2025 has quickly moved on for GDPRXpert data protection consultants and it is now well worth looking at the most recent Annual Report by the DPC. The report was issued in 2024 and covers activity for the year 2023. It will be interesting to see the year-on-year changes and any new trends when the 2024 report is issued. As soon as that report is made available we will dissect it in a future blog for comparative purposes and see if any discernible trends can be identified.
We touched on the 2023 report briefly in our last blog and noted, “As the report states, 2023 was a busy year in personal data rights protection. The year saw a significant increase in complaints dealt with by the Data Protection Commission (“DPC”) with record fines issued and corrective orders imposed following cross-border and national inquiries. More generally, there were a large number of data protection-related judgments from the Court of Justice of the European Union and continued domestic focus before the Irish courts”. Perhaps not coincidentally, 2023 was also a busy year for GDPRXpert.ie and for many operating a data protection advisory service. In particular, there was a high demand for the outsourced data protection officer service provided by GDPRXpert.ie
There are very good reasons why this is so, but primarily it is because of the increasing amount of time and internal resources organisations must dedicate to data protection compliance. Without any doubt, there is a scarcity within many organisations of properly qualified staff to manage this onerous responsibility. On top of this, it is too risky to overburden a staff member with new data protection responsibilities when that person has already been delegated responsibility for other areas in which they are more at ease, more familiar and singularly competent. It is no surprise that a growing number of organisations are contacting data protection consultants such as GDPRXPERT.ie with a view to outsourcing the role of data protection officer. Last year was a record year in this regard and there is no reason to believe this will change in the foreseeable future.
The DPC 2023 report did recognise the increasing demand for data protection officers and viewed it as part of a growing awareness of the changed dynamics in data protection, especially since the GDPR was introduced. This is partly due to the DPC itself having allocated a mixture of resources to raising awareness of data protection obligations and educating organisations on how to reach data protection compliance.
It is natural that the DPC, whilst continuing its overall awareness building, has now moved to a stronger enforcement mode.
The DPC, nevertheless, emphasised that it continues its mission of safeguarding the data protection rights of individuals and providing clarity for the organisations it regulates by:
- educating stakeholders on their rights and responsibilities;
- taking a fair and balanced approach to complaint handling;
- communicating extensively and transparently with stakeholders;
- participating actively at European Data Protection Board level to achieve consistency;
- cultivating technological foresight, in anticipation of future regulatory developments;
- sanctioning proportionately and judiciously; and
- retaining and amalgamating the expert capacities of its staff to ensure operational effectiveness.
The DPC in the report referred to its overall strategy as had been set out in its Regulatory Strategy for 2022-2027. It is a strategy based around five interconnected pillars of equal priority:
- Regulate consistently and effectively;
- Safeguard individuals and promote data protection awareness;
- Prioritise the protection of children and other vulnerable groups;
- Bring clarity to stakeholders; and
- Support organisations and drive compliance.
Perhaps ironically, organisations looking for support and striving to drive compliance have been engaging the services of data protection consultants such as GDPRXPERT.ie and have begun to use the outsourced data protection officer service. The DPC has become aware of this trend, and it is a welcome one. As mentioned earlier, not all organisations are in a position to appoint a full-time or part-time DPO in house.
Data Protection Officers (DPOs) are a key component in Ireland’s data protection compliance record. For DPOs to operate effectively they need the support of senior management and regular, direct communication lines into their organisation’s management board. A key part of the DPC’s strategic goal of supporting organisations and driving compliance is working with DPOs to increase the knowledge and impact of their role. DPOs play an important role in data protection compliance for the organisations in which they have been designated, including by providing advice on data protection impact assessments and by monitoring the implementation and efficacy of data protection policies.
As the contact point for the DPC in their organisations, DPOs are an important group of stakeholders, and the DPC is committed to supporting them (as well as non-designated data protection operatives) in making their roles more effective. Because it is a requirement of the GDPR, the DPC must be notified of the formal designation of a DPO by an organisation. At the end of 2023 the DPC had been notified of the designation of 3,520 DPOs, broken down by sector as follows:
- Public sector: 357;
- Private sector: 2,932; and
- Not-for-profit sector: 231.
DPO Networks
Since the application of the GDPR in 2018, a valuable resource for the DPC, and something mutually beneficial to all, has been the coming together of networks of DPOs in various sectors and the DPC’s engagement with those sectors through them. These networks have also provided forums for the sharing of information and the collaborative development of compliance solutions. In 2023 the DPC engaged with a number of networks, including the Civil Service DPO Network, a grouping of DPOs from across the public sector, and the Health Research Data Protection Network, which brings together DPOs working in hospitals, academia and other settings to address issues arising in data protection and health research.
Focusing on the private and semi-state sectors, the DPC engaged with the DPO Network of the Banking and Payments Federation of Ireland, the DPO network of Telecommunications Industry Ireland/IBEC, and the Insurance Ireland DPO Network/Working Group. These engagements are valuable in allowing the DPC to raise current and upcoming data protection issues affecting these sectors. In December 2023, the DPC brought together a group of DPOs and non-designated data protection champions working in NGOs active in the local community sector to encourage the development of a new network for information sharing and problem solving. The DPC intends to expand on this work in 2024, to increase its reach to sectors and organisations that may be less well resourced than others when it comes to managing data protection compliance.
As another sign of the growing appreciation of the value of the work of DPOs, the DPC report highlighted the 2023 Coordinated Enforcement Framework (CEF) topic, ‘The Designation and Position of Data Protection Officers’. Members of the European Data Protection Board (EDPB) had decided to prioritise this topic on the basis of its practical relevance in the overall data protection governance landscape. DPOs, whether outsourced or in house, stand in a unique position within the regulatory architecture of the GDPR. They act as intermediaries of sorts between the supervisory authorities, individuals and the business units of an organisation.
The DPC had, back in 2022, set out its Regulatory Strategy for 2022-2027, which emphasised the mutual value and benefits of co-operation and increased communication with DPOs on emerging issues. It therefore seemed appropriate to participate in the CEF and engage with DPOs in a fact-finding role. The basic aims were to:
- Help to identify emerging issues;
- Assess the knowledge, expertise and impact of the DPOs; and
- Generate deeper insights into the role at an EU level.
With these aims, in March 2023 the DPC launched a fact-finding exercise by means of a detailed questionnaire sent to over 100 DPOs across Ireland, drawn from the public, private and not-for-profit sectors. All completed questionnaires were collated and the findings were grouped under three broad substantive issues:
- a) the resources of the DPO;
- b) conflicts of interest while carrying out the DPO role; and
- c) the tasks of the DPO under Art. 39(1)(a) to (e).
Some findings
Approximately 33% of respondents replied that they do not have sufficient resources to fulfil the role of a DPO. On further analysis of the responses, it was found that the large majority of respondents who stated they do not have adequate resources came from the public and not-for-profit sectors. This supports the view that DPOs are better resourced in the private sector.
Approximately 36% indicated that the DPO’s tasks are performed in addition to other tasks, and not as the main task. In that regard, it was noted that many of the non-data protection roles held did not complement the role of a DPO, for example Health and Safety Officer, Human Resource Officer, Employee Engagement Manager and Communications Officer.
Approximately 80% of DPOs replied that they have at least three years’ experience working on the application and interpretation of data protection requirements.
The DPC’s submissions to the EDPB (Appendix 1.2: National Reports on the CEF on DPOs, pp. 65-69), in which the DPC expanded on the three substantive issues referenced above, merit some further commentary.
Resources.
A strong view outlined was that it is increasingly vital that DPOs have adequate and sufficient resources to carry out their tasks effectively and to maintain their expert knowledge (Art. 38(2) GDPR). It is concerning that one-third of DPOs state they do not have adequate resources for the role, and also that some large organisations only have a part-time DPO in place. A part-time position may lead to a lack of clarity as to what is expected in the role and diminish the importance of the role. Such under-resourcing can only have a negative impact on the level of data protection compliance within an organisation. The DPC appreciates that ‘resources’ is not defined in the GDPR; it recommends that organisations consider the EDPB Guidelines on Data Protection Officers, which state that the following should be considered:
- Active support of the DPO’s function by senior management (such as at board level);
- Sufficient time for DPOs to fulfil their duties;
- Adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate;
- Official communication of the designation of the DPO to all staff to ensure that their existence and function are known within the organisation;
- Necessary access to other services, such as Human Resources, legal, IT, security, etc., so that DPOs can receive essential support, input and information from those other services; and
- Continuous training. DPOs must be given the opportunity to stay up to date with regard to developments within the field of data protection. The aim should be to constantly increase the level of expertise of DPOs and they should be encouraged to participate in training courses on data protection and other forms of professional development, such as participation in privacy fora, workshops, etc.
The DPC recognised that there is no one-size-fits-all answer, while considering that further clarity on what could be regarded as adequate resources for DPOs in an organisation may be helpful in addressing this situation. It may be the case that organisations need a template for what is required to have adequate resources in place for the role of a DPO.
Conflicts of Interest.
Article 38(6) GDPR states: ‘The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests’. The DPC noted in the submissions received that a number of DPOs alluded to performing other roles within the organisation, some of which may have the potential for a conflict of interests. The roles noted included:
- General Manager
- Chief Financial Officer
- Chief Executive Officer
- Director of Corporate Services
Whilst the GDPR does not prevent a DPO from fulfilling other non-DPO tasks and duties, an organisation must ensure that the DPO does not carry out tasks that lead to a conflict of interests or impact on the independence of the role of Data Protection Officer. The CJEU has held that a ‘conflict of interests’ may exist when a DPO holds a role or position within an organisation that involves determining the purposes and means of the processing of personal data (CJEU C-453/21, X-FAB Dresden GmbH & Co. KG). In line with the CJEU decision, the DPC acknowledged that a conflict of interests must be evaluated on a case-by-case basis and will be specific to each individual organisation and its structure. The DPC recommends that organisations consider the published EDPB guidance on this, which states that, depending on the activities, size and structure of the organisation, it can be good practice for controllers or processors to:
- identify the positions which would be incompatible with the function of DPO;
- draw up internal rules to this effect in order to avoid conflicts of interests;
- include a more general explanation about conflicts of interests;
- declare that their DPO has no conflict of interests with regard to its function as a DPO, as a way of raising awareness of this requirement; and
- include safeguards in the internal rules of the organisation and to ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed in order to avoid a conflict of interests.
Tasks of the DPO
Question 15 of the survey had asked: ‘Have additional tasks been committed to the data protection officer compared to those envisaged in the GDPR?’
The DPC noted that the following other tasks are carried out by DPOs:
- Nearly 1/3 of DPOs are involved in the decision making on the processing of personal data.
- Over half develop the organisation’s data protection processes.
- Over half draft or carry out data protection impact assessments.
- Over half fulfil the data subject requests on their data protection rights.
- Almost half draft or negotiate contracts such as data processing agreements.
- Over 25% are responsible for the lawfulness of the processing of personal data.
Following the responses received, the DPC noted that, in practice, DPOs carry out considerably more tasks, with more responsibility, than outlined in the GDPR. The DPC observed that some of these tasks are better performed by the organisation itself rather than by an independent DPO. For example, over 50% of DPOs state that, as an additional task, they draft or carry out DPIAs. Whilst the DPO can play a vital role in a DPIA by being consulted for advice before or during the project, it is the controller’s task, rather than the DPO’s, to carry out a DPIA where one is necessary (Article 35(1) GDPR). The DPC’s view is that a DPIA should ideally come from the controller and, specifically, from the unit within the organisation with the best expertise in the area the DPIA concerns.
At this stage the DPC proceeded to outline some of the positives to emerge from the engagement.
Positives.
Article 38(1) and 39 GDPR
The DPC found it encouraging that nearly all organisations require the DPO to be consulted on data protection issues and that, for the most part, the DPO was involved or consulted in handling and solving problems related to the processing and protection of personal data in the organisation (Q25/26). The DPC also saw it as a positive that almost all DPOs stated that, in general, the DPO’s opinions are followed in the organisation. In addition, the large majority, nearly 75% of DPOs, document why their advice is not followed, for example why a DPIA was not deemed necessary prior to undertaking a project. A DPO’s record of why their advice was not followed, and of the decision-making process, will assist an organisation in meeting its accountability obligations under Article 5(2) GDPR.
Data protection consultants such as us here at GDPRXPERT.ie are aware that talk is cheap, and actions speak louder than words. How many times have data protection advisers been told, ‘we would love to have a DPO but it is hard to convince management/owners’? This happens even in organisations where there is a mandatory obligation to appoint a DPO! The EDPB is still strong on education and awareness building and, understandably, wants this mode to continue, at least in the short term. Partly for this reason it asked the DPC to outline some actions taken to attain this goal, for example whether it had already published general guidance (guides, guidelines, etc.) regarding DPOs, including before the coordinated action was launched.
The DPC’s response was that it had published guidance on appropriate qualifications for a Data Protection Officer on its website. This guidance recommends that the appropriate level of qualification and expert knowledge should be determined according to the personal data processing operations carried out, the complexity and scale of the processing, the sensitivity of the data processed and the protection required for that data. Guidance entitled ‘Who Needs a DPO under Article 37(1) GDPR?’ has been published on the website, together with guidance on how to notify the DPC of a DPO under Article 37(7) GDPR.
The next query was: Have you taken action (i.e., fact finding exercises, informal contact, prior consultation, investigation) towards any of the organisations concerning the designation, tasks and/or role of the DPO prior to launching the coordinated action? Please describe the action you have taken and the outcome of this action (e.g. letter, recommendations to the organisation, general guidance, corrective measures such as orders, injunctions with or without an incremental penalty, administrative fines).
Pursuant to its tasks as a supervisory authority under Article 57 of the GDPR, in 2020 the DPC commenced a project to assess compliance by public bodies with the Article 37(1) obligation to designate a DPO. From a total of almost 250 public bodies, comprising Government Departments and agencies as well as Local Authorities, 77 were identified as potentially not compliant with the requirements. Engagement was to take place with each of these public bodies setting out how they were to bring themselves into compliance with Article 37(7) of the GDPR by the end of 2020, raising the sector’s compliance rate from 69% to 96%. The DPC carried out an Own-Volition Inquiry into one of the public bodies as a result of this monitoring and enforcement exercise, and that body was issued with a reprimand in respect of infringements of Articles 31, 37(1) and 37(7) of the GDPR.
Finally, the DPC was asked for any general impression of the levels of awareness and compliance of the organisations that had been consulted concerning the designation, tasks and/or role of the DPO?
The DPC’s general impression of the levels of awareness and compliance of the organisations concerning the designation, tasks and role of the DPO was that they were quite high. In the large majority of cases, almost 80%, DPOs replied that they had at least three years’ experience working on the application and interpretation of data protection requirements (Art. 37(5) GDPR). This level of expertise broadly matched the DPO’s experience in the organisation’s particular industry, with over 50% stating they had 8+ years in their organisation’s industry or field. A concern was raised by the DPC, however, that the DPO role in some organisations is considered part-time and, as previously noted, this may have an impact on the effectiveness of the role. This situation arose more in the voluntary and not-for-profit sectors, which may indicate budgetary constraints in those sectors compared with the private sector. In some cases the DPO could allocate as little as 10% or 20% of their working hours to performing their tasks and duties, likely impacting effective data protection compliance in the organisation.
Data Breaches.
The DPC’s Regulatory Strategy 2022-2027 recognises the important role DPOs perform in championing data protection in their organisation. Organisations are obliged to notify personal data breaches to the DPC, and such notifications usually come from the DPO, who is well placed to distinguish minor breaches from major ones. Working closely with DPOs, the DPC aims to mitigate data breaches where they occur. It is important that an early response is activated to address the financial, legal and reputational risks to the organisation as well as to vindicate the rights of the data subjects involved (see DPC Report 2023 at 27).
In 2023 there were 6,991 valid GDPR breach notifications, a 20% increase on 2022. The largest category notified to the DPC was ‘unauthorised disclosure’, which covers cases affecting one or a small number of individuals and accounted for 52% of total notifications (3,461). Of the 6,991 breaches, 3,766 related to the private sector, 2,968 to the public sector and the remaining 257 came from the voluntary and charitable sector.
In keeping with the trend of previous years, public sector bodies and banks accounted for the ‘top ten’ organisations with the highest number of breach notifications recorded against them, with insurance and telecom companies featuring prominently in the top twenty. Notably, correspondence issuing to incorrect recipients because of poor operational practices and human error – for example inserting a wrong document into an envelope addressed to an unrelated third party – continues to feature prominently.
Here at GDPRXPERT.ie, we always emphasise to our clients that it is often something very simple that leads to a data breach. It is not usually caused by an overwhelming breach of security but rather by some human error. This is borne out by the statistic in the 2023 Report that 51.66% of breaches result from emails or postal material going to the incorrect recipient (1,203 for the former, 2,255 for the latter). These figures seem abnormally high, but the facts speak for themselves. Clearly a large number of these breaches could be avoided by extra vigilance before posting or pressing the Send button!
The report also outlined some of the more notable inquiries and related enforcement actions that concluded in 2023.
| Organisation | Decision Issued | Fine Imposed | Corrective Measure Imposed |
|---|---|---|---|
| WhatsApp Ireland Ltd | January 2023 | €5.5 million | Order re: Articles 5(1)(a) and 6(1) GDPR. |
| Kildare County Council | January 2023 | €50,000 | Temporary ban on CCTV cameras at a number of locations. Order re: Articles 5(1)(a), 6(1), 13 and 32(1) GDPR; sections 71, 72, 76, 78 and 82 Data Protection Act 2018. |
| Centric Health | February 2023 | €460,000 | Reprimand re: Articles 5(1)(f), 5(2) and 32(1) GDPR. |
| Bank of Ireland | February 2023 | €750,000 | Reprimand re: Articles 5(1)(f) and 32(1) GDPR. Order re: Articles 5(1)(f) and 32(1) GDPR. |
| Meta (Facebook) | May 2023 | €1.2 billion | Suspension of data flows re: Article 46 GDPR. Order re: Article 46 GDPR. |
| TikTok | September 2023 | €345 million | Reprimand re: Articles 5(1)(a), 5(1)(c), 12(1), 13(1)(e), 24(1), 25(1) and 25(2) GDPR. Order re: Articles 5(1)(a), 5(1)(c), 12(1), 13(1)(e), 24(1), 25(1) and 25(2) GDPR. |
These give a flavour of the issues and fines being seen in the context of violations of the GDPR. In the cases of Centric Health, Bank of Ireland and Kildare County Council, the DPC had its decisions to impose the fines confirmed by the Dublin Circuit Court in November 2023. As part of data protection training, GDPRXPERT.ie likes to give insights into case law and cases from the DPC. These are warmly received by those undergoing training as they give practical examples of the GDPR in action without having to go into the very technical details in every case.
In a previous blog we looked at the TikTok case referenced above, and we may be looking at TikTok again in a future blog in relation to another fine imposed by the DPC, one which TikTok will be appealing. This involves the unlawful transfer of personal data to China. The DPC’s announcement stated:
“The Irish Data Protection Commission has today announced its final decision following an Inquiry into TikTok Technology Limited (“TikTok”). This Inquiry was launched by the DPC, in its role as the Lead Supervisory Authority for TikTok, to examine the lawfulness of TikTok’s transfers of personal data of users of the TikTok platform in the EEA to the People’s Republic of China (“China”). In addition, the Inquiry examined whether the provision of information to users in relation to such transfers met TikTok’s transparency requirements as required by the GDPR.
This strong decision, which was made by the Commissioners for Data Protection, Dr Des Hogan and Mr Dale Sunderland, and has been notified to TikTok, finds that TikTok infringed the GDPR regarding its transfers of EEA User Data to China and its transparency requirements. A part of the decision sets out administrative fines totalling €530 million and an order requiring TikTok to bring its processing into compliance within 6 months. On top of this and included with the decision is an order suspending TikTok’s transfers to China if processing is not brought into compliance within this timeframe”.
Concluding Remarks
The Annual Report of the DPC for 2023 shows the breadth of the work undertaken throughout that year, including work that only concluded in 2023 after intensive research and investigation. It is fair to say that the DPC sought to defend the individual’s right to proper protection of their personal data through fair and proportionate regulation, in line with all applicable legal frameworks and a continuously evolving body of case law.
Patrick Rowland for GDPRXPERT.ie
GDPRXPERT.ie offers a comprehensive data protection consultancy service with particular emphasis on the onerous responsibilities placed on organisations under the GDPR.