Decisions

Decisions issued by the Information and Data Protection Commissioner

YearTypeDescriptionDecisionCorrective ActionDecision Appealed
2021Data Protection ComplaintThe controller sent unsolicited direct marketing electronic communications without using the "blind carbon copy".Infringement of Article 32.1(b) GDPR and Regulation 9.2 of S.L. 586.01Reprimand and warning, in terms of Article 58.2 GDPR
2021Data Protection ComplaintUnauthorized disclosure of personal data to a third partyInfringement of Article 32.1(b) GDPRInstructions, in terms of Article 58.2 GDPR
2021Data Breach NotificationPolicy documents were sent out by postal mail to wrong recipients due to a human mistake of an employeeInfringement of Article 5.1(f) GDPRReprimand, in terms of Article 58.2 GDPR
2021Data Protection ComplaintThe controller posted and shared a photograph on social media, disclosing the registration number of the data subject's vehicleInfringement of Articles 5.1 (c) and 6.1 (f) GDPRInstructions, in terms of Article 58.2 GDPR
2021Data Breach NotificationThe controller disclosed personal emails to unauthorised third parties, using "To" field instead of the "blind carbon copy".Infringement of Articles 5.1 (e)/(f) and 32.1 (b) GDPRReprimand, in terms of Article 58.2 GDPR
2021Data Protection ComplaintAlleged infringement of GDPR when the controller unlawfully leaked data subjects' data to third partiesNo evidence which unequivocally demonstrates unauthorised disclosureNilYes
2021Data Protection ComplaintFollowing a formal representation made to a proposed development, the controller published personal details on its websiteInfringement of Article 5.1 (a) GDPROrders, in terms of Article 58.2 GDPR
2021Data Protection ComplaintInfrigement of GDPR when the controller unlawfully leaked individuals' data (namely a medical report) to third partiesInfringement of Article 9.2 GDPRReprimand, in terms of Article 58.2 GDPR
2021Data Protection ComplaintController disclosed personal data relating to the complainant as a private individual in relation to a holiday trip in 2017, without consent or authorisationInfringement of Articles 5.1 (a) and 6.1 GDPRReprimand and orders, in terms of Article 58.2 GDPR
2021Data Protection ComplaintController failed to reply a data subject access request within one (1) month of receipt of such requestInfringement of Articles 12.3, 15.1 and 15.3 GDPRReprimand and orders, in terms of Article 58.2 GDPR
2021Data Protection Complaintcontroller failed to implement the appropriate technical and organisational measures to ensure the ongoing confidentiality of the complainant’s personal dataInfringement of Articles 5.1 (f) and 32.1 (b)Reprimand and warning, in terms of Article 58.2 GDPR
2021Data Protection ComplaintThe controller failed to provide an updated privacy policy on its website at the time of the subject access request. The policy didn't contain the minimum set of information, failing the controller in providing information relating to the processing of personal data pursuant to the transparency.Infringement of Article 37.7, 5.1 (a), 12.1Reprimand, in terms of Article 58.2 GDPR
2021Data Protection ComplaintCCTV camera capturing public access areas and, or spacesInfringement of Articles 5.1(a) and 6.1 GDPRReprimand and orders, in terms of Article 58.2 GDPR
2021Data Protection ComplaintThe controller failed to blur data subjects faces when uploading a footage on social media, and additionally, identified the complainant by name as one of the person in the footage, without consent or authorisationInfringement of Articles 5.1(a) and 6.1 GDPRReprimand and warning, in terms of Article 58.2 GDPR
2021Data Protection ComplaintCCTV camera capturing public access areas and, or spacesInfringement of Articles 5.1(a) and 6.1 GDPRReprimand and orders, in terms of Article 58.2 GDPRYes
2021Personal Data BreachController infringed the principle of integrity and confidentiality when the complainant's personal data concerning health was disclosed to an unauthorised third party Infringement of Articles 5.1(f) and 32.1(b) GDPRReprimand and orders, in terms of Article 58.2 GDPR
2021Data Protection ComplaintComplainant filed a subject access request, however the identity procedure adopted by the controller imposed an unnecessary burden on the data subjectInfringement of Articles 12.2 and 24.2 GDPRReprimand and orders, in terms of Article 58.2 GDPR
2021Data Protection ComplaintAn employee of the controller unlawfully disclosed the complainant's personal data to an unauthorised mannerInfringement of Articles 5.1(f) and 32.1(b) GDPRReprimand and orders, in terms of Article 58.2 GDPR
2021Data Protection ComplaintController infringed the principle of integrity and confidentiality when annual maintenance invoices regarding the controller were disclosed to an unauthorised third partyInfringement of Articles 5.1(f) and 32.1(b) GDPRReprimand and orders, in terms of Article 58.2 GDPR
2021Data Protection ComplaintController published an email address which was inactive and unattended on its website, creating uncertainty amongst the data subjects who tried to file a subject access requestInfringement of Articles 5.1(a) GDPRReprimand and warning, in terms of Article 58.2 GDPR
2021Data Protection ComplaintController unlawfully disclosed by email the complainant's personal data to an unauthorised third party. The complainant explicitly indicated that such data should remain private and confidentialInfringement of Articles 5.1(f) and 32.1(b) GDPRReprimand and orders, in terms of Article 58.2 GDPR
2021Data Protection ComplaintThe controller published a newspaper information notice containing personal data regarding the complainantNo infringement as the processing is necessary for the the purposes of the legitimate interests of controllerNil
2021Data Protection ComplaintThe controller published a newspaper information notice containing personal data regarding the complainantNo infringement as the processing is necessary for the the purposes of the legitimate interests of controllerNil
2021Data Protection ComplaintThe controller published a newspaper information notice containing personal data regarding the complainantNo infringement as the processing is necessary for the the purposes of the legitimate interests of controllerNil
2021Data Protection ComplaintThe controller provided evidence on the action taken upon a subject access request in due timeNo infringement and complaint dismissedNil
2021Data Protection ComplaintThe IDPC did not come across any evidence of unauthorised disclosure of the complainant's personal dataNo infringement and complaint dismissedNil
2021Data Protection ComplaintComplaint is against the use of a CCTV camera installed on a property. However, such camera is not capturing public access areas and, or spacesNo infringement as there is no processing of personal data in terms of article 4(2)GDPRNil
2021Data Protection ComplaintController failed to erase the complainant's personal data following the exercise of the right of erasureInfringement of Article 17.1 GDPRReprimand and warning, in terms of Article 58.2 GDPR
2021Data Protection ComplaintController failed to implement the appropriate technical and organisational measures to ensure the ongoing confidentiality of the complainant’s personal dataInfringement of Articles 5.1 (f) and 32.1 (b) GDPRReprimand and warning, in terms of Article 58.2 GDPR
2021Data Protection ComplaintThe controller failed to provide the complainant with a copy of certain information which falls within the definition of personal dataInfringement of Article 15 GDPRReprimand and orders, in terms of Article 58.2 GDPR
2021Data Protection ComplaintThe complaint is against the use of a CCTV cameras installed on a property. The controller has a compelling legitimate interst, which is of real existence based on a situation of distressNo infringement in terms of data protection lawNil
2021Data Protection ComplaintThe complaint was on the validity and legality of the disciplinary proceedings and other issues of an employment natureOutside the scope of data protection law and complaint dismissedNil
2021Data Protection ComplaintThe controller failed to provide the complainant with a copy of certain information which falls within the definition of personal dataInfringement of Article 15 GDPRReprimand and orders, in terms of Article 58.2 GDPR
2021Data Protection ComplaintCCTV camera capturing public access areas and, or spacesInfringement of Articles 5.1(a) and 6.1 GDPRReprimand and orders, in terms of Article 58.2 GDPR
2021Data Protection ComplaintCCTV camera capturing public access areas and, or spacesInfringement of Articles 5.1(a) and 6.1 GDPRReprimand and orders, in terms of Article 58.2 GDPR
2021Data Protection ComplaintCCTV camera capturing public access areas and, or spacesInfringement of Articles 5.1(a) and 6.1 GDPRReprimand and orders, in terms of Article 58.2 GDPR
2021Data Protection ComplaintCCTV camera capturing public access areas and, or spacesInfringement of Articles 5.1(a) and 6.1 GDPRReprimand and orders, in terms of Article 58.2 GDPR
2021Data Protection ComplaintController failed to erase the complainant's personal data following the exercise of the right of erasureInfringement of Article 17.1 GDPRReprimand and orders, in terms of Article 58.2 GDPR
2021Data Protection ComplaintController failed to provide the complainant with a copy of personal data and failed to erase personal data following the exercise of his/her data subject rightInfringements of Articles 12.3, 12.4, 15.1, 15.3 GDPRReprimand and orders, in terms of Article 58.2 GDPR
2021Data Protection ComplaintController accessed personal data concerning the complainant in an unauthorised mannerInfringements of Articles 5.1(b), 5.1(f), and 32.1(b) GDPRReprimand and warning, in terms of Article 58.2 GDPR
YearTypeDescriptionDecisionCorrective ActionDecision Appealed
2020Data Protection ComplaintUnauthorized use of personal data leading to employment disciplinary proceedingsInfringement of Articles 5.1(c) and 6.1 GDPRReprimand and instructions, in terms of Article 58.2 GDPRNo
2020Data Protection ComplaintPersonal data contained in a condition report disclosed to other occupants of third party properties Infringement of Article 5.1(a) GDPRReprimand and instructions, in terms of Article 58.2 GDPRNo
2020Data Protection ComplaintInstallation of CCTV cameras at an establishment without affixing proper signageInfringement of Articles 13 and 5.1 GDPRReprimand and instructions, in terms of Article 58.2 GDPRNo
2020Data Protection ComplaintCCTV camera capturing public spacesInfringement of Articles 5.1(c) and 6.1 GDPRReprimand and instructions, in terms of Article 58.2 GDPRNo
2020Data Protection ComplaintProcessing of personal data without the consent of the data subjectInfringement of Articles 5.1(a) and 6.1 GDPRReprimand and instructions, in terms of Article 58.2 GDPR
2020Personal Data BreachUnauthorized disclosure of personal data to a third partyInfringement of Article 5.1(f) GDPRReprimand and instructions, in terms of Article 58.2 GDPRNo
2020Personal Data BreachHacking attack attempting to access online users', by making use of usernames and passwords originating from a third-party databaseInfringement of Article 5. (f) GDPRReprimand and instructions, in terms of Article 58.2 GDPRNo
2020Personal Data BreachHacking attack attempting to access online users', by making use of usernames and passwords originating from a third-party databaseInfringement of Article 5 (f)Reprimand and instructions, in terms of Article 58.2 GDPRNo
2020Personal Data BreachHacking attack using bots attempting to login into users' accountController has sufficient and appropriate technical and organisational measures in placeNilNo
2020Personal Data BreachFormer employee processed the controller's data for own purposesInfringement of Article 32.1(b) GDPRReprimand and instructions, in terms of Article 58.2 GDPRNo
2020Personal Data BreachUnauthorized disclosure of the complainant's confidential data to an external clientInfringement of Articles 5.1(f) and 32.1(b) GDPRAdministrative fine of €5,000, in terms of Article 58.2 (i) GDPRNo
2020Personal Data BreachAccidental loss of personal data when a box of documents which contained employment filled-in forms went missingInfringement of Article 32.1(b) GDPRAdministrative fine of €2,500 and orders, in terms of Article 58.2 GDPRNo
2020Personal Data BreachDisclosure of personal email addresses to all the recipients of the emailInfringement of Article 32.1(b) GDPRAdministrative fine of €2,500, in terms of Article 58.2 (i) GDPRNo
2020Personal Data BreachA third party gained unauthorized access to an account held by another individual Infringement of Article 32.1(b) GDPRAdministrative fine of €2,000, in terms of Article 58.2 (i) GDPRNo
2020Personal Data BreachUnauthorized disclosure of personal data to third partiesInfringement of Article 5.1(f) GDPRReprimand and warning, in terms of Article 58.2 GDPRNo
2020Personal Data BreachPersonal data was erroneously disclosed to an unintended recipientThe remedial action taken by the data controller has mitigated the posed riskInstructions, in terms of Article 58.2 GDPRNo
2020Personal Data BreachDisclosure of personal email addresses to all the recipients of the emailInfringement of Articles 5.1(f) and 32.1(b) GDPRAdministrative fine of €2,500, in terms of Article 58.2 (i) GDPRNo
2020Data Protection ComplaintUnsolicited sending of numerous direct marketing electronic communications without consent and right to object request ignoredInfringement of Articles 6,7 and 21 GDPR and regulation 9 of S.L 586.01Administrative fine of €15,000 and orders, in terms of Article 58.2 GDPRYes
2020Personal Data BreachDisclosure of personal email addresses to all the recipients of the emailInfringement of Article 5.1(a) GDPRReprimand and warning, in terms of Article 58.2 GDPRNo
2020Data Protection ComplaintPersonal data undergoing processing was partially provided following a right of access request. Privacy Policy not satisfying the transparency requirementsInfringement of Articles 13 and 15 GDPRAdministrative fine of €20,000, in terms of Article 83.2 GDPRNo
2020Data Protection ComplaintProcessing operations not in compliance with transparency requirementsInfringement of Article 13 GDPRReprimand and orders, in terms of Article 58.2 GDPR
2020Data Protection ComplaintUnsolicited sending of electronic direct marketing communication without consent, privacy policy not in compliance with transparency requirements and right of access request ignoredInfringement of Articles 13 and 15 GDPR and regulation 9 of S.L 586.01Administrative fine of €4,000 and orders, in terms of Article 58.2 GDPRYes
2020Data Protection ComplaintUnauthorized disclosure of personal data related to healthInfringement of Article 9 GDPRReprimand and orders, in terms of Article 58.2 GDPRYes
2020Data Protection ComplaintAdvertising showing complainant's mobile numberInfringement of Articles 5.1 and 6 GDPRAdministrative fine of € 3,000 and orders, in terms of Article 58.2 GDPR
2020Personal Data BreachUnauthorised notification letter, with details of third parties printed on the backInfringement of Articles 5.1(f) and 32.1(b) GDPRAdministrative fine of € 3,000, in terms of Article 58.2 GDPR
2020Data Protection ComplaintController failed to provide information following a right of access request and failed to inform the data subject about a restrictionInfringement of Articles 12.3 and 15.3 GDPR, and regulation 4(e) of S.L. 586.09Administrative fine of € 5,000 and orders, in terms of Article 58.2 GDPR.
2020Data Protection ComplaintCCTV camera capturing public access areas and, or spacesInfringement of Articles 5.1(c) and 6.1 GDPRInstructions, in terms of Article 58.2 GDPR
2020Data Protection ComplaintCCTV camera capturing public access areas and, or spacesInfringement of Articles 5.1(c) and 6.1 GDPRReprimand and orders, in terms of Article 58.2 GDPR
2020Data Protection ComplaintCCTV camera capturing public access areas and, or spacesInfringement of Articles 5.1(c) and 6.1 GDPRReprimand and orders, in terms of Article 58.2 GDPR
2020Data Protection ComplaintCCTV camera capturing public access areas and, or spacesInfringement of Articles 5.1(c) and 6.1 GDPRReprimand and orders, in terms of Article 58.2 GDPR
2020Data Protection ComplaintSharing of an email containing personal data pertaining to the complainant and to his/her daughter with non-authorised recipientsInfringement of Articles 5.1(c), (f), and 32 GDPRReprimand and instruction, in terms of Article 58.2 GDPR
2020Data Protection ComplaintController errouneously addressed an envelope cointaining a confidential letter, resulting to the disclosure of complainant's personal data Infringement of Article 5.1 (f) and 32.1 (b) GDPRReprimand and instruction, in terms of Article 58.2 GDPR
2020Data Protection ComplaintCCTV camera capturing public access areas and, or spacesInfringement of Articles 5.1(c) and 6.1 GDPRReprimand and orders, in terms of Article 58.2 GDPR
2020Data Protection ComplaintCCTV camera capturing public access areas and, or spacesInfringement of Articles 5.1(c) and 6.1 GDPRReprimand and orders, in terms of Article 58.2 GDPR
2020Data Protection ComplaintCCTV camera capturing public access areas and, or spacesInfringement of Articles 5.1(c) and 6.1 GDPRReprimand and orders, in terms of Article 58.2 GDPR
2020Data Protection ComplaintController failed to provide the data subject with information about the processing and a copy of his/her personal fileInfringement of Article 15.1 and 15.3 GDPRReprimand and instruction, in terms of Article 58.2 GDPRYes
2020Data Protection ComplaintController failed to provide the data subject with information about the processing and a copy of his personal fileInfringement of Articles 15.1 and 15.3 GDPRReprimand and instruction, in terms of Article 58.2 GDPR
2020Data Protection ComplaintController has unlawfully disclosed the complainant's personal dataInfringement of Article 6.1 GDPRReprimand and warning, in terms of Article 58.2 GDPR
Skip to content