| Type of Complaint | Number of Complaints | Percentage of Complaints |
| --- | --- | --- |
| Right to Erasure | | |
The Report notes a number of common issues which arise in the investigation of complaints in relation to access requests which would be prudent for data controllers to note:
- The data controller failed to acknowledge an access request,
- The data controller failed to perform an adequate search for the personal data,
- The data controller failed to advise the individual they were withholding data or the exemption they relied upon for same, or
- The data controller failed to issue a response within the required timeframe.
Under s.109(2) of the Data Protection Act 2018, the DPC is permitted, in circumstances where there is a reasonable likelihood of the parties to a complaint reaching an amicable resolution, to take such steps as it considers appropriate to arrange or facilitate such an amicable resolution. The DPC has, for the first time, provided details of complaints concluded in these circumstances. Where the DPC identifies the possibility of a swift resolution to a complaint, it proceeds on a “fast-track” basis. In 2021, 463 of the 3,564 complaints concluded by the DPC were concluded by fast-track amicable means.
Data breach notifications
The introduction of GDPR brought about mandatory data breach notification obligations for all data controllers. 2021 saw a total of 6,549 valid data breaches reported to the DPC, representing a 2% decrease on the numbers reported in 2020. The DPC advised that, when assessing the necessity of notifying a breach, a data controller should particularly focus on the impact of a data breach on the rights and freedoms of an affected individual.
In line with previous years, the highest category of data breaches notified was in relation to unauthorised disclosures, accounting for 71% of the total notifications.
The Report notes that a disproportionately large chunk of breach notifications (2,707) originate in public sector organisations in Ireland. Other organisations with high levels of breach notifications include banks, insurance companies and telecoms companies.
The DPC noted that the cause of most unauthorised disclosures was poor operational practices and human error. An increase in the number of breaches caused by the issue of email correspondence to the incorrect recipient was recorded. In terms of breaches caused in relation to hard copy correspondence, a number of breaches occurred due to a failure of the data controller to update data, e.g. the data subject’s address, in a timely manner.
The DPC notes that it is taking a new strategic approach with regard to the handling of breach notifications. Previously, the DPC would conduct its own risk and impact assessment and engage with the controller on mitigation actions and notification to data subjects, if required. This practice has ceased as of January 2022. In most cases, the DPC will now only provide acknowledgement of receipt of breach notifications and will not issue recommendations or seek further information. However, the Report notes that the absence of further immediate engagement by the DPC will not indicate satisfaction with the notification itself, nor the assessment contained therein. The DPC will continue to assess all notifications individually and, in cases where the DPC deems the issues to warrant further information or a formal statutory inquiry, it will proceed in that way.
The DPC may conduct two types of statutory inquiries: a complaint-based inquiry or an inquiry of the DPC’s own volition. The purpose of either inquiry is to make a formal decision as to whether there was an infringement under GDPR, and, where there is an infringement, to determine whether corrective measures such as fines should be applied. As of the year-end, the DPC was conducting 81 statutory inquiries, including 30 cross-border inquiries.
In 2021, the DPC imposed the below sanctions of fines and corrective measures.
| Organisation | Date of DPC Decision | Issue | Administrative Fine € | Other Sanctions/Corrective Measures |
| --- | --- | --- | --- | --- |
| Irish Credit Bureau | 23 March 2021 | Personal data breach | | Reprimand in respect of the infringements |
| WhatsApp Ireland Ltd | 28 July 2021 | Provision of information and the transparency of that information, to both users and non-users of WhatsApp’s service | | Reprimand along with an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions |
| | 20 August 2021 | Personal data breach | | |
| Teaching Council of Ireland | 2 December 2021 | Personal data breach | | Reprimand and order to bring its processing operations into compliance with Articles 5(1)(f) and 32(1) of the GDPR by implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk |
| Limerick City and County Council | 9 December 2021 | Unlawful CCTV systems | | Temporary ban on the Council’s processing of personal data in respect of certain CCTV cameras and ordered the Council to bring its processing into compliance by taking specified actions, reprimand in respect of infringements |
Supervision, consultation and communication
The DPC engages directly with stakeholders in a supervisory role in order to provide context-specific guidance. The Report notes that such collaboration can mitigate potential infringements before they occur. In 2021, the DPC received 1,013 consultation requests.
The DPC engaged with the government departments in relation to the ongoing Covid-19 pandemic to ensure appropriate consideration was given to their obligations under GDPR in the various governmental responses to the pandemic.
The DPC provided guidance and observations on over 40 proposed legislative measures in 2021 which, as noted in the Report, promotes data protection by design within legislation under which the processing of personal data may occur.
Commissioner for Data Protection, Ms Helen Dixon, describes 2021 as a year ‘characterised by significant momentum gain’. Indeed, 2021 saw the volume of work completed by the DPC ever intensify. In addition to resolving complaints and processing data breach notifications, the DPC progressed a number of large-scale investigations, imposed fines and corrective measures on foot of detailed decisions and published comprehensive guidance on protecting children’s data.
Furthermore, the DPC adopted its ambitious Strategy for the next 5 years, which, Ms Dixon states, signals the commitment of the DPC to ‘do more for more people’. Already, changes have been implemented in the way in which the DPC handles data breach notifications. The DPC has also begun to resolve complaints by fast-track amicable means where appropriate. This will give the DPC more time to focus on its other objectives.
Ms Dixon notes that a suite of pending legislation at an EU level, including the NIS2 Directive, the Digital Markets Act, the Digital Services Act, the E-Privacy Regulation, the Artificial Intelligence Act and the Data Governance Act, will impact data issues. Co-ordination at both EU and cross-regulatory levels will be crucial to the effective implementation of this legislation. Ms Dixon states that the DPC looks forward to continued engagement with the EU Commission and its fellow regulators across the EEA to reach a consensus.
Whether or not we see this legislative change in 2022, the DPC has clearly signalled its commitment to ‘do more for more people’.