DPC’s 2023 Report – increase in access requests, breach notifications and cross border co-operation
The Data Protection Commission (“DPC”) published its 2023 Annual Report on 29 May 2024 (the “Report”). The Report can be accessed here and provides a helpful summary of the DPC’s actions over the course of 2023.
The key themes include:
1. CCTV
The DPC received a significant increase in queries relating to CCTV, in particular areas where there is an increased expectation of privacy such as bathrooms and accordingly published updated guidance in 2023.
A controller who intends to use CCTV should:
- Rely on a lawful basis pursuant to article 6 of the GDPR and only process personal data where it is necessary and proportionate.
- Undertake necessary assessments before installing CCTV to demonstrate accountability.
- Consider measures to protect data subjects such as restricted access to the footage.
- Delete footage regularly.
- Ensure all policies and procedures are up to date.
2. Increased Access Requests and Breach Notifications.
In 2023, the DPC received 6991 valid data breach notifications. This represents a 20% increase from the previous year. Most breaches continue to relate to human error, for example a letter or email sent to the wrong person. A controller must notify the DPC within 72 hours of becoming aware of the breach.
39% of all complaints and queries received by the DPC concerned access requests. Article 15 of the GDPR provides that data subjects are entitled to a copy of the personal data being held about them . In 2023, the DPC issued three enforcement notices to organisations for their failure to comply with article 15 of the GDPR. A data controller should always be conscious of the clock and respond to a subject access request in a timely manner and in any case by 30 days.
A controller should ensure it:
- Monitors the clock – report all breaches to the DPC within 72 hours. Respond to access requests within 30 days. This can be extended by a further two months in limited circumstances.
- A breach notification and subject access request policy is in place.
- Regular training should be provided to staff.
3. Cross Border Inquiries
In addition to national inquiries, the DPC works with its European colleagues on large-scale inquiries and more generally in guidance and standard setting. In 2023, the DPC received 156 valid cross-border complaints as the Lead Supervisory Authority. Since the introduction of the GDPR, the DPC has acted as Lead Supervisory Authority (LSA) for 87% of complaints received.
It concluded 61 cross border inquiries this year and delivered 87% of all GDPR enforcement fines across the EU including the DPC’s inquiry into Meta Platforms Ireland Limited in relation to data transfers from the EU to the USA. The decision imposed a fine of €1.2 billion on Meta Ireland, in addition to an order to bring its processing operations into compliance.
In September 2023, the DPC issued its final decision in its inquiry into TikTok Technology Limited. The inquiry examined the processing of personal data relating to children by TikTok. The Decision ordered TikTok to bring its processing into compliance and imposed fines totalling €345 million.
Outlook for 2024
The Report follows similar themes to previous years while also focusing on the DPC’s 2022 -2027 Regulatory Strategy which sets out its commitment to children and vulnerable adults’ data rights. The DPC will focus on regular offenders - controllers should remember that the DPC do maintain a record of all complaints received which forms part of its consideration for future actions, including inquiries.
Article provided by INPLP member: Laura Fannin (Hayes solicitors LLP, Ireland)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)