the DPC’s Target Outcomes, which commenced in December and ran until the end of January 2020. The submissions received are now being analysed as part of the development of the draft Regulatory Strategy itself. The draft Regulatory Strategy will then be subject to a further open public consultation during 2020. We may also consult directly with representative bodies, advocacy groups and other organisations.

A Strategy Implementation and Measurement Plan will also be published, later in 2020, which will set out how the strategic priorities will be implemented through key projects and initiatives. This Plan will also set out how the impact to our target outcomes will be measured.

In line with our Public Sector Equality and Human Rights Duty, our Regulatory Strategy will set out, in a manner accessible to the public, the human rights and equality issues which are relevant to the work of the DPC and our proposed plans to address these issues.

DPC Accounting Officer

Up to and including 2019, the DPC’s funding has been included within the budget of the Department of Justice and Equality (DJE), with that budget being voted on each year by the Dáil; that is, the DPC has been included in the DJE’s Vote until now. The Accounting Officer remit of the Secretary General of the DJE has therefore included the DPC’s expenditure to date, in terms of holding accountability for the regularity and propriety of expenditure in the DJE’s Vote, for economy and efficiency in the use of resources, and for the systems, procedures and practices used to evaluate the effectiveness of operations.

The Data Protection Act 2018 included a change to this structure. Under Section 25 of the 2018 Act, which was commenced with effect from 1 January 2020, the Commissioner, or the Chairperson of the Commission, is now the Accounting Officer for the DPC’s expenditure. The DPC now manages its own expenditure directly and DPC funding has been moved from the DJE’s Vote into the DPC’s own separate Vote (Vote 44) to enable this direct control and accountability.

In preparation for this change of status, the DPC formed an Accounting Officer project team during 2019, with responsibility to prepare and implement the changes that were needed for the DPC to take on this control and accountability directly. These were mainly in the areas of Finance, Governance, Procurement and Corporate Services, and we worked with counterparts from those areas in the Department in defining and implementing the changes. We also engaged with the Department of Public Expenditure and Reform (DPER) and the National Shared Services Office (NSSO) on the changes.

A key output of the project has been the DPC’s Corporate Governance Framework which sets out the DPC’s governance arrangements, including the establishment of the DPC’s new Audit and Risk Committee. The extended and additional activities that our supporting corporate functions must now provide mean that the DPC is now incurring additional pay and non-pay costs from 2020 onwards, so that the DPC can discharge its accounting officer obligations fully.

Phase 2 of the Accounting Officer changes will continue during 2020, mainly linked to the HR and Payroll impact.

Operational Change Programme

During 2019, our operational change programme included several initiatives and improvements that were focused on DPC’s internal procedures, processes, systems and management information, for example:

• our ongoing refinement of our internal standard procedures, to take account of our case volumes, our organisational expansion and further clarifications of our powers under the 2018 Act;

• adopting some practical improvements and workarounds in the EU Internal Markets Information (IMI) system to manage information-sharing with other EDPB data protection supervisory authorities;

• increasing our use of management information and key statistics, and using them to inform organisational changes, process improvements and operational priorities;

• improving the webforms on the DPC website to increase their usability, with further improvements planned for early 2020; and

• reinforcing our existing case management tools to support management information needs and to better serve our growing staff numbers.

All of these initiatives have been key building blocks towards ensuring that the DPC derives the maximum benefits possible from our new Case Management System, on which we will begin phased implementation during 2020.

14 Corporate Affairs

DPC Funding and Staffing

The funding of the DPC by government has increased year-on-year from €1.7 million in 2013 to €15.2 million in 2019 (comprising €8.9 million in pay and €6.3 million in non-pay allocation). The increased funding for 2019 enabled the DPC to continue to grow its staff complement, from 110 at the start of 2019 to 140 at year-end.

The DPC engaged with the Public Appointments Service to recruit staff through the following competitions in 2019:

• Principal Officer — Head of Regulatory Activity

• Principal Officer — Head of Corporate Affairs, Media and Communications

• Assistant Principal Officer — Senior Regulatory Lawyer

• Higher Executive Officer — Legal Researcher

• Higher Executive Officer — Business Systems Analyst

As a result of these recruitment campaigns, the DPC has increased its resources and expertise in key areas. Further recruitment of staff with a wide range of specialisms in 2020 is a priority for the DPC.

Corporate Governance — Code of Practice for the Governance of State Bodies

The DPC is an independent body established under the Data Protection Act 2018, and its statutory governance requirements are set out in that Act. The DPC applies high standards of corporate governance and works to ensure that it follows the requirements set out for all public-sector bodies in the Code of Practice for the Governance of State Bodies (2016), having regard to the DPC’s specific statutory governance structure.

As part of the requirements of the Code of Practice, the DPC has a Corporate Governance Assurance Agreement in place with the Department of Justice and Equality (DJE). This Agreement sets out the broad corporate governance framework within which the DPC operates, and defines key roles and responsibilities that underpin the relationship between the DPC and the DJE. As the DPC is independent in the performance of its functions under the provisions of the GDPR and the Data Protection Act 2018, it is not subject to a Performance Delivery Agreement with the Department of Justice and Equality.

In accordance with the Code of Practice for the Governance of State Bodies, the DPC is required to produce an annual Statement on Internal Control. The DPC’s Statement covering 2019 is set out at Appendix IV.

From 1 January 2020, the DPC will follow the requirements under the Corporate Governance Standard for the Civil Service (2015) and work began in 2019 in the development of the Data Protection Commission’s Corporate Governance Framework.

Risk Management

The Risk Management Policy of the DPC outlines its approach to risk management and the roles and responsibilities of the Senior Management Committee (SMC), heads of areas, as well as managers and staff. The policy also outlines the key aspects of the risk-management process, and how the DPC determines and records risks to the organisation. The DPC implements the procedures outlined in its risk-management policy and maintains a risk register in line with Department of Finance guidelines. This includes carrying out an appropriate assessment of the DPC’s principal risks, which involves describing the risk and associated measures or strategies to effectively control and mitigate these risks. The risk register is reviewed by members of the SMC on a regular basis.

Reflecting the key priorities of the DPC, the main risks managed by the office during 2019 were as follows:

• building organisational capacity to meet the enhanced functions of the organisation under the GDPR and national legislation. This included the development of the expertise of the DPC’s staff as well as the continued recruitment of new staff with legal, specialist investigatory, and information technology skillsets;

• the identification of suitable accommodation to meet the requirements of the DPC as a growing organisation;

• ensuring ongoing effective integration and consolidation of effective and efficient regulatory structures, business processes and functions across the DPC as it implements new and enhanced supervisory functions and responsibilities set out in the GDPR, LED and Data Protection Act 2018; and

• putting in place business processes and policies to directly manage functions such as financial, payroll, HR, ICT, and internal audit in preparation for the DPC transitioning to becoming its own Accounting Officer from 1 January 2020.

Official Languages Act

The DPC’s fourth Irish Language Scheme under the Official Languages Act 2003 commenced with effect from 1 November 2017 and remains in effect until October 2020. The DPC continues to provide Irish language services as per our Customer Charter and Irish language information via its website.


Public Sector Human Rights and Equality Duty

The DPC seeks to meet its obligations under Section 42 of the Irish Human Rights and Equality Commission Act 2014 and has put in place measures to ensure that consideration is given to human rights and equality in the development of policies, procedures and engagement with stakeholders in fulfilling its mandate to protect the EU fundamental right to data protection.

The Public Sector Equality and Human Rights Duty is referenced in the DPC’s Strategy Statement for 2019 and its budget submission for 2020 funding. The Public Sector Equality and Human Rights Duty was reflected upon in the drafting of the public consultation on the DPC’s Regulatory Strategy 2020–2025 — Consultation on Target Outcomes.

The DPC has developed and implemented a number of ways in which to communicate with stakeholders, both on an individual basis and in the provision of guidance in an accessible manner. The DPC website content along with other published information is designed with regard to the principles of plain English, and the DPC has also published audio resources. The DPC’s commitment to the principles of plain English has been recognised with a ‘highly commended’ award at the NALA Plain English Awards. The website is designed with regard to compliance with accessibility principles including Website Accessibility Initiative (WAI), Web Content Accessibility Guidelines 2.0 AAA, and ARIA standards. The DPC also operates a helpdesk to facilitate customers.

The DPC has an Accessibility Officer who acts as liaison for the customer and the relevant section of the organisation.

Freedom of Information

The DPC has been partially subject to the Freedom of Information (FOI) Act 2014 since 14 April 2015 in respect of records relating to the general administration of the Office only. Information on making a request under FOI is available on the DPC’s website. A disclosure log for all non-personal information requests under the FOI Act is available under our FOI Publication Scheme on the website.

During 2019, the DPC received a total of 46 requests under the FOI Act. Of these, 33 were deemed to be out of scope on the basis that they related to records held by the DPC other than those relating to the general administration of the office. A summary of the FOI requests received by the DPC during 2019 is included in the table below. No cases were appealed to the Office of the Information Commissioner.

Request by type                          Category total   Outcome
Administrative Issues                    9                6 granted; 1 partially granted; 2 dealt with outside of FOI
Matters outside the scope of the Acts    37               33 out of scope; 4 withdrawn

In relation to the European Communities (Access to Information on the Environment) Regulation 2007, S.I. No. 133 of 2007, the DPC received no requests in 2019.


Energy Report 2019 — Overview of Energy Usage

Dublin

21 Fitzwilliam Square

The head office of the DPC is located at 21 Fitzwilliam Square, Dublin 2. Energy consumption for the office is solely electricity, which is used for heating, lighting and equipment usage.

21 Fitzwilliam Square is a protected building and is therefore exempt from the energy rating system.

Satellite office

DPC currently maintains additional office space in Dublin to accommodate the increase in staff numbers. This office was sourced by OPW and DPC took occupancy in October 2018. This office will be maintained until a new permanent head office is ready to facilitate the DPC’s Dublin-based staff and operations. The office is 828 sq. metres in size.

Energy consumption for the building is solely electricity, which is used for heating, lighting and equipment usage.

The energy rating for the building is B2.

Portarlington

The Portarlington office of the DPC has an area of 444 sq. metres and is located on the upper floor of a two-storey building, built in 2006.

Energy consumption for the office is electricity for lighting and equipment usage and natural gas for heating.

The energy rating for the building is C1.

Actions Undertaken

The DPC participates in the SEAI online system for the purpose of reporting its energy usage in compliance with the European Communities (Energy End-use Efficiency and Energy Services) Regulations 2009 (S.I. No 542 of 2009).

The energy usage for the office for 2018 (last validated SEAI figures available) is as follows:

Office                        Electrical      Natural Gas
Dublin, Fitzwilliam Sq.       88,440KwH       -
Dublin, Satellite Office      14,687KwH *     -
Portarlington                 40,102KwH       51,308

Overview of Environmental Policy / Statement for the Organisation

The Data Protection Commission is committed to operating in line with Government of Ireland environmental and sustainability policies.

Outline of Environmental Sustainability Initiatives

• Purchase of single use plastics ceased since January 2019

• Replacement of fluorescent lighting with LED lighting in Portarlington office as units fail or require replacement bulbs

• Sensor lighting in use in one office (Satellite)

• Review of heating system in one office underway (Fitzwilliam Square)

• New Tender competition run for bin collection services to include compost bin service for Portarlington & Fitzwilliam Square.

• Reduction of approx. 10% in lighting costs in Fitzwilliam Square following DSE Environmental testing and removal of lights.

• Green Committee 2019 established.

Reduction of Waste Generated

• DPC uses a default printer setting to print documents double-sided.

• DPC has also introduced dual monitors for staff to reduce the need to print documents to review / compare against other documentation during case work.

• DPC provides General Waste and Recycling bins at stations throughout the offices.

Maximisation of Recycling

DPC policy is to securely shred all waste paper. Consoles are provided at multiple locations throughout the offices. Shredded paper is recycled.

Sustainable Procurement

DPC procurements and processes are fully compliant with Sustainable Procurement.

Catering contracts stipulate the exclusion of single use plastics.


Appendices


Appendix I Court of Justice of the European Union (CJEU) Case Law

There were a number of significant judgments delivered by the CJEU during 2019 which concerned the interpretation of EU law as it relates to data protection. Key aspects of these judgments, insofar as they relate to issues of data protection, are summarised below.

TK v Asociaţia de Proprietari bloc M5A-ScaraA (Case C-708/18)

Key issues: video surveillance system in a private property, legal basis, consent, legitimate interest, proportionality. This case was considered under the (now repealed) Data Protection Directive (Directive 95/46/EC).

Facts

This case relates to the lawful basis of a video surveillance system installed in the common areas of an apartment building in Romania. As there had been burglaries and thefts in several apartments and the common areas of the apartment building and the lift had been vandalised on many occasions, the association of co-owners of the building decided to install a video surveillance system in order to monitor who entered and left the building. Romanian law provided for this possibility. Measures which were taken previously, namely the installation of an intercom/magnetic card entry system, had not prevented repeat offences of the same nature being committed. On foot of this, the owner of one apartment in the apartment building sought an injunction order for the removal of this video surveillance system, arguing an infringement of his right to respect for private life and a breach of the Romanian law.

By way of preliminary reference to the CJEU, the Regional Court of Bucharest asked a number of questions referring to the underlying Romanian law and queried whether the installation of a video surveillance system in the common areas of a residential building for the purposes of pursuing the legitimate interests of ensuring the safety and protection of individuals and property is proportionate or, alternatively, whether individuals’ consent is necessary for such data processing.

Judgment

The CJEU’s decision was delivered on 11 December 2019. The CJEU held that the processing of personal data in the context of a video surveillance system must comply first, with the principles relating to data quality (Article 6 of Directive 95/46 (Data Protection Directive)) and, secondly, with one of the criteria to legitimise data processing (as listed in Article 7 of the Data Protection Directive). The CJEU noted that Article 7 sets out an exhaustive and restrictive list of six bases pursuant to which the processing of personal data may be regarded as being lawful. One of these bases is pursuant to the legitimate interests of the controller or a third party (Article 7(f)). The CJEU opined that Member States cannot add new principles relating to the lawfulness of the processing of personal data or impose additional requirements other than those already set out in the Data Protection Directive.

Referring to previous decisions, the CJEU reiterated that, in order to rely on legitimate interests to legitimise data processing, there must be three cumulative conditions satisfied. The first condition is that the legitimate interests pursued by the controller must be present and effective at the time of the data processing. Secondly, there must be the need to process personal data for the purpose of the legitimate interests pursued. This need must be interpreted strictly; in other words, the purpose cannot reasonably be as effectively achieved by other means which are less restrictive of the fundamental rights and freedoms of data subjects. Thirdly, because under Article 7(f) the rights of a data subject may override the legitimate interests pursued by the controller, this condition necessitates a balancing of the opposing rights and interests concerned which depends on the individual circumstances. In the context of processing of data from non-public sources, it is essential to assess the seriousness of the infringements of a data subject’s rights, taking account of, among other things, the nature of the personal data at issue such as the potentially sensitive nature of those data, the nature and specific methods of processing of the data such as the number of persons having access to those data and the methods of accessing them, and the data subject’s reasonable expectations that his or her personal data will not be processed. The CJEU said that in the present case, those factors must be balanced against the importance of the legitimate interests pursued by the co-owners of the apartment building in relation to the video surveillance system, insofar as this video installation system seeks to ensure that the property, health and life of those co-owners are protected.

The Court also confirmed that a data subject’s consent is not required when processing of personal data occurs pursuant to the legitimate interests of a controller or third party in this context.

The CJEU concluded that provisions of Romanian law which authorise the installation of a video surveillance system in the common areas of a residential building for the purpose of pursuing the legitimate interests of ensuring the safety and protection of individuals and property were not therefore precluded by the Data Protection Directive, as long as the processing by the video surveillance system fulfilled the conditions laid down in Article 7(f). It was for the referring Court to make this assessment.

Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v Planet49 GmbH (Case C-673/17)

Key issues: cookie consent, pre-ticked checkboxes. This case was considered under both the (now repealed) Data Protection Directive (Directive 95/46/EC) and the GDPR, as well as in relation to Directive 2002/58, as amended by Directive 2009/136 (E-Privacy Directive).

Facts

The German Federation of Consumer Organisations (Verbraucherzentrale Bundesverband eV) sought an injunction against an online gaming company, Planet49 GmbH, ordering it to refrain from using a pre-ticked checkbox to gather users’ consent to the storage of or access to information in the form of cookies installed on those users’ terminal equipment. Planet49 organised a promotional lottery in which participants were required to enter their names and addresses on a web page registration form. The form contained two statements of agreement; one of the statements included a pre-ticked box and the other did not. The pre-ticked statement sought to affirm the participants’ agreement to the placement of cookies. The cookies placed on the participants’ terminal equipment were linked to the names and addresses of the participants provided in the registration form; thus the pre-ticked statement was intended to authorise the processing of personal data rather than anonymous data.

The matter came before the German Federal Court, which decided to stay the proceedings and to refer a number of questions to the CJEU for a preliminary ruling concerning the requirement in Article 5(3) of Directive 2002/58, as amended by Directive 2009/136 (E-Privacy Directive), that users must provide their consent for the storage of, and access to, information in the form of cookies on their terminal equipment.

Judgment

The CJEU’s decision was delivered on 1 October 2019. While the preliminary reference was made before the GDPR came into force, the judgment of the CJEU was delivered after the GDPR came into force. The German Federation of Consumer Organisations had also sought an order in the German Courts that Planet49 refrain from future action. The CJEU determined first that the questions referred must be answered having regard to both the Data Protection Directive and the GDPR.

On the issue of the validity of the consent to the cookies, the CJEU noted that the E-Privacy Directive defines ‘consent’ as corresponding to the definition in the Data Protection Directive; however, the GDPR had repealed the Data Protection Directive and provided that references to that Directive must be construed as references to the GDPR. The CJEU decided that only active behaviour can fulfil the requirement of consent. First, the CJEU relied on the requirement that consent must be ‘unambiguously given’ (Article 7(a) of the Data Protection Directive), reasoning that only active behaviour can dispel ambiguity. Second, the CJEU considered that consent cannot be presumed but must be the result of active behaviour. The CJEU considered that the requirement of active behaviour is also confirmed by the GDPR and noted that the definition of consent is even more stringent in the GDPR than it is in the Data Protection Directive on the basis that the GDPR’s recitals expressly require active consent and expressly exclude the possibility of using pre-ticked boxes for the collection of valid consent. Applying this definition of consent, the CJEU held that consent is not valid if cookies are permitted to be placed by way of a pre-checked checkbox which the user must de-select to refuse consent.

The CJEU also considered whether the E-Privacy Directive should be interpreted differently according to whether the information stored or accessed in terminal equipment is personal data or non-personal data. The cookies that Planet49 used were linked to the names and addresses of the participants in the promotional lottery, and thus, their storage constituted the processing of personal data. The CJEU noted that Article 5(3) E-Privacy Directive applies to information stored in terminal equipment, regardless of whether or not it is personal data.

The CJEU also considered the scope of information that must be provided to users in light of the requirement in Article 5(3) E-Privacy Directive that those users must be provided with clear and comprehensive information prior to providing consent. The Court stated that the user must be in a position to easily determine the consequences of any consent that the user may provide and to understand the functioning of the cookies employed. Additionally, the information that must be provided to users includes the duration of the operation of the cookies and whether or not third parties may have access to the cookies.

G. C. and Others v Commission Nationale de l’Informatique et des Libertés (CNIL) (Déréférencement de données sensibles), (Case C-136/17)

Key issues: right to be forgotten, right to de-referencing, obligations on operators of a search engine, special categories of personal data, information on criminal proceedings. This case was considered under both the (now repealed) Data Protection Directive (Directive 95/46/EC) and the GDPR.

Facts

As an operator of a search engine, Google refused to accede to the requests of four individuals (a local politician; a former public relations officer of the Church of Scientology; a person questioned in the context of a judicial investigation into political funding; and a person previously convicted of sexual offences against children) to de-reference various links to third-party web pages (including press articles) in the list of results displayed by Google in response to searches against their names. Those individuals complained to the French Data Protection Authority (CNIL), which refused to serve formal notices on Google to carry out the de-referencing requested. The case was brought by the four affected individuals before the Conseil d’État (French Administrative Supreme Court) and the Conseil d’État asked the CJEU to clarify the obligations of an operator of a search engine when handling a request for de-referencing under the Data Protection Directive.

Judgment

The CJEU’s decision was delivered on 24 September 2019. The CJEU determined firstly that the questions referred must be answered having regard to both the Data Protection Directive and the GDPR.

The first issue before the CJEU was whether the prohibition and restrictions on processing special categories of personal data, such as those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life, data relating to offences, criminal convictions or security measures, also apply to operators of a search engine. The CJEU held that the prohibition and restrictions relating to the processing of special categories of data apply to operators of a search engine in the same way as to any other data controller. However, the Court reiterated its decision in Google Spain, C-131/12 and noted that the operator of a search engine is only responsible for the reference to a third party web page. Thus, the prohibition and restrictions relating to the processing of special categories of data apply to the operator of a search engine in the context of any request for de-referencing received from a data subject.

In relation to the issue of a request for de-referencing relating to special categories of data, the CJEU stated that, when the operator of a search engine receives such a request, it is in principle required, subject to certain exceptions, to accede to that request. However, the operator may refuse a request for de-referencing if it establishes that the relevant links lead to data which are manifestly made public by the data subject. In any event, the operator must ascertain whether the inclusion of the link to a web page on which special categories of data are published in the list of results displayed following a search of that data subject’s name is strictly necessary for protecting the freedom of information of internet users, who may be interested in accessing that web page by means of such a search. The CJEU pointed out that a balancing test between, on the one hand, the data subject’s rights to privacy and the protection of personal data and, on the other, the freedom of information of internet users, is necessary based on the specific circumstances of each request and considering the nature of the information in question and its sensitivity in the context of that data subject’s private life as well as the interest of the public in having that information. The CJEU noted that the interest of the public may vary according to the role played by the data subject in public life.

In the specific context of a request for de-referencing data relating to criminal proceedings brought against the data subject where that information is now out of date relative to the developments in the proceedings, the CJEU held that, based on the circumstances of the request, the operator of a search engine must assess whether, at the time of the request, the data subject has the right to the information in question no longer being linked with the data subject’s name by a list of results displayed following a search of his/her name. Even in this case, the operator must apply a balancing test between a data subject’s rights to privacy and the protection of personal data and the freedom of information of internet users. However, whenever the inclusion of the link in question is strictly necessary, the operator of a search engine is required to adjust the list of results in such a way that the overall picture it gives the internet user reflects the current legal position, which means, in particular, that links to web pages containing information in this respect must appear in first place on the list.

Google LLC, successor in law to Google Inc. v Commission Nationale de l’Informatique et des Libertés (CNIL), (Case C-507/17)

Key issues: right to be forgotten, right to de-referencing, obligations of operators of a search engine, removal of the links in all, or only European, domain name extensions. This case was considered under both the (now repealed) Data Protection Directive (Directive 95/46/EC) and the GDPR.

Facts

In 2015 the French Data Protection Authority (CNIL) served formal notice on Google to the effect that, when granting a request from a natural person for links to web pages to be removed from the list of results displayed following a search conducted on the basis of that person’s name, Google must apply that removal to all its search engine’s domain name extensions. Google refused to comply with that formal notice, and instead only removed the links in question from the results displayed following searches conducted in the domain name extensions corresponding to the versions of its search engine in EU Member States.

In 2016, after finding that Google had failed to comply with that formal notice within the prescribed period, the CNIL imposed a penalty on Google. Google lodged an application with the Conseil d’État (French Administrative Supreme Court) for the annulment of that penalty. By way of a preliminary reference, the Conseil d’État referred certain questions to the CJEU in this context for consideration.

Judgment

The CJEU’s decision was delivered on 24 September 2019. The CJEU determined firstly that the questions referred must be answered having regard to both the Data Protection Directive and the GDPR.

On the issue of the territorial scope of the right to de-referencing, and reiterating the principles of the right to de-referencing as affirmed previously in the decision Google Spain C-131/12, the CJEU considered that the operator of a search engine is required to carry out the de-referencing only on those versions of the search engine corresponding to Member States. In order to ensure a consistent and high level of protection throughout the EU, the CJEU held that the operator must carry out the requested de-referencing not only on the version of the search engine corresponding to the Member State of residence of the person benefitting from that de-referencing but on the versions of the search engine corresponding to all of the EU Member States.

The CJEU also emphasised that although EU law does not require the operator of a search engine to carry out the requested de-referencing on all the search engine’s domain name extensions, it does not prohibit such a practice. Accordingly, the Court opined that, in light of the fact that the interest of the public in accessing information may vary from Member State to Member State (for example, pursuant to derogations available in the Data Protection Directive and the GDPR), a supervisory or judicial authority of a Member State remains competent to consider a data subject’s right to privacy and the protection of personal data concerning him or her and the right to freedom of information in light of national standards of protection for those rights. As such, a supervisory or judicial authority could order, where appropriate, the operator to carry out a de-referencing request in relation to all versions of that search engine.

Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV (Case C-40/17)

Key issues: social plugins, controllership, legitimate interests, consent, duty to inform. This case was considered under the (now repealed) Data Protection Directive (Directive 95/46/EC).

Facts

Fashion ID is an online clothing retailer whose website embedded Facebook’s ‘Like’ social plugin. When an internet user visited Fashion ID’s website, that visitor’s personal data was transmitted to Facebook as a result of the inclusion of Facebook’s ‘Like’ social plugin on the website. On the basis of the facts contained in the preliminary reference to the CJEU, it appeared that such transmission occurred without that visitor being aware of their data being transmitted to Facebook and irrespective of whether or not he or she was a member of Facebook, or whether he or she clicked on the Facebook ‘Like’ button.

A German public-service association tasked with safeguarding the interests of consumers (Verbraucherzentrale NRW) criticised Fashion ID for transmitting the personal data of visitors to its website to Facebook on the basis that this transmission occurred without their consent and in breach of the duty to inform visitors of relevant data processing as set out in data protection law.

The association sought an injunction before Düsseldorf Regional Court against Fashion ID to force it to stop the practice of embedding the ‘Like’ social plugin on its website. The Regional Court granted an injunction in favour of the association. Fashion ID subsequently appealed this decision to Düsseldorf Higher Regional Court. The Higher Regional Court then referred a number of questions by way of preliminary reference to the CJEU. These questions centred on whether Fashion ID was a controller of the data collected by the social plugin even if it was unable to influence this data processing; whether it was possible to rely on the lawful basis of legitimate interests to embed the social plugin or whether it was necessary to collect consent of data subjects to the processing; and who should fulfil the duty to inform data subjects of data processing when an operator of the website embeds a third party’s social plugin.

Judgment

The CJEU’s decision was delivered on 29 July 2019. The CJEU considered firstly whether national legislation may prohibit consumer protection associations from bringing or defending legal proceedings against a person allegedly responsible for an infringement of data protection law. Recalling the underlying objectives of data protection law to ensure effective and complete protection of the fundamental rights and freedoms of natural persons, and, in particular, the right to privacy with respect to the processing of personal data, the CJEU held that the fact that a Member State provides in its national legislation for the possibility for a consumer protection association to commence legal proceedings does not undermine the objectives of that protection, but rather contributes to the realisation of those objectives.

On the issue of controllership of the social plugin, the CJEU held that an operator of a website (such as Fashion ID), which embeds a social plugin of a third party on its website (such as the Facebook “Like” button), causing the browser [in a device] of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider the personal data of the visitor, can be considered to be a joint controller, with the third party that owns the social plugin. However, the Court considered that liability of the operator of the website is limited to the operation or set of operations involving the processing of personal data in respect of which the operator of the website actually determines the purposes and means i.e. the collection and disclosure by transmission of the data at issue.

On the issue of legitimate interests and social plugins, the CJEU determined that, in a situation in which the operator of a website embeds a social plugin on its website causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor, it is necessary that that operator and that provider each pursue a legitimate interest for the purpose of the respective processing operations in order for those operations to be justified in respect of each of them.

On the issue of consent and provision of information related to social plugins, the CJEU firstly recalled that the duty to obtain the consent of the data subject and the duty to inform are incumbent on that controller which actually determines the purposes and means of the relevant operation or set of operations involving the processing of personal data. The CJEU held that consent must be given prior to the collection and disclosure (in other words the onward transmission) of the data subject’s data to a third party. In such circumstances, the CJEU said, it is for the operator of the website, rather than for the provider of the social plugin, to obtain that consent. This was because it would not be in line with efficient and timely protection of the data subject’s rights if the consent were given only to the joint controller that is involved later, namely the provider of the social plugin. It is the visitor’s visiting of that website that triggers the processing of the personal data. However, the consent that must be given to the operator relates only to the operation or set of operations involving the processing of personal data in respect of which the operator actually determines the purposes and means. With reference to the duty to inform, this duty is similarly incumbent on the operator of the website, but the information that must be provided to the data subject need relate only to the operation or set of operations involving the processing of personal data in respect of which that operator actually determines the purposes and means.

Sergejs Buivids v Datu valsts inspekcija (Case C-345/17)

Key issues: video recording in a police station, publication of video, journalistic exemption. This case was considered under the (now repealed) Data Protection Directive (Directive 95/46/EC).

Facts

Mr Buivids made a video recording in a police station of the Latvian national police while he was making a statement in the context of administrative proceedings which had been brought against him. He later published the video on the YouTube internet site. Following the publication of the video, the National Data Protection Agency of Latvia found that Mr Buivids had infringed data protection law because he had not informed the police officers of the intended purpose of the processing of personal data concerning them and he did not provide any information to the National Data Protection Agency of Latvia as to the purpose of the recording and its publication. Consequently, the National Data Protection Agency requested that Mr Buivids remove the video from YouTube and from other websites.

Mr Buivids brought an action before the Latvian District Administrative Court seeking a declaration that the decision of the National Data Protection Agency was unlawful. Mr Buivids also claimed compensation for the harm he suffered. The Latvian District Administrative Court dismissed the action and the Latvian Regional Administrative Court subsequently dismissed the appeal. Mr Buivids filed an appeal in the Latvian Supreme Court invoking his right to freedom of expression. By way of preliminary reference to the CJEU, the Latvian Supreme Court asked a number of questions regarding whether the act of filming police officers while carrying out their duties in a police station and the act of publishing this recorded video on the internet are matters which come within the scope of the Data Protection Directive and whether those activities may be regarded as processing of personal data for journalistic purposes.

Judgment

The CJEU’s decision was delivered on 14 February 2019. The CJEU held firstly that the once-off act of recording a video using a digital photo camera and publishing the video recording containing personal data on a video website on which users can send, watch and share videos, constitutes processing of those data wholly or partly by automatic means.

The CJEU considered that the recording and publication of the video in question can be regarded as a processing of personal data which falls within the scope of the Data Protection Directive. The Court said that such a video did not constitute a processing operation which concerns public security, defence, State security or the activities of the State in areas of criminal law, as it was the result of activity of a private individual. Moreover, such an activity could not be considered to be a purely personal or household activity because, as a matter of fact, Mr Buivids had published the video in question on a video website on which users can send, watch and share videos, thereby permitting access to the personal data in the video to an indefinite number of people.


On the issue of processing of personal data for journalistic purposes, after recalling the need to balance the right to data protection against freedom of expression, the CJEU reiterated that the right to freedom of expression must be interpreted broadly and that journalistic activities are those which have as their purpose the disclosure of information, opinions or ideas to the public, irrespective of the medium which is used to transmit such information, opinions or ideas. In the circumstances of the case, the Court decided that the fact that Mr Buivids was not a professional journalist did not seem to exclude the possibility that the recording of the video in question and its publication on a video website on which users can send, watch and share videos, could come within the scope of the journalistic exemption. However, the CJEU stated that not all information published on the internet involving personal data can be categorised as journalistic activities. The CJEU indicated that it was for the referring court to determine whether it appeared from the video in question that the sole purpose of the recording and publication of the video was to disclose information, opinions or ideas to the public, particularly taking into account the factual circumstances and whether the video in question was published on an internet site for the purpose of highlighting the alleged police malpractice that Mr Buivids claimed. In order to verify if the journalistic exemption may apply, the referring Court would have to consider this exemption only where it is necessary in order to reconcile two fundamental rights, namely, the right to privacy and the right to freedom of expression, and only in so far as is strictly necessary. The CJEU also held, in relation to the balancing of these two fundamental rights, that the referring Court must take into account, amongst other things, contribution to a debate of public interest, the degree of notoriety of the person affected, the subject of the news report, the prior conduct of the person concerned, the content, form and consequences of the publication, and the manner and circumstances in which the information was obtained and its veracity.

Deutsche Post AG v Hauptzollamt Köln (Case C-496/17)

Key issues: personal data, tax identification number, customs authority authorisation process. This case was considered under both the (now repealed) Data Protection Directive (Directive 95/46/EC) and the GDPR.

Facts

Pursuant to Commission Implementing Regulation (EU) 2015/2447 (which relates to the implementation of customs rules), the German customs authority (the Hauptzollamt) requested that Deutsche Post reply to a self-evaluation questionnaire for the purposes of assessing whether Deutsche Post should have authorised economic operator (AEO) authorisation. (The AEO status allows an entity to benefit from certain simplifications under customs legislation). Under this assessment process, certain information (including tax identification numbers) about owners, shareholders, directors and other officers of Deutsche Post, including those responsible for customs matters, was requested, together with details of the tax offices responsible for the taxation of those persons.

On foot of this request, Deutsche Post brought an action before the Düsseldorf Finance Court, challenging the obligation to send the tax identification numbers of the persons concerned and the details of the tax offices responsible for their taxation to the Hauptzollamt.

The Düsseldorf Finance Court then referred certain matters for a preliminary ruling to the CJEU. The German Court sought to ascertain whether, in the light of Article 8(1) of the Charter and the principle of proportionality, the Hauptzollamt could request personal data, such as the tax identification numbers of data subjects and the details of the tax offices responsible for the assessment of income tax payable by those persons.

Judgment

The CJEU’s decision was delivered on 16 January 2019. The judgment interpreted Regulation 2015/2447 by reference to both the Data Protection Directive and the GDPR. The CJEU firstly recalled that tax data, such as tax identification numbers, constitutes personal data. However, according to Regulation 2015/2447, the Hauptzollamt, as the national German customs authority, must comply with principles relating to data quality and the legitimacy of data processing whenever it processes personal data in the conduct of its activities.

In this case, the tax identification numbers of natural persons were initially collected by the employer in order to ensure compliance with income tax legislation and, more specifically, to ensure that the employer could fulfil its obligation to deduct and collect income tax at source. In those circumstances, the CJEU found that the subsequent collection of that personal data by a national customs authority (such as the Hauptzollamt) in order to make a decision on an application for the purpose of AEO status in relation to an entity (i.e. in this case, Deutsche Post) was necessary to comply with Regulation 2015/2447. In particular, a national customs authority must ascertain not only whether an applicant for the purpose of AEO status complies with Regulation 2015/2447, but also whether relevant natural persons within the organisation of that applicant have committed any serious infringement or repeated infringements of that legislation or of the tax rules having regard to the level of their responsibility within the applicant’s organisation, irrespective of whether those infringements have any connection to the economic activity of the applicant. To that extent, the CJEU noted that data is collected and therefore processed for specified, explicit and legitimate purposes. Moreover, the CJEU underlined that the data collected by national customs authorities, namely, the tax identification numbers of natural persons listed in Regulation 2015/2447, are adequate, relevant and not excessive in relation to the purposes for which that data is collected.

The CJEU concluded that the data collection by a national customs authority, such as Hauptzollamt, from an applicant for AEO status, of tax identification numbers which are allocated for income tax purposes, which solely relate to the natural persons who are in charge of the applicant or who exercise control over its management and those who are in charge of the applicant’s customs matters, and the details of the tax offices responsible for the taxation of all those persons, is permissible only to the extent that such data enables those authorities to obtain information on serious or repeated infringements of customs legislation or of tax rules, or on serious criminal offences committed by those natural persons related to their economic activity.


Appendix II Litigation concerning Standard Contractual Clauses

Data Protection Commissioner v. Facebook Ireland Limited and Maximilian Schrems [Record No. 2016/ 4809 P]

On 31 May 2016, the DPC (then the Data Protection Commissioner) commenced proceedings in the Irish High Court seeking a reference to the Court of Justice of the European Union (CJEU) in relation to the validity of “standard contractual clauses” (SCCs). SCCs are a mechanism, established by a number of EU Commission decisions, under which, at present, personal data can be transferred from the EU to the US. The DPC took these proceedings in accordance with the procedure set out by the CJEU in its 6 October 2015 judgment (which also struck down the Safe Harbour EU to US personal data transfer regime). The CJEU ruled that this procedure (involving seeking a reference to the CJEU) must be followed by an EU data protection authority where a complaint which is made by a data subject concerning an EU instrument, such as an EU Commission decision, is considered by the EU data protection authority to be well founded.

(1) Background

The proceedings taken by the DPC have their roots in the original complaint made in June 2013 to the DPC about Facebook by Mr Maximilian Schrems concerning the transfer of personal data by Facebook Ireland to its parent company, Facebook Inc., in the US. Mr Schrems was concerned that, because his personal data was being transferred from Facebook Ireland to Facebook Inc., his personal data was then being accessed (or was at risk of being accessed) unlawfully by US state security agencies. Mr Schrems’ concerns arose in light of the disclosures by Edward Snowden regarding certain programmes said to be operated by the US National Security Agency, most notably a programme called “PRISM”. The DPC had declined to investigate that complaint on the grounds that it concerned an EU Commission decision (which established the Safe Harbour regime for transferring data from the EU to the US) and on that basis he was bound under existing national and EU law to apply that EU Commission decision. Mr Schrems brought a judicial review action against the decision not to investigate his complaint and that action resulted in the Irish High Court making a reference to the CJEU, which in turn delivered its decision on 6 October 2015.

(2) CJEU procedure on complaints concerning EU Commission decisions

The CJEU ruling of 6 October 2015 made it clear that where a complaint is made to an EU data protection authority which involves a claim that an EU Commission decision is incompatible with protection of privacy and fundamental rights and freedoms, the relevant data protection authority must examine that complaint even though the data protection authority cannot itself set aside or disapply that decision. The CJEU ruled that if the data protection authority considers the complaint to be well founded, then it must engage in legal proceedings before the national Court and, if the national Court shares those doubts as to the validity of the EU Commission decision, the national Court must then make a reference to the CJEU for a preliminary ruling on the validity of the EU Commission decision in question. As noted above, the CJEU in its judgment of 6 October 2015 also struck down the EU Commission decision which underpinned the Safe Harbour EU to US data transfer regime.

(3) DPC’s draft decision

Following the striking down of the Safe Harbour personal data transfer regime, Mr Schrems reformulated and resubmitted his complaint to take account of this event and the DPC agreed to proceed on the basis of that reformulated complaint. The DPC then examined Mr Schrems’ complaint in light of certain articles of the EU Charter of Fundamental Rights (the Charter), including Article 47 (the right to an effective remedy where rights and freedoms guaranteed by EU law are violated). In the course of investigating Mr Schrems’ reformulated complaint, the DPC established that Facebook Ireland continued to transfer personal data to Facebook Inc. in the US in reliance in large part on the use of SCCs. Arising from her investigation of Mr Schrems’ reformulated complaint the DPC formed the preliminary view (as expressed in a draft decision of 24 May 2016 and subject to receipt of further submissions from the parties) that Mr Schrems’ complaint was well founded. This was based on the DPC’s draft finding that a legal remedy compatible with Article 47 of the Charter is not available in the US to EU citizens whose data is transferred to the US where it may be at risk of being accessed and processed by US State agencies for national security purposes in a manner incompatible with Articles 7 and 8 of the Charter. The DPC also formed the preliminary view that SCCs do not address this lack of an effective Article 47-compatible remedy and that SCCs themselves are therefore likely to offend against Article 47 insofar as they purport to legitimise the transfer of the personal data of EU citizens to the US.


(4) The Proceedings and the Hearing

The DPC therefore commenced legal proceedings in the Irish High Court seeking a declaration as to the validity of the EU Commission decisions concerning SCCs and a preliminary reference to the CJEU on this issue. The DPC did not seek any specific relief in the proceedings against either Facebook Ireland or Mr Schrems. However, both were named as parties to the proceedings in order to afford them an opportunity (but not an obligation) to fully participate because the outcome of the proceedings would impact on the DPC’s consideration of Mr Schrems’ complaint against Facebook Ireland. Both parties chose to participate fully in the proceedings. Ten interested third parties also applied to be joined as amicus curiae (“friends of the court”) to the proceedings and the Court ruled four of those ten parties (the US Government, BSA The Software Alliance, Digital Europe and EPIC (Electronic Privacy Information Centre)) should be joined as amici.

The hearing of the proceedings before Ms Justice Costello in the Irish High Court (Commercial Division) took place over 21 days in February and March 2017 with judgment being reserved at the conclusion of the hearing. In summary, legal submissions were made on behalf of: (i) each of the parties, being the DPC, Facebook Ireland and Mr Schrems; and (ii) each of the “friends of the Court”, as noted above. The Court also heard oral evidence from a total of 5 expert witnesses on US law, as follows:

• Ms Ashley Gorski, expert witness on behalf of Mr Schrems;

• Professor Neil Richards, expert witness on behalf of the DPC;

• Mr Andrew Serwin, expert witness on behalf of the DPC;

• Professor Peter Swire, expert witness on behalf of Facebook; and

• Professor Stephen Vladeck, expert witness on behalf of Facebook.

In the interim period between the conclusion of the trial and the delivery of the judgment on 3 October 2017 (see below), a number of updates on case law and other developments were provided by the parties to the Court.

(5) Judgment of the High Court

Judgment was delivered by Ms Justice Costello on 3 October 2017 by way of a 152 page written judgment. An executive summary of the judgment was also provided by the Court.

In the judgment, Ms Justice Costello decided that the concerns expressed by the DPC in her draft decision of 24 May 2016 were well-founded, and that certain of the issues raised in these proceedings should be referred to the CJEU so that the CJEU could make a ruling as to the validity of the European Commission decisions which established SCCs as a method of carrying out personal data transfers. In particular the Court held that the DPC’s draft findings as set out in her draft decision of 24 May 2016 that the laws and practices of the US did not respect the right of an EU citizen under Article 47 of the Charter to an effective remedy before an independent tribunal (which, the Court noted, applies to the data of all EU data subjects whose data has been transferred to the US) were well-founded.

In her judgment of 3 October 2017, Ms. Justice Costello also decided that, as the parties had indicated that they would like the opportunity to be heard in relation to the questions to be referred to the CJEU, she would list the matter for submissions from the parties and then determine the questions to be referred to the CJEU. The parties to the case, along with the amicus curiae made submissions to the Court, amongst other things, on the questions to be referred, on 1 December 2017 and on 16, 17 and 18 January 2018. During these hearings, submissions were also made on behalf of Facebook and the US Government as to “errors” which they alleged had been made in the judgment of 3 October 2017. The Court reserved its judgment on these matters.

(6) Questions referred to the CJEU

On 12 April 2018, Ms. Justice Costello notified the parties of her Request for a Preliminary Ruling from the CJEU pursuant to Article 267 of the TFEU. This document sets out the 11 specific questions to be referred to the CJEU, along with a background to the proceedings.

On the same date, Ms Justice Costello also indicated that she had made some alterations to her judgment of 3 October 2017, specifically to paragraphs 175, 176, 191, 192, 207, 213, 215, 216, 220, 221 and 239. During that hearing, Facebook indicated that it wished to consider whether it would appeal the decision of the High Court to make the reference to the CJEU and if so, seek a stay on the reference made by the High Court to the CJEU. On that basis, the High Court listed the matter for 30 April 2018.

When the proceedings came before the High Court on 30 April 2018, Facebook applied for a stay on the High Court’s reference to the CJEU pending an appeal by it against the making of the reference. Submissions were made by the parties in relation to Facebook’s application for a stay.

On 2 May 2018, Ms Justice Costello delivered her judgment on the application by Facebook for a stay on the High Court’s reference to the CJEU. In her judgment, Ms Justice Costello refused the application by Facebook for a stay, holding that the least injustice would be caused by the High Court refusing any stay and delivering the reference immediately to the CJEU.

(7) Appeal to the Supreme Court

On 11 May 2018, Facebook lodged an appeal, and applied for leave to appeal to the Supreme Court, against the judgments of 3 October 2017, the revised judgment of 12 April 2018 and the judgment of 2 May 2018 refusing a stay. Facebook’s application for leave to appeal to the Supreme Court was heard on 17 July 2018. In a judgment delivered on 31 July 2018, the Supreme Court granted leave to Facebook allowing it to bring its appeal in the Supreme Court but leaving open the question as to what was the nature of the appeal which was allowed to be brought to the Supreme Court. During late 2018, there were several procedural hearings in the Supreme Court in preparation for the substantive hearing. The substantive hearing of the appeal took place over 21, 22 and 23 January 2019 before a 5 judge Supreme Court panel composed of the Chief Justice — Mr Justice Clarke, Mr Justice Charleton, Ms Justice Dunne, Ms Justice Finlay Geoghegan and Mr Justice O’Donnell. Oral arguments were made on behalf of Facebook, the DPC, the US Government and Mr Schrems. The central questions arising from the appeal related to whether, as a matter of law, the Supreme Court could revisit the facts found by the High Court relating to US law. This arose from allegations by Facebook and the US Government that the High Court judgment, which underpinned the reference made to the CJEU, contained various factual errors concerning US law.

On 31 May 2019 the Supreme Court delivered its main judgment, which ran to 77 pages. In summary, the Supreme Court dismissed Facebook’s appeal in full. In doing so, the Supreme Court decided that:

• It was not open to it as a matter of Irish and EU law to entertain any appeal against a decision of the High Court to make a reference to the CJEU. Neither was it open to the Supreme Court to entertain any appeal in relation to the terms of such a reference (i.e. the specific questions which the High Court had referred to the CJEU). The Supreme Court decided that the issue of whether to make a reference to the CJEU is a matter solely for the Irish High Court. Therefore it was not appropriate for the Supreme Court to consider, in the context of Facebook’s appeal, the High Court’s analysis which led to the decision that it shared the concerns of the DPC in relation to the validity of the SCC decision. This was because this issue was inextricably linked to the High Court’s decision to make a reference to the CJEU and it was not open to Facebook to pursue this as a point of appeal.

• However it was open to the Supreme Court to consider whether the facts found by the High Court (i.e. those facts which underpinned the reference made to the CJEU) were sustainable by reference to the evidence which had been placed before the High Court, or whether those facts should be overturned.

• Insofar as Facebook disputed certain key issues of fact which had been found by the High Court concerning US law, on the basis of the expert evidence before the High Court, the Supreme Court had not identified any findings of fact which were unsustainable. Accordingly, the Supreme Court did not overturn any of the facts found by the High Court. Instead the Supreme Court was of the view that the criticisms which Facebook had made of the High Court judgment concerned the proper characterisation of the underlying facts rather than the actual facts.

(8) Hearing before the CJEU

The CJEU (Grand Chamber) held an oral hearing in respect of the reference made to it by the Irish High Court on 9 July 2019. The CJEU sat with a composition of 15 judges, including the President of the CJEU, Judge Koen Lenaerts. The appointed Judge Rapporteur is Judge Thomas von Danwitz. The Advocate General assigned to the case is Henrik Saugmandsgaard Øe.

At the hearing, the DPC, Mr Schrems and Facebook made oral submissions before the CJEU. The 4 parties who were joined as amicus curiae (“friends of the court”) to the case before the Irish Court (the USA, EPIC, BSA Business Software Alliance Inc. and Digital Europe) were also permitted to make oral submissions. In addition, the European Parliament, the European Commission and a number of Member States (Austria, France, Germany, Ireland, Netherlands, and the United Kingdom) who each intervened in the proceedings also made oral submissions at the hearing before the CJEU. Additionally, at the invitation of the CJEU, the European Data Protection Board (EDPB) addressed the CJEU on specific issues.

(9) Opinion of the Advocate General

The Opinion of Advocate General Saugmandsgaard Øe (the AG) was delivered on 19 December 2019.

In this Opinion, as preliminary matters, the AG noted that the DPC had brought proceedings in relation to Mr Schrems’ complaint before the national referring Court in accordance with paragraph 65 of the CJEU’s judgment of 6 October 2015 (as described further above). The AG also found that the request for a preliminary ruling was admissible.

In relation to the questions referred to the CJEU by the Irish High Court, the AG expressly limited his consideration to the validity of the Commission Decision underlying the SCCs (SCCs Decision). At the outset, the Advocate General noted that his analysis in the Opinion was guided by the desire to strike a balance between the need to show a reasonable degree of pragmatism in order to allow interaction with other parts of the world and the need to assert the fundamental values recognised in the legal orders of the EU, its Member States and the Charter of Fundamental Rights. He was also of the view that the SCCs Decision must be examined with reference to the provisions of the GDPR (as opposed to the Data Protection Directive (Directive 95/46)) in line with Article 94(2) GDPR and the AG also noted that the relevant provisions of the GDPR essentially reproduce the corresponding provisions of the Data Protection Directive.

The AG considered that EU law applies to a transfer of personal data from a Member State to a third country where that transfer forms part of a commercial activity. In this regard, the AG’s view was that EU law applies to a transfer of this nature regardless of whether the personal data transferred may be processed by public authorities of that third country for the purpose of protecting national security of that country. As regards the nature of the SCCs, the AG opined that the SCCs represent a general mechanism applicable to transfers irrespective of the third country of destination and the level of protection guaranteed there.

As regards the test for the level of protection which is required in relation to the safeguards (which may be provided by SCCs) contemplated by Article 46 of the GDPR where personal data is being transferred out of the EU to a third country which does not have an adequacy finding, the AG’s opinion was that the level of protection as offered by such safeguards must be essentially equivalent to that offered to data subjects in the EU by the GDPR and the Charter of Fundamental Rights. As such, the requirements of protection of fundamental rights guaranteed by the Charter do not vary according to the legal basis for the data transfer.

Following a detailed examination of the nature and content of the SCCs, the AG concluded that the SCCs Decision was not invalid with reference to the Charter. In his view, because the purpose of the SCCs was to compensate for any deficiencies in the protection of personal data offered by the third country, the validity of the SCCs Decision could not be dependent on the level of protection in the third country. Rather the question of validity must be evaluated by reference to the soundness of the safeguards offered by the SCCs to remedy the deficiencies in protection in the third country. This evaluation must also take account of the safeguards consisting of the powers of supervisory authorities under the GDPR. As the SCCs place responsibility on the controller (the exporter), and in the alternative supervisory authorities, this meant that transfers must be assessed on a case by case basis by the controller, and in the alternative by the supervisory authority, to assess whether the laws in the third country were an obstacle to having an adequate level of protection for the transferred data, such that data transfers must be prohibited or suspended.

The AG then went on to consider the nature of the obligations on the controller carrying out the export of the personal data, which included, according to the AG, a mandatory obligation to suspend a data transfer or terminate a contract with the importer if the importer could not comply with the provisions of the SCCs. The AG also considered the obligations on the importer in this regard and made certain observations about the nature of the examination of the laws of the third country which should be carried out by the exporter and the importer.

The AG also referred to the rights of data subjects who believe there has been a breach of the SCC clauses to complain to supervisory authorities, and went on to consider what he considered the role of the supervisory authority was in this context. In essence, the AG considered that where, following an examination, a supervisory authority considers that data transferred to a third country does not benefit from appropriate protection because the SCCs are not complied with, adequate measures should be taken by the authority to remedy this illegality, if necessary by ordering suspension of the transfer. The AG noted the DPC’s submissions that the power to suspend transfers could only be exercised on a case by case basis and would not address systemic issues arising from a lack of adequate protection in a third country. On this point, the AG pointed to the practical difficulties linked to a legislative choice to make supervisory authorities responsible for ensuring data subjects’ rights are observed in the context of transfers or data flows to a specific recipient but said that those difficulties did not appear to him to render the SCC Decision invalid.

Although noting that the question as to the validity of the Privacy Shield was not explicitly referred to the CJEU by the Irish High Court, the AG considered that some of the questions raised by the Irish High Court indirectly raised the validity of the finding of adequacy which the European Commission made in respect of the Privacy Shield. The AG considered that it would be premature for the Court to rule on the validity of the Privacy Shield in the context of this reference, although he noted that answers to the questions raised by the Irish High Court in relation to the Privacy Shield could ultimately be helpful to the DPC later in determining whether the transfers in question should actually be suspended because of an alleged absence of appropriate safeguards. However, the AG also referred to the possibility that the DPC could, in the subsequent examination of Mr Schrems’ complaint following the delivery of the Court’s judgment, decide that it could not determine the complaint unless the CJEU first ruled on whether the existence of the Privacy Shield itself was an obstacle to the DPC exercising the power to suspend the transfers in question. The AG noted that in such circumstances, if the DPC had doubts about the validity of the Privacy Shield, it would be open to the DPC to bring the matter before the Irish Court again in order to seek that another reference on this point be made to the CJEU.

However, despite the AG taking the position that the Court should, in the context of this reference, refrain from ruling on the validity of the Privacy Shield in its judgment, he went on to express, in the alternative, some “non-exhaustive observations” on the effects and validity of the Privacy Shield decision. These observations were set out over approximately 40 pages of detailed analysis, including an analysis of the scope of what the “essential equivalence” of protection in a third party state involved, the possible interferences with data subject rights in relation to data transferred to the US as posed by national intelligence agencies, the necessity and proportionality of such interferences and the laws and practices of the US, including those relating to the question of whether there is an effective judicial remedy in the US for persons whose data has been transferred to the US and whose data protection rights have been subject to interferences by the US intelligence agencies. Having carried out this analysis, the AG ultimately concluded by expressing doubts as to the conformity of the Privacy Shield with provisions of EU law.

The AG’s Opinion is not binding on the CJEU. It is expected that the CJEU will deliver its judgment on the matters referred to it by the Irish High Court at some point in 2020.

Materials relating to the proceedings

The various judgments referred to above, the questions referred to the CJEU, the expert evidence on behalf of the DPC, and the transcripts of the trial before the High Court are available on the DPC’s website.


Appendix III Investigation by the DPC into the processing of personal data by DEASP in relation to the Public Services Card

The DPC’s report

On 15 August 2019, the DPC delivered its report in relation to the first part of its investigation into the processing of personal data carried out by the Department of Employment Affairs and Social Protection (DEASP) in connection with the Public Services Card (PSC), to include DEASP’s “SAFE 2” registration process.

DEASP published the report on its website [8] on 17 September 2019, along with its own response. [9]

This first part of the DPC’s investigation focused on a defined and limited number of specific issues. In particular, it examined the legal basis on which personal data is processed by DEASP in connection with the PSC, and whether the information provided to data subjects in relation to the processing of their personal data in that context satisfied applicable legal requirements in terms of transparency. (The DPC’s investigation into certain other aspects of processing by DEASP in connection with the PSC is ongoing, as detailed below.)

Legal framework for the DPC’s investigation

Because the PSC scheme (and the DPC’s investigation) pre-dated the coming into effect of the GDPR (the investigation was commenced in October 2017), the DPC’s findings were made by reference to particular obligations imposed on controllers under the Data Protection Acts, 1988 and 2003 rather than the GDPR. (This is specifically mandated by the Data Protection Act 2018, which was introduced in 2018 to facilitate the application of particular elements of the GDPR at national level.) For completeness, it should be noted that the report also included some (non-binding) material addressing applicable provisions of the GDPR.

[8] Available at http://m.welfare.ie/en/pressoffice/Pages/pr170919.aspx

[9] Under applicable legislation, it was not open to the DPC to publish the report itself. A statement was issued by the DPC on its own website outlining the scope of the investigation and summarising the report’s findings.

Findings

A total of eight findings were made in the DPC’s report. Three of those relate to the legal basis issue; the remaining five relate to issues around transparency.

Seven of the eight findings were adverse to positions advanced by DEASP insofar as the DPC found that there is, or has been, non-compliance with applicable provisions of data protection law.

In summary terms, the DPC found that:

• The processing of certain personal data by DEASP in connection with the issuing of PSCs for the purpose of validating the identity of a person claiming, receiving or presenting for payment of a benefit, has a legal basis under applicable data protection law.

• The processing of personal data by DEASP in connection with the issuing of PSCs for the purposes of transactions between individuals and other specified public bodies (i.e. bodies other than DEASP itself) does not have a legal basis under applicable data protection laws; specifically, such processing contravenes Section 2A of the Data Protection Acts, 1988 and 2003.

• DEASP’s retention of underlying documents and information provided by persons applying for a PSC on a blanket and indefinite basis contravenes Section 2(1)(c)(iv) of the Data Protection Acts, 1988 and 2003 because such data is being retained for periods longer than is necessary for the purposes for which it was collected.

• In terms of transparency, the scheme does not comply with Section 2D of the Data Protection Acts, 1988 and 2003, in that the information provided by DEASP to the public about the processing of their personal data in connection with the issuing of PSCs was not adequate.

(As per the DPC’s statement of 16 August 2019 (referenced above), the DPC has determined that PSCs already issued by DEASP will not be treated as invalid and likewise, individuals who access benefits — including free travel — using their PSC will remain free to do so.)


Requirements to address contraventions identified in the report

When delivering its report, the DPC notified DEASP that enforcement action would be deferred to afford the Department an opportunity to identify the measures it would need to implement to bring the PSC scheme into compliance with data protection legislation and to remedy the contraventions identified in the report. The DPC called on DEASP to develop and submit its implementation plan within a period of 6 weeks, and to ensure that the measures necessary to bring the scheme into compliance would be in place no later than 31 December 2019. Separately, however, the DPC called on DEASP to take two specific steps within a period of 21 days:

(1) Cease all processing of personal data carried out in connection with the issuing of PSCs, where a PSC is issued solely for the purpose of a transaction between a member of the public and a specified public body (i.e. a public body other than DEASP itself).

(2) Notify all public bodies who require production of a PSC as a pre-condition to entering into a transaction with (or providing a public service to) a member of the public that, going forward, DEASP would not be in a position to issue PSCs to such persons.

DEASP’s response to the DPC’s findings

DEASP wrote to the DPC on 3 September 2019, noting that, having carefully considered the contents of the report, along with advices received from the Attorney General’s office, the Minister was satisfied that, contrary to the position of the DPC, the processing of personal data in connection with the PSC has a strong legal basis. The letter also noted the Minister’s position that the information provided to users of the scheme satisfies applicable statutory requirements relating to transparency. Against that backdrop, the letter noted that the Minister considered that it would be inappropriate and potentially unlawful to take the measures required by the DPC. Accordingly, the letter indicated that the Minister had determined that DEASP would continue to operate the PSC scheme and the SAFE 2 identity authentication process, without modification.

Notwithstanding its rejection of the report, and its refusal to formulate and implement measures to bring the scheme into compliance, the letter of 3 September proposed that DEASP and the DPC should nonetheless meet to explore whether measures could be agreed that would obviate the requirement for enforcement proceedings.

A statement was issued by the Minister (along with the Minister for Public Expenditure and Reform) on the same date, in terms that reflected the contents of the letter of 3 September.

The DPC replied to DEASP by letter dated 5 September 2019, explaining the reasons why the DPC considered that, in light of the rejection of the report’s findings, and the Minister’s stated determination to continue to operate the PSC scheme, without modification, there could be no basis for engagement between the parties in the manner — or for the purpose — suggested. The letter concluded by noting that, since DEASP was refusing to accept the report’s findings, and where it was clear that no implementation plan would be formulated or implemented by DEASP to address the points of non-compliance identified within those findings, the basis on which the DPC had deferred enforcement action no longer applied. Accordingly, the letter indicated that the DPC would now proceed to enforcement.

Following a further exchange of correspondence between the parties in the intervening period, DEASP published its response to the DPC’s report on its website on 17 September 2019 together with a statement by the Minister. As well as restating that the Minister and DEASP did not accept the findings contained in the DPC’s report, the response and statement reiterated the stated views of the Minister and DEASP to the effect that the PSC has a robust legal basis and so DEASP will continue to issue PSCs for use by a number of public bodies across the public sector. DEASP’s response to the report also criticised various aspects of the report, the investigation process which had been followed by the DPC, as well as the process the DPC had called on DEASP to engage with to identify measures to remedy the contraventions of data protection law identified in the report. DEASP also reiterated, in categoric terms, its position that it would continue to operate the PSC and SAFE registration process as it had done to that point.

Enforcement action by the DPC

Ultimately an enforcement notice was issued under Section 10 of the Data Protection Acts 1988 and 2003 on 6 December 2019. That notice, which was directed to the Minister (acting through DEASP), directs the taking of a range of steps in order to remedy the contraventions identified in the DPC’s report.

The enforcement notice has since been appealed by the Minister to the Circuit Court. It is expected that the appeal will be heard at some point during 2020.

Continuation of the DPC’s investigation into other aspects of processing

Separately, the DPC is continuing its investigation into certain other aspects of processing carried out by DEASP in connection with the issuing of PSCs and the SAFE 2 registration system, including the security of processing, facial matching processing by DEASP in connection with the PSC and specific use cases of the PSC.


Appendix IV Statement of Internal Controls in Respect of the DPC for the period 1 January 2019 to 31 December 2019

Scope of Responsibility

On behalf of the DPC, I acknowledge responsibility for ensuring that an effective system of internal control is maintained and operated. This responsibility takes account of the requirements of the Code of Practice for the Governance of State Bodies (2016).

Purpose of the System of Internal Control

The system of internal control of the DPC is designed to manage risk to a tolerable level rather than to eliminate it. The system can therefore only provide reasonable and not absolute assurance that assets are safeguarded, transactions are authorised and properly recorded, and that material errors or irregularities are either prevented or detected in a timely way.

The system of internal control, which accords with guidance issued by the Department of Public Expenditure and Reform, has been in place in the office of the DPC for the period of 1 January to 31 December 2019 and up to the date of approval of the financial statements for that period.

Capacity to Handle Risk

The SMC of the DPC acts as the risk committee for the organisation.

The Internal Audit function carries out audits on financial and other controls in the DPC, in line with its annual programme of audits. The DJE Internal Audit Unit carried out an audit at the DPC during 2019.

The DPC’s senior management team has developed a risk-management policy that sets out its risk appetite, the risk-management processes in place and the roles and responsibilities of staff in relation to risk. The policy has been issued to all staff, who are expected to work within the DPC’s risk-management policies, to alert management of emerging risks and control weaknesses, and to assume responsibility for risks and controls within their own area of work.

Risk and Control Framework

The DPC has implemented a risk-management system that identifies and reports key risks and the management actions being taken to address and, to the extent possible, mitigate those risks.

A risk register identifies the key risks facing the DPC; these have been identified, evaluated, and graded according to their significance. The register is reviewed and updated by the SMC on a quarterly basis. The outcome of these assessments is used to plan and allocate resources to ensure that risks are managed to an acceptable level. The risk register details the controls and actions needed to mitigate risks, with responsibility for operation of controls assigned to specific staff.

I confirm that a control environment containing the following elements is in place:

• Procedures for all key business processes have been documented.

• Financial responsibilities have been assigned at management level with corresponding accountability.

• There is an appropriate budgeting system with an annual budget that is kept under review by senior management.

• There are systems aimed at ensuring the security of the information and communication technology systems. The ICT Division of the DJE provides the DPC with ICT services. They have provided an assurance statement outlining the control processes in place in 2019.

• There are systems in place to safeguard the DPC’s assets. No grant funding to outside agencies occurs.

• The National Shared Services Office provides Human Resource and Payroll Shared services. The National Shared Services Office provides annual assurances over the services provided. They are audited under the ISAE 3402 certification processes.

Ongoing Monitoring and Review

Formal procedures have been established for monitoring control processes, and control deficiencies are communicated to those responsible for taking corrective action and to management, where relevant, in a timely way. I confirm that the following ongoing monitoring systems are in place:


• Key risks and related controls have been identified and processes have been put in place to monitor the operation of those key controls and report any identified deficiencies.

• An annual audit of financial and other controls is carried out by the DJE’s Internal Audit Unit.

• Reporting arrangements have been established at all levels where responsibility for financial management has been assigned.

• There are regular reviews by senior management of periodic and annual performance and financial reports that indicate performance against budgets/ forecasts.

Procurement

I confirm that the DPC has procedures in place to ensure compliance with current procurement rules and guidelines, and that between 1 January and 31 December 2019 the DPC complied with those procedures.

Review of Effectiveness

I confirm that the DPC has procedures in place to monitor the effectiveness of its risk management and control procedures. The DPC’s monitoring and review of the effectiveness of the system of internal financial control is informed by the work of the internal and external auditors, the Audit Committee of the Department of Justice and Equality, and the SMC. The senior management within the DPC is responsible for the development and maintenance of the internal financial control framework.

The DPC’s Internal Audit function is carried out by the DJE Internal Audit Unit under the oversight of the Audit Committee of Vote 24 (Justice) for assurance to internal controls and oversight.

The Internal Audit Unit carried out an audit at the DPC during 2019 and reviewed the effectiveness of the internal controls. It should be noted that this extended beyond financial controls and examined ICT controls, management practices and other governance processes. I confirm that the SMC of the DPC kept the effectiveness of internal controls under review between 1 January and 31 December 2019.

Helen Dixon

Commissioner for Data Protection


Appendix V Report on Protected Disclosures received by the Data Protection Commission in 2019

The policy operated by the Data Protection Commission (DPC) under the terms of the Protected Disclosures Act 2014 is designed to facilitate and encourage all workers to raise internally genuine concerns about possible wrongdoing in the workplace, so that these concerns can be investigated following the principles of natural justice and addressed in a manner appropriate to the circumstances of the case.

Section 22 of the Protected Disclosures Act 2014 requires public bodies to prepare and publish, by 30th June in each year, a report in relation to the previous year in an anonymised form.

Pursuant to this requirement, the DPC confirms that in 2019:

• No internal protected disclosures (from staff of the DPC) were received.

• Six protected disclosures (set out in the table below) were received from individuals external to the DPC in relation to issues pertaining to data protection within other entities. These cases were raised with the DPC in its role as a ‘prescribed person’ as provided for under Section 7 of the Protected Disclosures Act (listed in SI 339/2014 as amended by SI 448/2015).

Reference Number | Type | Date Received | Status | Outcome

1/19/1/16 | Section 7 (external, to ‘prescribed person’) | 6 November 2019 | Open | Under examination

1/19/1/15 | Section 7 (external, to ‘prescribed person’) | 3 April 2019 | Closed | Closed — complainant did not pursue matter

1/19/1/14 | Section 7 (external, to ‘prescribed person’) | 16 March 2019 | Open | Being investigated under Article 57(1)(f) of the GDPR

1/19/1/13 | Section 7 (external, to ‘prescribed person’) | 1 March 2019 | Closed | Closed — not a protected disclosure — to be handled as a standard DP complaint

1/19/1/12 | Section 7 (external, to ‘prescribed person’) | 2 March 2019 | Closed | Closed — complainant did not pursue matter

1/19/1/11 | Section 7 (external, to ‘prescribed person’) | 4 February 2019 | Closed | Closed — complainant failed to provide evidence of data protection breaches


Appendix VI Financial Statements for the Year 1 January to 31 December 2019

The Account of Receipts and Payments of the Data Protection Commission for the year 1 January to 31 December 2019 is in preparation by the DPC and will be appended to this report following completion of an audit in respect of that year by the Comptroller and Auditor General.


Appendix Organisation Chart

(Organisation chart: the reporting lines are not recoverable from the text; the units and the staff named against them are listed in the order shown.)

• Commissioner: Helen Dixon

• Corporate Affairs & Communications: Graham Doyle

• Strategy, Operations & International: Jennifer O’Sullivan

• Head of Legal: Anna Morgan

• Head of Regulatory Activity: Dale Sunderland

• Head of Regulatory Activity: John O’Dwyer

• Head of Regulatory Activity: Tony Delaney

• Head of Regulatory Activity: Colum Walsh

• International Affairs & One Stop Shop Operations: Laura Flannery

• Operational Performance: Emma Flood

• Accounting Officer Project: Aisling O’Leary

• Accounting Officer Project & ICT: Tom Walsh

• Regulatory Strategy

• Senior Legal Advisor: Diarmuid Goulding

• Senior Legal Advisor: Nicola Harrison

• Senior Legal Advisor: Alison McIntyre

• Senior Legal Advisor: Fleur O’Shea

• Senior Legal Advisor: Joanne Neary

• Senior Legal Advisor: Meg MacMahon

• Senior Investigator: Nicola Bayly

• Children’s Data Protection Rights: Jenny Dolan

• Policy & Guidance; Codes of Conduct: Shane McNamee

• Technology Policy; Certification: Ultan O’Carroll

• Public Sector, Health, & Voluntary Sector Consultation: David Murphy

• Private & Financial Sector Consultation: Garrett O’Neill

• Multinational Supervision & Engagement; Law Enforcement Consultation: Cathal Ryan

• DPC DPO: Cathal Ryan

• Amicable Resolution; Breach Notifications & Assessment; Breach Complaints; Section 10 Decisions: Sandra Skehan

• Access Request Complaints Handling & Inquiries: Maureen Kehoe

• Concerned Supervisory Authority Cases & Decisions Assessment; Amicable Resolution; Complaints Handling & Inquiries: Gráinne Hawkes

• Law Enforcement Directive Complaints & Inquiries; EU Databases; Borders, Transport, Law Enforcement; Direct Intervention: Eunice Delaney

• International Transfers including Binding Corporate Rules: Nicola Coogan

• Cross-Border Inquiries: Neasa Moore

• Cross-Border Complaints Handling: Neill Dougan

• Breach Inquiries: Niall Cavanagh

• Breach Inquiries; Special Investigations; Prosecutions; e-Marketing Complaint Handling

• First Response & Complaints Assessment: Deirdre McGoldrick

• Complaints Handling: Anne Slowey

• Inquiries: Kathleen O’Sullivan

• Corporate Services & Facilities; Recruitment, Staffing, Induction & Training; Communications & Media; DPO Network: MB Donnelly

• Finance & Procurement: Graham Geoghegan

• Risk & Governance: Anne Pickett


DPC Senior Team

Ms. Helen Dixon, Mr. Graham Doyle, Ms. Anna Morgan, Ms. Jennifer O’Sullivan, Mr. John O’Dwyer, Mr. Dale Sunderland, Mr. Colum Walsh, Mr. Tony Delaney


Data Protection Commission, 21 Fitzwilliam Square, Dublin 2.

www.dataprotection.ie

Email: [email protected]

Tel: 0761 104 800

Annual Report 1 January — 31 December 2019 (Irish-language edition)

Table of Contents

Foreword

Roles and Responsibilities

Review of 2019

Information and Assessment

Complaints

Breaches

Inquiries

Legal Affairs

Supervision

Data Protection Officers

International Affairs

Consultation on the Processing of Children’s Data

Communications

Key DPC Projects

Corporate Affairs

Appendices

Appendix I: Case law of the Court of Justice of the European Union (CJEU)

Appendix II: Litigation concerning Standard Contractual Clauses

Appendix III: Investigation by the DPC into the processing of personal data by DEASP in relation to the Public Services Card

Appendix IV: Statement of Internal Controls in respect of the DPC for the period 1 January 2019 to 31 December 2019

Appendix V: Report on Protected Disclosures received by the Data Protection Commission in 2019

Appendix VI: Financial Statements for the Year 1 January to 31 December 2019

Foreword

First Full Year of the GDPR

2019 was the first year I heard multiple data protection legal practices say they felt they needed to hire full-time staff just to monitor case law and legal developments, because the pace at which matters are developing has accelerated sharply. If data protection had its big moment in 2018, it is clear that it has now become a well-established fixture in the public consciousness. From a range of important EU developments, including significant CJEU (Court of Justice of the EU) judgments (Fashion ID and Planet49 among them) and the Advocate General’s opinion on the SCC data transfer litigation, to the largest data privacy penalty ever imposed worldwide (the $5bn fine imposed on Facebook by the FTC), it was not a year short of big stories.

Leaving those more prominent headlines aside, it was the first full calendar year in which the GDPR and the Law Enforcement Directive were in force, and many organisations have been quietly getting on with embedding more accountable data practices across their organisations. In Ireland the DPC has been notified of about 1,500 data protection officers (DPOs), who are engaged daily within the public sector and large data processing organisations in ensuring that the rights of data subjects are taken into account in every project. DPOs tell us they would like more resources and support from the DPC, and the DPC will host its first DPO Network conference in Dublin in March 2020. Calls for data protection authorities (DPAs) to provide more guidance were something of a theme during 2019. In June I took part in a useful stock-taking event in Brussels, organised by the EU Commission to mark year one of the GDPR, and the main lesson I took from it was that smaller SMEs across Europe want more help in finding reasonable and appropriate implementation measures and want guidance to have a more sectoral focus. The DPC is currently engaged in an EU-funded project on raising awareness among SMEs, in collaboration with the Croatian Data Protection Authority, which will help to advance this.

Quantity and Quality

Volume was a keyword for the DPC in the first full year of the GDPR. Page xx of this report sets out the exceptional levels of general guidance and blogs issued by the DPC to illustrate the new law. Page ooo sets out the number of complaints lodged with us and the number of individual complaints resolved through the office. At least 40% of our resources are directed at handling individual complaints (as opposed to large-scale and more systemic investigations). Information on the large-scale inquiries is given on page xxx, and they consume a great deal of resources. Page yyy shows the amount of international travel and commitments the DPC undertakes to attend European Data Protection Board meetings (87 times a year) in Brussels and to consult with its global counterparts to find realistic solutions to long-standing data protection challenges (for example, how to give users adequate transparency while also being concise). The breaches notified and dealt with are set out separately on page bbbb. Details of media queries answered and of media, conference and parliamentary committee engagements are set out on page wwww. With automated processing of personal data in particular now as ubiquitous as the blink of an eye, and with hundreds of thousands of processing entities under the supervision of each DPA, the level of activity will only rise.

Disputes between employees and employers or former employers remain a significant theme in the complaints lodged with the DPC, with the dispute often centred on a contested access request. Litigation taken by individuals against DPC decisions that, in fact, their data protection rights were not infringed at all now forms a significant part of the litigation brought against the DPC in the courts. This is no doubt driven by the fact that neither the Workplace Relations Commission nor the Labour Court can order discovery in employment claims, which leaves reliance on access requests, as adjudicated by the DPC, central to many of these cases. Telcos and the banks are the two sectors most complained about to the DPC, with the complaints focusing mostly on account administration and charges. Given that these sectors are heavily regulated in Ireland, it is disappointing that more of the problem at the heart of their consumer protection issues cannot be resolved within those sectors, without consumers needing to lodge a complaint with the DPC in order to be heard. There has also been an increase in the number of complaints against internet platforms, with the main issues relating to the management of individuals’ accounts and, in particular, their rights to have data erased when they leave the platform.

In preparation for the forthcoming five-year regulatory strategy for 2020 to 2025, the DPC took part in focus groups with the public to gauge the level of awareness of, and expectations from, the data protection authority. The main finding was that many people are confused about their rights in relation to personal data and would welcome more worked-out cases from the DPC, in order to understand better how those rights are applied in everyday life. The DPC intends to step up its efforts to provide more case studies and to explain the lessons to be learned as they relate to the consumer as much as to the controller. It is greatly encouraging that people are, by and large, aware of their rights under the GDPR and keen to find out how they are applied.

The office maintained a strong level of ePrivacy prosecutions for direct marketing offences in 2019, and these are detailed on page 4444. Meanwhile, the EU legislature continues its efforts to finalise a modern ePrivacy Regulation to harmonise EU laws on the privacy of communications, cookies and direct marketing.

In addition, the DPC concluded its consultation on children's personal data and is currently preparing to publish the guiding principles for controllers. Throughout 2019 the DPC consulted intensively with expert stakeholders in the field of children's digital rights, and we will continue to work with those parties while encouraging the major technology players to adopt a code of conduct for the processing of children's data.

Building a Larger Team and Driving Progress

To manage the increased workloads, the DPC continued to recruit additional staff, bringing staff numbers from 110 at the start of the year to 140 at the end of 2019. Regulatory lawyers, legal researchers, investigators and technologists all joined the DPC's staff last year. The ongoing dialogue the DPC maintains with the public in general and internationally on data protection matters remains an important part of our role in promoting better solutions to long-standing data protection challenges. In 2019, the DPC was honoured to receive visits from Commissioners from New Zealand, Australia, Iceland and the United Kingdom, as well as from teams from the DPAs of Sweden, the Netherlands and Iceland and from the German regional DPAs. In addition, the DPC hosted study visits from a group of United States Congressional staff who were studying lessons from the GDPR in the context of a prospective US federal privacy bill, and from California State Senators examining technology and data protection issues.

In 2019, the DPC completed its first inquiry and decision under Ireland's new Data Protection Act 2018 (the 2018 Act), and specifically under the provisions that transpose the Law Enforcement Directive. The case concerned the deployment of CCTV and Automatic Number Plate Recognition systems by An Garda Síochána, and the DPC used a range of corrective powers to enforce compliance. Several other inquiries linked to the deployment of surveillance technologies by local authorities in Ireland are under way, and once the first of these concludes the DPC intends to publish guidance based on the findings, to better ensure that all public authorities understand the requirements of the 2018 Act and that the public understands how their rights are protected.

The DPC conducted a detailed inquiry into aspects of the processing of personal data by Ireland's national Public Services Card, and the findings were published in August 2019. Among them was a finding that there was no legal basis for organisations other than the Department of Employment Affairs and Social Protection, when issuing social welfare payments, to mandate registration for a Public Services Card. The Department rejected the DPC's finding. The DPC issued an Enforcement Notice, and an appeal was lodged with the Circuit Court before the end of 2019.

A number of other appeals in challenges brought against DPC decisions were heard during 2019, and the DPC's decision was upheld in every case, as detailed on page 3333.

Inquiries into large technology companies continued in 2019, with the first two inquiries moving from the investigation stage to the decision-making stage. There is much comment on the fact that, from 25 May 2018 to the end of 2019, only three fairly small cross-border cases across the EU have resulted in fines, and fairly small fines at that. It always takes time to implement a new legal framework properly, and all the more so one that contemplates substantial penalties, not to mention the legal innovation of laying down 'cooperation and consistency' provisions. But let there be no doubt that intensive work is under way. At present there are: 30 live litigation cases; a complex large-scale inquiry regarding Facebook's transfers of personal data; an Enforcement Notice under appeal by Ireland's Department of Employment Affairs and Social Protection concerning the Public Services Card; further ePrivacy prosecutions; new corrective powers under the 2018 Act being applied to particular controllers; and progress on, and resolution of, thousands of complaints in 2019 by driving compliance with controllers. There is certainly no lack of commitment or capability in the Irish DPC. There is, at the same time, a keen appreciation of the legal requirement to apply fair procedures and of what is needed to get a case over the line, and the DPC remains focused on this work. As we have consistently said, there is little benefit in issuing decisions heedlessly only for the courts to decide to overturn them. After EU competition law rules first came into effect in 1962, it was several more years before the first significant decision was issued in the Grundig case, and several more years after that before the first fine was issued. Likewise, EU competition inquiries (I refer to competition law because the fining regime in the GDPR is based on EU competition law) take several years, on average, to complete. As a responsible regulator, we are alert to demands that speedy resolutions be delivered and to calls for heavy penalties to be imposed on organisations with data protection infringements, some of which, at least, are likely to be based on the application of principles on which there is not always agreement. While we accept that the administrative fines mechanism is an important element in driving the meaningful accountability heralded by the GDPR, we must also recognise that, like any other part of our laws, data protection principles operate in a wider legal context and, as a result, the application and enforcement of such principles by a statutory regulator will, for example, always be subject to the requirements of due process mandated by our constitutional laws and by EU law. These constraints cannot (and should not) be set aside arbitrarily or for the sake of reaching a resolution.

Brexit

Preparations for Brexit represented a significant workload for the DPC in 2019, taking into account the implications of restricted transfers of personal data to a country outside the EU. The DPC issued guidance to help organisations prepare for both scenarios, deal or no deal; we gave talks on the issues at a large number of sectoral events; we provided feedback and guidance to a number of government departments and agencies on legal arrangements to cover a no-deal scenario; and we dealt with a range of organisations seeking to establish a main establishment and to arrange supervision of their Binding Corporate Rules in Ireland rather than in the United Kingdom.

Farewell to Friends

One could not look back on 2019 without reference to the death of the European Data Protection Supervisor, Giovanni Buttarelli, in August 2019. The many tributes paid to him make clear that he was a giant of a man and a giant of a leader in our community, and we miss him greatly. Sadly, Paul Anthony McDermott, expert counsel to the DPC in many appeals, judicial reviews and CJEU reference matters, died in December 2019, and it is fitting that his great achievements and his contribution to life in Ireland have been extensively documented. Closer to home, a colleague held in high regard at the DPC in Ireland, Mark Mullin, died in summer 2019, and we all miss his hugely capable contribution, his tremendous work ethic and his cheerful personality here at the DPC.

Outlook for 2020

I have the privilege of working with a team that is genuinely passionate about the work the DPC does, about what we are doing now and about what we will be doing in the future. They are professionals who work for the DPC because they believe deeply in data protection rights. 2020 will be an important year. We await the judgment of the CJEU in the SCC data transfer case; the DPC will bring the first draft decisions in the big technology inquiries through the consultation process with other EU data protection authorities; and academics and the media will continue the excellent work they are doing in highlighting poor personal data practices. The DPC hopes it can create the space to move on from the 'first principles' of the GDPR (legal basis, controller/processor) and to get genuinely to the heart of 'data protection by design', to ensure that the next generation of technology we use does not carry the same problems as those we sleepwalked into over the past twenty years. Our aim is that by the end of 2020 the progress made by the major technology companies will have been channelled towards a code of conduct to give children better protection online. The push in the United States for more and more privacy legislation is a sign that 'enough is enough' when it comes to the needless acceptance of intrusive data practices and technologies. The Irish DPC will continue to be part of the solution, using its full range of powers and continuing to engage in dialogue and to harness expertise from all sides to find a better path forward.

Roles and Responsibilities

This is the second annual report of the Data Protection Commission. The report was prepared in accordance with Section 24 of the Data Protection Act 2018 and covers the period from 1 January 2019 to 31 December 2019.

Functions of the DPC

The DPC is the independent national authority in Ireland that upholds the fundamental right of individuals in the European Union (EU) to have their personal data protected. Accordingly, the DPC is the Irish supervisory authority responsible for monitoring and enforcing the GDPR (Regulation (EU) 2016/679).

The core functions of the DPC, under the GDPR and the Data Protection Act 2018, which gives further effect to the GDPR in Ireland, include:

• driving improved compliance with data protection legislation by controllers and processors of data;

• handling complaints from individuals regarding possible infringements of their data protection rights;

• conducting inquiries and investigations into possible infringements of data protection legislation;

• promoting awareness among organisations and the public of the risks, rules and rights relating to the processing of personal data; and

• cooperating with data protection authorities in other EU member states on issues such as complaints and alleged infringements involving cross-border processing.

The DPC also acts as supervisory authority for the processing of personal data under a number of additional legal frameworks. These include the Law Enforcement Directive (Directive 2016/680, transposed into Irish law under the Data Protection Act 2018), which concerns the processing of personal data by bodies with law enforcement functions in the context of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. The DPC also exercises certain supervisory and enforcement functions regarding the processing of personal data in the context of electronic communications under the ePrivacy Regulations (S.I. No. 336 of 2011).

While the DPC regulates under the GDPR and the Data Protection Act 2018 in respect of the majority of (non-law-enforcement) personal data processing operations undertaken since 25 May 2018, the DPC continues to exercise its regulatory functions under the Data Protection Acts 1988 and 2003 in respect of complaints and investigations into infringements relating to the period before 25 May 2018, as well as complaints and possible infringements relating to certain other limited categories of processing, regardless of whether the processing took place before or after 25 May 2018.

In addition to specific data protection legislation, there are approximately 20 other pieces of legislation covering various sectoral areas relating to the processing of personal data, under which the DPC must exercise a relevant supervisory function assigned to it by that legislation.

The DPC's Senior Management Team

The DPC's Senior Management Committee (SMC) comprises the Data Protection Commissioner and seven Deputy Commissioners. The Commissioner and the members of the SMC oversee the management and proper governance of the organisation, in line with the principles set out in the Code of Practice for the Governance of State Bodies (2016). The SMC has a formal schedule of matters to be considered and decided upon, to ensure effective oversight and control of the organisation.

The SMC comprises:

• Helen Dixon (Data Protection Commissioner);

• Anna Morgan (Deputy Commissioner — Head of Legal);

• Colum Walsh (Deputy Commissioner — Head of Regulatory Activity);

• Dale Sunderland (Deputy Commissioner — Head of Regulatory Activity);

• Graham Doyle (Deputy Commissioner — Head of Corporate Affairs, Media and Communications);

• Jennifer O'Sullivan (Deputy Commissioner — Head of Strategy, Operations & International);

• John O'Dwyer (Deputy Commissioner — Head of Regulatory Activity); and

• Tony Delaney (Deputy Commissioner — Head of Regulatory Activity).

Funding and Administration

The DPC is funded entirely by the Exchequer to fulfil its mandate as Ireland's independent supervisory body for the protection of fundamental data protection rights. In 2019, the DPC welcomed an increased budget allocation of €3.5 million, which brought the DPC's total allocation to €15.2 million for the year, and this funding allocation was provided on a full-year basis. The increased funding for the year enabled the DPC to continue to increase its staff numbers, from 110 as of 1 January to 140 as of 31 December 2019.

Review of 2019

• A total of 7,215 complaints were received, and the most common category was "Right of Access", which accounted for 29% of the total number of complaints received.

• 6,904 GDPR complaints and 311 complaints under the Data Protection Acts 1988 and 2003 were received.

• Of the 6,904 GDPR-related complaints received, 2,582 were under active assessment on 31 December 2019, 1,098 complaints had progressed to the complaint-handling process and 4,554 complaints were concluded.

• A total of 5,496 complaints were concluded in 2019.

• 620 complaints under the Data Protection Acts 1988 and 2003 were also concluded.

• The DPC issued 29 decisions under the Data Protection Acts 1988 & 2003. Of these, 13 upheld the complaint, 7 rejected the complaint and 9 partially upheld the complaint.

• 165 new complaints were investigated under S.I. 336/2011 concerning various forms of electronic direct marketing: 77 related to email marketing; 81 related to SMS (text message) marketing; and 7 related to telephone marketing.

• A number of these investigations were concluded with successful DPC prosecutions in the District Court. Cases against 4 entities concerning 9 offences under the ePrivacy Regulations were concluded during this period.

• The DPC received cross-border processing complaints through the One-Stop-Shop mechanism, being complaints that individuals had lodged with other EU data protection authorities.

• The DPC handled 207 data breach complaints from individuals.

• 6,069 valid data security breach cases were recorded, and the most common category was "Unauthorised Disclosure".

• Information and Assessment was contacted almost 48,500 times, including approximately 22,300 emails, 22,200 telephone calls and almost 4,000 items of correspondence by post.

• 6 statutory inquiries were opened into the GDPR compliance of multinational technology companies, bringing the total to 21 inquiries.

• 1,420 requests for general advice were received.

• The DPC acted as lead reviewer on 19 applications for Binding Corporate Rules (BCRs).

• DPC staff spoke or gave presentations at more than 180 events, including conferences, seminars and presentations to individual organisations from a wide range of sectors.

• In 2019, the DPC expanded its social media activity on Twitter, LinkedIn and Instagram, and by the end of the year it had a combined following of 20,000 and organically reached hundreds of thousands every month.

• The DPC held a comprehensive consultation on the processing of children's personal data, which drew 80 responses, and this will be among the DPC's priorities in 2020.

• Work on the DPC's new Regulatory Strategy continued, with a consultation document on the DPC's Target Outcomes and focus groups with individuals.

• The DPC published its findings on certain aspects of the Public Services Card ("PSC") following a lengthy inquiry. The published findings focused on two main issues: the legal basis on which personal data is processed, and transparency.

• The Minister for Employment Affairs and Social Protection lodged appeal papers with Dublin Circuit Court towards the end of 2019, and hearings are expected to commence in spring 2020.

• The DPC received 712 notifications from Data Protection Officers, bringing the total number of notifications received to 1,596.

Information and Assessment

A core objective of the DPC is to provide a high-quality, responsive information service to individuals and organisations regarding their rights and responsibilities under data protection legislation.

The DPC's Information and Assessment unit provides a helpdesk with a public information service, where queries from individuals and organisations are received and examined by email, online form or telephone. It also carries out early-stage assessment, determining whether a message needs to go further within the DPC and the most appropriate way of dealing with it.

Responding to Queries and Complaints

In the first calendar year of the GDPR, the DPC continued to deal with significant contact from individuals and organisations. In 2019, the DPC was contacted almost 48,500 times, including approximately 22,300 emails, 22,200 telephone calls and almost 4,000 items of correspondence by post.

[Insert table with breakdown of stats figures]

In order to provide an effective service, the DPC continues to review its processes with the aim of delivering maximum efficiency for all its users. Improving the quality and responsiveness of the service the DPC provides will again be a priority in 2020.

Emerging Trends and Patterns

In addition, by analysing the queries brought to its attention, the DPC identifies emerging trends and patterns that are of concern to individuals and organisations. This helps the DPC to focus its external communications on the most relevant issues and will help to guide the DPC's communications throughout 2020.

Among the particular topics of greatest interest on which the DPC provided support to individuals were:

• individual queries relating to the role and use of the Public Services Card;

• the use of Closed-Circuit Television (CCTV) – particularly in the context of disputes between neighbours and in the context of the application of the household exemption;

• access requests on behalf of children – queries from both individuals and organisations seeking clarification on how to deal with these in a manner that is accurate, appropriate and in the best interests of the child;

• where is my data? – requests relating to medical practices that have closed (often where the doctor has died), where patients do not know who is now in charge of their personal data;

• human resources (HR)/employment disputes – particularly workplace surveillance, but also questions about sharing information in the context of these disputes and about redacting third-party data in response to employee access requests;

• examination information – particularly questions relating to examiners' notes; and

• photography – particularly how consent, publication and artistic exemptions relate to it.

Complaints

How Complaints are Dealt With

Since the GDPR came into application, the DPC has noted a significant increase in the number of complaints received. This trend continued in the first calendar year of the GDPR's application. In 2019, the DPC received 7,215 complaints.

The DPC processes the complaints received under two main legal frameworks during this period:

• complaints received from 25 May 2018 onwards are dealt with under the GDPR, the Law Enforcement Directive (LED) and the provisions of the Data Protection Act 2018; and

• complaints and infringements that occurred before 25 May 2018 are dealt with under the Data Protection Acts 1988 and 2003.

The term "complaint" has a very specific meaning under the GDPR (and the LED) and under the provisions of the Data Protection Act 2018 that give effect to those laws. For a communication to constitute a complaint – and therefore to trigger certain statutory obligations on the DPC regarding complaint handling – it must fall under one of the following categories:

• a complaint from an individual relating to the processing of their own personal data;

• an entity legally authorised to complain on behalf of an individual; and

• advocacy groups acting as permitted within the parameters set out in the GDPR, the LED and the Data Protection Act 2018.

During the complaint-handling process, the DPC is obliged to provide the complainant with updates on progress and, ultimately, to inform the individual of the outcome of the complaint. The DPC provides updates to complainants every quarter in accordance with its obligations.

Of the 7,215 complaints received by the DPC, 6,904 were GDPR complaints, while 311 were complaints handled under the Data Protection Acts 1988 to 2003.

As in other years, the Access Request category was the most common type of complaint received by the DPC in 2019 (29%), although as a proportion of complaints overall it is declining. Once again, many complaints related to Unfair Processing of Data (16%) and Disclosure (19%).

In 2019, the Commissioner issued 29 decisions under the Data Protection Acts 1988 & 2003. Of these decisions, 13 upheld the complaint, 7 rejected the complaint and 9 partially upheld the complaint.

Complaints received under the GDPR

Note: the five most common categories accounted for 76% of the total number of complaints received.

Complaints Received during 2019 – The 5 Most Common Complaint Categories

Category                 No.     % of total
Access Request           1,971   29%
Breach Complaints        1,320   19%
Fair Processing          1,074   16%
eMarketing Complaints      532    8%
Right to Erasure           353    5%

Complaints received under the 1988 & 2003 Acts

Note: the five most common categories accounted for 83% of the total number of complaints received.

Complaints Received during 2019 – The 5 Most Common Complaint Categories

Category                 No.     % of total
Access Request              93   30%
Fair Processing             87   28%
Breach Complaints           57   18%
Fair Obtaining              13    4%
Specified Purpose            9    3%

Case Study 1 – Right to Rectification Request to a Healthcare Provider

(Applicable Law – GDPR & the Data Protection Act 2018)

We received a complaint against a healthcare provider because it had refused a request for rectification under Article 16 of the General Data Protection Regulation. The complainant alleged that their name was being spelled incorrectly on its computer system through the omission of the síneadh fada, an accent that is part of the written Irish language.

Saolta hospitals use a patient administration system to record patient data for the first time, data that is then shared with other systems further along in the patient's care, i.e. Laboratory, Radiology and Cardiology. Saolta informed the complainant that the síneadh fada cannot be recorded because syntax characters are recorded as commands on the patient administration system, which affects how data is stored and processed.

As part of its examination, the DPC engaged with Saolta. Saolta informed the DPC that the patient administration system is to be replaced in 2019/2020. However, Saolta's new system will not allow the síneadh fada to be used either. Saolta informed the DPC that this was for the purpose of establishing a single streamlined point of contact for patient information across the various systems. That would enable professionals to access that information within a hospital or hospital group without re-entering the data at a later stage, which would avoid the risk of later errors. The other systems across Saolta's current network and/or the wider hospital network do not support the use of the síneadh fada. Saolta also informed the DPC that it identifies patients by Patient Identification Numbers rather than by names alone.

The Technology Leadership Unit ("TLU") in the DPC examined that submission from Saolta. The TLU considered that any update to the computer system would involve significant cost and a great deal of time, as well as errors in the storage and matching of records. The DPC also contacted the Coimisinéir Teanga (Language Commissioner) regarding the advice it gives to public sector organisations on computer systems supporting the síneadh fada. The Coimisinéir Teanga indicated that no such requirement arises from the Official Languages Act 2003, but that such a requirement may arise from a language scheme – an agreement made between a public body and the Minister for Culture, Heritage and the Gaeltacht.

The DPC asked Saolta whether it had a language scheme and was given a copy of the HSE Language Scheme for the Western Area 2003-2007 (the "HSE language scheme"). That scheme sets out respect for patients' preferences regarding names, addresses and their language of choice. The scheme also gives a commitment to update computer systems so that they are "in compliance with the provisions of the Official Languages Act". The HSE language scheme does not provide a timeframe for fulfilling that commitment.

Saolta informed the DPC that it is committed to patient safety as its primary and central concern. For that reason, Saolta pointed out to the DPC the difficulties that would arise in storing information and sharing it with other systems if it updated its system to allow the use of the síneadh fada. Saolta indicated that it will test the feasibility of using the síneadh fada in any update made to its computer system.

Rinne an DPC tagairt d’Airteagal 16 agus d’Airteagal 5(1) (d) den GDPR agus scrúdú á dhéanamh ar an ngearán seo. Sa dá airteagal sin, leagtar amach cearta ábhair sonraí maidir le “cuspóirí na próiseála”. Ní ceart glan é an ceart go ndéanfaí ceartúcháin faoi Airteagal 16 den GDPR. Tá ceanglas ar rialaitheoirí sonraí céimeanna réasúnta a ghlacadh sna himthosca. Rinne an DPC tagairt do chásdlí ón gCúirt Eorpach um Chearta an Duine maidir le cearta teanga agus/nó ainmniúchán. Léirítear sa chásdlí sin go dtagann litriú ainmneacha faoi choimirce Airteagal 8 den Choinbhinsiún Eorpach um Chearta an Duine, ach go mbíonn cur chuige sriantach ag an gCúirt maidir leis sin. Mar sin, luaigh an DPC arís gurbh é cuspóir na próiseála in imthosca an ghearáin, cúram sláinte a thabhairt don ghearánach agus go raibh Uimhreacha Aitheantais Othar i gceist. Níorbh ionann ainm an ghearánaigh agus an t-aon bhealach chun é a shainaithint agus dá bharr sin, go raibh cuspóir na próiseála á baint amach gach marcanna idirdhealaitheacha a úsáid.

Chuir an DPC aon bhaol don ghearánach san áireamh agus iad ag diúltú don iarraidh faoi Airteagal 16 freisin. Thug an DPC ar aird go méadófaí an baol don ghearánach mar gheall ar na deacrachtaí a bhain le láimhseáil an tsínte fhada thar chórais éagsúla. Thug siad aird freisin ar an tionchar a bheadh aige sin ar aon chinnteoireacht ó thaobh cúraim sláinte don ábhar sonraí. Sna himthosca sin, ní chuirfí isteach ar chearta bunúsacha an ábhair sonraí mar thoradh ar gan an síneadh fada a úsáid.

� 17

Page 122: Annual Report · 2020-02-19 · Annual Report First full year of GDPR 1 anuary 1 eeer 1 2019 was the first year I heard multiple data protection legal practices say they had found

Faoi alt 109(5) (f) den Acht um Chosaint Sonraí 2018 (“an tAcht”), d’iarr an DPC ar Shaolta a ghníomhartha a chur in iúl don ghearánach maidir le cur i bhfeidhm ríomhchóras a raibh in ann an síneadh fada a léiriú. Chomh maith leis sin, d’iarr an DPC ar Shaolta aguisín a chur le comhad an ábhair sonraí lena taispeáint go bhfuil an síneadh fada mar chuid d’ainm an ábhair sonraí.

Chuir an DPC, faoi alt 109(5)(c) den Acht, in iúl don ghearánach go bhféadfaidh sé teagmháil a dhéanamh leis an gCoimisinéir Teanga faoin scéim teanga agus faoi shárú ar bith ina leith.
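The technical difficulty at the heart of this case study is that a name with a fada has to be stored correctly in one system and still matched against records from systems that cannot represent it. The following is an added example written for this report and is not code from the DPC, Saolta or the HSE: the patient records are constructed, and the matching policy (the patient number is the primary key, the diacritic-folded name is only a consistency check) is this example's own assumption. It keeps the canonical name intact for display and rectification purposes, uses Unicode folding only for comparison, and flags the collisions that make name-only matching unsafe, which is the storage-and-matching risk the TLU identified.

```python
"""Keep a patient's name with its fada intact while still matching records
from systems that drop diacritics.

Added example, not code from the DPC report, Saolta or the HSE. The records
below are constructed and the matching policy is an assumption of this
example: the patient number is the primary key; the folded name is only a
consistency check and is never stored.
"""
import unicodedata
from dataclasses import dataclass
from typing import Dict, Iterable, Set


def canonical_name(name: str) -> str:
    """Normalise to NFC so that 'á' is one code point however it was typed
    (precomposed U+00E1 or 'a' + combining acute U+0301)."""
    return unicodedata.normalize("NFC", name.strip())


def fold_for_matching(name: str) -> str:
    """Comparison form only: strip diacritics, casefold, collapse spaces.
    This loses information (Seán and Sean fold to the same string), so it
    must never replace the stored name."""
    decomposed = unicodedata.normalize("NFKD", canonical_name(name))
    without_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(without_marks.casefold().split())


@dataclass(frozen=True)
class Record:
    patient_number: str   # constructed identifier, e.g. "MRN-000123"
    name: str             # as the source system holds it


def match(master: Record, legacy: Record) -> str:
    """Classify a legacy-system record against the master record.

    Returns "match", "name-mismatch" or "different-patient". The patient
    number decides identity; the folded name only detects data-entry drift.
    """
    if master.patient_number != legacy.patient_number:
        return "different-patient"
    if fold_for_matching(master.name) == fold_for_matching(legacy.name):
        return "match"
    return "name-mismatch"


def ambiguous_folded_names(records: Iterable[Record]) -> Dict[str, Set[str]]:
    """Folded names shared by more than one patient number: these are the
    records a name-only matcher would confuse once the fada is dropped."""
    by_fold: Dict[str, Set[str]] = {}
    for r in records:
        by_fold.setdefault(fold_for_matching(r.name), set()).add(r.patient_number)
    return {fold: ids for fold, ids in by_fold.items() if len(ids) > 1}


# Constructed sample data: the master record keeps the fada, the legacy
# system holds an upper-case ASCII form, and a second patient has a name
# that differs only by the fada.
MASTER = Record("MRN-000123", "Seán Ó Briain")
LEGACY = Record("MRN-000123", "SEAN O BRIAIN")
OTHER_PATIENT = Record("MRN-000124", "Sean O Briain")

if __name__ == "__main__":
    print(canonical_name("Sea\u0301n"))             # Seán (NFC)
    print(match(MASTER, LEGACY))                    # match
    print(match(MASTER, OTHER_PATIENT))             # different-patient
    print(ambiguous_folded_names([MASTER, OTHER_PATIENT]))
```

The folded form is computed on the fly and discarded; the stored value is always the NFC name with its fada, which is what an Article 16 rectification would correct. `ambiguous_folded_names` gives a quick measure of how many patients in a data set would become indistinguishable by name alone once diacritics are lost in transfer.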


Case Study 2 - Unauthorised disclosure by a telecommunications company of mobile phone e-billing records containing personal data to the data subject's former employer (Applicable law: the Data Protection Acts 1988 and 2003 ("the Acts"))

Background

During a past period of employment, the complainant asked the telecommunications company ("the telecommunications company") to link her personal mobile phone number to the account of her then employer. This enabled the complainant to avail of a discount associated with that employer's group code with the telecommunications company. Although the name on the complainant's account was changed to that of the former employer, the complainant's home address remained associated with the account and the complainant remained responsible for paying any bills.

When that employment relationship ended, the complainant contacted the telecommunications company and asked (i) that her former employer's access to her mobile phone accounts be restricted; and (ii) that the account be separated from her former employer's account. On foot of that request, an account manager at the telecommunications company took a number of steps, believing (incorrectly) that the complainant's account would be separated from her former employer's account. However, the complainant came to learn that her former employer had continued to access her account records after she made that request. Following further enquiries by the complainant, the telecommunications company discovered its error and eventually separated the complainant's account from her former employer's account.

The complainant subsequently complained to the telecommunications company. Having investigated the complaint, the telecommunications company informed the complainant that it had no record of the original request to restrict access to the account. In those circumstances, the complainant submitted a complaint to this office.

Investigation

During our investigation, the telecommunications company acknowledged that the initial action taken by its account manager was inadequate, as it neither separated the complainant's account from her former employer's account nor prevented her former employer from accessing her e-billing records. The telecommunications company also acknowledged that it did not have complete records when it investigated the complainant's complaint. In that regard, it confirmed that it had since located the complainant's original request for restriction/separation.

Accordingly, the issues to be determined were whether the telecommunications company, as Data Controller, had:

1. implemented appropriate security measures, having regard to sections 2(1)(d) and 2C(1) of the Acts, to protect the complainant's personal data against unauthorised access and against disclosure to a third party (i.e. the complainant's former employer); and

2. kept the complainant's data accurate, complete and up to date, as required under section 2(1)(b) of the Acts.

Appropriate Security Measures

This office found that the telecommunications company had not implemented appropriate security measures to protect the complainant's personal data against unauthorised access by, or disclosure to, her former employer. This was evident from the fact that the complainant's former employer continued to access her e-billing records despite the initial actions taken by the telecommunications company.

This office also noted the obligation, set out in section 2C(2) of the Acts, on a Data Controller to take all reasonable steps to ensure that (a) persons employed by him or her … are aware of and comply with the aforementioned appropriate security measures. This office found that the telecommunications company had not complied with its obligations in that regard. Again, this was evident from the fact that the account manager who initially acted on the complainant's request incorrectly believed that the actions taken were sufficient to separate the complainant's account from her former employer's account.

Accurate, complete and up to date

This office also took into account that, at the time the complainant made her complaint to the telecommunications company, the telecommunications company was unable to locate her initial request to restrict her account. As a result, the telecommunications company's own investigation of the complainant's complaint reached the wrong conclusion. Accordingly, and notwithstanding that matters were subsequently put right, this office found that the telecommunications company had failed to comply with its obligations under section 2(1)(b) of the Acts, in circumstances where the complainant's records were not, at the relevant time, accurate, complete or up to date.

Key Conclusions

The above case study shows that the obligation to keep personal data safe and secure is an ongoing one. Data controllers must ensure that they continuously monitor and assess the effectiveness of their security measures, and take into account that the circumstances or arrangements surrounding their data processing activities may change from time to time. In this case, the Data Controller failed to take the action necessary to reflect the change in circumstances notified by the complainant when she asked that her account be restricted and separated from her former employer's account. The case study also highlights the importance of effective training for employees on any internal protocols.

Case Study 3 – Reliance on consent for the use of a photograph of a child in promotional material (Applicable law - the Data Protection Acts 1988 and 2003)

We received a complaint from the parent of a data subject who was a minor. The parent attended a festival organised by the State Agency together with their child. A photographer took a photograph of the child. The following year, the State Agency used that photograph in promotional material. The data subject's parent understood that, although they accepted that they had spoken to the photographer at the time the photograph was taken, they would be contacted before the image was used.

During the investigation, the State Agency indicated that it had relied on consent under section 2A(1)(a) of the Acts, as the photographer had obtained verbal permission from the data subject's parent. However, the State Agency also accepted that it was not clear to the data subject's parent that the image would be used for media/public relations purposes. The State Agency also accepted that the parent had not been given sufficient information about the retention of the image. The DPC welcomed the State Agency's indication that it would immediately review its practices and procedures.

In conclusion, the DPC found that the State Agency had not given the data subject's parent sufficient information to give consent to the processing of the image in Bord Bia's promotional material.


Case Study 4 – Receivers and fair processing

We received a complaint against a private receiver appointed by a financial institution in respect of the complainant's property.

The complaint alleged that the Acts had been breached on the basis that the receiver had:

1. not registered as a controller under section 16 of the Acts,

2. no lawful basis to obtain the complainant's personal data from the financial institution,

3. unlawfully further processed personal data by disclosing information to a company engaged by the receiver to manage the receivership (the receiver's "managing agent"),

4. opened a bank account in the complainant's name,

5. obtained the property ID and PIN from the Revenue Commissioners, giving the receiver access to the complainant's personal online account with the Revenue Commissioners, and

6. insured the property in the complainant's name.

Following an investigation under section 10 of the Acts, the DPC established that the financial institution had engaged the receiver under a Deed of Appointment of Receiver (DOA), which granted powers to the receiver under the Conveyancing Act 1881 and under the mortgage deed between the complainant and the financial institution. On being appointed, the receiver wrote to the complainant to inform him that it had been appointed as receiver in respect of the complainant's property and enclosed a copy of the DOA. The receiver appointed a separate company as managing agent to assist in managing the property. During the receivership, the receiver liaised with the Revenue Commissioners in order to pay any outstanding tax on the property, such as the Local Property Tax (LPT). It was established that the receiver had opened a bank account for the purpose of managing income from the property. The complainant's name formed part of the name of the bank account. It was also established that an insurance policy had been taken out in respect of the property. The complainant's name was referenced on the insurance policy.

The DPC first considered whether a receiver was required to register as a data controller under section 16 of the Acts, and whether the exemptions provided for in the Data Protection Act 1988 (Section 16(1)) Regulations 2007 (the "Registration Regulations") applied. The DPC's view was that the receiver was not required to register, because the exemption under regulation 3(1)(g) of the Registration Regulations applied to the receiver. Regulation 3(1)(g) exempted data controllers processing data in relation to their customers. Having considered the relationship between the complainant and the receiver, the DPC was of the view that the exemption applied to the receiver's activities in relation to the complainant.

The DPC then considered whether the receiver had a lawful basis to obtain the personal data from the financial institution and to disclose them to the managing agent, and whether that processing amounted to further processing incompatible with the original purpose for which the data were obtained, under section 2(1)(c)(ii) of the Acts. The complainant had a mortgage with the financial institution that was in arrears. Under section 19(1)(ii) of the Conveyancing Act 1881, the financial institution could appoint a receiver once the mortgage debt had become payable. Under section 2A(1)(b)(i) of the Acts, personal data may be processed where the processing is necessary "for the performance of a contract to which the data subject is a party". The mortgage deed was a contract between the data subject and the financial institution, and in circumstances where the terms of the contract were not being complied with, the appointment of the receiver by the financial institution was necessary for the performance of the contract. The DPC's view was that the receiver had a lawful basis to obtain the complainant's personal data from the financial institution.

The DPC also found that the receiver had a lawful basis under section 2A(1)(b)(i) of the Acts to disclose personal data to its managing agent, to assist in the day-to-day management of the receivership. The DPC found that the financial institution had obtained the complainant's personal data for the purpose of entering into a loan agreement. That was a specified, explicit and legitimate purpose. The disclosure of the complainant's personal data by the financial institution to the receiver, and by the receiver to the managing agent, was in keeping with the initial purpose for which the personal data were obtained. The processing carried out during the receivership was not further processing under section 2(1)(c)(ii) of the Acts.

The DPC assessed whether the receiver had a lawful basis to open a bank account in the complainant's name. The complainant contended that the account had been opened without their knowledge or consent. Consent is one of the lawful bases for processing personal data under the Acts. The DPC considered whether the receiver had another lawful basis for processing under section 2A(1)(d) of the Acts, namely legitimate interests. To assess that lawful basis, the DPC took into account the Court of Justice of the European Union (CJEU) case Rīgas C-13/16,[1] which sets out a three-step test for processing on the basis of legitimate interests, as follows:

a) the processing of personal data must be in pursuit of a legitimate interest of the controller or of a third party,

b) the processing must be necessary for the purpose and the legitimate interests being pursued, and

c) the fundamental rights and freedoms of the person concerned must not take precedence.

The DPC's view was that opening the bank account was a reasonable measure for managing income and expenditure during the receivership. The receiver contended that it was necessary to reference the complainant's name as part of the name of the bank account to ensure that the receivership was carried out efficiently and to avoid confusion between different receiverships. Although an account could have been opened without using the complainant's name, the DPC took into account the CJEU's judgment in Huber v Bundesrepublik C-524/06,[2] in which the Court found that processing could be regarded as necessary where it allowed the relevant objective to be achieved more effectively. The DPC's view was therefore that referencing the complainant's name on the bank account was necessary, because it allowed the receiver's legitimate interests to be pursued more effectively.

As regards the third limb of the legitimate interests test (which requires a balancing exercise, taking into account the fundamental rights and freedoms of the data subject), the DPC's view was that referencing the complainant's name on the account would allow persons who had access to the bank account, or to whom the name of the bank account was given, to identify the individual. The DPC weighed those considerations against the administrative and financial costs that would result from the receiver having to implement a different procedure for naming accounts. Taking everything into account, the DPC did not find that the complainant's fundamental rights took precedence over the receiver's legitimate interests. As a result, the receiver had a lawful basis to process the complainant's name for the purposes of the receiver's legitimate interests.

As regards the allegation that the receiver had accessed the complainant's personal account with the Revenue Commissioners, the DPC found that the receiver had not accessed the complainant's personal account with the Revenue Commissioners, as alleged. The receiver was acting as a tax agent in relation to the Local Property Tax, and this did not give access to a personal account with the Revenue Commissioners. As regards the insurance policy taken out in the complainant's name, the DPC's view was that the receiver did not process personal data in that instance.[3]

During the investigation, the DPC examined whether the receiver had complied with the data protection principles under section 2 of the Acts. In that regard, the DPC examined the initial correspondence the receiver sent to the complainant notifying them of its appointment. That correspondence consisted of a cover letter and a copy of the DOA. The cover letter and the DOA were assessed to determine whether the receiver had complied with its obligation to process the personal data fairly. Section 2D of the Acts requires a data controller to provide information on the identity of the data controller, the intended purposes for which the data may be processed, the categories of data concerned and any other information necessary for fair processing. The DPC's view was that the correspondence was sufficient to inform the complainant of the identity of the data controller (and of the initial data controller). However, the DPC's view was that, although a receiver was not required to give exhaustive information on every purpose for which the personal data were to be processed, the receiver should have provided a general outline of the purposes for which it intended to process the personal data, and that this was not done in this case. It was also considered that the receiver should have made available the categories of personal data it held in relation to the complainant, but that this was not done. In light of that, the DPC's view was that the receiver had not complied with section 2D of the Acts.

This decision by the DPC shows that private receivers and their agents may lawfully process the personal data of borrowers where that processing is necessary in order to realise or manage secured assets. Data subjects should be aware that information about them may be processed without their consent in circumstances where a mortgage deed provides for the appointment of a receiver. At the same time, receivers must comply with their obligations under the Acts and under the General Data Protection Regulation to provide information about the processing to individual data subjects at the commencement of the receivership.

This decision is currently the subject of an appeal by the complainant to the Circuit Court.

[1] Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’, Case C-13/16

[2] Heinz Huber v Bundesrepublik Deutschland, Case C-524/06

[3] The processing of personal data was assessed in a related case in which the same complainant made a complaint against the managing agent in this case. The DPC's view in that decision was that the managing agent had a legitimate interest in processing the complainant's personal data for the purpose of insuring the property.


Right of Access Complaints

During 2019, the DPC received 2,064 complaints concerning the right of access, and a high proportion of these related to the failure of organisations controlling personal data to respond to an access request, or to release all of the relevant data on foot of an access request. In 2019, an increased number of the complaints received were against banks and solicitors' practices, along with complaints about the failure of schools and sports clubs to respond to access requests.

The General Data Protection Regulation (GDPR) extends the scope of the material covered by the right of access compared with the previous legal framework, and this enhanced right was perhaps reflected in the increase in the number of requests submitted to the State Examinations Commission in August 2019. An individual has the right to obtain a copy of the personal data held by the State Examinations Commission, and this right of access covers examination scripts. Whereas the previous legislation dealt with the right of access to examination results, section 56 of the 2018 Act specifically addresses the right of access to examination scripts and appeal results.

Although it is an important fundamental right, the right of access is not an absolute right. Article 23 of the GDPR sets out a regime that allows rights to be restricted in certain specific cases. This allows member states to introduce their own exemptions in national legislation. In Ireland, this was achieved through section 60 of the 2018 Act.

Importantly, any restriction relied on by controllers must respect the essence of the fundamental rights and freedoms and be a necessary and proportionate measure in a democratic society to safeguard important objectives of general public interest. The DPC will examine this question in any case in which exemptions are relied upon.

In addition to the restrictions in section 60, Article 15 of the GDPR requires that third-party data be protected when responding to an access request, and provides that "the right to obtain a copy in response to an access request shall not adversely affect the rights and freedoms of others, including rights and freedoms relating to trade secrets or intellectual property and in particular the copyright protecting software."

When an access request is received, it is important that controllers remember that the right of access is a fundamental right, so that controllers adopt a presumption in favour of disclosure.


Direct Marketing Complaints

The DPC opened 165 new complaints in relation to electronic direct marketing in 2019. Approximately 77 of these related to unsolicited email, 81 related to unsolicited text messages (SMS) and seven related to unsolicited phone calls. Some of the complaints concerned more than one type of unsolicited marketing from the same organisation.

130 investigations of direct marketing complaints were concluded during the year.

Prosecutions in relation to electronic direct marketing

The DPC prosecuted four entities in relation to electronic direct marketing without consent. These were the telecommunications provider Vodafone Ireland Limited, the food ordering service Just-Eat Ireland Limited, and the online retailers Cari’s Closet Limited and Shop Direct Ireland Limited (t/a Littlewoods Ireland).

CASE STUDY 5 - Prosecution of Vodafone Ireland Limited

In April 2019, the DPC received two separate complaints from an individual who had received direct marketing communications by text and by email from the mobile network operator Vodafone. The individual claimed that Vodafone had ignored their customer preference settings, which recorded that they did not wish to receive such marketing.

During our investigation, Vodafone confirmed that the complainant had opted out of receiving direct marketing contact, but that communications had been sent to them due to human error in the case of both the text message campaign and the email marketing campaign.

In the case of the SMS message, Vodafone confirmed that a text offering recipients the chance to win tickets to the Ireland v France rugby match was sent to approximately 2,436 customers who had previously opted out of receiving direct marketing by text. This happened because a marketing preference filter was not applied to the SMS campaign before it was sent.

In the case of the email received by the complainant, an application intended for sending direct marketing to prospective customers was used by mistake, and the message was sent to existing Vodafone customers. Although Vodafone was unable to confirm the number of customers contacted by email contrary to their preferences, the marketing email was sent to 29,289 existing Vodafone customers. The company confirmed that approximately 2,523 of 7,615 of those had been contacted in error. It was unable to link the remaining 21,674 customers to whom the same email was sent with their marketing preferences in Vodafone's data warehouse, and so could not confirm the total number of people contacted in error.

The DPC had received a separate complaint in February 2019 from another individual, a former Vodafone customer. That individual had ceased to be a Vodafone customer more than five years previously but was still receiving promotional text messages. During our investigation, Vodafone confirmed that the direct marketing messages had been sent in error. It said that, in that exceptional case, the complainant's number had not been removed from the platform used to send marketing communications when the number was no longer active on the network.

As the DPC had previously prosecuted Vodafone, in 2011, 2013 and 2018, for electronic direct marketing offences, we decided to initiate prosecution proceedings in respect of these complaints.

At Dublin Metropolitan District Court on 29 July 2019, Vodafone pleaded guilty to five charges of sending unsolicited direct marketing communications in breach of S.I. No. 336 of 2011 (Privacy and Electronic Communications Regulations). The company was convicted and fined €1,000 on each of three charges. It was convicted and fined €750 on each of the other two charges.
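Three distinct failure modes appear in this case study: a preference filter that existed but was skipped for one campaign, a send tool that could not link recipients to their preference records, and a number that stayed on the sending platform after the account had gone inactive. The following is an added example written for this report and is not code from the DPC or from Vodafone: the customers, preferences and audience are constructed, and the rule that an unknown preference or an inactive account means "suppress" is this example's own policy. The point it demonstrates is a fail-closed gate: the only object the dispatcher will accept is one the suppression step produced, so a campaign cannot go out with the filter "not applied", and anyone the filter cannot vouch for is dropped rather than messaged.

```python
"""Fail-closed suppression gate for an SMS or email marketing campaign.

Added example, not code from the DPC report or from Vodafone. All records
are constructed. Policy assumed by this example: a customer is messaged only
when they are active AND a preference record exists AND it says yes for the
channel; everything else is suppressed with a recorded reason.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Preference:
    sms: bool      # True = has opted in to SMS marketing
    email: bool    # True = has opted in to email marketing


@dataclass(frozen=True)
class Customer:
    customer_id: str
    msisdn: str                        # constructed number, not a real subscriber
    active: bool                       # still a customer on the network
    preference: Optional[Preference]   # None = cannot be linked to a preference record


@dataclass(frozen=True)
class SendList:
    """Produced only by suppress(); dispatch() refuses anything else."""
    channel: str
    recipients: Tuple[Customer, ...]
    suppressed: Dict[str, str]         # customer_id -> reason


CHANNELS = ("sms", "email")


def suppress(audience: Iterable[Customer], channel: str) -> SendList:
    """Apply the preference filter and return an auditable SendList."""
    if channel not in CHANNELS:
        raise ValueError(f"unknown channel {channel!r}")
    recipients, suppressed = [], {}
    for c in audience:
        if not c.active:
            suppressed[c.customer_id] = "inactive"         # left the network
        elif c.preference is None:
            suppressed[c.customer_id] = "preference-unknown"  # cannot be linked: fail closed
        elif not getattr(c.preference, channel):
            suppressed[c.customer_id] = "opted-out"
        else:
            recipients.append(c)
    return SendList(channel, tuple(recipients), suppressed)


def dispatch(send_list: SendList, sender: Callable[[Customer, str], None]) -> int:
    """Send to every recipient on a SendList; returns the number sent.

    Taking a SendList rather than a raw audience is what makes skipping the
    filter impossible: there is no API path from audience to sender.
    """
    if not isinstance(send_list, SendList):
        raise TypeError("dispatch only accepts a SendList produced by suppress()")
    for c in send_list.recipients:
        sender(c, send_list.channel)
    return len(send_list.recipients)


# Constructed audience covering each failure mode from the case study.
AUDIENCE = [
    Customer("c1", "+353870000001", True, Preference(sms=True, email=True)),
    Customer("c2", "+353870000002", True, Preference(sms=False, email=True)),   # opted out of SMS
    Customer("c3", "+353870000003", False, Preference(sms=True, email=True)),   # no longer a customer
    Customer("c4", "+353870000004", True, None),                                # preference unlinkable
    Customer("c5", "+353870000005", True, Preference(sms=True, email=False)),   # opted out of email
]

if __name__ == "__main__":
    sms = suppress(AUDIENCE, "sms")
    sent = dispatch(sms, lambda c, ch: print(f"would send {ch} to {c.customer_id}"))
    print(f"sent={sent} suppressed={sms.suppressed}")
```

The `suppressed` map is kept on the SendList so that the reason for every exclusion is available after the fact; in the email campaign above, the 21,674 recipients who could not be linked to their preferences would all appear under `preference-unknown` and would not have been messaged.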

CASE STUDY 6 - Prosecution of Cari’s Closet Limited

In May 2018, we received a complaint against the online fashion retailer Cari’s Closet from an individual who had previously placed an online order with the company. The complaint concerned three unsolicited direct marketing emails. The same individual had complained to the DPC in January 2018 about unsolicited emails from the same company. On that occasion, the complainant said that they had received over forty marketing messages in a single month. The individual had tried to unsubscribe several times, without success.

Cari’s Closet said that it had failed to unsubscribe the complainant from its emails due to a genuine error.

As the DPC had issued a warning in April 2018 in relation to the earlier complaint, we decided to initiate prosecution proceedings against the company.

At Dublin Metropolitan District Court on 29 July 2019, Cari’s Closet pleaded guilty to one charge of sending an unsolicited direct marketing email to the complainant. In lieu of a conviction and fine, the court applied section 1(1) of the Probation of Offenders Act on condition that the company donate €600 to the charity Little Flower Penny Dinners.


CASE STUDY 7 - Prosecution of Just-Eat Ireland Limited

We received a complaint from an individual in November 2018 regarding unsolicited direct marketing emails from Just-Eat Ireland Limited. The complainant had unsubscribed from the company's direct marketing emails but received an unsolicited direct marketing email a few days later. During our investigation of that complaint, the company informed us that the complainant's attempt to unsubscribe had failed because of a technical problem with its email platform. That problem affected 391 customers in Ireland.

As the DPC had warned Just-Eat Ireland Limited in 2013 following a complaint about unsolicited direct marketing emails, we decided to initiate prosecution proceedings.

At Dublin Metropolitan District Court on 29 July 2019, Just-Eat Ireland Limited pleaded guilty to one charge of sending an unsolicited direct marketing email. In lieu of a conviction and fine, the court applied section 1(1) of the Probation of Offenders Act on condition that the company donate €600 to the charity Peter McVerry Trust.

CÁS-STAIDÉAR 8 - Ionchúiseamh Shop Direct Ireland Limited t/a Littlewoods Ireland I mí Bealtaine 2019, fuair an DPC gearán ó dhuine a dúirt go raibh teachtaireachtaí margaíochta dírí á bhfáil acu ar téacs ó Littlewoods ó mhí an Mhárta. Dúirt an gearánach gur lean siad na treoracha chun díchlárú agus gur sheol siad an focal ‘STOP’ ar téacs cúig huaire chuig uimhir ainmnithe ar a dtugtar gearrchód, ach nár éirigh leo díchlárú agus go raibh teachtaireachtaí margaíochta ar téacs fós á bhfáil acu.

Le linn ár n-imscrúduithe, dhearbhaigh Shop Direct Ireland Limited (t/a Littlewoods Ireland) go raibh taifead ar théacsanna díchláraithe a chuir an gearánach isteach trí bhíthin a socruithe cuntais ar láithreán gréasáin Littlewoods an 8 Bealtaine 2019. Ní raibh taifead acu, áfach, ar a gcuid iarrachtaí roimhe sin díchlárú ó théacsanna margaíochta dírí agus an gearrchód SMS á úsáid. B’amhlaidh sin de bharr earráid dhaonna agus an t-ábhar do na teachtaireachtaí margaíochta SMS á socrú. Dúirt an chuideachta gur chuir an duine a bhí freagrach as ábhar a bhain le téacsanna margaíochta a ullmhú agus a uaslódáil an eochairfhocal díchláraithe ‘STOP’ san áireamh ag deireadh téacsanna margaíochta de dhearmad, in áit ‘LWISTOP’.

D’ionchúisigh Shop Direct Ireland Limited an DPC in 2016 i ndáil le saincheist cosúil leis sin ina ndearnadh custaiméir iarracht gan rath díchlárú ó ríomhphoist margaíochta dírí. Ba é toradh an cháis cúirte an t-am sin, gur bhronn an chuideachta €5,000 ar charthanas in áit ciontaithe agus fíneála.


The DPC decided to prosecute the company for electronic direct marketing offences in relation to the complaint made in May 2019.

At Dublin Metropolitan District Court on 29 July 2019, Shop Direct Ireland Limited (t/a Littlewoods Ireland) pleaded guilty to two charges relating to the sending of unsolicited direct marketing text messages. The court ruled that the company would not be convicted or fined if it donated €2,000 to the charities Peter McVerry Trust and Little Flower Penny Dinners, and section 1(1) of the Probation of Offenders Act was applied.


Complaints relating to the One-Stop-Shop mechanism

The One-Stop-Shop mechanism was established under the GDPR. Its purpose is to streamline how organisations that do business, or carry out activities, in more than one EU Member State deal with data protection authorities (known as 'supervisory authorities' under the GDPR).

The One-Stop-Shop requires that such organisations be subject to regulatory oversight by a single data protection authority, where they have a 'main establishment' in the Union, instead of being regulated by the data protection authorities of every Member State. Normally, an organisation's main establishment is its place of central administration and/or decision-making. In the case of a data controller, however, if decisions on the processing of personal data are taken elsewhere in the Union, that other place in the Union will be its main establishment. In the case of a data processor that has no place of central administration, its main establishment will be located where its main processing activities in the EU take place.

As lead supervisory authority, the DPC handles complaints that were first made to other data protection supervisory authorities in the European Economic Area (EEA), as well as complaints that individuals make directly to the DPC. Over the past year, other data protection supervisory authorities transferred a significant number of complex cross-border complaints to the DPC. In addition, the DPC commenced a number of large-scale inquiries and continued inquiries that it had initiated of its own volition relating to cross-border processing. Although the DPC has primary supervisory responsibility, we must consult extensively with the other data protection supervisory authorities and keep them informed during our complaint-handling and investigation process. Specifically, we must take their views into account and seek their agreement on our draft decisions in those cross-border cases, under the GDPR cooperation mechanism. The role of the lead supervisory authority includes investigating a complaint or an alleged infringement of the GDPR relating to cross-border processing and preparing a draft decision on it. It must then coordinate a consensus decision, where possible, with the other EU data protection authorities deemed to be 'supervisory authorities concerned'.

The Commission will be a supervisory authority concerned in the following cases:

• the complaint regarding cross-border processing was first made to the DPC but another data protection authority is the lead supervisory authority;

• the processing substantially affects, or is likely to substantially affect, data subjects in Ireland;

• or the controller/processor is established in Ireland.

As a result, the lead supervisory authority, when preparing a draft decision, must not only give 'the utmost regard' to the views of the data protection authority that received the complaint, but must also share its draft decision with every supervisory authority concerned, consult them and consider their views when finalising the decision.

Where that is not possible, the GDPR provides for a dispute resolution mechanism to be triggered. The outcome of this is that the members of the European Data Protection Board make a majority decision on the issues in dispute in the draft decision.

Under the One-Stop-Shop mechanism, the DPC is the lead supervisory authority for a wide range of multinational companies whose main establishment is located in Ireland. These include many large technology and social media companies. As lead supervisory authority, the Commission handles complaints that were first made to other data protection authorities in the Union. It also handles complaints that individuals make directly to the Commission.

In 2019, the DPC received 1,229 complaints relating to cross-border processing through the One-Stop-Shop mechanism that individuals had made to other data protection authorities in the EU.

Cross-Border Complaints

The DPC deals with cross-border complaints relating to access requests under Article 15 of the GDPR and to the right to be forgotten under Article 17 of the GDPR. That is in addition to all the complaints in which the DPC acts as a supervisory authority concerned under the GDPR. Where that is the case, the DPC acts as an intermediary between the complainant and the lead supervisory authority.

Complaints relating to Law Enforcement

The EU Directive known as the Law Enforcement Directive (EU 2016/680) was transposed into Irish law on 25 May 2018 through the enactment of the Data Protection Act 2018.

Broadly, the Law Enforcement Directive applies where a 'competent authority' is the data controller and personal data are processed for the purposes of preventing, investigating, detecting or prosecuting criminal offences or executing criminal penalties.

By way of distinction, the Law Enforcement Directive would apply where a convicted offender complained to the Irish Prison Service, for example, that data recorded about them were inaccurate. If the Irish Prison Service received a complaint from an employee about their own personal data, however, it is the GDPR that would apply.

In 2019, the DPC handled 47 complaints under the Law Enforcement Directive. Most of them related to An Garda Síochána as data controller, as well as the Irish Prison Service, the Revenue Commissioners, Veolia, Iarnród Éireann and a number of local authorities.

Section 95 Reviews

Under Section 94 of the Act, data controllers are permitted to restrict access to personal data on grounds such as the prevention of crime, or avoiding prejudice to an investigation or prosecution. Where a person is informed that their rights have been restricted under the provisions of Section 94, they may ask the DPC to carry out an independent review of their case under Section 95.

In 2019, the DPC carried out four reviews under Section 95 of the Act, to determine whether or not the restrictions imposed by the data controllers in question were lawful. In each of the four cases, the officers were satisfied that the restrictions were lawful.

• One case concerned a data subject who requested full access to their file. An Garda Síochána (AGS) had provided the data subject with a copy of their data as recorded on PULSE, but relied on section 94(3)(a) of the Act to restrict certain AGS communications relating to routine inter-agency operations, as they were deemed to reveal AGS operational methods and procedures. On reviewing the file, the DPC's authorised officers considered that the processing complied with Part 5 of the Data Protection Act 2018 – Processing of Personal Data for Law Enforcement Purposes. During the review, the data controller (AGS) clarified to the authorised officers that it had no role or input in relation to any data that may have been processed and that resulted in an Irish citizen being arrested at an airport outside this jurisdiction. Following the section 95 review, the DPC conveyed that additional information to the data subject.

• A section 95 review was carried out regarding a data subject who requested that records held about them by AGS be altered. The DPC investigated and noted that the record related to unwanted contact with a minor, which had resulted in a warning being issued. DPC officers considered that the data recorded by AGS complied with Part 5 of the Data Protection Act 2018.

• A section 95 review was carried out on the basis of a complaint in which a couple alleged that An Garda Síochána had disclosed their data to their landlady. A DPC authorised officer examined the file in question. Taking into account that An Garda Síochána had previously told the couple that it had not disclosed any personal data to their landlady, the DPC was satisfied, on the basis of the file, that all of the data examined complied with Part 5 of the Data Protection Act 2018.

Complaints relating to Data Breaches

In 2019, the DPC's National Breach Complaints Unit handled 207 data breach complaints from affected data subjects, compared with the 48 data breach complaints received between 25 May 2018 and 31 December 2018. The trend suggests a significant increase in the number of breach complaints being made by individuals.

Most of the complaints related to unauthorised disclosure, primarily the following:

• emails/letters sent to the wrong recipient;

• administrative processing errors;

• verbal disclosure;

• lost or stolen paperwork;

• unauthorised access to personal data in the workplace.

Through its engagement with individuals in 2019, the office noted an increase in correspondence from data subjects expressing dissatisfaction with the way data controllers had communicated with them, particularly regarding data breaches and the remedial actions subsequently taken by the controller. Greater adherence to Section 109(2) of the Data Protection Act 2018 would lead to earlier resolution in many such cases and would reduce the number of queries made to the DPC.

Case Study 9 – HSE/Healthcare Agency

In 2019, the DPC received a complaint about the disclosure, via Facebook Messenger, of a patient's data by a hospital receptionist concerning the patient's attendance at a hospital's Early Pregnancy Unit. Having examined the complaint, the HSE clarified to the DPC that a healthcare agency worker engaged by the HSE to staff the hospital reception had disclosed the patient's personal information. The DPC contacted the agency and sought an update on its internal investigation, details of any remedial action and details of any disciplinary action taken against the employee in question. At the same time, the DPC informed the HSE that, because it contracts the company in question to supply agency staff to work in the hospital, the HSE is ultimately the data controller for the personal data in this case.

The complaint was subsequently withdrawn by the solicitor acting on behalf of the woman after an agreement was reached between the party concerned and the hospital/healthcare agency. Data controllers/data processors may be liable for damages under Section 117 of the Data Protection Act 2018 if they fail to meet the duty of care they owe in relation to personal data in their possession.

The DPC has no role in dealing with compensation claims and has no function in bringing any such proceedings under Section 117 of the 2018 Act or in providing any such legal advice.

This case demonstrates that ongoing training is essential for all staff regarding their obligations under data protection law, and that controllers must carry out due diligence and satisfy themselves that any contractors/processors they engage are fully trained and willing to comply with data protection law.


Breaches

Data Breach Notifications

When the GDPR was introduced, obligations were placed on all data controllers regarding mandatory data breach notification. The DPC's Breach Assessment Unit analyses breach notifications weekly and processes a very large number of notifications received from across the public and private sectors, including:

• the financial sector;

• the insurance sector;

• the telecommunications industry;

• the healthcare industry;

• the multinational sector;

• law enforcement.

Some of the trends and issues identified were:

• late notifications;

• difficulty in assessing risk ratings;

• failure to communicate the breach to the data subjects;

• repeat breach notifications; and

• inadequate reporting.

In 2019, the DPC received 6,257 data breach notifications under Article 33 of the GDPR. 188 of these were found not to be breaches, because the information in question did not meet the criteria to fall within the definition of personal data set out in Article 4.12 of the GDPR.

A total of 6,069 valid data breaches were received last year. This represented a 71% increase on the number reported in 2018. Unauthorised disclosure was the highest category of notified breaches across all sectors – 83% of all breaches.


Under the GDPR, a controller is obliged to notify the DPC of any data breach unless it is able to demonstrate that 'the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons'. This means that the default position for controllers is that all data breaches should be notified to the DPC, except in cases where the controller has assessed the breach, the breach is unlikely to result in a risk to data subjects, and the controller is able to demonstrate its reasoning for reaching that decision. In any event, for every breach – including those not notified to the DPC on the basis that they are deemed unlikely to result in a risk – controllers must, at a minimum, record the details of the breach, the associated assessment, its impact and the steps taken in response, as required by Article 33(5) of the GDPR.

Data controllers are obliged to mitigate against any breaches that may occur in the future. The DPC has noted an increase in the number of similar breaches recurring in a large number of companies. This is most evident in the financial sector, where the vast majority of breaches appear to relate to unauthorised disclosure. Data controllers can take simple steps to mitigate these risks, such as running staff training and awareness programmes; implementing strict password policies and multi-factor authentication for remote access; regularly updating antivirus and anti-malware software; ensuring that email and web filtering environments are correctly configured; and ensuring that all computing devices are regularly updated with manufacturers' software and security patches.

Data breach notifications by category

Category                                           Private   Public   Total
Disclosure (unauthorised)                            3,249    1,939   5,188
Hacking                                                 98       10     108
Malware                                                 22        2      24
Phishing                                               138       23     161
Ransomware/denial of service                            17        0      17
Software development vulnerability                      13        0      13
Lost or stolen device (encrypted)                       14       27      41
Lost or stolen device (unencrypted)                     16       30      46
Lost or stolen paper                                   140      205     345
E-waste (personal data on a decommissioned device)       0        1       1
Improper disposal of paper                              20       24      44
System misconfiguration                                 43       10      53
Unauthorised access                                     67       64     131
Unintended online publication                           44       41      85
Total                                                3,881    2,376   6,257

Case Study 10 - Control of lost paper files

A public sector health service provider notified the DPC that a number of files containing patient medical information had been found in a storage cabinet on hospital premises that were no longer occupied.

A person who had gained unlawful access to the restricted premises reported the records and subsequently posted photographs of the cabinet containing the files on social media. The public sector organisation in question informed the DPC that, once it became aware of the breach, a representative of the organisation was sent to locate and secure the files. The files were removed from the premises and secured.

This breach highlights the importance of having appropriate records management policies in place, including mechanisms for tracking files, suitable secure storage facilities and complete procedures for the retention or destruction of records.

The DPC issued a number of recommendations to the organisations to improve their personal data processing practices.

Case Study 11 - Ransomware attack

An organisation operating in the leisure industry notified the DPC that it had suffered a ransomware attack that could have encrypted/disclosed the personal data of up to 500 customers and staff stored on the organisation's server. The route of infiltration was traced to a compromised modem router (backup data, however, had been stored securely via a cloud server).

Having examined the incident, the DPC issued a number of recommendations to the organisation. The DPC recommended that the organisation analyse its ICT infrastructure to determine whether further malware was present, review and implement appropriate measures to ensure an adequate level of security for the processing of personal data, and provide employee training covering cybersecurity risks.

The DPC has received regular updates from the organisation and is satisfied that significant steps have been taken to improve and implement organisational and technical measures addressing the security deficiencies in its ICT infrastructure, including the development of a training plan for all staff in this area.

Case Study 12 - Disclosure of CCTV footage via social media

A commercial and residential property management company notified the DPC that an employee of a security company whose services it had retained had used their personal mobile phone to record CCTV footage of two members of the public engaged in a private act, which had been captured by the management company's security cameras.

The recorded video was subsequently shared via WhatsApp with a limited number of individuals. The business informed the DPC that it had told the staff who might have received the footage that they must delete it, and had asked that the video not be circulated any further.

The property management company and the security company were able to demonstrate that adequate policies and procedures were in place, but there was a lack of appropriate supervision and oversight to ensure compliance with those policies and procedures.

Following recommendations made by the DPC to the property management company, the company worked with its staff to deliver additional data protection training with an emphasis on personal data breaches. In addition, further signage was displayed prohibiting the use of personal mobile devices within the confines of the CCTV control room.


Inquiries

Statutory Inquiries by the DPC

Under the Data Protection Act 2018, the DPC may conduct two types of statutory inquiry under Section 110 to determine whether the GDPR or the 2018 Act has been infringed:

• complaint-based inquiry;

• own-volition inquiry of the DPC.

Essentially, a statutory inquiry involves two separate processes:

• the investigation process, carried out by a DPC investigator;

• the decision-making process.

The decision-making process is carried out by a separate senior decision-maker in the DPC who had no role in the investigation process, normally the Commissioner for Data Protection.

The aim of any inquiry conducted is to:

• establish the facts as they relate to the matters under investigation;

• apply the facts found to the provisions of the GDPR and/or the 2018 Act, as applicable, in order to analyse whether an infringement of the GDPR and/or the 2018 Act has been identified;

• make a formal decision by the DPC as to whether or not there is an infringement; and

• where an infringement is identified, make a formal decision on whether a corrective power will be exercised and, if so, which corrective power.[4]

During the investigation process of an inquiry, the DPC may appoint authorised officers, who may exercise a range of investigative powers under the 2018 Act in the context of an inquiry. In addition to the general power to issue an information notice requiring specified information to be provided to the DPC, a wide range of investigative powers is available to an authorised officer enabling them to gather relevant information, documents and materials.[5] These include powers of entry, to search and inspect premises, equipment, documents and information, to remove and retain documents and records, and to require that information and assistance be provided to them in relation to access to documents, records and equipment. There is also a power to apply to the Circuit Court for a warrant to enter premises in order to exercise the authorised officer's powers.

At 31 December 2019, the DPC had 70 statutory inquiries on hand, including 21 cross-border inquiries.

[4] Corrective powers include imposing an administrative fine (not applicable to an infringement of the LED), issuing a warning or reprimand, a temporary or definitive ban on processing, suspending international data transfers, or an order to bring processing into compliance, among others.

[5] In the context of an inquiry already under way, the DPC may conduct a statutory 'investigation' under Section 137. A Section 137 investigation carries specific additional investigative powers, such as the power of the authorised officer conducting it to hold an oral hearing. To date, the DPC has not commenced any Section 137 investigation.


Ongoing Cross-Border Inquiries

Apple Distribution International (transparency obligations)

This complaint-based inquiry arises from a complaint originally lodged by the complainant in Germany, which was then transferred to the DPC as lead supervisory authority for the controller in question, since Apple's main establishment is in Ireland. The complainant alleges that the controller is infringing Articles 12 and 13 of the GDPR by failing to provide individuals with certain required information, such as the identity and contact details of the controller's representative and data protection officer, the legal basis for processing and the retention period for any personal data collected. The inquiry is focused on examining the controller's compliance with its transparency obligations, looking at the information the controller provides to users on its website. This includes assessing how a layered approach to the provision of information should/may be used, as well as the timing of the provision of information to individuals.

Apple Distribution International (issues regarding access requests)

This complaint-based inquiry concerns access requests made by a complainant for customer service records from Apple, where the complainant was dissatisfied with Apple's response to their access request. In this case the controller's position is that the request made by the complainant was 'manifestly excessive'. The inquiry involves examining the extent to which a controller may refuse to act on an access request in circumstances where the controller believes the request to be 'manifestly unfounded or excessive', as referred to in Article 12 of the GDPR.

Apple Distribution International (legal basis for processing in the context of targeted advertising to users)

This complaint-based inquiry is examining whether the controller has complied with its GDPR obligations regarding the legal basis on which it relies to process personal data in the context of behavioural analysis and targeted advertising on its platform. The complaint was lodged by the French digital advocacy organisation La Quadrature du Net, via Article 80 of the GDPR, under which a data subject may have a not-for-profit body lodge a complaint and act on their behalf. The issues under inquiry include whether or not the processing of personal data in this context is supported by a legal basis, as required under Article 6 of the GDPR, and if so, which one. This entails considering the conditions and limits that apply to reliance on particular legal bases, such as consent and the legitimate interests of the data controller or a third party. Cooperation with the CNIL (the French supervisory authority with which the complaint giving rise to this inquiry was originally lodged) is ongoing.

Facebook Ireland Limited (legal basis for processing and transparency in relation to the Terms of Service and Data Policy)

This complaint-based inquiry arose from a complaint received from the privacy advocacy organisation NOYB (None of Your Business), which focused on Facebook's Terms of Service and Data Policy in respect of its users. The inquiry is examining whether Facebook has complied with its obligation to have a legal basis for processing the personal data of individuals who use the Facebook platform. The inquiry also includes an examination of whether Facebook provided the data subject with information about its legal basis for processing in relation to its Terms of Service, and also focuses on the complainant's contention that processing relating to Facebook's Terms of Service was carried out on the basis of consent obtained from the data subject, but that this consent was not valid given the nature of the consent required under the GDPR.

Facebook Ireland Limited (legal basis for processing in the context of targeted advertising to users)

This complaint-based inquiry is examining whether Facebook has complied with its obligations in relation to the requirement to have a legal basis for processing personal data in the context of behavioural analysis and targeted advertising of Facebook users on its platform. The complaint in question was lodged by the French digital advocacy organisation La Quadrature du Net. Among other things, this inquiry involves a detailed examination of the processing operations that support the analysis of user behaviour/activities (including profiling) on the Facebook platform, and of how this relates to the delivery of targeted advertisements to the user. Cooperation with the CNIL (the French supervisory authority with which the complaint giving rise to this inquiry was originally lodged) is ongoing.

Facebook Ireland Limited (breach notification obligations – "token" breach)

This own-volition inquiry commenced following a breach notification made by Facebook to the DPC concerning an incident in which an external actor obtained Facebook user access tokens. (Access tokens allow authentication to the associated Facebook user's account, i.e. they keep the user logged in to Facebook so that they do not have to re-enter their password each time they use the Facebook app.) Following the incident, Facebook reset millions of user access tokens for Facebook accounts. The inquiry is examining Facebook's compliance with the breach notification obligations in Article 33 of the GDPR and, among other things, involves an assessment of the information Facebook provided to the DPC about the incident, the time at which it was provided, and the internal documentation Facebook maintained about the data breach.

Facebook Ireland Limited (security incident relating to the storage of user passwords in plaintext)

This inquiry is examining whether Facebook complied with its obligations under the GDPR in relation to a security incident that occurred in early 2019. In this case Facebook confirmed to the DPC that user passwords had inadvertently been stored in plaintext on its internal systems. The inquiry is examining whether Facebook's conduct in relation to this incident amounts to an infringement of any provision(s) of the GDPR and, in particular, whether Facebook complied with its data security obligations when it stored user passwords in plaintext format. The inquiry is also examining whether the storage of user passwords in this manner constituted a personal data breach for the purposes of Article 33 of the GDPR.


Facebook Ireland Limited (access request for certain technical information)

This complaint-based inquiry commenced as a result of a complaint made to the DPC by a data subject concerning Facebook's handling of an access request and a data portability request that he had made. The inquiry is examining whether Facebook complied with its obligations in relation to the exercise of the right of access to the complainant's personal data and the right to data portability in respect of personal data held by Facebook in a particular technical database. The complainant had requested, among other things, that he be provided with a copy of specific personal data relating to him, including personal data held, indexed against or linked to his User ID and held in raw format, and a copy of his personal data that had been provided by, or observed about, him in a machine-readable format. The inquiry is examining the scope of a data subject's rights of access and portability under the GDPR, having regard to Article 12 of the GDPR, including the extent to which a data controller may refuse to act on a data subject's request in circumstances where the controller believes the request to be "manifestly unfounded or excessive" as referred to in Article 12 of the GDPR.

Facebook Ireland Limited (legal basis for, and transparency of, Google's Real-Time Bidding and Google Authorised Buyers system)

This is an own-volition inquiry, commenced after the DPC received certain submissions from Dr Johnny Ryan of Brave, which is examining the processing of personal data by Google in the context of targeted advertising. More specifically, the inquiry is examining the processing of personal data in the context of the 'Real-Time Bidding' (RTB) process facilitated by Google's proprietary Authorised Buyers mechanism, which enables targeted advertising. In terms of scope, the inquiry is examining, among other things, whether Google has a legal basis for processing personal data, which may include special category data, via the Google Authorised Buyers mechanism. The inquiry is also examining how Google complies with its transparency obligations in relation to the retention of such personal data, as well as its obligations regarding the retention of such personal data in the context of the Google Authorised Buyers Ad Exchange.


Instagram (Facebook Ireland Limited) (legal basis for processing and transparency in relation to Terms of Use and Data Policy)

This complaint-based inquiry arose from a complaint received from the Austrian privacy advocacy organisation NOYB (None of Your Business), which focused on Instagram's Terms of Use and Data Policy for its users. The inquiry is examining whether Instagram complied with its obligation to have a legal basis for processing the personal data of individuals who use the Instagram platform. The inquiry includes an examination of whether Instagram provided the data subject with information about Instagram's legal basis for processing in relation to its Terms of Use. It also focuses on the complainant's contention that processing under WhatsApp's Terms of Service was carried out on the basis of the data subject's consent, but that this consent was not valid having regard to the nature of the consent required under the GDPR.

LinkedIn Ireland Unlimited Company (legal basis for processing in the context of targeted advertising to users)

This complaint-based inquiry into LinkedIn is focused on whether LinkedIn complied with its GDPR obligations, in particular the requirement to have a legal basis for processing personal data, in the context of behavioural analysis and targeted advertising on its platform. The complaint was lodged by the French digital rights organisation La Quadrature du Net under Article 80 of the GDPR, which allows a data subject to mandate a not-for-profit body to lodge a complaint and act on their behalf. Among the issues being specifically examined by the DPC, and which formed part of the complaint, is whether consent and another legal basis can be relied upon together for processing. Among other things, this inquiry includes a detailed examination of the technological framework that supports the analysis of user behaviour/activity (including profiling) on the LinkedIn platform and of how this relates to the delivery of targeted advertising to the user. Cooperation with the CNIL (the French supervisory authority with which the complaint that gave rise to this inquiry was originally lodged) is ongoing.

Quantcast International Limited (legal basis for processing and transparency in profiling and targeted advertising)


The DPC commenced this own-volition inquiry following a submission made to the DPC by Privacy International, a privacy advocacy organisation, about Quantcast, which provides services to entities operating in the high-technology sector. The DPC is examining, in particular, whether Quantcast complied with its obligations in relation to the processing and aggregation of personal data that it carries out for the purpose of profiling and of using the profiles generated for targeted advertising. The inquiry is examining how, and to what extent, Quantcast complies with its obligations to be transparent with individuals about what it does with personal data (including the sources of collection, the combining of data and making it available to its customers), as well as Quantcast's personal data retention practices. The inquiry will also examine the legal basis on which the processing takes place.

Twitter International Company (rights of access and data portability)

This complaint-based inquiry arises from a complaint by a Twitter user concerning an access and portability request sent to Twitter, in which the user sought certain technical information (relating to the user's interactions with web links generated by Twitter). Twitter refused this request. The inquiry is examining whether Twitter complied with its obligations in relation to the rights of access and data portability, having regard to Article 12 of the GDPR and the extent to which a data controller may refuse to act on a data subject's request in circumstances where the controller believes the request to be "manifestly unfounded or excessive" as referred to in Article 12 GDPR.

WhatsApp Ireland Limited (legal basis for processing and transparency in relation to Terms of Service and Privacy Policy)

This complaint-based inquiry arose from a complaint received from the Austrian privacy advocacy organisation NOYB (None of Your Business), which focused on WhatsApp's Terms of Service and Privacy Policy for its users. The inquiry is examining whether WhatsApp complied with the obligation to have a legal basis for processing the personal data of individuals who use the WhatsApp platform. The inquiry includes an examination of whether WhatsApp provided the data subject with information about WhatsApp's legal basis for processing in relation to its Terms of Service. The inquiry also focuses on the complainant's contention that processing under WhatsApp's Terms of Service was carried out on the basis of the data subject's consent, but that this consent was not valid having regard to the nature of the consent required under the GDPR.

Facebook Ireland Limited (technical and organisational measures – token breach)

This own-volition inquiry commenced following a breach notification made by Facebook to the DPC concerning an incident in which an external actor obtained Facebook user access tokens. (Access tokens allow authentication to the associated Facebook user's account, i.e. they keep the user logged in to Facebook so that they do not have to enter their password each time they use the Facebook app.) Following the incident, Facebook reset millions of user access tokens for Facebook accounts. The inquiry is examining whether Facebook complied with its obligations under Articles 32, 24 and 5 of the GDPR to implement appropriate technical and organisational measures and, among other things, includes an assessment of the information Facebook provided to the DPC about the incident and an assessment of the policies and procedures Facebook had in place at the time the incident occurred.

Facebook, Inc. (technical and organisational measures – token breach)

This own-volition inquiry commenced following a breach notification made by Facebook Ireland Limited to the DPC concerning an incident in which an external actor obtained Facebook user access tokens. (Access tokens allow authentication to the associated Facebook user's account, i.e. they keep the user logged in to Facebook so that they do not have to enter their password each time they use the Facebook app.) Following the incident, Facebook reset millions of user access tokens for Facebook accounts. The inquiry is examining whether Facebook Inc. complied with its obligations under Articles 32 and 5 of the GDPR to implement appropriate technical and organisational measures and, among other things, includes an assessment of the information Facebook Inc. provided to the DPC about the incident and an assessment of the policies and procedures Facebook Inc. had in place at the time the incident occurred.

Facebook Ireland Limited (multiple breaches)

This own-volition inquiry commenced after Facebook Ireland Limited notified the DPC of a number of breaches concerning the unauthorised disclosure of personal data. The inquiry is examining whether Facebook complied with its obligation under Articles 32, 24 and 5 of the GDPR to implement appropriate technical and organisational measures and, among other things, includes an assessment of the information Facebook provided to the DPC about the incidents and an assessment of the policies and procedures Facebook had in place at the time the incidents occurred.

Twitter International Company (multiple breaches)

This own-volition inquiry commenced after Twitter notified the DPC of a number of breaches concerning the unauthorised disclosure of personal data. The inquiry is examining whether Twitter complied with its obligation under Articles 32, 24 and 5 of the GDPR to implement appropriate technical and organisational measures and, among other things, includes an assessment of the information Twitter provided to the DPC about the incidents and an assessment of the policies and procedures Twitter had in place at the time the incidents occurred.

Inquiry into Oath (EMEA) Limited / Verizon Media

This own-volition inquiry into Verizon Media/Oath (EMEA) Limited commenced in relation to the company's compliance with its transparency obligations under Articles 12, 13 and 14 of the GDPR. The inquiry commenced under Section 110(1) of the Data Protection Act 2018 following an assessment of a number of complaints concerning Oath's products and services, including some from individuals in other EU Member States. The inquiry was at the information-gathering stage at the end of 2019.


WhatsApp Ireland Limited (transparency)

As the investigation stage of the process has concluded, the final inquiry report has been sent to the Commissioner, who is the decision-maker under Section 111 of the Data Protection Act 2018. The Commissioner will prepare a draft decision, which will be circulated to the other European DPAs for comment under Article 60 of the GDPR. A final decision will then be made as to whether there has been an infringement of the GDPR, whether any corrective powers will be exercised and, if so, which corrective powers.

Twitter International Company (breach notification)

As the investigation stage of the process has concluded, the final inquiry report has been sent to the Commissioner, who is the decision-maker under Section 111 of the Data Protection Act 2018. The Commissioner will prepare a draft decision, which will be circulated to the other European DPAs for comment under Article 60 of the GDPR. A final decision will then be made as to whether there has been an infringement of the GDPR, whether any corrective powers will be exercised and, if so, which corrective powers.

Ongoing National Inquiries

INSERT TABLE HERE

University of Limerick

An inquiry commenced in July 2019 in relation to a notified breach concerning a phishing incident of which the controller became aware in November 2018, together with three other phishing breaches notified in February, April and May 2018. A further phishing breach was notified in August 2019.

The November 2018 breach affected 379 individuals.

An on-site inspection will take place in early 2020.

University College Dublin


This inquiry concerns seven breach notifications received between September 2018 and January 2019.

The university reported that email accounts in various university schools had been compromised and were found to be sending out spam. Some of the breaches involved users entering their details on external websites and, in other cases, the controller was unable to establish how the systems had been compromised. For some users, the account details had been posted publicly online. Other details were identified on "haveibeenpwnd.com".

The inquiry commenced in July 2019. An on-site inspection has been carried out and a Draft Inquiry Report is being prepared.

Maynooth University

An employee's email account at Maynooth University was hacked and forwarding rules were set up. Correspondence between that employee and another member of staff was subsequently intercepted and false bank account details were substituted, which allowed a lump-sum transfer of €28,823.40 to be redirected.

The university's initial analysis indicated a phishing attempt, but there was no indication that the phishing had succeeded. Malware had been present on the employee's PC since 2017. The malware in question was a Trojan commonly used as a launch pad for downloading further malware. The university found no indication of the method used to place the malware on the PC.

The email account that was attacked was only one of six accounts that could have been accessed. However, the university has found no evidence of exploitation in relation to the other five accounts. For all six accounts there is a risk that substantial amounts of personal data contained in the emails could have been exposed/accessed.

This inquiry commenced in November 2019 and is ongoing.

Bank of Ireland

This inquiry concerns 22 breach notifications from Bank of Ireland, in which the bank was sending inaccurate data to the Central Credit Register, with the consequent risk that inaccurate information was recorded about the credit rating of certain bank customers.

This inquiry commenced in November 2019 and is ongoing.

Irish Credit Bureau


The DPC received a breach notification from the Irish Credit Bureau (ICB) concerning a data integrity issue. A change to an ICB system inadvertently allowed inaccurate updates to be applied to the loan account records of customers of financial institutions.

The incident affected the credit ratings of 15,238 individuals. 118 individuals had requested their credit report directly from ICB while the data was inaccurate.

The inquiry commenced in July 2019. The next step in the inquiry is to provide a Draft Inquiry Report to ICB.

Slane Credit Union

Slane Credit Union notified the DPC of a data breach in which the credit union publicly disclosed the personal data of 78 account holders via a general internet search. A plugin on the credit union's website had indexed the private page content of the credit union and made it available as public content, which could subsequently be found using generic searches relating to the village of Slane. Management of the website had been outsourced to a separate company, which was acting as data processor.

The inquiry commenced in July 2019 and an on-site inspection has been carried out in which the controller and the data processor were questioned about data protection management. The next step is to issue a Draft Inquiry Report.

HSE (South)

A member of the public found hospital documents containing the personal data (name, date of birth, clinical details and treatment) of 56 patients at a public recycling facility in Cork. Seven similar breaches had previously been reported to the DPC for the same HSE area.

This inquiry commenced in October 2019. A Draft Inquiry Report has been issued to the HSE.

HSE (Our Lady of Lourdes Hospital)

This inquiry commenced in November 2019 as a result of hospital ward transfer documents relating to 15 patients being found by a member of the public in her front garden. A very similar incident occurred in March 2019, when transfer notes for eight patients were found on the public road outside the same hospital.

A Draft Inquiry Report is being prepared.


HSE Midlands (Tullamore)

This inquiry concerns a breach notification about ransomware that was deployed on computers within the HSE Laboratories in Tullamore. The data controller understood that ICT security measures had been delegated to a data processor. The inquiry commenced in October 2019 and is ongoing.

Tusla (November 2018)

This inquiry commenced in November 2018 into a series of 71 personal data disclosure breaches notified to the DPC by Tusla – the Child and Family Agency.

The subject matter of the breaches included inappropriate system access, disclosure by email and by post, and the security of personal data.

The DPC carried out on-site inspections at Tusla's headquarters and at regional offices in Dublin city centre, Naas, Swords, Waterford, Galway and Cork. During the inspections a number of other data protection issues came to light that fell outside the original scope of the inquiry. However, given their relevance to the protection of personal data, they will be highlighted in the Draft Inquiry Report.

The DPC is currently preparing the Draft Inquiry Report.

Tusla (October 2019)

This inquiry concerns three breach notifications received between February and May 2019 relating to the unauthorised disclosure of personal data.

In one breach, Tusla inadvertently disclosed the contact details and address of a mother and child victim to an alleged abuser.

In the next breach, Tusla inadvertently disclosed the contact details and address of foster parents, and the school details of children, to a grandparent. As a result, the grandparent contacted the foster parent about the children.

In the third breach, Tusla inadvertently disclosed the address of children in foster care to their father, who was in prison, and he used it to communicate with his children.

The inquiry commenced in October 2019. A Draft Inquiry Report has been issued to Tusla.

Tusla (November 2019)


This inquiry concerns a breach notification received from Tusla in November 2019 regarding the unauthorised disclosure of sensitive personal data. The disclosure was made to a person against whom an allegation of abuse had been made.

The disclosed data was subsequently posted on social media.

This inquiry commenced in December 2019.

DEASP DPO

This inquiry, which commenced in December 2018, concerns possible infringements of Article 38 of the GDPR regarding the Department's interaction with its Data Protection Officer in the Department of Employment Affairs and Social Protection. A Draft Inquiry Report was issued to the Department in May 2019 and the controller made submissions on it. The DPC has analysed those submissions and the Final Inquiry Report is being prepared.

The Catholic Church

The DPC received a number of complaints from individuals who were members of the Catholic Church, many of whom no longer wished to be members. As there is no way to formally leave the Catholic Church, the individuals expressed dissatisfaction with the continued processing of their personal data by the Catholic Church, in particular the retention of their personal data on sacramental registers. As a result, each of them had requested the erasure of their church records, including those held in baptismal, confirmation and marriage registers. In each case the erasure request had been refused by the relevant parish office.

Having considered the matter at a preliminary level, the DPC has opened an own-volition inquiry under Section 110(1) of the Data Protection Act 2018. This inquiry is directed at the Archdiocese of Dublin and will examine whether there is a legal basis for processing the personal data of individuals who no longer wish their data to be processed in that way.

An Garda Síochána

An inquiry commenced in April 2019 into the processes and procedures of An Garda Síochána (AGS) for governing disclosure requests made by AGS to external third-party data controllers. Within the context of the inquiry, and under Section 136 of the Data Protection Act 2018, eight data protection audits were carried out of AGS and of a selection of organisations that process disclosure requests received from AGS.

The next step is to provide a Draft Inquiry Report to AGS.

Irish Prison Service

The DPC commenced an own-volition inquiry into the Irish Prison Service, specifically regarding the governance procedures in place for the processing of personal data through the work of the Operational Support Group. This inquiry is at its initial stages.

SUSI

This inquiry concerns a breach notification received from the City of Dublin Education and Training Board (CDETB) regarding its Student Universal Support Ireland (SUSI) website. The website suffered a breach in which SUSI IT staff noticed malicious code on 16 October 2018. The inquiry is examining the technical and organisational measures that were in place at the time of the breach and how SUSI complied with its obligations as a data controller following the breach. The inquiry commenced in July 2019 and is ongoing.

INM

The DPC's inquiry into Independent News and Media (INM) under the Data Protection Acts 1988 and 2003, concerning the potential unlawful disclosure to third parties of data held on the company's servers and other potential infringements of the Data Protection Acts, is drawing to a close. The DPC has raised queries and received submissions from various interested parties in order to gather information about the facts surrounding the data-gathering process that was widely reported in the media and formed part of the basis for the appointment of High Court Inspectors. The DPC is finalising the Inquiry Report and expects that the DPC's decision will issue thereafter.

Surveillance by the State Sector for Law Enforcement Purposes

Surveillance systems that capture images of people from which individuals can be identified, directly or indirectly (i.e. when combined with other pieces of information), may trigger the applicability of the GDPR and the Data Protection Act 2018. While the State's use of such technologies for surveillance for law enforcement purposes is becoming more widespread, and while many may take the view that surveillance is the norm, that view does not lessen the obligations placed on organisations that process personal data in this way. Furthermore, although the usefulness of such technologies for surveillance may be clear, i.e. detecting particular security-related incidents, surveillance systems operating in public places can impact on the privacy of individuals. It is therefore essential that organisations in charge of such systems can demonstrate that their systems operate in compliance with data protection legislation.

These concerns prompted the DPC to commence a number of own-volition inquiries under the Data Protection Act 2018 into surveillance of citizens by the State sector for law enforcement purposes through the use of technologies such as CCTV, body-worn cameras, drones and other technologies such as Automatic Number Plate Recognition (ANPR)-enabled systems, which are becoming more common as part of CCTV systems. These ongoing own-volition inquiries have many other aspects, such as examining the use of CCTV cameras to monitor particular local authority estates and the use of covert cameras to detect offenders engaged in littering or the illegal dumping of waste. The inquiry is also examining the legal basis underpinning the use of these surveillance technologies for law enforcement purposes.

The type of CCTV camera used can also raise data protection concerns. Pan-Tilt-Zoom (PTZ) cameras can be used to zoom in from a long distance on individuals and their property, and so may pose higher risks to personal privacy. In addition, the installation of ANPR cameras is becoming more common in the State sector, but the lack of data protection policies governing the use of such technologies in the State sector is notable.

These own-volition inquiries are being conducted under Section 110 and Section 123 of the Data Protection Act 2018 and are divided into a number of modules. The first module focuses on the 31 local authorities in Ireland, and the second module focuses on An Garda Síochána. Further modules are likely to be added as the inquiries progress. The first and second modules were commenced using the data protection audit power provided for in Section 136 of the Data Protection Act 2018.

In the first phase of the audits, the DPC sent a detailed questionnaire to each of the 31 local authorities and to An Garda Síochána seeking information on their particular use of CCTV, body-worn cameras, ANPR-enabled systems, drones and other technologies for surveillance purposes. The second phase, i.e. the information-gathering phase, commenced in September 2018 with a series of on-site inspections.

� 57

Page 162: Annual Report · 2020-02-19 · Annual Report First full year of GDPR 1 anuary 1 eeer 1 2019 was the first year I heard multiple data protection legal practices say they had found

Go dtí seo, tá cigireachtaí déanta ag an DPC i seacht n-údarás áitiúil ar leith. Is iad na húdaráis áitiúla a bhfuil cigireacht déanta iontu ná Comhairle Chontae Chill Dara, Comhairle Cathrach agus Contae Luimnigh, Comhairle Chontae na Gaillimhe, Comhairle Chontae Shligigh, Comhairle Cathrach agus Contae Phort Láirge, Comhairle Chontae Chiarraí, agus Comhairle Chontae Bhaile Átha Cliath Theas. Bhí breis is 1,000 ceamara CCTV in úsáid eatarthu ag na seacht n-údarás áitiúil chun críche faireacháin. Tabhair ar aird: Ní bhaineann an fiosrúchán le ceamaraí slándála mar iad sin a fheistítear chun críche

gnáth-chúiseanna slándála: Bhí a chur chuige féin ag gach ceann de na húdaráis áitiúla a rinneadh cigireacht orthu faoi mar a reáchtáil siad faireachán ar shaoránaigh. Mar chuid den phróiseas fiosrúcháin lorg an DPC fianaise ar pholasaithe láidre cosanta sonraí mar aon le fianaise ar mhaoirseacht ghníomhach agus rialú bríoch.

Another key aspect of the inquiries involves auditing the deployment of community-based CCTV systems by examining whether Section 38(3)(c) of the Garda Síochána Act 2005 (which provides a legal basis for such schemes under certain conditions) is being fully complied with. Community-based CCTV schemes set up at local level require the local authority to be the data controller and require the prior authorisation of the Garda Commissioner. In particular, the inquiries are examining whether or not all such schemes currently operating have obtained the authorisation of the Garda Commissioner (to date the Garda Commissioner has authorised community-based CCTV schemes in almost seventy cities, towns and villages across the State). The inquiries are also examining how the local authorities are fulfilling their data controller obligations as required under that Act.

Apart from the ongoing inquiries in the local authority sector, an inquiry was conducted into An Garda Síochána concerning Garda-operated CCTV schemes. (Section 38(3)(a) of the Garda Síochána Act 2005 provides the statutory basis for such schemes.) There are currently approximately 38 separate schemes operating under this legislation that are wholly under the control of An Garda Síochána. The inquiry conducted included inspections at Garda stations in Tullamore, Henry Street in Limerick, Pearse Street in Dublin, and Duleek and Ashbourne, Co. Meath.

Following submission of the final inquiry report to the Data Protection Commissioner, the Commissioner made 13 findings of contraventions of the Data Protection Act 2018. These contraventions relate to a number of matters, such as governance issues (including keeping records of downloads, retention periods, training, and auditing of access logs); transparency in informing the public through signage and other means; the absence of data processing contracts; and the deployment of ANPR cameras on one Garda scheme without An Garda Síochána having put the appropriate data protection policies in place and without An Garda Síochána having first carried out a data protection impact assessment before implementing the scheme. Note: as the matters under examination related solely to the law-enforcement provisions of the Data Protection Act 2018, no GDPR contraventions arose in these cases.

The Commissioner decided to exercise corrective powers in accordance with Section 127 of the Data Protection Act 2018. In summary, a reprimand was issued to An Garda Síochána in circumstances where the processing did not comply with the 2018 Act, and in such cases the Commissioner ordered that the processing be brought into compliance. In addition, a temporary ban was placed on processing in one region where such processing covers the operation of ANPR cameras, until their necessity and justification can be demonstrated. An Garda Síochána switched off these ANPR cameras as ordered by the Commissioner within seven days.

Other Inquiries

Inquiry into Tusla, the Child and Family Agency

In November the DPC concluded an inquiry, commenced in March 2017, into the governance of personal data within the Child and Family Agency, Tusla.

The investigation phase, which included physical inspections by our Authorised Officers at Tusla locations around the country, was completed in December 2017.

The DPC continued to engage with Tusla during 2018 and 2019 on a number of our findings, including in relation to issues arising from Tusla offices being co-located in facilities also occupied by the Health Service Executive (HSE).

The Agency confirmed that a number of organisational and technical steps had been implemented since the DPC's site inspections in late 2017. Tusla's ICT unit is advancing what Tusla described as a "significant programme of work" that will result in an ICT environment fully managed and controlled by Tusla.

Tusla also confirmed that it intends to review its current records management policy with the aim of aligning it with the GDPR principles of necessity and proportionality. The agency is also looking to review how "permanent" record retention periods are used.

Cookie Sweep 2019

In August 2019 the DPC commenced an examination of the use of cookies and other similar technologies on a selection of websites across a range of sectors, including media and publishing, the retail sector, restaurants and food-ordering services, insurance, sport and leisure, and the public sector.

The aim of the sweep survey was to seek information that would allow us to examine the deployment of such technologies and to establish how, and whether, organisations are complying with the law. In particular, we wanted to examine how controllers obtain users' consent to the use of cookies and other tracking technologies.

The standard of consent that controllers must obtain from users or subscribers for the use of cookies must now be read in light of the GDPR standard of consent, i.e. it must be obtained by a clear affirmative act and be freely given, specific, informed and unambiguous.

There was a good level of cooperation with the sweep, and many of the organisations were keen to demonstrate compliance. In some cases they indicated that they were aware they might not currently be complying with S.I. No. 336/2011 – the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 ('the ePrivacy Regulations') and wanted guidance from the DPC on how to put their practices right, where necessary.

There was wide variation in the quality of the information provided to users about cookies. Some organisations provided detailed and layered information about the technologies in use, while others gave little detail about the use of cookies or about how to reject them.

We also found that many organisations set a wide range of cookies as soon as a user lands on their website, without any interaction by the user with a consent management platform or a cookie banner. These included third-party cookies from social media companies, payment providers and advertisers.

Many organisations categorised the cookies on their websites as having a 'necessary' or 'strictly necessary' function, or an 'operational', 'functional' or 'analytics' function.

However, some cookies described by controllers in their responses as 'strictly necessary' do not appear to meet either of the consent-exemption criteria set out in the ePrivacy Regulations.

There was a certain level of awareness, particularly among larger organisations, of recent or pending rulings of the Court of Justice of the European Union (CJEU) in the ePrivacy area that could affect their practices. Some of them are reviewing joint-controller issues that could arise from the use of third-party plugins and social 'like' buttons in light of the Fashion ID judgment of 29 July 2019.

On 1 October, shortly after the DPC commenced this sweep, another significant CJEU judgment, in the Planet49 case, clarified that consent to the deployment of cookies is not valid if it is obtained through pre-checked boxes which users must deselect in order to refuse their consent.

The use of pre-checked boxes and sliders set to the 'on' position by default was a feature of some of the websites we examined. In addition, many organisations relied on implied consent to set cookies, or directed users to their browser settings to control cookies.

There were also examples of pre-checked boxes that opted users in to analytics and marketing cookies by default, with the organisation then failing to honour any choice the user expressed by unchecking the boxes. A lack of clarity about how users could withdraw their consent to cookies was a feature of some of the sites.
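The two findings above (non-exempt cookies set on first load, and consent UIs that are pre-ticked, implied or not honoured) lend themselves to an offline check. The following is an added example written for this page, not code from the DPC or from any site in the sweep. Everything in it is constructed: the cookie names and domains, the site's declared categories, the `KNOWN_NON_EXEMPT` patterns and the shape of the banner snapshot are the editor's assumptions, chosen only to reproduce the failure modes the report describes.

```javascript
// Added example (editor's own, not from the DPC report): an offline audit of a
// site's cookie deployment against the two findings above. All inputs are
// constructed; names, domains, categories and banner snapshots are hypothetical.

// Constructed first-load capture: cookies already present before the user has
// touched the consent banner.
const observedOnFirstLoad = [
  { name: 'PHPSESSID', domain: 'example.ie', thirdParty: false },
  { name: 'cookie_consent', domain: 'example.ie', thirdParty: false },
  { name: '_ga', domain: 'example.ie', thirdParty: false },
  { name: 'fr', domain: 'facebook.com', thirdParty: true },
  { name: 'IDE', domain: 'doubleclick.net', thirdParty: true },
];

// The site's own categorisation, as a sweep respondent might declare it.
// '_ga' (analytics) labelled 'strictly necessary' is the kind of mislabelling
// the report describes.
const declaredCategories = {
  PHPSESSID: 'strictly necessary',
  cookie_consent: 'strictly necessary',
  _ga: 'strictly necessary',
  fr: 'marketing',
  IDE: 'marketing',
};

// Cookie-name patterns the auditor treats as analytics/advertising regardless of
// the site's label. Editor's assumption, not a list from the DPC.
const KNOWN_NON_EXEMPT = [/^_ga/, /^_gid$/, /^fr$/, /^IDE$/, /^_fbp$/];

// The ePrivacy consent exemption covers only cookies used solely to transmit a
// communication or strictly necessary for a service the user explicitly
// requested. The site's label is a claim to verify, not the answer: third-party
// advertising/social cookies never qualify, and known analytics cookies do not.
function isExemptFromConsent(cookie, declared) {
  const label = (declared[cookie.name] || '').toLowerCase();
  if (label !== 'strictly necessary' && label !== 'necessary') return false;
  if (cookie.thirdParty) return false;
  return !KNOWN_NON_EXEMPT.some((re) => re.test(cookie.name));
}

// Finding 1: names of non-exempt cookies that were set before any consent.
function cookiesSetBeforeConsent(observed, declared) {
  return observed
    .filter((c) => !isExemptFromConsent(c, declared))
    .map((c) => c.name);
}

// Finding 2 (Planet49): consent is valid only if it comes from a clear affirmative
// act. Pre-ticked boxes or sliders defaulting to 'on', consent implied from
// continued browsing, choices the site then ignores, and no way to withdraw
// each produce a problem. `snapshot` describes the banner as observed.
function validateConsentBanner(snapshot) {
  const problems = [];
  if (snapshot.method !== 'explicit-action') {
    problems.push(`consent obtained by '${snapshot.method}', not a clear affirmative act`);
  }
  for (const [category, ui] of Object.entries(snapshot.categories)) {
    if (ui.defaultState === 'on') {
      problems.push(`${category}: pre-ticked / defaulted to on`);
    }
    if (ui.userValue !== undefined && ui.applied !== ui.userValue) {
      problems.push(`${category}: user chose '${ui.userValue}' but site applied '${ui.applied}'`);
    }
  }
  if (!snapshot.withdrawalExplained) {
    problems.push('no information on how to withdraw consent');
  }
  return { valid: problems.length === 0, problems };
}

// Constructed banner snapshot reproducing the report's findings: sliders on by
// default, an opt-out that is ignored, consent inferred from browsing, and no
// withdrawal route.
const observedBanner = {
  method: 'implied',
  categories: {
    analytics: { defaultState: 'on', userValue: 'off', applied: 'on' },
    marketing: { defaultState: 'on', userValue: undefined, applied: 'on' },
  },
  withdrawalExplained: false,
};

// The same banner brought into line: nothing pre-ticked, an explicit click
// records the choice, the choice is applied, and withdrawal is explained.
const correctedBanner = {
  method: 'explicit-action',
  categories: {
    analytics: { defaultState: 'off', userValue: 'off', applied: 'off' },
    marketing: { defaultState: 'off', userValue: 'on', applied: 'on' },
  },
  withdrawalExplained: true,
};

// Both checks together, returned as data so the result can be asserted on.
function auditSite(observed, declared, banner) {
  return {
    setBeforeConsent: cookiesSetBeforeConsent(observed, declared),
    consent: validateConsentBanner(banner),
  };
}

console.log(JSON.stringify(auditSite(observedOnFirstLoad, declaredCategories, observedBanner), null, 2));
```

On the constructed input the audit flags `_ga`, `fr` and `IDE` as set before consent (the session and consent-preference cookies pass as strictly necessary) and reports five defects in the observed banner; the corrected banner passes. A real capture would come from a fresh browser profile with the banner untouched, recorded before any click, which is the condition the sweep examined.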

During 2020 the DPC will publish updated guidance on cookies and other technologies that will take account of the judgments in Planet49 and Fashion ID.

This guidance will underpin and support our future enforcement strategy and activities.

Given the pervasive nature and scope of online tracking, and the inextricable links between such tracking and cookie technologies and adtech, we will place a strong focus on compliance in this area.

Procedural law issues

The work of the DPC's Legal team has always been challenging and multifaceted, but perhaps never more so than during 2019. New and highly complex issues have arisen from bringing the first inquiries to a conclusion, in particular those concerning cross-border processing, including a certain level of procedural objections raised by respondent data controllers, as well as by individual complainants and (Article 80) representative bodies. Those objections frequently concern novel points of law, particularly the interaction between the GDPR and the national Irish implementing legislation, the Data Protection Act 2018, that had not previously arisen under Irish law.

During 2019, the DPC had to consider a multitude of legal procedural issues raised by parties to DPC-led processes, such as: how best to balance the rights and entitlements of the parties concerned in the context of requests for access to the inquiry file; claims of legal privilege, confidentiality and commercial sensitivity made in respect of material submitted by parties to an inquiry; and objections to the fairness of the processes and procedures operated by the DPC. In order to consider the various issues that arose, the DPC had to consider how the statutory provisions should be interpreted and operated consistently with European legislation, as well as how rights arising from the EU legal framework, such as the right of access to the file and the right to good administration, should operate in the context of a regulatory inquiry in Ireland. Similarly, there were many issues concerning potential conflict between other national administrative laws (insofar as they implement and give further effect to the GDPR at national level) and the Data Protection Act 2018. This is a phenomenon occurring in the context of the work of regulatory authorities across the EU. As a result, at EDPB level, supervisory authorities continue to work to resolve those procedural issues at a practical level in order to achieve the highest possible level of harmonisation in the national implementation of the GDPR. The DPC expects that many complex legal issues will be resolved in 2020, issues which will arise from the completion of the first round of statutory inquiries (particularly those which must be brought to final resolution under the One-Stop-Shop mechanism, i.e. where the DPC is the Lead Supervisory Authority) and from the crystallisation, in practical terms, of many of the theoretical procedural and legal issues raised during those first new inquiries.

Litigation in which the DPC was involved

Between 1 January and 31 December 2019, substantive judgments on data protection issues were delivered in the following proceedings to which the DPC was a party. It should be noted that these proceedings related to the performance of the DPC's functions under the previous statutory regime, the Data Protection Acts 1988 and 2003.

Appeal to the Circuit Court in Young's Garage v The Data Protection Commissioner (judgment of Nenagh Circuit Court, delivered 4 February 2019). Note: this was a reserved judgment subsequently delivered orally only, and the following is a summary of that oral judgment.

This case concerned an appeal, brought by a vehicle dealership, against a decision of the DPC dated 21 December 2017 in relation to a complaint made by an individual against that dealership. In his complaint the individual alleged that the dealership had provided his personal data to a third-party bank to enable a credit check to be carried out on him with that bank. The individual alleged that this credit check, and the processing of his personal data by the dealership for that purpose, took place without his consent.

The DPC commenced an investigation of the complaint, during which the dealership asserted that the individual had consented to the processing of his personal data for the purpose of the credit check. Although the dealership asserted that it records an individual's consent by means of a tick-box on an application form, the tick-box on the application form of the individual who was the complainant had not been ticked. In the circumstances, the dealership had no way of demonstrating by documentary evidence that the individual had in fact consented to the processing of his personal data for the purpose of a credit check. Accordingly, the DPC found that the dealership had contravened Section 2A of the Data Protection Acts 1988 and 2003.

The DPC's decision noted that Section 2A of the Data Protection Acts 1988 and 2003 requires that consent be given "freely, specifically, knowingly and unambiguously". Since the box on the form used to process the individual's personal data had not been ticked, and no other documentary evidence was available to support the assertion that the individual had consented to the processing, the DPC concluded that the necessary elements of 'consent' had not been satisfied in this case and that the dealership could not demonstrate a legal basis to support the processing of the individual's personal data. The dealership raised the issue of controllership during the DPC's investigation, claiming that it was not the controller but instead a processor for the third-party bank to which the complainant's personal data had been given. The DPC did not accept that argument.

The dealership appealed the decision to the Circuit Court. In the oral judgment delivered by the Circuit Court, the Court found that the DPC's investigation process had been conducted properly and noted that the dealership and the complainant had put forward two different accounts. The Court found that the DPC's decision was correct based on the evidence before it. On the issue of consent, the Court noted that consent had not been mentioned in the affidavit sworn on behalf of the dealership in this appeal and that no evidence had been put forward of the complainant having consented to his data being passed to the bank. Furthermore, on the question of controllership, the Court found that there was no doubt that the dealership was a data controller and that it was clear the dealership could not have been a processor, since it did not act for the bank in question. It was noted that the dealership's solicitor appeared to have agreed with that view in earlier correspondence; it therefore appeared that the dealership's solicitor had accepted that it was not a processor, and therefore that it was a data controller. On that basis, the Court did not allow the dealership's appeal.

Appeal to the Circuit Court in Doolin v The Data Protection Commissioner (judgment of Dublin Circuit Court, delivered 1 May 2019). Note: the judgment in this appeal was delivered ex tempore only, and the following is a summary of that judgment.

This case concerned an appeal, brought by an individual, against a Decision of the DPC dated 27 July 2018. In the complaint underlying the Decision, the individual alleged that his employer had used Closed Circuit Television (CCTV) footage to penalise him for taking unauthorised breaks at work.

During the investigation, it was established that the employer had found a threatening message carved into a table in the break room at the workplace. The employer reported the matter to An Garda Síochána for investigation. An Garda Síochána asked the employer to examine all records relating to key-fob use and all CCTV footage from a corridor leading to the break room in question. The CCTV footage was used to identify the persons who entered and left the break room. The employer then interviewed the members of staff identified in order to establish whether or not the message was on the table while they were in the room (so as to narrow further the period within which the incident could have occurred). The employer stated that a number of staff members, when interviewed, admitted to having taken an unauthorised break from their duties. The employer asserted that disciplinary action was taken on the basis of those admissions and that the CCTV footage was not used for the purpose of the disciplinary hearing. The employer reiterated that the CCTV was used for the investigation of a criminal matter referred to An Garda Síochána, and for that reason alone.

The individual alleged that the employer had contravened Section 2 of the Data Protection Acts 1988 and 2003 ("the Acts") by using the CCTV footage for disciplinary purposes. The individual relied in that regard on the employer's CCTV policy, which stated that the purpose of the CCTV system was to prevent crime and to promote staff security and public safety.

In examining the individual's complaint, the DPC considered two issues relating to the processing of his personal data by means of the CCTV system, as follows:

1. Whether the employer had a legal basis under Section 2A of the Acts to process the individual's data; and

2. Whether the employer had complied with the statutory requirements set out in Section 2D of the Acts in relation to the fair processing of the individual's data, with particular reference to the requirement to give notice of the processing of the individual's personal data.

In the first instance, the DPC noted that it was clear from the investigation that the employer had a legitimate reason to access and view the CCTV footage in order to make enquiries as to who had carved offensive and threatening material into the table in the staff break room. This was a serious security issue that could give rise to a threat to staff, and it required investigation. Viewing the CCTV footage was a necessary part of that investigation. Under Section 2A(1)(d) of the Acts, personal data may be processed where it is necessary for the purposes of the legitimate interests pursued by the data controller, except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms of the individual.

The DPC had regard to the Opinion of the Advocate General in the Rīgas satiksme case (Case C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA 'Rīgas satiksme') and, in particular, to Advocate General Bobek's consideration of the scope and meaning of the term 'legitimate interests'. AG Bobek noted that a three-step test must be followed when considering whether the 'legitimate interests' ground applies:

1. There must be a legitimate interest justifying the processing;

2. That interest must prevail over the rights and interests of the individual; and

3. The processing of the personal data must be necessary for the realisation of the legitimate interests.

Applying the above to the matters established during the investigation, the DPC was satisfied, in the first instance, that the employer had demonstrated a legitimate interest in processing the individual's personal data by viewing the CCTV footage in order to identify the members of staff who should be interviewed in relation to the security risk that existed.

In relation to the second and third parts of the test, the DPC found that viewing the CCTV footage in order to identify the members of staff present around the time of the incident was a crucial step in the investigation. The DPC was satisfied that the processing of the individual's personal data by the limited viewing of the relevant CCTV footage, without downloading or further processing of any kind, was necessary and did not exceed the stated purpose. The camera was located outside the staff room and was not monitoring employees in a private area. Accordingly, the DPC concluded that the viewing was proportionate in all the circumstances and prevailed over the rights and interests of the individual in that limited context.

Accordingly, the DPC found that the employer had a lawful basis, under the legitimate-interests provisions set out in Section 2A(1)(d) of the Acts, to carry out the very limited processing of the individual's personal data that occurred in this case.

The DPC further considered whether or not the employer had complied with the requirements of Section 2(1)(c)(ii) of the Acts. That provision requires that personal data not be processed for any purpose other than the purposes for which the data were originally collected. In this case, the DPC was satisfied that the images of the individual, as captured on the CCTV system, were processed in connection with the investigation of a security incident when the investigation team first viewed them for that purpose alone. While the information gathered from that viewing may subsequently have been used for another purpose, i.e. disciplinary proceedings, in the DPC's view this did not constitute a different purpose, as the images themselves were not further processed in relation to that second purpose. Had the images been further processed in relation to that second purpose by, for example, being downloaded and used in the disciplinary proceedings, that could have constituted processing for a different purpose. That did not happen in this particular case, and no further processing of the individual's images took place in relation to the second purpose. Accordingly, the DPC found that the limited viewing of the individual's images took place exclusively for the security purpose for which the images were originally collected and that no contravention of Section 2(1)(c)(ii) occurred.

Finally, the DPC considered whether the fair-processing requirements set out in Section 2D of the Acts had been complied with by the employer in this particular case. The DPC found that it was clear, from the information supplied by the employer and by the individual himself, that the individual understood that CCTV was in operation at the employer's premises. This was communicated by means of information provided in the staff handbook, which according to the employer was issued to every employee during induction. It was also evident from CCTV signage displayed at the premises. Accordingly, the DPC was satisfied that the employer had complied with the fair-processing requirements set out in Section 2D in this particular case.

In his appeal to the Circuit Court, the individual alleged that the DPC had erred in fact or in law in finding that there had been no contravention of Section 2 of the Acts in relation to the CCTV footage. To succeed in that claim, and by reference to the test set out in Orange Limited v The Director of Telecommunications, the individual had to establish that a serious and significant error, or a series of such errors, had been made. The Court found that the DPC had conducted a substantial investigation of the individual's complaint, that the individual had been fully informed of the employer's position, and that he had been given every opportunity to make submissions (and indeed had made such submissions). The Court also accepted that there had been only one investigation rather than two. The investigation carried out was based on security concerns arising from the graffiti incident in question, and it was for security purposes that the employer took the disciplinary action against the individual.

The Court was satisfied, in all the circumstances and taking all the facts into account, that the individual had not met the test required for the DPC's Decision to be overturned. Accordingly, the Court dismissed the individual's appeal. Costs were awarded to the DPC and to the notice party (the employer).

Note: this decision of the Circuit Court is now under appeal to the High Court.

Supervision

Supervisory engagement with companies, organisations, policymakers and legislators enables the DPC to gain a better understanding of how controllers and processors process personal data, and of the actions they take to meet their data protection obligations. It helps the DPC to identify data protection concerns proactively and, in the case of new products or services, to ensure that organisations are aware of compliance obligations and potential problems before the processing of personal data begins.

The DPC received 1,420 general consultation enquiries during 2019. These enquiries are a starting point for much of the DPC's supervision of controllers and processors of personal data, and they provide important insight into the types of issues that would benefit from further engagement and guidance. A breakdown of those enquiries by sector follows:

Sector                  #        %
Health                  194      14%
Law Enforcement         35       2%
Private/Financial       629      44%
Public                  472      33%
Voluntary/Charity       90       6%
TOTAL                   1,420

Public Sector

In 2019 there was a strong focus on promoting the 'Guidelines on the processing of personal data by Elected Representatives under Section 40 of the Data Protection Act 2018', which the DPC published at the end of 2018.

Presentations were made to local councillors at the annual conference of the Association of Irish Local Government, and to members of the Oireachtas and their staff. The guidelines were also presented to the Local Government Data Protection Officer network, in recognition of the important role local councillors play for their constituents in accessing the services of their local authority.

The DPC engaged with a number of local authorities in 2019 about the processing of personal data in the context of waste management enforcement activities. Two different types of activity were under way in the local government sector in relation to waste enforcement. One was the development of bye-laws that sought to permit further sharing of personal data in order to enforce the existing waste legislation more effectively. The other was a pilot project, which focused on using household Eircodes in a particular region to target enforcement activities in that area. The DPC noted the importance of proper consultation with stakeholders, and of full consideration of the data protection implications by means of data protection impact assessments, as central to achieving success in this area.

Lean an DPC ar aghaidh ag déanamh caidrimh le roinnt príomh-gheallsealbhóirí maidir le rolladh amach an mhéadraithe chliste, ina measc ESBN, an Coimisiún um Rialáil Fóntas agus na soláthraithe leictreachais. Mar gheall go bhfuil cur i bhfeidhm an tionscadail seo á bhrú ar aghaidh ar chúiseanna beartas poiblí, chuir an DPC béim ar an ngá le bonn reachtúil soiléir don tionscadal casta seo, de réir an Achta um Chosaint Sonraí 2018, agus leanfar le treoir ar impleachtaí an tionscadail ó thaobh na cosanta sonraí de a chur ar fáil, de réir mar a fhorbraítear é.

The National Newborn Bloodspot Screening Programme

In 2019, the DPC continued its regulatory engagement with the Department of Health to bring to a close the matter of the retention of national newborn screening test cards. These cards are used to screen newborn children for a range of health conditions shortly after birth as part of the National Newborn Bloodspot Screening Programme. In 2010 the DPC found the programme's original policy of indefinite retention to be in breach of data protection law. Following this finding, the DPC directed the various stakeholders to reach a resolution of the breach, either by establishing a lawful basis for retaining the archive or by destroying it. A lengthy period of consultation and review with stakeholders within the Department of Health followed, along with a period during which members of the public were given the opportunity to have their cards removed from the archive. While they continued to seek a resolution of the matter, the DPC was conscious of the need to allow time for a full evaluation of the archive as a research resource in the public interest. In 2019, the DPC pressed the Department of Health to conclude its assessment, in response to which the Department informed us that destruction of the archive was the appropriate course of action in the circumstances. The DPC asked that destruction be commenced as a matter of priority. However, following representations from a family advocacy group and from a medical professional, the DPC was willing to facilitate a short delay to the destruction to allow the test cards of a small number of deceased persons to be removed from the archive for a specific, defined genetic testing programme. The DPC was informed that a Ministerial order to destroy the archive has now been signed, and we understand that the destruction process will be completed in the first quarter of 2020. It should be noted that, following a review of its data retention policy in 2012, the National Newborn Bloodspot Screening Programme as it currently operates presents no data protection concerns.

Prior Consultation

Under the GDPR and the Data Protection Act 2018, there is a mandatory obligation to consult the DPC on legislative proposals that relate to the processing of personal data. We recommend early contact with us in this area, so that we gain a good understanding of the legislation and of what it seeks to achieve as early as possible. This gives us the opportunity to recommend that government departments adhere to the principle of 'data protection by design' and carry out effective Data Protection Impact Assessments.

In 2019, various government departments and other stakeholders consulted the DPC on legislative matters which included, but were not limited to, the following:

Sample of Legislative Consultations:

☑ Adoption (Information and Tracing) Bill 2016

☑ Proposals on the Future Funding of Public Service Broadcasting

☑ Proposals to extend the circumstances in which An Garda Síochána may use recording devices, including body-worn cameras

☑ Publication of a Report on the Collection of DNA from Tuam Survivors

☑ The Affordable Childcare Scheme – designation of persons who may process personal data

☑ CervicalCheck Tribunal Bill 2019

☑ Amendments to the Electoral Act 1992 to allow the 2019 Citizens' Assembly and the Dublin Citizens' Assembly to be established

☑ Civil Registration Bill 2019

☑ Defence Forces (Evidence) Bill 2019

☑ Fuel Grant for Disabled Drivers and Disabled Passengers

☑ Register of Beneficial Ownership of Companies and Industrial and Provident Societies

☑ Proposal to establish a Statutory Electoral Commission


☑ Draft General Scheme of the Sea-Fisheries (Amendment) Bill 2019

☑ Amendment to the Gaming and Lotteries Act 1956

☑ Gender Pay Gap Information Bill 2019

☑ European Union (Hague Maintenance Convention) Regulations 2019

☑ Housing (Regulation of Approved Housing Bodies) Bill 2019

☑ Investment Limited Partnerships (Amendment) Bill 2019

☑ S.I. to establish a Register of Beneficial Ownership for Irish Collective Asset-management Vehicles and Credit Unions

☑ S.I. to create a register of beneficial ownership for the beneficial owners of Trusts

☑ Regulations to add the Register of Beneficial Ownership of Companies and Industrial and Provident Societies to Schedule 5 of the Social Welfare (Consolidation) Act 2005 as a specified body

☑ Judicial Council Act 2019

☑ Microchipping of Dogs Regulations 2019

☑ Monuments and Archaeological Heritage Bill 2019

☑ Parental Leave (Amendment) Bill 2017

☑ Residential Tenancies (Amendment) Bill 2018

☑ Data Protection Act 2018 (Section 60(6)) (Health Practitioner Regulators) Regulations 2018

☑ Data Protection Act 2018 (Section 36(2)) (Health Research) (Amendment) Regulations 2018

☑ Social Welfare Bill, Spring 2019

☑ Transposition of the EU Shareholders' Rights Directive (providing for the identification of shareholders and for directors' remuneration) as amendments to the Companies Act

☑ Waste Presentation Bye-laws

Sample of Non-Legislative Observations:


☑ Public Consultation on the Possibility of Introducing Open or Semi-Open Adoption in Ireland

☑ National Action Plan on Business and Human Rights

☑ Regulation of Harmful Content

☑ Draft National Risk Assessment 2019 – Overview of Strategic Risks Report

☑ Revenue Commissioners' Statement of Strategy

☑ Public Consultation on the National Cyber Security Strategy

☑ European Commission survey on internet-connected radio equipment and wearable radio equipment

☑ National Artificial Intelligence Strategy

☑ Public Consultation on the launch of updated Central Bank of Ireland guidance on policies and procedures for entities complying with anti-money laundering laws

☑ Proposal for a Shared Fraud Database in the Banking sector

☑ Proposal for an Insurance Fraud Database

☑ Proposal from the Department of Transport, Tourism and Sport to establish a 'Motor Third Party Liability Database' to record the insurance status of registered vehicles

Law Enforcement

During 2019 the DPC engaged in extensive consultations with An Garda Síochána in relation to its programme to update its core technology platforms. This included reviewing the data protection impact assessments for its Electronic Content Management platform and its Investigation Management System. The DPC also engaged with An Garda Síochána on its data protection impact assessment for the second-generation Schengen Information System (SIS II) project.

Private and Financial Sector


Supervision of private sector entities and of organisations in the financial, banking and insurance sectors continued in 2019. Through this, guidance and direction was given to data controllers on a wide range of complex data protection issues. Organisations the DPC engaged with during 2019 included:

▪ Ulster Bank

▪ Bank of Ireland

▪ Permanent TSB

▪ Western Union

▪ Prudential Assurance

▪ Aer Lingus

▪ SIPTU

▪ Iarnród Éireann

▪ Lidl

▪ Banking Payments Federation Ireland

▪ Accountancy Ireland

▪ Irish Farmers' Association

▪ Money Advice and Budgeting Service (MABS)

▪ IBEC (Telecommunications and Internet Federation)

▪ Insurance Ireland

▪ National Recruitment Federation

▪ The Irish Association of Pension Funds

▪ Irish Petrol Retailers Association

▪ Department of Finance

▪ Revenue Commissioners

▪ Central Bank of Ireland

▪ An Garda Síochána


While organisations in the private sector are clearly more aware of their data protection obligations since the introduction of the GDPR in May 2018, which contributes to the reduction in the number of queries received, a number of concerns arose repeatedly for companies during 2019, including:

• Transfers of personal data following a No-Deal Brexit

• Direct Marketing rules under the ePrivacy Directive

• Dealing effectively with Data Subject Access Requests

• Use of technologies in the workplace, such as biometric clocking-in, GPS vehicle tracking and workplace CCTV

• Transfer of employee data in mergers and acquisitions

• New technologies and their impact on controllers' data protection obligations.

Further new technologies emerged in 2019, particularly in the financial technology (FinTech) and payments industry, with the introduction of Open Banking and the second EU Payment Services Directive (PSD2). FinTech start-ups and trusted third parties commenced operations in Ireland. This is expected to grow in 2020 and, because the sharing of account information and personal data is at the core of the Directive, it will be a key priority of the DPC's engagement with the private and financial sector in the year ahead.

Case Study 15: Proposals for Fraud Sharing Databases

During 2019 the DPC was consulted on proposals to create two separate information-sharing databases.

The first proposal, from Insurance Ireland, is to expand an existing database, known as InsuranceLink, to include additional data fields. InsuranceLink holds data on insurance claims made by individuals, to facilitate the exchange of information between insurance companies when a customer makes a claim for compensation, so that fraud can be identified where false claims might otherwise be processed. One of the proposed additional data sets is the personal data of third parties such as witnesses to accidents.


The second proposal came from the Banking and Payments Federation of Ireland (BPFI) on behalf of the main retail banks, which wish to create a shared fraud database operated by an independent trusted third party. Under predefined rules, each bank that identifies fraudulent activity would forward that information to the database, and all participating banks would be permitted to check client data against the database in order to identify and prevent fraud.

The DPC has emphasised to both Insurance Ireland and BPFI that industry fraud databases, which involve the processing of significant amounts of sensitive data, must meet the requirements of necessity and proportionality under EU law and case law. We have also emphasised that the operation of each database must, where required, have a statutory underpinning to ensure compliance with data protection obligations under the GDPR and the Data Protection Act 2018, for example where the processing is carried out in the public interest and/or concerns data relating to offences or alleged offences.

It is the DPC's view that both proposals create significant risks for individuals, particularly for those who might be wrongly identified as participating in fraudulent activity or, in the case of insurance claims, for persons not directly involved in a claim, such as a witness. We informed the parties that these risks must be fully assessed and mitigated, including by building very robust safeguards, rules and procedures and by ensuring compliance with data protection principles such as data minimisation. In addition, we emphasised the importance of public consultation and awareness regarding the scope and purpose of these proposals.

Multinational Supervision

In 2019, the DPC attended more than 100 meetings with various multinational companies in its supervisory capacity. In addition, the DPC issued formal requests seeking detailed information on GDPR compliance across a wide range of matters, for example:

• inconsistencies in privacy policies;

• media reports describing security issues, e.g. human review of voice recordings;

• seeking improvements to processing activities such as location tracking;

• reviewing new features and products, e.g. a suicide and self-harm prevention feature; and


• assisting our European colleagues with concerns they raised, e.g. the use of diagnostic data.

Technology, Certification and Codes of Conduct

Certification

During 2019, the DPC continued to prepare for the implementation of the GDPR's approved certification mechanisms. GDPR certification is intended to be an accountability mechanism for organisations' specific processing operations, to demonstrate compliance efforts to data subjects and, ultimately, to support data subjects' trust in the processing of personal data.

Under the GDPR, the Supervisory Authority or a Member State's National Accreditation Board may accredit certification bodies in respect of 'data protection certification mechanisms' in accordance with ISO 17065/2012 and with the additional requirements established by the DPC. Section 35 of the Irish Data Protection Act 2018 provides that the Irish National Accreditation Board (INAB) is the sole accreditation body for Ireland. As a result, the DPC will not be taking on the role of accreditation body in Ireland.

As part of implementing Article 43 of the GDPR, the DPC must set out 'additional requirements', over and above those of ISO 17065/2012, which INAB will apply when accrediting certification bodies for certification mechanisms whose data protection criteria have been approved by the DPC. The DPC has just finalised those additional requirements and they are to be submitted to the European Data Protection Board (EDPB) early in 2020 for a consistency opinion. Once the EDPB adopts that opinion and the DPC has incorporated any adjustments, the requirements will be made available to the public.

The DPC is currently finalising a cooperation agreement with INAB on accreditation operations. Work has begun on the operational aspects of assessing the data protection criteria in schemes that stakeholders may submit to the DPC, and on the detailed communication, cooperation and interaction that the DPC will have with INAB, with scheme 'owners' and with the EDPB during the approval process.

Finally, at the end of 2019 the DPC held an initial information session, in conjunction with INAB, with a group of certification bodies and other stakeholders, to raise awareness of the parameters of GDPR certification mechanisms and to encourage the development of such mechanisms among certification bodies. This was the first in a series of information sessions, and further sessions are expected to be held in 2020.

Codes of Conduct

Rules for drafting and monitoring 'Codes of Conduct' are set out in Articles 40 and 41 of the GDPR. They are a practical and meaningful way of achieving higher levels of compliance with data protection principles and of protecting data protection rights. In particular, Codes of Conduct give specific sectors the opportunity to reflect on common data processing activities and to agree practical, context-specific rules and procedures that meet the needs of those sectors as well as the requirements of the GDPR.

The DPC led the development of the EDPB guidelines on drafting Codes of Conduct and on appointing Monitoring Bodies for those Codes, as provided for in the GDPR. The EDPB approved and published the guidelines in June 2019, following public consultation. The DPC has drawn up draft accreditation criteria for accrediting Monitoring Bodies, which will be responsible for monitoring compliance with any Codes of Conduct that are proposed. The EDPB's review, approval and publication of those criteria in 2020 will be an important step towards supporting organisations in drawing up Codes of Conduct, alongside the guidelines previously published by the EDPB.

The DPC looks forward to the development of Codes of Conduct as a means for controllers to improve data protection and transparency standards for particular sectors or processing operations. Codes of Conduct that are properly monitored by suitable Monitoring Bodies will bring more comprehensive, context-specific clarity to the data protection obligations of particular sectors and controllers. Following the major consultation work carried out by the DPC in the area of children's data protection rights, the DPC will encourage the drawing up of Codes of Conduct designed to contribute to the correct application of data protection to the processing of children's personal data.


Data Protection Officers

The DPC's Data Protection Officer

An organisation's Data Protection Officer (DPO) is a person with expert knowledge of data protection law and practice. Their role is to help the organisation monitor compliance with the GDPR. As Ireland's data protection regulator, it is essential that the DPC's own data protection compliance, in respect of the personal data it processes, is of the highest standard.

The GDPR requires the appointment of a DPO with the appropriate professional qualities and refers, in particular, to expert knowledge of data protection law and practice. As a qualified lawyer with experience in ensuring that data protection obligations are met at an organisational level, the DPC's DPO has the expertise in data protection law that a DPO requires. Furthermore, as a senior member of DPC staff (Assistant Commissioner), the DPC's DPO works directly under the DPC's highest management level (its Senior Management Committee (SMC)), as required by the GDPR.

The role of the DPO in a data protection supervisory authority such as the DPC is very similar to that of a DPO in any other data controller. It may involve responding to subject access requests and to other queries from members of the public. The DPO also responds to queries from DPC staff and ensures that security measures and data protection policies are timely and up to date. The DPO ensures that the Record of Processing Activities is accurate and assists the DPC with Data Protection Impact Assessments. The DPO also provides advice on some of the DPC's broader strategic projects, such as the DPC's Accounting Officer Project.

In November 2019, the European Data Protection Board established its own DPO Network to bring together the DPOs of all EU data supervisory authorities, to discuss the unique and specific aspects of the DPO role in these organisations. As a member of this network, the DPC's DPO has the opportunity to share knowledge and develop best practice together with the DPOs of other data supervisory authorities, with the aim of implementing a coordinated, consistent approach to GDPR compliance.

The DPC's DPO acts as a 'critical friend' to the DPC. By identifying key data protection problems, understanding the legal framework and the operational context, assessing risk and proactively taking proportionate action where necessary, the DPC's DPO not only serves the cause of data protection but also addresses exposure to organisational risk in many ways.

The DPC's DPO can be contacted by email at [email protected].

DPO Notifications to the DPC

Article 37.7 of the GDPR states that "the controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority."

In 2019, the DPC received 712 DPO notifications through the online electronic form on the DPC website. The table below shows the industry sectors from which notifications were made.

Working with DPOs

The DPC is committed to working fully with DPOs and their teams, in recognition of their key role in ensuring that the progress made so far in implementing GDPR programmes becomes embedded organisational culture and practice. DPC staff spoke at many events for DPOs during the year, and a DPO Network, facilitated by the DPC, was developed towards the end of 2019. Bringing this Network together is a key priority for the DPC in 2020. The purpose of the Network is to encourage peer-to-peer work and knowledge sharing among DPOs. The first initiative the DPC is rolling out for this Network is a DPO conference on 31 March 2020, and there are plans for other initiatives such as webinars, regional events and the publication of further guidance.

DPO Notifications for 2019

Private            577
Public             49
Not-for-profit     86
Total in 2019      712


10. International Affairs

International Transfers

A key focus for the Data Protection Commission in the area of international transfers is the assessment and approval of Binding Corporate Rules applications from multinational companies. It also has an advisory role on general transfer matters, attending speaking engagements and meetings and the meetings of the European Data Protection Board's (EDPB) International Transfers expert subgroup.

Binding Corporate Rules

Binding Corporate Rules (BCR) were introduced in response to the need for organisations to take a global approach to data protection, as many organisations were made up of a number of subsidiaries across the globe, transferring data on a large scale. The inclusion of BCR in the GDPR promotes their use as an appropriate safeguard for legitimising transfers to Third Countries.

During 2019, the DPC continued to act, or commenced acting, as lead reviewer on 19 BCR applications from 12 different companies.

The DPC also assisted other European Data Protection Authorities (DPAs) by acting as co-reviewer on 5 BCRs during this period.

The procedure for approving BCRs changed from a mutual recognition system under the Directive to the current system, under which every BCR must be submitted to the EDPB for an Article 64 opinion. This process means that every DPA has the opportunity to comment on every BCR application, which results in a slightly longer cooperation procedure. This procedure will help the EDPB to draft its opinion if all issues are dealt with before the Article 64 procedure.

The EDPB issued Article 64 opinions on 2 BCR applications submitted through the UK and Belgian DPAs in 2019. We expect to seek similar opinions on a number of DPC-led BCRs in the first quarter of 2020.

Because of the impending departure of the United Kingdom from the European Union, a number of companies have made contact to enquire about moving their lead authority to the DPC for BCR purposes. The number of BCRs handled by the DPC is expected to increase in 2020, once the UK has left the EU and those companies that hold approved BCRs require a BCR lead authority.


Brexit

In 2019, the DPC spent considerable time engaging with stakeholders and providing information on Brexit, particularly the impact on Irish companies transferring personal data to the United Kingdom in the event of a no-deal Brexit. The DPC took part in joint events with IBEC, Enterprise Ireland and the Local Enterprise Boards to ensure the information reached as many companies as possible. The main concern was that smaller companies that did not regularly transfer data to third countries could breach the GDPR if they continued to transfer data to the UK after Brexit without putting the relevant safeguards in place.

The DPC provided advice and took direct part in events within the public sector, giving advice that could be used in the event that the United Kingdom becomes a third country for data transfer purposes.

Other International Transfer Matters

DPC staff attended 7 meetings of the EDPB's International Transfers expert subgroup (ITES) in 2019. This EDPB subgroup meets to consider, consult on and prepare documents on matters relating to International Transfers.

The DPC's EU Role

During 2019, the DPC continued to play a central role in protecting the data protection rights of millions of people across the European Economic Area (EEA). These increased responsibilities of the DPC arise from the cooperation and consistency mechanisms under the GDPR.

Consistency Mechanism and EDPB Tasks

Like every other EEA data protection supervisory authority, the DPC must ensure that we interpret, supervise and enforce the GDPR in a manner that achieves consistency. The GDPR's consistency mechanism introduced a number of additional tasks for the EDPB and all of its members, including the DPC, to ensure that the goal of harmonisation is achieved.

These tasks are delivered primarily through the work of the expert subgroups and the plenary meetings of the EDPB, in which the DPC participates fully given the importance of these tasks. During 2019, DPC staff attended more than 80 in-person meetings in Brussels relating to EDPB activities, including the activities of twelve of the EDPB subgroups:

• Borders, Travel and Law Enforcement;


• Cooperation;

• Compliance, e-Government and Health;

• Enforcement;

• Financial Matters;

• Fining Taskforce;

• International Transfers;

• IT Users;

• Key Provisions;

• Social Media;

• Strategic Advisory; and

• Technology.

DPC staff contributed significantly to the development of guidelines and opinions in all of the EDPB's expert subgroups during 2019. The DPC is the coordinator of the Social Media expert subgroup and, over the past year, was co-rapporteur on that subgroup's work on regulatory priorities relating to the processing of personal data by social media companies.

During 2019, the DPC hosted colleagues from the United Kingdom, Iceland, the Netherlands, Luxembourg and Sweden, and visited colleagues in the United Kingdom, Germany and Belgium. These bilateral discussions and exchanges of experience were very valuable in ensuring consistency. These meetings will continue in 2020.

European Data Protection Supervisory Bodies

During 2019, the DPC continued to participate actively in the work programmes of the European Supervisory Bodies for the EU's large-scale IT systems, such as Europol, Eurodac, Eurojust, the Customs Information System (CIS) and the Internal Market Information system (IMI). In addition, we continued to take part as observers in the coordinated supervision of the Schengen and Visa Information Systems (SIS II and VIS).

With regard to SIS II, during 2019 the DPC continued to work with An Garda Síochána and the Department of Justice & Equality on Ireland's participation in certain non-border aspects of the Schengen acquis and on connection to SIS II. The work programme to advance Ireland's participation will continue in 2020.

Rannpháirtíocht Eorpach Eile

Labhair ionadaithe an CCS ag comhdhálacha agus imeachtaí i mórán Ballstát de chuid an LEE le linn 2019, lena n-áirítear an Bheilg, an Ghearmáin, an Fhrainc, an Ríocht Aontaithe agus an tSlóivéin. Ghlac roinnt ball foirne DPC páirt sa cheardlann bhliantúil láimhseála cásanna d'údaráis mhaoirseachta um chosaint sonraí na hEorpa, ó thíortha LEE agus neamh-LEE, a d'óstáil an Maoirseoir Eorpach ar Chosaint Sonraí (MECS) sa Bhruiséil i mí na Samhna. Bhí an-áthas orainn freisin comhghleacaí ó údarás maoirseachta Dhúiche na Réine-Phalaitíneachta a óstáil, a chaith seachtain sa DPC i mí Dheireadh Fómhair.

I mí na Nollag 2019, shínigh an CCS clár dhá bhliain i gcomhar lenár gcomhghleacaithe Cróitis agus Ollscoil Vrije na Beilge, a mhaoinigh Coimisiún an AE den chuid is mó. Is í aidhm an chláir feasacht, eolas agus tuiscint ar Fhiontair Bheaga-Mheánmhéide (FBManna) san Eoraip a mhéadú, ar phrionsabail na cosanta sonraí, ionas go neartófar a leibhéil chomhlíonta sa todhchaí. Tosóidh an clár go luath i 2020.

International Engagement

The DPC engages with supervisory authorities, international organisations and legislators outside the EU to share information on the DPC's practices and experiences. This engagement helps to ensure that our own regulatory approach is understood, and also helps us to understand the differences in regulatory approach in other countries, including the impact this has on people and organisations.

The Commissioner appeared before the US Senate Committee on Commerce, Science and Transportation in May, as part of the Committee's examination of consumer expectations regarding data privacy. In addition, she appeared before the International Grand Committee on Disinformation and 'Fake News' at the hearing held in Dublin in November, which was attended by parliamentarians from ten countries. The DPC hosted delegations during the year from countries including Australia, New Zealand and the United States, among others.

Also as part of this activity, senior DPC staff attended the International Conference of Data Protection and Privacy Commissioners (ICDPPC) in Tirana, Albania, held in October. The ICDPPC is a global forum in which data protection authorities can share knowledge and insights. Following the conference, the ICDPPC forum was renamed the Global Privacy Assembly (GPA). The DPC also attended the meeting of the British, Irish and Islands' Data Protection Authorities (BIIDPA) in Jersey in June 2019. The DPC will host the next annual BIIDPA conference in Dublin in June 2020.


11. Consultation on the Processing of Children's Data

Public Consultation on the Processing of Children's Personal Data and the Rights of Children as Data Subjects under the GDPR

Background – establishment of the Children's Policy Unit

The Children's Policy Unit was established in 2018 as part of the DPC's obligation under the GDPR to promote awareness and understanding of the issues associated with the processing of children's personal data, as well as the specific standards required to protect children's personal data, and the rights of children as data subjects. The unit is headed by an Assistant Commissioner, who reports to a Deputy Commissioner (Head of Legal). After carrying out exploratory work in early 2018, it became clear to the unit that the prominence given to children under the GDPR meant that a dedicated consultation was needed to gather the views of all relevant parties, particularly children themselves.

Launching the consultation

The DPC's public consultation on the processing of children's personal data and the rights of children as data subjects under the GDPR ran from December 2018 to April 2019. It focused on a number of questions that the DPC wished to put to the public regarding the interpretation of key provisions of the GDPR in relation to children. The consultation was divided into two streams: Stream 1, launched in December, targeted adult stakeholders and invited all stakeholders – including parents, educators, children's rights organisations and others – to submit their responses to one or more of the 16 questions set out in the consultation document published on the DPC's website. Stream 2 was launched on International Data Protection Day (28 January 2019) and sought to engage children and young people directly in the classroom through a specially designed consultation process and innovative lesson plan.

The DPC contacted every primary and post-primary school in Ireland – as well as Youthreach centres – to inform them of the consultation and to invite them to take part. The DPC distributed a package of lesson plan materials that had already been tested, with the support of the Office of the Ombudsman for Children (OCO), in a series of pilot workshops in October 2018. The lesson plan was designed to help teachers discuss data protection issues with their pupils, with a particular emphasis on data protection in the context of social media. 'SquadShare', a fictional app created by the DPC for educational purposes, was presented to the pupils, who were encouraged to explore their data protection rights while learning about the terms and conditions of that fictional app. The pupils were then invited to give their answers to six questions on feedback posters and to return them to the DPC by email and by post.

Feedback and initial reports

The DPC received a total of 30 submissions from adult stakeholders, including technology and social media companies, children's rights charities, public sector bodies, academics and trade associations. Stream 2 of the consultation gathered the views of approximately 1,200 children and young people across Ireland. The level of interest generated by both streams of the consultation was very encouraging. Adult stakeholders were well represented across all sectors, and children were well represented across all age groups. These were very positive developments.

The Children's Policy Unit spent several months analysing the submissions of all respondents after the consultation had closed. Two initial reports, one for each stream of the consultation, were published in July and September 2019 (entitled 'Some Stuff You Just Want to Keep Private!' and 'Whose Rights Are They Anyway?'). The two reports presented the qualitative and quantitative trends observed across all responses to the consultation, together with the DPC's interpretation of those findings. The consultation has received considerable praise and recognition to date. The ICDPPC's Digital Education Working Group (DEWG) named it a key international initiative under the DEWG Action Plan in relation to raising awareness of the exercise of digital rights by children themselves ('Awareness-raising on the exercise of digital rights by the children themselves'). It was also shortlisted as one of two contenders in the Education and Public Awareness category of the ICDPPC Awards 2019, for its child-centred consultation initiative.

Next steps

The DPC is now finalising its Guiding Principles document on children's data protection rights and the processing of children's data. The document is intended to serve as guidance for data controllers and stakeholders on how to address the issues that emerged in the DPC's consultation, taking into account the feedback from participants. Specifically, the guiding principles will answer the following questions: how and when children should be able to exercise their data protection rights for themselves, and the role of parents and guardians in this; what information should be given to children about the use of their personal data; how the age of digital consent should be applied in relation to processing without consent; and in what circumstances the profiling of children for advertising or marketing purposes will be permitted. The DPC intends to publish these Guiding Principles in early 2020, and a further public consultation will be held on that document to take stakeholders' views into account before it is published.

Alongside the Guiding Principles, the DPC will publish a separate, child-friendly guide explaining to children their rights under data protection law, as well as the risks that may arise when they disclose their personal data online. Finally, following the consultation, the DPC will work with industry, government and voluntary stakeholders, and their representative bodies, to encourage the drawing up of codes of conduct in relation to the processing of children's data, in accordance with Section 32 of the Data Protection Act 2018. Working towards the development of a code of conduct in this area will be a key initiative of the DPC's Children's Policy Unit in 2020.


Communications

Direct Engagement

The DPC continued its active outreach schedule during 2019 by engaging with a broad base of Irish and international stakeholders. The Commissioner and her staff spoke, presented or otherwise assisted at events on over 180 occasions during the year. For example:

Nationally:

• Launch of the 'Falling Through the Cracks' research report;
• PDP Annual Data Protection Conference 2019;
• Taking Care of Business 2019;
• National Association of Principals and Deputy Principals Data Protection Seminar;
• Digital Summit 2019;
• IIEA Young Professionals Network;
• Early Childhood Ireland Annual Conference;
• NSSO Annual Conference; and
• UCD Student Legal Convention 2019.

Internationally:

• AmCham 7th Transatlantic Digital Economy Conference;
• International Bar Association Technology Law Committee – 6th Biennial Technology Law Conference;
• Eurofi Financial Forum 2019;
• Sooner than you think – Bloomberg technology series;
• International Association of Privacy Professionals Summit, Washington DC; and
• IAPP Brussels Conference.

Parliamentary Committees (Oireachtas):

• Joint Committee on Justice and Equality;

• Committee of Public Accounts;

• Joint Committee on Communications, Climate Action and Environment; and

• International Grand Committee on Disinformation and Fake News.


Media engagement

The DPC's media profile, and media interest in the DPC, continued to grow at national and international level during 2019. At home, the Commissioner and other members of senior management appeared on national television and on national and regional radio, and contributed to digital and print media throughout the year. Most media engagement arose from investigations, e.g. the publication of the DPC's investigation report on the Public Services Card in August. On other occasions, the DPC took part in interviews to discuss practical issues of public concern or interest, such as taking photographs at school events, and the media also paid significant attention to the DPC's appearances before various Oireachtas Committees throughout the year.

Internationally, the Commissioner and DPC staff engaged regularly with a wide range of media providers, including Bloomberg, the BBC, CNN, Politico, the Wall Street Journal, the New York Times and the Financial Times, to name but a few. Most of this engagement focused on the operation of the One-Stop-Shop and on the statutory inquiries the DPC has open in relation to multinational technology companies, as well as on dealing with breaches and issues that emerged in the technology sector during the year. The international media paid significant attention to the DPC's appearance before a United States Senate Committee hearing in May 2019.

Publications and Guidance

The DPC continued to update, provide and distribute comprehensive guidance on a broad range of topics in the form of podcasts, blogs and formal guidance, for both the public and organisations, to inform people about data protection law and the various rights and obligations that go with it. This guidance covered general topics as well as providing more detailed guidance on issues that are topical or complex.

Some of the topics on which the DPC provided publications and guidance in 2019 include:

• the basics of data protection;
• guidance for both controllers and data subjects on the use of CCTV;
• guidance on requesting personal data from prospective tenants;
• frequently asked questions on data subject access requests; and
• guidance on the data protection principles and the legal bases that may provide grounds for processing personal data.


The mandatory breach notification regime under the GDPR has been a significant area of growth for the DPC in terms of receiving, analysing and acting on breach notifications. In light of this, the DPC made available both a 'quick guide' to breach notification obligations and a more detailed 'practical guide', which provided additional practical guidance based on the experience of the DPC and of controllers after the first year of the GDPR.

The DPC also continued to both provide and update technical guidance, focused primarily on online and digital security, as well as on the data protection implications of new and emerging technologies. The DPC published security-focused guidance on phishing and social engineering attacks, portable storage devices and cloud service providers, as well as guidance on common online risks that data subjects may encounter.

In light of developments regarding the United Kingdom's proposed exit from the EU (Brexit), the DPC published guidance on international transfers of personal data in the event of a no-deal Brexit and frequently asked questions on Brexit, and also updated our general guidance on transfers of personal data to third countries or international organisations.

Online content

The production and distribution of podcasts and blogs was a key element of the DPC's external communications strategy in 2019, with the regular 'Know Your Data' podcast, together with a series of topical, myth-busting blogs that highlight areas of general public interest and illustrate relevant guidance published by the DPC. Topics covered included 'Does the GDPR Really Say That?', 'taking photographs at school events', 'video surveillance at home', 'what to do if you find personal data in a public place', 'representing account holders', and a 'Christmas shopping myth-busting' blog.

EDPB Guidance

The DPC also worked closely with our fellow data protection authorities through the European Data Protection Board (EDPB) to produce guidance documents on EU data protection law. During 2019, the EDPB published guidelines and draft guidelines on topics such as codes of conduct and monitoring bodies, video devices, data protection by design and by default, the right to be forgotten and search engines. Links to the EDPB's guidelines and publications are also available on the DPC's website.


Social media

The DPC continued to use social media to support its awareness campaign and communications activities. In 2019, the DPC continued its social media activities across Twitter, Instagram and LinkedIn. Followers doubled across the three platforms, standing at over 20,000 by the end of 2019. Organic reach was almost 3.3 million, with hundreds of thousands of accounts engaged each month.

The DPC continues its social media engagement through visually impactful infographics, videos and Graphics Interchange Format files (GIFs), which are effective tools for disseminating guidance and support the DPC's awareness activities.

DPC website

The DPC's website, www.dataprotection.ie, is an important resource for individuals and data controllers. The DPC's web forms provide convenient channels for website users to submit complaints, breach notifications and general queries directly to the DPC. In addition, press releases and statements, guidance, blogs and podcasts on issues relevant to our stakeholders were published frequently during 2019.


Key DPC Projects

Regulatory Strategy 2020-2025

Work on the DPC's new Regulatory Strategy, for the period 2020 to 2025, continued during 2019. This project gives us an opportunity to re-examine how our work can have the greatest possible impact, with the resources available to us, taking into account the greatest risks to people's rights. It also ensures that we consider how best to organise ourselves to deliver that impact over the next 5 years, even as our regulatory environment continues to change, in terms of changes in society, technology, the law and the EU.

As part of our analysis of the context in which we regulate, we ran a series of focus groups with the public in July. The aim of those focus groups was to understand people's views on data protection rights, on the role of the DPC, on how compliance with data protection law should be encouraged, facilitated and maximised, and on how non-compliance should be regulated.

The consultation document on the DPC's Target Outcomes was the main output of this project in 2019. That document focuses on the Target Outcomes we hope to achieve and on how the DPC's activities help to achieve them.

The draft Regulatory Strategy itself will be the second main output of the project, analysing how the DPC can prioritise those activities and deliver them within the limited resources available to us. A further open public consultation will be held on the draft Regulatory Strategy, and we may consult directly with representative bodies, advocacy groups and other organisations. A Strategy Implementation and Measurement Plan will also be published, later in 2020, setting out how the strategic priorities will be implemented through key projects and initiatives. That Plan will also set out how the impact of our Target Outcomes will be measured.


In line with our Public Sector Equality and Human Rights Duty, the Regulatory Strategy will set out, in a manner accessible to the public, the human rights and equality issues relevant to the DPC's work and our proposed plans to address those issues.

DPC Accounting Officer

Up to and including 2019, the DPC's funding was included in the budget of the Department of Justice and Equality, which the Dáil voted on each year; that is to say, the DPC was included in the Department's Vote until now. As a result, the DPC's expenditure has until now fallen within the remit of the Department's Secretary General as Accounting Officer, in terms of accounting for the regularity and propriety of expenditure in the Department's Vote, for economy and efficiency in the use of resources, and for the systems, procedures and practices used to evaluate the effectiveness of operations.

A change to that structure was provided for in the Data Protection Act 2018 (the 2018 Act). Under Section 25 of the 2018 Act, which came into effect from 1 January 2020, the Commissioner, or the Chairperson of the Commission, is now the Accounting Officer for the DPC's expenditure. The DPC now manages its own expenditure directly, and the DPC's funding has been transferred from the Department's Vote to the DPC's own separate Vote (Vote 44) to enable that direct control and accountability.

In preparation for that change of status, the DPC appointed an Accounting Officer project team during 2019. The team was responsible for preparing and implementing the changes required for the DPC to take on that control and accountability directly. These related primarily to Finance, Governance, Procurement and Corporate Services, and we worked with colleagues from those divisions in the Department to define and implement the changes. We engaged with the Department of Public Expenditure and Reform (DPER) and the National Shared Services Office (NSSO) on the changes.

The main output of the project was the DPC's Corporate Governance Framework, which sets out the DPC's governance arrangements, including the establishment of the DPC's new Audit and Risk Committee. The expanded and additional activities that our corporate support functions must now deliver mean that the DPC will incur additional pay and non-pay costs from 2020 onwards, so that the DPC can fully discharge its accounting officer obligations.

Phase 2 of the Accounting Officer changes will continue during 2020, linked primarily to the impact on Human Resources and Payroll.

Operational Change Programme

During 2019, our operational change programme included a number of initiatives and improvements focused on the DPC's internal procedures, processes, systems and information management, all led by our Operational Performance unit, for example:

• Ongoing refinement of our internal standard procedures, to take account of our caseload, our organisational expansion and further clarification of our powers under the 2018 Act;

• Undertaking a number of practical improvements and problem resolutions in the EU's Internal Market Information System (IMI) to manage the information shared with other EDPB data protection supervisory authorities;

• Increasing our use of information management and key statistics, and using them to inform organisational changes, process improvements and operational priorities;

• Improving the web forms on the DPC's website to make them easier to use. Further improvements are planned for early 2020;

• Strengthening our case management tools to support management information needs and to better serve our growing staff numbers.

Each of these initiatives during 2019 was important in ensuring that the DPC gets the greatest possible benefit from our new Case Management System, which we will begin implementing during 2020.


Corporate Affairs

Corporate Governance – Code of Practice for the Governance of State Bodies

The DPC is an independent body established under the Data Protection Act 2018, and it is in that Act that its governance requirements are set out. The DPC applies high standards of corporate governance and works to ensure that it meets the requirements set out for all public sector bodies in the Code of Practice for the Governance of State Bodies (2016), having regard to the DPC's particular statutory governance structure.

As part of the requirements of the Code of Practice, the DPC has put in place a Corporate Governance Assurance Agreement with the Department of Justice and Equality. This Agreement sets out the broad corporate governance framework within which the DPC operates, and defines the key roles and responsibilities that underpin the relationship between the DPC and the Department of Justice and Equality. As the DPC is independent in the performance of its functions under the provisions of the Data Protection Act 2018 and the GDPR, it is not subject to a Performance Delivery Agreement with the Department of Justice and Equality.

In accordance with the Code of Practice for the Governance of State Bodies, the DPC is required to produce a Statement on Internal Control on an annual basis. The DPC's Statement covering the period of this report is set out in Appendix XX.

Risk Management

The DPC's Risk Management Policy sets out its approach to risk management and the roles and responsibilities of the SMC, heads of unit, managers and staff. The policy also sets out the key elements of the risk management process and how the DPC identifies and records risks to the organisation. The DPC applies the procedures set out in its risk management policy and maintains a risk register in accordance with Department of Finance guidelines. This includes an appropriate assessment of the key risks to the DPC, which is intended to describe each risk and the associated measures or strategies for controlling and mitigating those risks effectively. The Corporate Affairs Unit compiles the risk register, and it is reviewed regularly by the members of the SMC.


Reflecting the DPC's key priorities, the key risks managed by the office during the period under review were as follows:

• Developing organisational capacity to deliver the organisation's enhanced functions under the GDPR and national legislation. This included developing the expertise of DPC staff as well as recruiting new staff with legal, specialist investigation and information technology skill sets.

• Identifying suitable accommodation to meet the needs of the DPC as a growing organisation.

• Ensuring that effective and efficient regulatory structures, business processes and functions are integrated and embedded effectively across the DPC on an ongoing basis as the new and enhanced supervisory functions and responsibilities set out in the GDPR, the LED and the Data Protection Act 2018 are implemented, as well as maintaining and enhancing the integrity, professionalism and international reputation of the DPC.

• In 2019, business processes and policies were put in place to manage directly functions such as finance, payroll, HR, ICT and internal audit when the DPC transitions to being its own Accounting Officer from 1 January 2020.

Official Languages Act

The DPC's fourth Language Scheme under the Official Languages Act 2003 commenced with effect from 1 November 2017 and will remain in force until October 2020. The DPC continues to provide services in Irish in accordance with our Customer Charter and to provide information in Irish through our website.

Public Sector Human Rights and Equality Duty

The DPC seeks to fulfil its obligations under Section 42 of the Irish Human Rights and Equality Commission Act 2014 and has put measures in place to ensure that human rights and equality are taken into account when developing policies and procedures and when engaging with stakeholders in fulfilling its mandate to protect the EU fundamental right to data protection.

In our publications, the Public Sector Equality and Human Rights Duty is referred to in our Strategic Statement for 2019 and in the budget submission on funding for 2020. The Public Sector Equality and Human Rights Duty was taken into account in drafting the public consultation on the DPC's Regulatory Strategy 2020 – 2025 – Consultation on Target Outcomes.

Tá roinnt bealaí forbartha agus curtha i bhfeidhm ag an DPC dár bpáirtithe leasmhara chun cumarsáid a dhéanamh ar bhonn aonair agus chun treoir a chur ar fáil ar bhealach inrochtana. Leagtar amach láithreán gréasáin an DPC mar aon le faisnéis eile atá foilsithe le prionsabail an ghnáth-Bhéarla san áireamh, agus tá acmhainní fuaime foilsithe ag an DPC freisin. Aithníodh dúthracht an DPC i leith phrionsabail an ghnáth-Bhéarla le gradam ‘ardmholadh’ ag Gradaim Ghnáth-Bhéarla NALA. Leagtar amach an láithreán gréasáin le comhlíonadh phrionsabail na hinrochtaineachta san áireamh, lena n-áirítear Tionscnamh Inrochtaineachta Gréasáin (WAI), Treoirlínte maidir le hinrochtaineacht ábhair ar an nGréasán 2.0 AAA, agus caighdeáin ARIA. Chomh maith leis sin, cuireann an DPC deasc chabhrach ar fáil chun freastal ar chustaiméirí nach bhfuil in ann teacht ar an láithreán.

Tá Oifigeach Rochtana ag an DPC a ghníomhaíonn mar idirghabhálaí don chustaiméir agus don rannóg ábhartha.

Saoráil Faisnéise

Ón 14 Aibreán 2015 i leith, tá an DPC faoi réir an Achta um Shaoráil Faisnéise (FOI) i bpáirt maidir le taifid nach mbaineann ach amháin le riarachán ginearálta na hOifige. Tá eolas maidir le hiarratas a dhéanamh faoi FOI ar fáil ar láithreán gréasáin an DPC. Tá loga nochtuithe maidir le gach iarratas ar fhaisnéis neamhphearsanta faoin Acht FOI ar fáil faoi ‘Scéim Foilseacháin um SF’ ar an láithreán gréasáin.

During 2019, the DPC received a total of 46 requests under the FOI Act. Of these, 33 were deemed to be outside the scope of the Act on the basis that they related to records held by the DPC other than records concerning the general administration of the Office. A summary of the FOI requests received by the DPC during 2019 is set out in the table below. No appeal was made to the Information Commissioner in relation to any case.

Request by type | Total for category | Outcome
Administrative issues | 9 | 6 granted; 1 part-granted; 2 dealt with outside FOI
Questions outside the scope of the Acts | 37 | 33 outside scope; 4 withdrawn


The DPC received no requests under the European Communities (Access to Information on the Environment) Regulations, S.I. No. 133 of 2007.


Energy Report 2019

Overview of Energy Use

DUBLIN

21 Fitzwilliam Square

The DPC's head office is located at 21 Fitzwilliam Square, Dublin 2. The office's energy consumption is electricity only, used for heating, lighting and equipment.

21 Fitzwilliam Square is a protected building and is accordingly exempt from the energy rating system.

Additional office

The DPC currently has additional office space in Dublin to accommodate the growth in staff numbers. This office was sourced by the OPW and the DPC took possession of it in October 2018. It will be retained until a new permanent head office becomes available to accommodate the DPC's staff and operations in Dublin. That office measures 828 square metres.

The office's energy consumption is electricity only, covering heating, lighting and equipment.

The building's energy rating is B2.

PORTARLINGTON

The DPC's office in Portarlington has an area of 444 square metres and is located on the upper floor of a two-storey building constructed in 2006.

The office's energy consumption consists of electricity for lighting and equipment, with natural gas used for heating.

The building's energy rating is C1.

Actions Taken


The DPC participates in the SEAI online system in order to report its energy use in accordance with the European Communities (Energy End-Use Efficiency and Energy Services) Regulations 2009 (S.I. No. 542 of 2009).

Energy use for the offices for 2018 (the latest confirmed figures available from SEAI) is as follows:

Office | Electricity | Natural Gas
Dublin: Fitzwilliam Square | 88,440 kWh |
Dublin: Additional Office | 14,687 kWh * |
Portarlington | 40,102 kWh | 51,308

Overview of Environmental Policy / statement for the organisation

The Data Protection Commission is committed to operating in accordance with the Irish Government's environmental and sustainability policies.

Summary of environmental sustainability initiatives

• Purchasing of single-use plastics discontinued from January 2019

• LED lighting replacing fluorescent lighting in the Portarlington office as units fail or new bulbs are required

• Sensor lighting in use in one office (Additional Office)

• Review under way of the heating system in one office (Fitzwilliam Square)

• New tender competition being run for waste collection services, to include a compost bin service for Portarlington and Fitzwilliam Square.

• Lighting costs reduced by approximately 10% in Fitzwilliam Square following DSE environmental testing and the removal of lights.

Reducing Waste Generated


• The DPC uses a default printer setting under which documents are printed double-sided.

• In addition, the DPC has provided staff with dual screens so that documents need not be printed in order to be reviewed or compared with other documents while working on cases.

• The DPC provides General Waste and Recycling bins at locations throughout the offices.

Maximising Recycling

It is the DPC's policy that all waste paper is securely shredded. Shredding consoles are provided at locations throughout the offices. Shredded paper is recycled.

Sustainable Procurement

The DPC's procurement and processes comply fully with Sustainable Procurement.

Catering contracts specify that single-use plastics are not to be used.


Appendix 1: Case Law of the Court of Justice of the European Union (CJEU)

The CJEU delivered a number of significant judgments during 2019 on the interpretation of EU law as it relates to data protection. The key aspects of these judgments, insofar as they concern data protection issues, are summarised below.

TK v Asociaţia de Proprietari bloc M5A-ScaraA (Case C-708/18)

Key issues: video surveillance system on private property, legal basis, consent, legitimate interest, proportionality. The case was considered under the (now repealed) Data Protection Directive (Directive 95/46/EC).

Facts

This case concerned the lawful basis for a video surveillance system in the common areas of an apartment building in Romania. Because burglaries and thefts had occurred in several apartments and in the common areas of the building, and because the lift was frequently vandalised, the building's association of co-owners decided to install a video surveillance system to monitor people entering and leaving the building. This possibility was provided for under Romanian law. Measures taken previously, namely the installation of an intercom and a magnetic card entry system, had not helped to prevent offences of the same kind from recurring. One apartment owner in the building therefore sought an injunction to have the video surveillance system removed, arguing that it infringed his right to respect for his private life and that Romanian law was being breached.

By way of a preliminary reference to the CJEU, the Bucharest Regional Court raised a number of questions concerning Romanian constitutional law and asked whether it was proportionate to install a video surveillance system in the common areas of a residential building for the purposes of the legitimate interest of the safety and protection of individuals and property or whether, alternatively, the consent of the individuals concerned is required for such data processing.

Judgment

The CJEU delivered its decision on 11 December 2019. The CJEU held that the processing of personal data in the context of a video surveillance system must comply, first, with the principles relating to data quality (Article 6 of Directive 95/46 (the Data Protection Directive)) and, second, with one of the criteria for making data processing legitimate (as listed in Article 7 of the Data Protection Directive). The CJEU noted that Article 7 sets out an exhaustive and restrictive list of six bases on which the processing of personal data may be regarded as lawful. One of those bases is the pursuit of the legitimate interests of the controller or of a third party (Article 7(f)). The CJEU observed that Member States may neither add new principles relating to the lawfulness of the processing of personal data nor impose additional requirements beyond those already set out in the Data Protection Directive.

Referring to its earlier decisions, the CJEU reaffirmed that, for processing to be justified on the basis of legitimate interests, three cumulative conditions must be met. The first condition is that the legitimate interests pursued by the controller must be present and effective at the time the data are processed. Second, the processing of the personal data must be necessary for the purposes of the legitimate interests pursued. This requirement must be interpreted strictly, that is to say, the objective cannot be achieved just as effectively by other means that are less restrictive of the fundamental rights and freedoms of data subjects. Third, because the rights of the data subject may override the legitimate interests pursued by the controller under Article 7(f), this condition requires a balance to be struck between the opposing rights and interests, which depends on the specific circumstances. As regards the processing of data from non-public sources, it is essential to assess the seriousness of the interference with the data subject's rights, taking into account, among other things, the nature of the personal data concerned, such as how sensitive the data may be, the particular way and means in which the data are processed, such as the number of persons with access to the data and the means by which access is obtained, and the data subject's reasonable expectation that his or her personal data will not be processed. In the present case, the CJEU stated that those factors must be balanced against the importance of the legitimate interests pursued by the co-owners of the apartment building in relation to the video surveillance system, insofar as that system seeks to ensure the protection of the property, health and life of those co-owners.

In addition, the Court confirmed that it is not necessary to obtain the data subject's consent where personal data are processed on the basis of the legitimate interests of a controller or of a third party in this context.

The CJEU held that provisions of Romanian law authorising the installation of a video surveillance system in the common areas of a residential building for the purpose of pursuing legitimate interests relating to the safety and protection of individuals and property were not precluded by the Data Protection Directive, provided that the processing carried out by the video surveillance system satisfied the conditions laid down in Article 7(f). It was for the referring court to carry out that assessment.

Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v Planet49 GmbH (Case C-673/17)

Key issues: consent to cookies, pre-ticked checkboxes. This case was considered under both the (now repealed) Data Protection Directive (Directive 95/46/EC) and the GDPR, and in relation to Directive 2002/58, as amended by Directive 2009/136 (the ePrivacy Directive).

Facts

The German Federation of Consumer Organisations (Verbraucherzentrale Bundesverband eV) sought an injunction against an online gaming company, Planet49 GmbH, ordering the company to refrain from using a pre-ticked checkbox to obtain users' consent to the storage of, or access to, information in the form of cookies installed on those users' terminal equipment. Planet49 had organised a promotional lottery in which participants were asked to enter their names and addresses on a registration form on a web page. The form contained two declarations of agreement; one of the declarations included a pre-ticked checkbox and the other did not. The pre-ticked declaration sought to confirm participants' agreement to the placing of cookies. The cookies placed on participants' terminal equipment were linked to the names and addresses the participants had provided on the registration form, so the pre-ticked declaration was intended to authorise the processing of personal data rather than anonymous data.

The matter came before the German Federal Court, which decided to stay proceedings and refer a number of questions to the CJEU for a preliminary ruling on the requirement in Article 5(3) of Directive 2002/58, as amended by Directive 2009/136 (the ePrivacy Directive), that users must give consent to the storage of, or access to, information in the form of cookies on their terminal equipment.

Judgment


The CJEU delivered its decision on 1 October 2019. Although the preliminary reference was made before the GDPR came into force, the CJEU's judgment was delivered after the GDPR had come into force. In addition, the German Federation of Consumer Organisations had sought an order in the German courts that Planet49 refrain from such activity in future. The CJEU first decided that the questions referred had to be answered in light of both the Data Protection Directive and the GDPR.

On the validity of consent to cookies, the CJEU noted that 'consent' is defined in the ePrivacy Directive as consent corresponding to the definition given in the Data Protection Directive; however, the Data Protection Directive had been repealed by the GDPR, which provides that references to that Directive are to be construed as references to the GDPR. The CJEU held that the consent requirement can be satisfied only by active behaviour. First, the CJEU relied on the requirement that consent must be given 'unambiguously' (Article 7(a) of the Data Protection Directive), on the basis that ambiguity can be removed only by active behaviour. Second, the CJEU considered that consent cannot be presumed and must result from active behaviour. The CJEU further considered that the requirement of active behaviour is confirmed under the GDPR, and noted that the definition of consent in the GDPR is stricter still than that in the Data Protection Directive, since the GDPR's recitals expressly require active consent and expressly exclude the possibility of using pre-ticked checkboxes to obtain valid consent. Applying the definition of consent, the CJEU held that consent is not valid where the placing of cookies is permitted by means of a pre-ticked checkbox which the user must deselect in order to refuse consent.

The CJEU also considered whether the ePrivacy Directive should be interpreted differently depending on whether the information stored or accessed on terminal equipment is personal data or non-personal data. The cookies used by Planet49 were linked to the names and addresses of participants in the promotional lottery, and their storage therefore amounted to the processing of personal data. The CJEU noted that Article 5(3) of the ePrivacy Directive applies to information stored on terminal equipment regardless of whether that information is personal data.

The CJEU also considered the scope of the information that must be provided to users in light of the requirement in Article 5(3) of the ePrivacy Directive that clear and comprehensive information be provided to those users before consent is given. The Court stated that the user must be able to determine easily the consequences of any consent he or she might give and to understand how the cookies used function. The information to be provided to users also includes the duration of the operation of the cookies and whether or not third parties may have access to them.

G. C. and Others v Commission Nationale de l'Informatique et des Libertés (CNIL) (Déréférencement de données sensibles) (Case C-136/17)

Key issues: the right to be forgotten, the right to de-referencing, obligations of search engine operators, special categories of personal data, information relating to criminal proceedings. This case was considered under both the (now repealed) Data Protection Directive (Directive 95/46/EC) and the GDPR.

Facts

As a search engine operator, Google refused to comply with requests from four separate individuals (a local politician; a former public relations officer of the Church of Scientology; a person questioned as part of a judicial investigation into political financing; and a person previously convicted of sexual offences against children) to de-reference various links to third-party web pages (including press articles) from the list of results displayed by Google following searches against their names. Those individuals complained to the French Data Protection Authority (CNIL), which refused to serve formal notice on Google requiring it to carry out the requested de-referencing. The four brought the case before the Conseil d'État (the French Supreme Administrative Court), which asked the CJEU to clarify the obligations of a search engine operator when handling a request for de-referencing under the Data Protection Directive.

Judgment

The CJEU's decision was delivered on 24 September 2019. The CJEU first decided that the questions referred had to be answered in light of both the Data Protection Directive and the GDPR.

The first issue before the CJEU was whether the strict prohibition and restrictions on special categories of personal data, namely data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or sex life, criminal convictions or security measures, also apply to search engine operators. The CJEU held that the strict prohibition and restrictions on the processing of special categories of personal data apply to search engine operators in the same way as to any other data controller. However, the Court reaffirmed its decision in Google Spain, C-131/12, and noted that a search engine operator is responsible only for the referencing of a third-party web page. Accordingly, the strict prohibition and restrictions on the processing of special categories of personal data apply to a search engine operator in the context of any request for de-referencing received from the data subject.

On the issue of a request for de-referencing relating to special categories of personal data, the CJEU stated that, where a search engine operator receives such a request, it is in principle required, subject to certain exceptions, to accede to it. However, the operator may refuse the de-referencing request if it is established that the links concerned lead to data manifestly made public by the data subject. In any event, the operator must ascertain whether the inclusion of the link to a web page on which special categories of personal data are published, in the list of results displayed following a search on the data subject's name, is strictly necessary to protect the freedom of information of internet users who may be interested in accessing that web page by means of such a search. The CJEU indicated that a balancing test must be carried out between the data subject's rights to privacy and to the protection of personal data on the one hand, and the freedom of information of internet users on the other, based on the specific circumstances of each request and taking into account the nature and sensitivity of the information in the context of the data subject's private life, as well as the public interest in having access to that information. The CJEU noted that the public interest may vary according to the role played by the data subject in public life.

In the specific context of a request to de-reference data relating to criminal proceedings brought against the data subject, where that information is now out of date in light of subsequent developments and proceedings, the CJEU held that, based on the circumstances of the request, a search engine operator must assess, at the time of the request, whether the data subject concerned has the right that the information in question no longer be linked to his or her name in a list of results displayed following a search on his or her name. Even in this case, the operator must apply a balancing test between the data subject's rights to privacy and to the protection of personal data and the freedom of information of internet users. However, where inclusion of the link in question is strictly necessary, a search engine operator is required to adjust the list of results in such a way that the overall picture it gives the internet user reflects the current legal position, which means in particular that links to web pages containing information on that point must appear in first place on the list.


Google LLC, successor in law to Google Inc. v Commission Nationale de l'Informatique et des Libertés (CNIL) (Case C-507/17)

Key issues: the right to be forgotten, the right to de-referencing, obligations of search engine operators, removal of links across all domain name extensions or only European ones. This case was considered under both the (now repealed) Data Protection Directive (Directive 95/46/EC) and the GDPR.

Facts

In 2015, the French Data Protection Authority (CNIL) served formal notice on Google stating that, when granting a request from a natural person for the removal of links to web pages from the list of results displayed following a search on that person's name, Google must apply that removal to all of its domain name extensions. Google refused to comply with that formal notice and removed the links in question only from the lists of results displayed following searches conducted on the domain name extensions corresponding to the versions of its search engine in EU Member States.

In 2016, having found that Google had failed to comply with that formal notice within the prescribed period, the CNIL imposed a penalty on Google. Google lodged an application with the Conseil d'État (the French Supreme Administrative Court) to have the penalty annulled. By way of a preliminary reference, the Conseil d'État referred a number of questions to the CJEU for consideration in this context.

Judgment

The CJEU's decision was delivered on 24 September 2019. The CJEU first decided that the questions referred had to be answered in light of both the Data Protection Directive and the GDPR.

On the issue of the territorial scope of the right to de-referencing, and reaffirming the principles of that right as previously established in the Google Spain decision, C-131/12, the CJEU considered that a search engine operator is required to carry out the de-referencing only on those versions of the search engine corresponding to Member States. To ensure a consistent and high level of protection throughout the EU, the CJEU held that the operator must carry out the requested de-referencing not only on the version of the search engine corresponding to the Member State of residence of the person benefiting from that de-referencing, but on the versions of the search engine corresponding to all EU Member States.

The CJEU also indicated that, although EU law does not require a search engine operator to carry out the requested de-referencing on all of the search engine's domain name extensions, neither does it prohibit such a practice. Accordingly, the Court observed that, since the public interest in accessing information may vary from one Member State to another (for example, by virtue of derogations available under the Data Protection Directive and the GDPR), a supervisory or judicial authority of a Member State remains competent to weigh up a data subject's right to privacy and to the protection of personal data concerning him or her against the right to freedom of information, in light of national standards of protection for those rights. A supervisory or judicial authority may therefore, where appropriate, order the operator to carry out a de-referencing request in relation to all versions of that search engine.

Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV (Case C-40/17)

Key issues: social plugins, controllership, legitimate interests, consent, duty to inform. This case was considered under the (now repealed) Data Protection Directive (Directive 95/46/EC).

Facts

Fashion ID is an online clothing retailer which embedded the Facebook 'Like' social plugin on its website. When an internet user visited the Fashion ID website, that visitor's personal data were transferred to Facebook as a result of the Facebook 'Like' social plugin being placed on the website. On the facts set out in the preliminary reference to the CJEU, it appeared that the transfer took place without the visitor being aware that his or her data were being transferred to Facebook, regardless of whether he or she was a member of Facebook and regardless of whether he or she clicked the Facebook 'Like' button.

A German public-service association (Verbraucherzentrale NRW), tasked with protecting the interests of consumers, criticised Fashion ID for transferring the personal data of visitors to its website to Facebook, on the basis that the transfer took place without their consent and that the duty to inform visitors of the processing of the relevant personal data, as laid down in data protection law, had been breached.


The association sought an injunction before the Düsseldorf Regional Court against Fashion ID to compel it to cease the practice of embedding the 'Like' social plugin on its website. The Regional Court granted the injunction in favour of the association. Fashion ID then appealed that decision to the Düsseldorf Higher Regional Court, which referred a number of questions to the CJEU by way of a preliminary reference. Those questions concerned whether or not Fashion ID was a controller of the data collected through the social plugin even though it could not influence that data processing; whether it was possible to rely on the legal basis of legitimate interests to embed the social plugin or whether the consent of data subjects was required for the processing; and who should comply with the duty to inform data subjects about the processing of data when website operators embed a third-party social plugin.

Judgment

The CJEU's decision was delivered on 29 July 2019. The CJEU first considered whether consumer protection associations could be precluded from bringing or defending legal proceedings against a person alleged to be responsible for an infringement of data protection law. Recalling the fundamental objectives of data protection law, namely to ensure effective and complete protection of the fundamental rights and freedoms of natural persons, and in particular the right to privacy with respect to the processing of personal data, the CJEU held that where a Member State provides in its national legislation for the possibility of a consumer protection association bringing legal proceedings, this does not detract from the objectives of that protection but rather contributes to achieving them.

On the issue of controllership in relation to a social plugin, the CJEU held that a website operator (such as Fashion ID) which embeds a third-party social plugin on its website (such as a Facebook 'Like' button), which causes the browser [on the device] of a visitor to that site to request content from the provider of that plugin and, for that purpose, to transmit the visitor's personal data to that provider, may be regarded as a joint controller together with the third party which owns the social plugin. However, the Court considered that the operator's responsibility is limited to the operation or set of operations involving the processing of personal data in respect of which the website operator actually determines the purposes and means, i.e. the collection of the data in question and their disclosure by transmission.

On the issue of legitimate interests and social plugins, the CJEU held that, where a website operator embeds on its website a social plugin which causes the browser of a visitor to that website to request content from the provider of that plugin and, for that purpose, to transmit the visitor's personal data to that provider, it is necessary that the operator and the provider each pursue a legitimate interest for the purposes of their respective processing operations in order for those operations to be justified in respect of each of them.

On the issue of consent and the provision of information in respect of social plugins, the CJEU first recalled that the duty to obtain the data subject's consent and the duty to inform the data subject fall on the controller that actually determines the purposes and means of the relevant operation or set of operations involving the processing of personal data. The CJEU held that consent must be given before the data subject's personal data are collected and disclosed (in other words, transmitted onward) to a third party. In such cases, the CJEU stated that it is the website operator, rather than the provider of the social plugin, that bears responsibility for obtaining that consent. This was so because it would not be consistent with effective and timely protection of the data subject's rights if consent were given only to the joint controller that becomes involved subsequently, namely the provider of the social plugin. It is the visitor's visit to that website that triggers the processing of personal data. However, the consent that must be given to the operator relates only to the operation or set of operations involving the processing of personal data in respect of which the operator actually determines the purposes and means. As regards the duty to inform, this duty falls on the website operator in the same way, but the information that must be provided to the data subject need only relate to the operation or set of operations involving the processing of personal data in respect of which the operator actually determines the purposes and means.

Sergejs Buivids v Datu valsts inspekcija (Case C-345/17)

Key issues: video recording in a police station, recording of a video, journalistic exemption. This case was considered under the (now repealed) Data Protection Directive (Directive 95/46/EC).

Facts

Mr Buivids recorded a video in a station of the Latvian national police while making a statement in the context of administrative proceedings that had been brought against him. He subsequently published the video on the YouTube website. After the video was published, the Latvian National Data Protection Agency found that Mr Buivids had infringed data protection law because he had not informed the police officers of the intended purpose of processing personal data relating to them and because he had not provided the Latvian National Data Protection Agency with any information regarding the purpose of recording and publishing the video. As a result, the Latvian National Data Protection Agency asked Mr Buivids to remove the video from YouTube and from other websites.

Mr Buivids brought an action before the Latvian District Administrative Court seeking a declaration that the decision of the National Data Protection Agency was unlawful. Mr Buivids also claimed compensation for the harm he had suffered. The Latvian District Administrative Court dismissed the action, and the Latvian Regional Administrative Court subsequently dismissed the appeal. Mr Buivids appealed to the Supreme Court of Latvia, invoking his right to freedom of expression. By way of a preliminary reference to the CJEU, the Supreme Court of Latvia asked a number of questions as to whether the act of recording police officers carrying out their duties in a police station, and the act of publishing the video so recorded on the internet, fall within the scope of the Data Protection Directive, and whether this could be regarded as the processing of personal data for journalistic purposes.

Judgment

The CJEU's decision was delivered on 14 February 2019. The CJEU first held that the one-off act of recording a video with a digital camera and publishing that video, containing personal data, on a website on which users can view, send and share videos constitutes the processing of those data wholly or partly by automatic means.

The CJEU considered that the recording and publication of the video in question could be regarded as the processing of personal data falling within the scope of the Data Protection Directive. The Court stated that the video did not constitute a processing operation concerning public security, defence, State security or the activities of the State in areas of criminal law, since it resulted from the activity of a private individual. Furthermore, such an activity could not be regarded as purely personal within the context of household activities since, as it happened, Mr Buivids published the video in question on a video website on which users can send, share and view videos, thereby allowing an indefinite number of people to access the personal data contained in the video.


On the issue of the processing of personal data for journalistic purposes, after recalling the need to strike a balance between the right to data protection and the right to freedom of expression, the CJEU reaffirmed that the right to freedom of expression must be interpreted broadly and that journalistic activities are those whose purpose is the disclosure to the public of information, opinions or ideas, irrespective of the medium used to transmit such information, opinions or ideas. In the context of the case, the Court found that the fact that Mr Buivids was not a professional journalist did not appear to exclude the possibility that he could fall within the scope of the journalistic exemption by recording the video in question and publishing it on a video website on which users can send, share and view videos. However, the CJEU noted that not all information published on the internet that relates to personal data can be categorised as journalistic activity. The CJEU indicated that it was for the referring court to determine whether it appeared from the video in question that the sole purpose of recording and publishing it was the disclosure to the public of information, opinions or ideas, taking into account in particular the factual circumstances and whether the video in question was published on internet sites for the purpose of drawing attention to the alleged malpractice claimed by Mr Buivids. In order for the journalistic exemption to be capable of applying, the referring court should consider this exemption only where it is necessary to reconcile two fundamental rights, namely the right to privacy and the right to freedom of expression, and only to the extent strictly necessary.
The CJEU also held that, in striking a balance between these two fundamental rights, the referring court must take into account, among other things, the contribution to a debate of public interest, the degree of notoriety of the person concerned, the subject of the news report, the prior conduct of the person concerned, the content, form and consequences of the publication, and the manner and circumstances in which the information was obtained, as well as its veracity.

Deutsche Post AG v Hauptzollamt Köln (Case C-496/17)

Key issues: personal data, tax identification number, customs authority authorisation process. This case was considered under both the (now repealed) Data Protection Directive (Directive 95/46/EC) and the GDPR.

Facts

Pursuant to Commission Implementing Regulation (EU) 2015/2447 (concerning the implementation of customs rules), the German customs authority (the Hauptzollamt) requested that Deutsche Post complete a self-assessment questionnaire for the purpose of assessing whether Deutsche Post should be authorised as an authorised economic operator (AEO). (AEO status enables entities to benefit from certain simplifications under customs legislation.) Under this assessment process, certain information (including tax identification numbers) was requested about Deutsche Post's owners, shareholders, directors and other officers, including those responsible for customs matters, as well as details of the tax offices responsible for the taxation of those persons.

Following this request, Deutsche Post brought an action before the Düsseldorf Finance Court, objecting to the obligation to provide the tax identification numbers of the persons concerned and the details of the tax offices responsible for their taxation.

The Düsseldorf Finance Court then referred certain questions to the CJEU for a preliminary ruling. The German court sought to ascertain whether, in light of Article 8(1) of the Charter and the principle of proportionality, the Hauptzollamt could require the provision of personal data such as the tax identification numbers of data subjects and the details of the tax offices responsible for assessing the income tax payable by those persons.

Judgment

The CJEU's decision was delivered on 16 January 2019. The judgment interpreted Regulation 2015/2447 by reference to both the Data Protection Directive and the GDPR. First, the CJEU recalled that tax data, such as tax identification numbers, constitute personal data. Nevertheless, under Regulation 2015/2447, the Hauptzollamt, as the German national customs authority, must comply with the principles relating to data quality and the lawfulness of data processing when processing personal data in the course of carrying out its activities.

In this case, the tax identification numbers of natural persons were originally collected by the employer in order to ensure compliance with income tax legislation and, specifically, to ensure that the employer could comply with its obligation to deduct and collect income tax at source. In those circumstances, the CJEU found that the collection of personal data by a national customs authority (such as the Hauptzollamt), for the purpose of deciding an application for AEO status in respect of the entity, was necessary in order to comply with Regulation 2015/2447. Specifically, a national customs authority must ascertain not only whether an applicant for AEO status complies with Regulation 2015/2447, but also whether any relevant natural persons within that applicant's organisation have committed any serious or repeated infringements of that legislation or of taxation rules, having regard to their level of responsibility within the applicant's organisation, regardless of whether those infringements relate to the applicant's economic activity. To that extent, the CJEU noted that the data are therefore collected and processed for specified, explicit and legitimate purposes. Furthermore, the CJEU indicated strongly that the data collected by national customs authorities, namely the tax identification numbers of the natural persons listed in Regulation 2015/2447, are adequate, relevant and not excessive in relation to the purposes for which they were collected.

The CJEU ultimately ruled that the collection by a national customs authority, such as the Hauptzollamt, from an applicant for AEO status, of the tax numbers allocated for income tax purposes relating only to the natural persons who are in charge of the applicant or who exercise control over its management and those in charge of the applicant's customs matters, together with the details of the tax offices responsible for the taxation of those persons, is permitted insofar as such data enable those authorities to obtain information on serious or repeated infringements of customs legislation or taxation rules, or on serious criminal offences committed by those natural persons in relation to their economic activity.


Appendix II

Litigation concerning Standard Contractual Clauses

Data Protection Commissioner v. Facebook Ireland Limited and Maximilian Schrems [Record No. 2016/4809 P]

On 31 May 2016, the Commissioner (Data Protection Commissioner) commenced proceedings in the Irish High Court seeking a reference to the Court of Justice of the European Union (CJEU) regarding the validity of “Standard Contractual Clauses” (SCCs). SCCs are a mechanism, established by a number of decisions of the EU Commission, under which personal data can currently be transferred from the EU to the USA. The Commissioner brought those proceedings in accordance with the procedure laid down by the CJEU in its judgment of 6 October 2015 (which struck down the Safe Harbour regime for transferring personal data from the EU to the USA). The CJEU ruled that an EU data protection authority must follow that procedure (which involves seeking a reference to the CJEU) where it considers that a complaint made by a data subject concerning an EU instrument, such as a decision of the EU Commission, is well founded.

(1) Background

The proceedings brought by the Commissioner originated in the original complaint made by Mr Maximilian Schrems to the Commissioner in June 2013 about Facebook, concerning the transfer of personal data by Facebook Ireland to its parent company, Facebook Inc., in the USA. Mr Schrems was concerned that his personal data were being, or could be, unlawfully accessed by state security agencies in the USA as a result of Facebook Ireland transferring his personal data to Facebook Inc. Mr Schrems's concern arose in light of the disclosures by Edward Snowden about certain programmes said to be operated by the US National Security Agency, in particular a programme entitled “PRISM”. The Commissioner at the time declined to investigate that complaint on the basis that it concerned a decision of the EU Commission (which established the Safe Harbour regime for transferring data from the EU to the USA) and that he was therefore required under the national and EU law then in force to give effect to that decision of the EU Commission. Mr Schrems brought judicial review proceedings against the Commissioner's decision not to investigate his complaint. As a result of that action, the Irish High Court referred the case to the CJEU, and that Court delivered its decision on 6 October 2015.

(2) The CJEU procedure for complaints about EU Commission decisions


The CJEU's ruling of 6 October 2015 clarified that, where a complaint is made to an EU data protection authority alleging that a decision of the EU Commission is incompatible with the protection of privacy and of fundamental rights and freedoms, the relevant data protection authority must examine the complaint, even though the data protection authority cannot itself set aside or disapply that decision. The CJEU ruled that, where the data protection authority considers the complaint to be well founded, it must bring legal proceedings before the national court, and where the national court shares the same doubts as to the validity of that EU Commission decision, the national court must then refer the case to the CJEU for a preliminary ruling on the validity of that EU Commission decision. As noted above, in its judgment of 6 October 2015 the CJEU struck down the EU Commission decision that underpinned the Safe Harbour regime for transferring personal data from the EU to the USA.

(3) The Commissioner's draft decision

Following the striking down of the Safe Harbour regime for transferring personal data, Mr Schrems reformulated and resubmitted his complaint to take account of that development. The Commissioner agreed to proceed on the basis of that reformulated complaint. The Commissioner then examined Mr Schrems's complaint in light of certain articles of the Charter of Fundamental Rights of the European Union (the Charter), including Article 47 (the right to an effective remedy where rights and freedoms guaranteed by EU law are violated). In investigating Mr Schrems's reformulated complaint, the Commissioner found that Facebook Ireland continued to transfer personal data to Facebook Inc. in the USA, relying substantially on the use of SCCs. Arising from her investigation of Mr Schrems's reformulated complaint, the Commissioner formed the preliminary view (as expressed in a draft decision of 24 May 2016 and subject to further submissions from the parties) that Mr Schrems's complaint was well founded. This was based on the Commissioner's draft finding that a legal remedy compatible with Article 47 of the Charter is not available in the USA to EU citizens whose data are transferred to the USA, where those data may be at risk of being accessed and processed by US State agencies for national security purposes in a manner incompatible with Articles 7 and 8 of the Charter. It was a further preliminary view of the Commissioner that SCCs do not address this absence of a remedy compatible with Article 47, and that SCCs themselves are therefore likely to offend against Article 47 insofar as they purport to legitimise the transfer of the personal data of EU citizens to the USA.

(4) The Proceedings and the Hearing

The Commissioner therefore commenced legal proceedings in the Irish High Court seeking declarations as to the validity of the EU Commission decisions concerning SCCs and a preliminary reference to the CJEU on that issue. The Commissioner sought no specific relief in the proceedings against Facebook Ireland or against Mr Schrems. However, both were named as parties to the proceedings in order to give them the opportunity (but not to oblige them) to participate fully, because the outcome of the proceedings would affect the Commissioner's consideration of Mr Schrems's complaint against Facebook Ireland. Both parties chose to participate fully in the proceedings. Ten interested third parties applied to be joined to the proceedings as amicus curiae (“friends of the court”), and the Court ruled that four of those ten parties (the US Government, BSA The Software Alliance, Digital Europe and EPIC (Electronic Privacy Information Centre)) should be joined as amici.

The hearing of the proceedings took place before Ms Justice Costello in the Irish High Court (Commercial Division) over 21 days in February and March 2017, and judgment was reserved at the end of the hearing. In summary, legal submissions were made on behalf of: (i) each of the parties, namely the Commissioner, Facebook Ireland and Mr Schrems; and (ii) each of the “friends of the Court”, as noted above. The Court also heard oral evidence from five expert witnesses on US law, as follows:

• Ms Ashley Gorski, expert witness on behalf of Mr Schrems;
• Professor Neil Richards, expert witness on behalf of the DPC;
• Mr Andrew Serwin, expert witness on behalf of the DPC;
• Professor Peter Swire, expert witness on behalf of Facebook; and
• Professor Stephen Vladeck, expert witness on behalf of Facebook.

In the interim period between the end of the trial and the delivery of judgment on 3 October 2017 (see below), the parties provided the Court with a number of updates on case law and other developments.

(5) High Court Judgment


Ms Justice Costello delivered judgment on 3 October 2017 by way of a 152-page written judgment. The Court also provided an executive summary of the judgment.

In the judgment, Ms Justice Costello found that the concerns expressed by the Commissioner in her draft decision of 24 May 2016 were well founded, and that certain of the issues raised in the proceedings should be referred to the CJEU so that the CJEU could rule on the validity of the European Commission decisions that established SCCs as a means of transferring personal data. Specifically, the Court found that the DPC's draft findings, as set out in her draft decision of 24 May 2016, were well founded, namely that US laws and practices did not respect the right of an EU citizen under Article 47 of the Charter to an effective remedy before an independent tribunal (which, the Court noted, applies in respect of the data of every EU data subject whose data are transferred to the USA).

In her judgment of 3 October 2017, Ms Justice Costello also decided, because the parties had indicated that they wished to be heard on the questions to be referred to the CJEU, that she would list the matter for submissions from the parties and would then determine the questions to be referred to the CJEU. The parties to the case, together with the amici curiae, made submissions to the Court, inter alia, on the questions to be referred, on 1 December 2017 and on 16, 17 and 18 January 2018. During those hearings, submissions were also made on behalf of Facebook and the US Government regarding “errors” which they alleged had been made in the judgment of 3 October 2017. The Court reserved judgment on those matters.

(6) Questions to be referred to the CJEU

On 12 April 2018, Ms Justice Costello notified the parties of her request for a preliminary ruling from the CJEU pursuant to Article 267 TFEU. This document sets out 11 specific questions to be referred to the CJEU, together with the background to the proceedings.

On the same date, Ms Justice Costello indicated that she had made a number of amendments to her judgment of 3 October 2017, specifically to paragraphs 175, 176, 191, 192, 207, 213, 215, 216, 220, 221 and 239. During that hearing, Facebook indicated that it wished to consider whether to appeal the High Court's decision to make the reference to the CJEU and, if so, to seek a stay on the reference made by the High Court to the CJEU. On that basis, the High Court listed the case for 30 April 2018.

When the proceedings came before the High Court on 30 April 2018, Facebook applied for a stay on the High Court's reference to the CJEU pending an appeal it had brought against the reference. The parties made submissions on Facebook's application for a stay.

On 2 May 2018, Ms Justice Costello delivered her judgment on Facebook's application for a stay on the High Court's reference to the CJEU. In her judgment, Ms Justice Costello refused Facebook's application for a stay and found that the least injustice would be done if the High Court refused any stay and made the reference to the CJEU immediately.

(7) Appeal to the Supreme Court

On 11 May 2018, Facebook lodged an appeal and sought leave to appeal to the Supreme Court against the judgment of 3 October 2017, the revised judgment of 12 April 2018 and the judgment of 2 May 2018 refusing a stay. Facebook's application for leave to appeal to the Supreme Court was heard on 17 July 2018. During the latter part of 2018, there were numerous procedural hearings in the Supreme Court in preparation for the substantive hearing. The substantive hearing of the appeal took place over 21, 22 and 23 January 2018 before a panel of five Supreme Court judges comprising the Chief Justice, Clarke CJ, together with Charleton J, Dunne J, Finlay Geoghegan J and O'Donnell J. Oral argument was made on behalf of Facebook, the DPC, the United States Government and Mr Schrems. The central questions arising from the appeal concerned whether the Supreme Court could, as a matter of law, revisit findings of fact concerning US law that had been made by the High Court. This arose from allegations by Facebook and the US Government that the High Court judgment, which underpinned the reference made to the CJEU, contained various factual errors regarding US law.

On 31 May 2019, the Supreme Court delivered its principal judgment, which ran to 77 pages. In summary, the Supreme Court dismissed Facebook's appeal in its entirety. In doing so, the Supreme Court held:

• It was not open to it, under Irish or EU law, to hear any appeal against the High Court's decision to make a reference to the CJEU. Nor was it open to the Supreme Court to hear any appeal concerning the terms of such a reference (i.e. the specific questions that the High Court referred to the CJEU). The Supreme Court held that the issue of a reference to the CJEU was a matter for the Irish High Court, and for it alone, to determine. Accordingly, it was not appropriate for the Supreme Court, in the context of Facebook's appeal, to adjudicate on the High Court's analysis leading to its conclusion that the Court shared the DPC's concerns as to the validity of the SCC decision. This was because that issue was inextricably bound up with the High Court's decision to make a reference to the CJEU, and it was not open to Facebook to pursue it as a point of appeal.

• However, it was open to the Supreme Court to consider whether the facts as found by the High Court (i.e. those facts that underpinned the reference made to the CJEU) were sustainable by reference to the evidence placed before the High Court, or whether those findings should be set aside.

• Although Facebook had contested certain key findings of fact made by the High Court concerning US law, based on the expert evidence placed before the High Court, the Supreme Court identified no findings of fact that were unsustainable. Accordingly, the Supreme Court did not reverse any of the findings of fact made by the High Court. Rather, the Supreme Court was of the view that Facebook's criticisms of the High Court judgment related to the proper characterisation of the underlying facts rather than to the facts themselves.

(8) Hearing before the CJEU

The CJEU (Grand Chamber) held an oral hearing on the reference made to it by the Irish High Court on 9 July 2019. The CJEU sat in a composition of 15 judges, including the President of the CJEU, Judge Koen Lenaerts. The Judge Rapporteur appointed is Judge Thomas von Danwitz. The Advocate General assigned to the case is Henrik Saugmandsgaard Øe.

At the hearing, the DPC, Mr Schrems and Facebook made oral submissions before the CJEU. The four parties that had been joined as amicus curiae (“friends of the court”) to the case before the Irish court (the USA, EPIC, BSA The Software Alliance and Digital Europe) were also permitted to make oral submissions. In addition, the European Parliament, the European Commission and a number of Member States (Austria, France, Germany, Ireland, the Netherlands and the United Kingdom), each of which had intervened in the proceedings, also made oral submissions at the hearing before the CJEU. Furthermore, at the invitation of the CJEU, the European Data Protection Board (EDPB) made a presentation before the CJEU on specific issues.

(9) Opinion of the Advocate General


The Opinion of Advocate General Saugmandsgaard Øe (the AG) was delivered on 19 December 2019.

In this Opinion, as a preliminary matter, the AG noted that the DPC had brought proceedings in respect of Mr Schrems's complaint before the referring national court in accordance with paragraph 65 of the CJEU judgment of 6 October 2015 (described in more detail above). The AG also concluded that the request for a preliminary ruling was admissible.

As regards the questions referred to the CJEU by the Irish High Court, the AG deliberately confined his consideration to the validity of the Commission Decision underpinning the SCCs (the SCC Decision). From the outset, the AG noted that his analysis in the Opinion was guided by the desire to strike a balance between the need to show a reasonable degree of pragmatism in order to allow interaction with other parts of the world, and the need to assert the fundamental values recognised in the legal orders of the EU and its Member States and in the Charter of Fundamental Rights and Freedoms. He was also of the view that the SCC Decision must be examined by reference to the provisions of the GDPR (rather than the Data Protection Directive (Directive 95/46)) in accordance with Article 94(2) GDPR, and the AG also noted that the relevant provisions of the GDPR essentially reproduce the corresponding provisions of the Data Protection Directive.

The AG was of the view that EU law applies to the transfer of personal data from a Member State to a third country where that transfer forms part of a commercial activity. In this regard, the AG's view was that EU law applies to a transfer of this kind regardless of the fact that the personal data transferred may be processed by the public authorities of the third country for the purpose of protecting that country's national security. As regards the nature of the SCCs, the AG was of the view that the SCCs constitute a general mechanism applicable to transfers irrespective of the third country to which the data are going and the level of protection guaranteed there.

As regards the test for the level of protection required under the safeguards (which may be provided by SCCs) referred to in Article 46 of the GDPR, where personal data are transferred out of the EU to a third country that does not have an adequacy decision, the AG's view was that the level of protection offered by such safeguards must be essentially equivalent to that offered to data subjects in the EU by the GDPR and the Charter of Fundamental Rights. Accordingly, the requirements for protecting the fundamental rights guaranteed under the Charter do not vary depending on the legal basis for the data transfer.

Following a detailed examination of the nature and content of the SCCs, the AG concluded that the SCC Decision was not invalid in the light of the Charter. He was of the view that, since the purpose of the SCCs was to compensate for any deficiencies in the protection of personal data offered by a third country, the validity of the SCC Decision could not depend on the level of protection in the third country. Rather, the question of validity must be assessed by reference to the soundness of the safeguards offered by the SCCs to remedy the deficiencies of protection in the third country. That assessment must take into account the safeguards comprising the powers of the supervisory authorities under the GDPR. Since the SCCs place responsibility on the controller (the exporter) and, in the alternative, on the supervisory authorities, this meant that the controller must assess transfers on a case-by-case basis, and in the alternative the supervisory authority must do so, to determine whether the laws of the third country are an obstacle to an adequate level of protection for the transferred data, such that data transfers must be prohibited or suspended.

The AG then went on to consider the nature of the obligations of a controller exporting personal data, which included, according to the AG, a mandatory obligation to suspend data transfers or to terminate the contract with an importer if the importer could not comply with the provisions of the SCCs. The AG considered the importer's obligations in that regard and made a number of observations on the nature of the examination of the third country's laws that should be carried out by the exporter and the importer.

The AG also referred to the right of data subjects who believe there has been a breach of the provisions of the SCCs to lodge a complaint with the supervisory authorities, and went on to consider what he regarded as the role of the supervisory authority in that context. In essence, the AG considered that where, following an examination, a supervisory authority takes the view that data transferred to a third country do not enjoy appropriate protection because the SCCs are not being complied with, the authority must take appropriate steps to remedy that illegality, if necessary by ordering the suspension of the transfer. The AG noted the DPC's submissions that the power to suspend transfers could only be exercised on a case-by-case basis and would not address systemic issues arising from a lack of adequate protection in a third country. On that point, the AG referred to practical difficulties associated with the legislative choice to place responsibility on supervisory authorities for ensuring that data subjects' rights are respected in the context of transfers or data flows to a particular recipient, but said that it did not appear to him that those difficulties rendered the SCC Decision invalid.

While noting that the Irish High Court had not specifically referred to the CJEU the question of the validity of the Privacy Shield, the AG considered that some of the questions raised by the Irish High Court indirectly raised the validity of the adequacy decisions made by the European Commission in respect of the Privacy Shield. The AG considered that it would be premature at that time for the Court to rule on the validity of the Privacy Shield in the context of this reference, although he noted that the answers to the questions raised by the Irish High Court about the Privacy Shield might ultimately assist the DPC in the future in deciding whether the transfers in question should be suspended altogether because of an alleged lack of appropriate safeguards. But the AG also referred to the possibility that the DPC, in its continued examination of Mr Schrems's complaint following delivery of the Court's judgment, might conclude that the complaint could not be determined unless the CJEU had first ruled on whether the existence of the Privacy Shield was an obstacle to the DPC exercising its power to suspend the transfers in question. The AG noted that in such circumstances, if the DPC had doubts about the validity of the Privacy Shield, it would be open to the DPC to bring the question before the Irish Court again so that a further reference on this point could be made to the CJEU.

However, despite taking the position that the Court should, in the context of this reference, refrain from ruling on the validity of the Privacy Shield in its judgment, the AG went on to set out, in the alternative, a number of "non-exhaustive observations" on the implications and validity of the Privacy Shield decision. These observations were set out over approximately 40 pages of detailed analysis, including analysis of the scope of everything relating to "essential equivalence" of protection in a third country, the possible interferences with data subjects' rights in respect of data transferred to the United States by national intelligence agencies, the necessity and proportionality of such interferences, and the laws and practices of the United States, including those relating to the question of whether an effective judicial remedy exists in the United States for persons whose data were transferred to the United States and whose data protection rights were subject to interferences by United States intelligence agencies. Having carried out that analysis, the AG ultimately concluded by expressing doubts as to the compatibility of the Privacy Shield with the provisions of EU law.

The AG's Opinion is not binding on the CJEU. The CJEU is expected to deliver its judgment on the matters referred to it by the Irish High Court at some point in 2020.

Materials relating to the proceedings


The various judgments referred to above, the questions referred to the CJEU, the expert evidence on behalf of the DPC and the transcripts of the trial before the High Court are available on the DPC's website.


Appendix III

The DPC's investigation into the processing of personal data by the DEASP in relation to the Public Services Card

The DPC's report

On 15 August 2019, the DPC delivered its report on the first part of its investigation into the processing of personal data being carried out by the Department of Employment Affairs and Social Protection (DEASP) in relation to the Public Services Card (PSC), including the DEASP's "SAFE 2" registration process.

The DEASP published the report on its own website on 17 September 2019 [7], together with its own response [8].

The first part of the DPC's investigation focused on a specific and limited number of issues. In particular, the DPC examined the legal basis on which personal data were being processed by the DEASP in relation to the PSC, and whether the information provided to data subjects about the processing of their personal data in that context satisfied the applicable legal requirements in terms of transparency. (The DPC's investigation of certain other aspects of the processing being carried out by the DEASP in relation to the PSC is continuing, as detailed below.)

Legal framework for the DPC's investigation

Because the PSC scheme (and the DPC's investigation) was under way before the GDPR came into force (the investigation commenced in October 2017), the DPC's findings were arrived at by reference to certain obligations imposed on a controller under the Data Protection Acts 1988 and 2003 rather than under the GDPR. (This is specifically mandated by the Data Protection Act 2018, which was introduced in 2018 to facilitate the application of certain aspects of the GDPR at national level.) For completeness, it should be noted that the report also includes some (non-binding) material addressing the applicable provisions of the GDPR.

Findings

Eight findings were made in the DPC's report. Three of those relate to the issue of legal basis; the other five relate to issues of transparency.

[7] Available at http://m.welfare.ie/en/pressoffice/Pages/pr170919.aspx

[8] Under the applicable legislation, it is not open to the DPC to publish the report itself. The DPC issued a statement on its own website outlining the scope of the investigation and summarising the findings of the report.


Seven of the eight findings went against the DEASP's position, in that the DPC found that there is, or was, non-compliance with the applicable provisions of data protection law.

In summary, the DPC found:

• That there was a legal basis under applicable data protection law for certain processing of personal data carried out by the DEASP in connection with the issuing of PSCs for the purpose of validating the identity of a person claiming, receiving or presenting for a benefit payment.

• That there was no legal basis under applicable data protection law for certain processing of personal data carried out by the DEASP in connection with the issuing of PSCs for the purpose of transactions between individuals and other specified public bodies (i.e. bodies other than the DEASP itself); specifically, such processing contravenes Section 2A of the Data Protection Acts 1988 and 2003.

• That the indefinite retention of supporting documents and information provided by persons applying to the DEASP for a PSC contravenes Section 2(1)(c)(iv) of the Data Protection Acts 1988 and 2003, because such data are being retained for periods longer than is necessary for the purposes for which they were originally collected.

• That the scheme does not comply, in terms of transparency, with Section 2D of the Data Protection Acts 1988 and 2003, because the information provided by the DEASP to the public about the processing of their personal data in connection with the issuing of PSCs is inadequate.

In accordance with the DPC's statement of 16 August 2019 (referred to above), the DPC has decided that PSCs already issued by the DEASP will not be treated as invalid and, likewise, that individuals who access benefits (including free travel) using the PSC will still be able to do so.

Requirements to address the contraventions identified in the report

On delivering its report, the DPC informed the DEASP that it would defer enforcement action in order to give the Department an opportunity to identify the measures it must implement to bring the PSC scheme into compliance with data protection legislation and to resolve the contraventions identified in the report. The DPC asked the DEASP to develop and submit its implementation plan within 6 weeks, and to ensure that the measures necessary to bring the scheme into compliance were in place no later than 31 December 2019. Separately, however, the DPC asked the DEASP to take two specific steps within a period of 21 days:

(1) Cease all processing of data undertaken in connection with the issuing of PSCs where a PSC is being issued solely for the purpose of a transaction between a member of the public and a specified public body (i.e. a public body other than the DEASP itself).

(2) Notify all public bodies that require the production of a PSC as a precondition for entering into a transaction with (or providing a public service to) a member of the public that the DEASP will not be in a position to issue PSCs to such persons in the future.

The DEASP's response to the DPC's findings

The DEASP wrote to the DPC on 3 September 2019 stating that, having carefully considered the content of the report, together with advice received from the Office of the Attorney General, the Minister was satisfied, notwithstanding the DPC's position, that there was a robust legal basis for the processing of personal data in connection with the PSC. The letter also set out the Minister's position that the information provided to users of the scheme satisfied the applicable statutory requirements on transparency. Against that background, the letter noted that the Minister considered that it would be inappropriate, and potentially unlawful, to take the measures being demanded by the DPC. Accordingly, the letter indicated that the Minister had decided that the DEASP would continue to operate the PSC scheme and the SAFE 2 identity authentication process without change.

Despite rejecting the report and refusing to set out and implement measures to bring the scheme into compliance, the letter of 3 September nonetheless proposed that the DEASP and the DPC meet to explore whether measures could be agreed that would avoid enforcement proceedings.

The Minister (together with the Minister for Public Expenditure and Reform) issued a statement on the same date, in terms reflecting the content of the letter of 3 September.

The DPC replied to the DEASP by letter dated 5 September 2019, explaining the reasons why the DPC considered, in light of the rejection of the report and the Minister's stated decision to continue operating the PSC scheme without change, that there could be no basis for engagement between the parties in the manner, or for the purpose, proposed. The letter concluded by noting that, as the DEASP had not accepted the findings of the report, and as it was clear that the DEASP would not prepare or implement any plan to address the points of non-compliance identified in those findings, the basis on which the DPC had deferred enforcement action no longer applied. Accordingly, the letter indicated that the DPC would now proceed to enforcement.

Following the exchange of further correspondence between the parties in the interim, the DEASP published its response to the DPC's report on its website on 17 October 2019, along with a statement from the Minister. In addition to reiterating that neither the Minister nor the DEASP accepted the findings in the DPC's report, the response and the statement restated the view of the Minister and the DEASP that the PSC has a robust legal basis and that the DEASP will therefore continue to issue PSCs for use by a number of public bodies across the public sector. The DEASP's response also criticised certain aspects of the report, the investigation process followed by the DPC, and the process by which the DPC had asked the DEASP to engage in identifying measures to resolve the contraventions of data protection law identified in the report. The DEASP reiterated once more, in very clear terms, the position it was taking, namely to continue operating the PSC and the SAFE registration process as it has done to date.

Enforcement action by the DPC

An enforcement notice under Section 10 of the Data Protection Acts 1988 and 2003 was ultimately issued on 6 December 2019. That notice, addressed to the Minister (acting through the DEASP), directs that a range of steps be taken to resolve the contraventions identified in the DPC's report.

The Minister has since appealed the enforcement notice to the Circuit Court. The appeal is expected to be heard at some point during 2020.

Continuation of the DPC's investigation into other aspects of the processing

Separately, the DPC is continuing its investigation into a number of other aspects of the processing undertaken by the DEASP in connection with the issuing of PSCs and the SAFE 2 registration system, including the security of the processing, the facial matching processing carried out by the DEASP in relation to the PSC, and issues concerning specific uses of the PSC.


Appendix IV: Statement on Internal Controls in respect of the DPC for the period 1 January 2019 to 31 December 2019

Scope of Responsibility

On behalf of the DPC, I acknowledge responsibility for ensuring that an effective system of internal control is maintained and operated. This responsibility takes account of the requirements of the Code of Practice for the Governance of State Bodies (2016).

Purpose of the System of Internal Control

The DPC's system of internal control is designed to manage risk to a tolerable level rather than to eliminate it. The system can therefore provide only reasonable, and not absolute, assurance that assets are safeguarded, that transactions are authorised and properly recorded, and that material errors or irregularities are either prevented or detected in a timely manner.

The system of internal control, which accords with guidance issued by the Department of Public Expenditure and Reform, has been in place in the office of the DPC for the period from 1 January to 31 December 2019 and up to the date of approval of the financial statements for that period.

Capacity to Handle Risk

The DPC's Senior Management Committee (SMC) acts as the risk committee for the organisation.

The Internal Audit function conducts audits of financial and other controls in the DPC, in line with its annual audit programme. The DJE Internal Audit Unit carried out an audit at the DPC during 2019.

The DPC's management team has developed a risk management policy which sets out its risk appetite, the risk management processes in place, and the roles and responsibilities of staff in relation to risk. The policy has been issued to all staff, who are expected to work within the DPC's risk management policies, to alert management to emerging risks and control weaknesses, and to assume responsibility for risks and controls within their own area of work.

Risk and Control Framework

The DPC has implemented a risk management system which identifies and reports key risks and the management actions being taken to address and, to the extent possible, mitigate those risks.

A risk register identifies the key risks facing the DPC; these have been identified, evaluated and graded according to their significance. The SMC reviews and updates the register on a quarterly basis. The outcome of these assessments is used to plan and allocate resources so as to ensure that risks are managed to an acceptable level. The risk register details the controls and actions needed to mitigate risks, and responsibility for the operation of controls is assigned to specific staff.

I confirm that a control environment containing the following elements is in place:

• Procedures for all key business processes have been documented.

• Financial responsibilities have been assigned at management level with corresponding accountability.

• There is an appropriate budgeting system, with an annual budget which is kept under review by senior management.

• There are systems aimed at ensuring the security of the information and communications technology systems. The DJE's ICT Division provides ICT services to the DPC and has provided an assurance statement setting out the control processes in place in 2019.

• There are systems in place to safeguard the DPC's assets. No grant funding of external agencies takes place.

• The National Shared Services Office provides shared Human Resources and Payroll services. The National Shared Services Office provides annual assurances on the services provided, which are audited under ISAE 3402 certification processes.

Ongoing Monitoring and Review

Formal procedures have been established for monitoring control processes, and control deficiencies are communicated in a timely way to those responsible for taking corrective action and to management, where relevant. I confirm that the following ongoing monitoring systems are in place:

• Key risks and related controls have been identified, and processes have been put in place to monitor the operation of those key controls and to report any identified deficiencies.

• The DJE Internal Audit Unit carries out an annual audit of financial and other controls.

• Reporting arrangements have been established at all levels where responsibility for financial management has been assigned.

• Senior management regularly reviews periodic and annual performance and financial reports which indicate performance against budgets/forecasts.

Procurement

I confirm that the DPC has procedures in place to ensure compliance with current procurement rules and guidelines, and that the DPC complied with those procedures between 1 January and 31 December 2019.

Review of Effectiveness

I confirm that the DPC has procedures in place to monitor the effectiveness of its risk management and control procedures. The DPC's monitoring and review of the effectiveness of the system of internal financial control is informed by the work of the internal and external auditors, the Audit Committee of the Department of Justice and Equality, and the SMC.

The DJE Internal Audit Unit performs the DPC's Internal Audit function under the oversight of the Audit Committee for Vote 24 (Justice), to provide assurance on internal controls and oversight.

The Internal Audit Unit carried out an audit at the DPC during 2019 and reviewed the effectiveness of internal controls. It should be noted that this extended beyond financial controls and also examined ICT controls, management practices and other governance processes. I confirm that the DPC's SMC kept internal controls under review between 1 January and 31 December 2019.

Helen Dixon

Data Protection Commissioner


Appendix 5: Report on Protected Disclosures received by the Data Protection Commission in 2019

The policy operated by the Data Protection Commission (DPC) under the terms of the Protected Disclosures Act 2014 is designed to facilitate and encourage all workers to raise genuine concerns internally about possible wrongdoing in the workplace, so that these concerns can be investigated in accordance with the principles of natural justice and addressed in a manner appropriate to the circumstances of the case.

Section 22 of the Protected Disclosures Act 2014 requires public bodies to prepare and publish a report, in anonymised form, by 30 June each year.

Pursuant to this requirement, the DPC confirms that in 2019:

• No internal protected disclosures (from DPC staff) were received.

• Six protected disclosures (set out in the table below) were received from individuals outside the DPC concerning data protection issues within other entities. These matters were raised with the DPC in its role as a 'prescribed person' as provided for under Section 7 of the Protected Disclosures Act (listed in SI 339/2014 as amended by SI 448/2015).

Reference Number | Type | Date Received | Status | Outcome
1/19/1/16 | Section 7 (external, to 'prescribed person') | 6 November 2019 | Open | Under examination
1/19/1/15 | Section 7 (external, to 'prescribed person') | 3 April 2019 | Closed | Closed: the complainant did not pursue the matter.
1/19/1/14 | Section 7 (external, to 'prescribed person') | 16 March 2019 | Open | Being investigated under Article 57(1)(f) of the GDPR
1/19/1/13 | Section 7 (external, to 'prescribed person') | 1 March 2019 | Closed | Closed: not a protected disclosure; to be handled as a standard data protection complaint
1/19/1/12 | Section 7 (external, to 'prescribed person') | 2 March 2019 | Closed | Closed: the complainant did not pursue the matter.
1/19/1/11 | Section 7 (external, to 'prescribed person') | 4 February 2019 | Closed | Closed: the complainant failed to provide evidence of data protection breaches.


Appendix VI: Financial Statements for the Year 1 January to 31 December 2019

The Account of Receipts and Payments for the year 1 January to 31 December 2019 is being prepared by the DPC and will be appended to this report once the audit for that year has been completed by the Comptroller and Auditor General.


Appendix: Organisation Chart


[Organisation chart: figure not reproduced. The roles and names extracted from it, in reading order, are:]

• Commissioner Helen Dixon
• Corporate Affairs & Communications Graham Doyle
• Strategy, Operations & International Jennifer O’Sullivan
• Head of Legal Anna Morgan
• Head of Regulatory Activity Dale Sunderland
• Head of Regulatory Activity John O’Dwyer
• Head of Regulatory Activity Tony Delaney
• Head of Regulatory Activity Colum Walsh
• International Affairs & One Stop Shop Operations Laura Flannery
• Operational Performance Emma Flood
• Accounting Officer Project Aisling O’Leary
• Accounting Officer Project & ICT Tom Walsh
• Regulatory Strategy
• Senior Legal Advisor Diarmuid Goulding
• Senior Legal Advisor Nicola Harrison
• Senior Legal Advisor Alison McIntyre
• Senior Legal Advisor Fleur O’Shea
• Senior Legal Advisor Joanne Neary
• Senior Legal Advisor Meg MacMahon
• Senior Investigator Nicola Bayly
• Children’s Data Protection Rights Jenny Dolan
• Policy & Guidance; Codes of Conduct; Shane McNamee
• Technology Policy; Certification Ultan O’Carroll
• Public Sector, Health, & Voluntary Sector Consultation David Murphy
• Private & Financial Sector Consultation Garrett O’Neill
• Multinational Supervision & Engagement; Law Enforcement Consultation Cathal Ryan
• DPC DPO Cathal Ryan
• Amicable Resolution; Breach Notifications & Assessment; Breach Complaints; Section 10 Decisions Sandra Skehan
• Access Request Complaints Handling & Inquiries Maureen Kehoe
• Concerned Supervisory Authority Cases & Decisions Assessmt.; Amicable Resolution; Complaints Handling & Inquiries Gráinne Hawkes
• Law Enforcement Directive Complaints & Inquiries; EU Databases; Borders, Transport, Law Enforcement; Direct Intervention Eunice Delaney
• International Transfers including Binding Corporate Rules Nicola Coogan
• Cross-Border Inquiries Neasa Moore
• Cross-Border Complaints Handling Neill Dougan
• Breach Inquiries Niall Cavanagh
• Breach Inquiries
• Special Investigations; Prosecutions; e-Marketing Complaint Handling First Response & Complaints Assessment Deirdre McGoldrick
• Complaints Handling Anne Slowey
• Inquiries Kathleen O’Sullivan
• Corporate Services & Facilities Recruitment, Staffing, Induction & Training; Communications & Media; DPO Network MB Donnelly
• Finance & Procurement Graham Geoghegan
• Risk & Governance Anne Pickett