RegSol Blog

Data Protection Commission Inquiries

August 2023

1) Inquiry Concerning the Department of Health – June 2023

The Data Protection Commission (“DPC”) has imposed a fine of €22,500 on the Department of Health (“DoH”) after completing an inquiry into certain aspects of its processing of personal data in 29 litigation files.

The DPC's statutory inquiry was commenced following public allegations in 2021 that the DoH had unlawfully collected and processed personal data about plaintiffs and their families in the context of litigation surrounding the plaintiffs' special education needs.

The DPC concluded that the DoH did not infringe data protection law by seeking information about the services that were being provided to plaintiffs. However, the DoH did infringe data protection law by asking broad questions that resulted in the provision of sensitive information about the private lives of plaintiffs and their families. The DoH had no lawful basis for processing such data, and also did so in breach of the data minimisation principle.

The DPC imposed the fine of €22,500 for the DoH's infringements of Articles 5(1)(c) (data minimisation principle), 6(1) and 9(1) (lawful basis requirements), and 6(4) GDPR (further compatible processing requirements). The DPC also issued a reprimand to the DoH in respect of these infringements, as well as for infringements of Articles 5(1)(c) and 32(1) (security obligations) and 14 (transparency obligations). In addition, the DPC imposed a ban on the DoH processing the excessive personal data and special category data in the litigation files in question for the purposes of determining an appropriate time to settle a case.

For more information, the full decision can be found HERE.

2) Inquiry concerning Airbnb Ireland – June 2023

The DPC has published the final decision, issued on 21st June 2023, in which it imposed a reprimand and corrective measures on Airbnb Ireland UC for violations of the GDPR. The DPC commenced its inquiry following a complaint that Airbnb Ireland had unlawfully requested a copy of the complainant's ID to verify their identity, which had not previously been requested by Airbnb. Initial attempts by the complainant to verify their identity had been rejected by Airbnb as the ID provided did not meet their criteria. The complainant contended that this went against the principle of data minimisation and that Airbnb also failed to comply with the principles of transparency and provision of information.

Following its investigation, the DPC found that Airbnb’s retention of a copy of the complainant's ID following successful completion of the verification process infringed the principle of data minimisation under Article 5(1)(c) and the principle of storage limitation under Article 5(1)(e). The DPC also found that the continued processing and retention of partially redacted and out-of-date IDs that had been deemed inadequate or insufficient to verify the identity of the complainant infringed the same principles.

In light of these infringements, the DPC issued a reprimand to Airbnb Ireland. In addition, the DPC made the following orders against Airbnb Ireland to remedy the infringements identified and to prevent similar infringements occurring in the future:

Delete from all of its systems and records the redacted and out-of-date copies of the complainant's IDs
Delete from all of its systems and records the IDs that the complainant uploaded
Revise its internal policies and procedures concerning user verification to ensure that:

    a. Once the identity of data subjects has been verified to Airbnb Ireland's satisfaction, the practice of retaining improperly redacted and/or out-of-date IDs which may be submitted by data subjects as part of the identity verification process is discontinued; and

    b. The period for which valid or fraudulent or illegitimate IDs submitted by data subjects as part of the identity verification process are stored is limited to a strict minimum period.

For more information, the full decision can be found HERE.