Data Protection Decisions
Data Protection decisions issued by the Information and Data Protection Commissioner
Year | Type | Description | Decision | Corrective Action |
---|---|---|---|---|
2023 | Data protection complaint | A data subject filed a right of access request with the controller. Upon receiving the SAR, the controller forwarded the complainant’s data to a third party. | Infringement of article 15 GDPR. | Controller served with reprimand in terms of article 58(2)(b) GDPR. |
2023 | Data protection complaint | Complainant argued that the controller disclosed their personal data to a third party without authorisation | Inadmissible due to lack of evidence | None |
2023 | Data protection complaint | The complainant argued that the controller infringed the GDPR and the EU Charter in handling a request to exercise the right of access. | The complaint’s claims were groundless and the complaint was found inadmissible. | None |
2023 | Data protection complaint | The complainant argued that the controller infringed the GDPR and the EU Charter in handling a request to exercise the right to rectification. | The complainant filed their complaint immediately after exercising their right to rectification and prior to the expiry of the statutory period of article 12(3) of the GDPR. The complaint was therefore found inadmissible. | None |
2023 | Data protection complaint | Two data subjects filed a complaint alleging that the controller captured and shared a video with media houses without their consent or authorisation | No infringement | N/A |
2022 | Personal Data Breach | Controller infringed principles of security regarding personal and special categories of data of many data subjects | Infringements of Articles 6(1), 9(1), 9(2), 14, 32(1), 5(1)(f), 33(1) and 34(1) GDPR | Administrative fine of €65,000.00. |
2022 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2022 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2022 | Data Protection Complaint | Controller has unlawfully disclosed the complainant's personal data | Infringements of Articles 24(2), 32(1)(b) and 32(4) GDPR | Administrative fine of €2,500.00 |
2022 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2022 | Data Protection Complaint | The controller failed to respect the principle of data minimisation by collecting excessive data through a registration form | Infringement of Article 5(1)(c) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2022 | Data Protection Complaint | The complaint is on the refusal to erase the complainant's personal data from an electronic website | The refusal is justified on the basis of article 17(3)(b) | Complaint has been dismissed in its entirety |
2022 | Data Protection Complaint | The controller failed to respect the timeframe prescribed by article 12(3) GDPR to respond to the complainant's access request | Infringement of Article 12(3) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2022 | Data Protection Complaint | The controller infringed the GDPR for having processed the complainant's personal data included in her identity card without a valid legal basis | Infringement of Article 6(1) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2022 | Data Protection Complaint | The controller failed to inform the complainant that the call between the controller’s employee and the complainant was being recorded | Infringement of Article 13 GDPR | Reprimand, in terms of Article 58.2 GDPR |
2022 | Personal Data Breach | Controller infringed principles of security regarding personal data of data subjects and failed to implement appropriate technical and organisational measures | Infringements of Articles 32(1) and 32(2) of the GDPR | Administrative fine of €250,000 in terms of Article 58.2 GDPR |
2022 | Personal data breach | The controller was subject to a credential stuffing attack. The attacker may have accessed and viewed the personal data of a very limited number of accounts. | Infringement of article 32 GDPR. | Controller instructed to bring its processing operations into compliance with the provisions of the Regulation in terms of article 58(2)(a). |
2022 | Personal data breach | The controller was subject to a brute force attack. The attacker may have accessed and viewed the personal data of a very limited number of accounts. | Infringement of article 32 GDPR. | Controller instructed to bring its processing operations into compliance with the provisions of the Regulation in terms of article 58(2)(a). |
2022 | Personal data breach | The controller was subject to a brute force attack. The attacker may have accessed and viewed the personal data of a very limited number of accounts. | Infringement of article 32 GDPR. | Controller instructed to bring its processing operations into compliance with the provisions of the Regulation in terms of article 58(2)(a). |
2022 | Personal data breach | Personal data was disclosed to a trusted party within the controller’s organization | Infringement of article 32 GDPR | Controller instructed to bring its processing operations into compliance with the provisions of the Regulation in terms of article 58(2)(a). |
2022 | Personal data breach | A device containing personal and special categories of data was stolen | Infringement of article 32 GDPR | Controller served with a reprimand in terms of article 58(2)(b) and instructed to bring its processing operations into compliance with the provisions of the Regulation in terms of article 58(2)(a). |
2022 | Personal data breach | The controller’s main server was affected by ransomware which encrypted some personal data | Infringement of article 32 GDPR | Controller served with a reprimand in terms of article 58(2)(b) |
2021 | Data Protection Complaint | The controller sent unsolicited direct marketing electronic communications without using the "blind carbon copy". | Infringement of Article 32.1(b) GDPR and Regulation 9.2 of S.L. 586.01 | Reprimand and warning, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | Unauthorized disclosure of personal data to a third party | Infringement of Article 32.1(b) GDPR | Instructions, in terms of Article 58.2 GDPR |
2021 | Data Breach Notification | Policy documents were sent out by postal mail to wrong recipients due to a human mistake of an employee | Infringement of Article 5.1(f) GDPR | Reprimand, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | The controller posted and shared a photograph on social media, disclosing the registration number of the data subject's vehicle | Infringement of Articles 5.1 (c) and 6.1 (f) GDPR | Instructions, in terms of Article 58.2 GDPR |
2021 | Data Breach Notification | The controller disclosed personal emails to unauthorised third parties, using the "To" field instead of the "blind carbon copy". | Infringement of Articles 5.1 (e)/(f) and 32.1 (b) GDPR | Reprimand, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | Alleged infringement of GDPR when the controller unlawfully leaked data subjects' data to third parties | No evidence which unequivocally demonstrates unauthorised disclosure | Nil |
2021 | Data Protection Complaint | Following a formal representation made to a proposed development, the controller published personal details on its website | Infringement of Article 5.1 (a) GDPR | Orders, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | Infringement of GDPR when the controller unlawfully leaked individuals' data (namely a medical report) to third parties | Infringement of Article 9.2 GDPR | Reprimand, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | Controller disclosed personal data relating to the complainant as a private individual in relation to a holiday trip in 2017, without consent or authorisation | Infringement of Articles 5.1 (a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | Controller failed to reply to a data subject access request within one (1) month of receipt of such request | Infringement of Articles 12.3, 15.1 and 15.3 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | Controller failed to implement the appropriate technical and organisational measures to ensure the ongoing confidentiality of the complainant’s personal data | Infringement of Articles 5.1 (f) and 32.1 (b) | Reprimand and warning, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | The controller failed to provide an updated privacy policy on its website at the time of the subject access request. The policy didn't contain the minimum set of information, so the controller failed to provide information relating to the processing of personal data pursuant to the transparency requirements. | Infringement of Articles 37.7, 5.1 (a), 12.1 | Reprimand, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | The controller failed to blur data subjects' faces when uploading footage on social media and, additionally, identified the complainant by name as one of the persons in the footage, without consent or authorisation | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and warning, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2021 | Personal Data Breach | Controller infringed the principle of integrity and confidentiality when the complainant's personal data concerning health was disclosed to an unauthorised third party | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | Complainant filed a subject access request, however the identity procedure adopted by the controller imposed an unnecessary burden on the data subject | Infringement of Articles 12.2 and 24.2 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | An employee of the controller unlawfully disclosed the complainant's personal data in an unauthorised manner | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | Controller infringed the principle of integrity and confidentiality when annual maintenance invoices regarding the controller were disclosed to an unauthorised third party | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | Controller published an email address which was inactive and unattended on its website, creating uncertainty amongst the data subjects who tried to file a subject access request | Infringement of Article 5.1(a) GDPR | Reprimand and warning, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | Controller unlawfully disclosed by email the complainant's personal data to an unauthorised third party. The complainant explicitly indicated that such data should remain private and confidential | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | The controller published a newspaper information notice containing personal data regarding the complainant | No infringement as the processing is necessary for the purposes of the legitimate interests of the controller | Nil |
2021 | Data Protection Complaint | The controller published a newspaper information notice containing personal data regarding the complainant | No infringement as the processing is necessary for the purposes of the legitimate interests of the controller | Nil |
2021 | Data Protection Complaint | The controller published a newspaper information notice containing personal data regarding the complainant | No infringement as the processing is necessary for the purposes of the legitimate interests of the controller | Nil |
2021 | Data Protection Complaint | The controller provided evidence on the action taken upon a subject access request in due time | No infringement and complaint dismissed | Nil |
2021 | Data Protection Complaint | The IDPC did not come across any evidence of unauthorised disclosure of the complainant's personal data | No infringement and complaint dismissed | Nil |
2021 | Data Protection Complaint | Complaint is against the use of a CCTV camera installed on a property. However, such camera is not capturing public access areas and, or spaces | No infringement as there is no processing of personal data in terms of article 4(2) GDPR | Nil |
2021 | Data Protection Complaint | Controller failed to erase the complainant's personal data following the exercise of the right of erasure | Infringement of Article 17.1 GDPR | Reprimand and warning, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | Controller failed to implement the appropriate technical and organisational measures to ensure the ongoing confidentiality of the complainant’s personal data | Infringement of Articles 5.1 (f) and 32.1 (b) GDPR | Reprimand and warning, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | The controller failed to provide the complainant with a copy of certain information which falls within the definition of personal data | Infringement of Article 15 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | The complaint is against the use of CCTV cameras installed on a property. The controller has a compelling legitimate interest, which is of real existence based on a situation of distress | No infringement in terms of data protection law | Nil |
2021 | Data Protection Complaint | The complaint was on the validity and legality of the disciplinary proceedings and other issues of an employment nature | Outside the scope of data protection law and complaint dismissed | Nil |
2021 | Data Protection Complaint | The controller failed to provide the complainant with a copy of certain information which falls within the definition of personal data | Infringement of Article 15 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | Controller failed to erase the complainant's personal data following the exercise of the right of erasure | Infringement of Article 17.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | Controller failed to provide the complainant with a copy of personal data and failed to erase personal data following the exercise of his/her data subject right | Infringements of Articles 12.3, 12.4, 15.1, 15.3 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | Controller accessed personal data concerning the complainant in an unauthorised manner | Infringements of Articles 5.1(b), 5.1(f), and 32.1(b) GDPR | Reprimand and warning, in terms of Article 58.2 GDPR |
2021 | Data Protection Complaint | The controller failed to comply with a right to data portability request, unless an administrative fee is paid. The controller also failed to demonstrate the manifestly unfounded or excessive character of such request | Infringements of Articles 12(5) and 20 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2020 | Data Protection Complaint | Unauthorized use of personal data leading to employment disciplinary proceedings | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR |
2020 | Data Protection Complaint | Personal data contained in a condition report disclosed to other occupants of third party properties | Infringement of Article 5.1(a) GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR |
2020 | Data Protection Complaint | Installation of CCTV cameras at an establishment without affixing proper signage | Infringement of Articles 13 and 5.1 GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR |
2020 | Data Protection Complaint | CCTV camera capturing public spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR |
2020 | Data Protection Complaint | Processing of personal data without the consent of the data subject | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR |
2020 | Personal Data Breach | Unauthorized disclosure of personal data to a third party | Infringement of Article 5.1(f) GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR |
2020 | Personal Data Breach | Hacking attack attempting to access online users' accounts, by making use of usernames and passwords originating from a third-party database | Infringement of Article 5.1(f) GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR |
2020 | Personal Data Breach | Hacking attack attempting to access online users' accounts, by making use of usernames and passwords originating from a third-party database | Infringement of Article 5.1(f) | Reprimand and instructions, in terms of Article 58.2 GDPR |
2020 | Personal Data Breach | Hacking attack using bots attempting to log in to users' accounts | Controller has sufficient and appropriate technical and organisational measures in place | Nil |
2020 | Personal Data Breach | Former employee processed the controller's data for own purposes | Infringement of Article 32.1(b) GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR |
2020 | Personal Data Breach | Unauthorized disclosure of the complainant's confidential data to an external client | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Administrative fine of €5,000, in terms of Article 58.2 (i) GDPR |
2020 | Personal Data Breach | Accidental loss of personal data when a box of documents which contained employment filled-in forms went missing | Infringement of Article 32.1(b) GDPR | Administrative fine of €2,500 and orders, in terms of Article 58.2 GDPR |
2020 | Personal Data Breach | Disclosure of personal email addresses to all the recipients of the email | Infringement of Article 32.1(b) GDPR | Administrative fine of €2,500, in terms of Article 58.2 (i) GDPR |
2020 | Personal Data Breach | A third party gained unauthorized access to an account held by another individual | Infringement of Article 32.1(b) GDPR | Administrative fine of €2,000, in terms of Article 58.2 (i) GDPR |
2020 | Personal Data Breach | Unauthorized disclosure of personal data to third parties | Infringement of Article 5.1(f) GDPR | Reprimand and warning, in terms of Article 58.2 GDPR |
2020 | Personal Data Breach | Personal data was erroneously disclosed to an unintended recipient | The remedial action taken by the data controller has mitigated the posed risk | Instructions, in terms of Article 58.2 GDPR |
2020 | Personal Data Breach | Disclosure of personal email addresses to all the recipients of the email | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Administrative fine of €2,500, in terms of Article 58.2 (i) GDPR |
2020 | Data Protection Complaint | Unsolicited sending of numerous direct marketing electronic communications without consent and right to object request ignored | Infringement of Articles 6, 7 and 21 GDPR and regulation 9 of S.L. 586.01 | Administrative fine of €15,000 and orders, in terms of Article 58.2 GDPR |
2020 | Personal Data Breach | Disclosure of personal email addresses to all the recipients of the email | Infringement of Article 5.1(a) GDPR | Reprimand and warning, in terms of Article 58.2 GDPR |
2020 | Data Protection Complaint | Personal data undergoing processing was partially provided following a right of access request. Privacy Policy not satisfying the transparency requirements | Infringement of Articles 13 and 15 GDPR | Administrative fine of €20,000, in terms of Article 83.2 GDPR |
2020 | Data Protection Complaint | Processing operations not in compliance with transparency requirements | Infringement of Article 13 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2020 | Data Protection Complaint | Unsolicited sending of electronic direct marketing communication without consent, privacy policy not in compliance with transparency requirements and right of access request ignored | Infringement of Articles 13 and 15 GDPR and regulation 9 of S.L. 586.01 | Administrative fine of €4,000 and orders, in terms of Article 58.2 GDPR |
2020 | Data Protection Complaint | Unauthorized disclosure of personal data related to health | Infringement of Article 9 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2020 | Data Protection Complaint | Advertising showing complainant's mobile number | Infringement of Articles 5.1 and 6 GDPR | Administrative fine of €3,000 and orders, in terms of Article 58.2 GDPR |
2020 | Personal Data Breach | Unauthorised notification letter, with details of third parties printed on the back | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Administrative fine of €3,000, in terms of Article 58.2 GDPR |
2020 | Data Protection Complaint | Controller failed to provide information following a right of access request and failed to inform the data subject about a restriction | Infringement of Articles 12.3 and 15.3 GDPR, and regulation 4(e) of S.L. 586.09 | Administrative fine of €5,000 and orders, in terms of Article 58.2 GDPR. |
2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Instructions, in terms of Article 58.2 GDPR |
2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2020 | Data Protection Complaint | Sharing of an email containing personal data pertaining to the complainant and to his/her daughter with non-authorised recipients | Infringement of Articles 5.1(c), (f), and 32 GDPR | Reprimand and instruction, in terms of Article 58.2 GDPR |
2020 | Data Protection Complaint | Controller erroneously addressed an envelope containing a confidential letter, resulting in the disclosure of complainant's personal data | Infringement of Articles 5.1 (f) and 32.1 (b) GDPR | Reprimand and instruction, in terms of Article 58.2 GDPR |
2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
2020 | Data Protection Complaint | Controller failed to provide the data subject with information about the processing and a copy of his/her personal file | Infringement of Articles 15.1 and 15.3 GDPR | Reprimand and instruction, in terms of Article 58.2 GDPR |
2020 | Data Protection Complaint | Controller failed to provide the data subject with information about the processing and a copy of his personal file | Infringement of Articles 15.1 and 15.3 GDPR | Reprimand and instruction, in terms of Article 58.2 GDPR |
2020 | Data Protection Complaint | Controller has unlawfully disclosed the complainant's personal data | Infringement of Article 6.1 GDPR | Reprimand and warning, in terms of Article 58.2 GDPR |