Electronic transfers

Eire: CPD Annual Report 2020: Enforcement and transfers dominate agenda

In its second full 12 months of overseeing and regulating GDPR in Eire, the Knowledge Safety Fee (CPD) revealed his Annual report 2020, highlighting the principle observations, rising instructions, and large-scale investigations and choices of 2020.

The primary areas of focus of the DPC in 2020 included enforcement (each GDPR and privateness), breach notifications, knowledge transfers (together with a rise in BCR functions) and an elevated deal with the lead regulatory supervisor (or “ one cease store ”). mechanism.

Violation notifications

Violation notifications to the DPC elevated by 10% in 2020, reaching a complete of 6,628 legitimate notifications. 90% of recorded breach instances had been concluded in 2020. In distinction, solely 70 legitimate knowledge breach notifications had been acquired underneath the On-line Privateness Regulation and 25 notifications underneath the Enforcement Directive. regulation.

About 60% of reported knowledge breaches occurred within the non-public sector. Unauthorized disclosure of non-public knowledge stays the first purpose for breach notifications. Safety vulnerabilities, together with hacking, unauthorized entry, malware, phishing, and ransomware assaults, complete 462 breach notifications. The DPC famous that the proactive measures taken by organizations are inadequate past their preliminary IT techniques implementation. The DPC recommends that organizations:

  • undertake periodic opinions of their IT safety measures;
  • implement a complete coaching plan for workers; and
  • help with recycling and consciousness packages.


The report presents the intensive enforcement work carried out by the DPC in 2020. The DPC dealt with 10,151 instances in 2020 and carried out 83 ongoing statutory inquiries, together with 56 nationwide inquiries and 27 cross-border inquiries. It was a 12 months of firsts for the DPC – it issued its first superb underneath the GDPR and its first determination underneath the consistency mechanism of Article 60 of the GDPR; it additionally turned the primary supervisory authority to set off the dispute decision mechanism of article 65 of the GDPR. Though a complete of 11 choices have been issued this 12 months, we anticipate the DPC to keep up momentum and ship choices in a number of large-scale cross-border statutory inquiries in addition to different nationwide inquiries in 2021.

Selections on new surveillance applied sciences

Two choices issued in 2020 handled surveillance applied sciences, together with video surveillance techniques, which lacked applicable transparency measures and a authorized foundation. Public sector surveillance (via body-worn cameras and drones), in addition to using CCTV cameras by native authorities, had been additionally a spotlight. 9 native authorities had been concerned in statutory investigations in 2020 and vital issues concerning their non-compliance, together with compliance with their obligations as knowledge controllers, had been highlighted by the DPC.

On-line Privateness Enforcement – Web site and Advertising Cookies

Following a large-scale cookie survey in early 2020 and the publication of up to date recommendation on cookies In April, the DPC granted organizations a 6-month interval till October 2020 to deliver their web sites and functions into compliance. Seven organizations have since acquired success notices, primarily associated to the gathering of invalid consent and failure to adjust to transparency obligations. As well as, the DPC concluded 149 digital direct advertising investigations in 2020, after receiving 144 new complaints this 12 months. Six firms had been prosecuted for direct advertising offenses, primarily for failing to acquire the legitimate consent required to ship direct advertising communications by way of e-mail and SMS. The lawsuits emphasize the significance of guaranteeing that CRM techniques seize all unsubscribe updates. The vast majority of the organizations in query haven’t honored buyer unsubscribes resulting from technical failures of their techniques or the shortcoming to supply a approach to unsubscribe.

First huge superb in opposition to a multinational tech firm

The DPC imposed its largest superb of $ 550,000 (roughly € 450,000) on a multinational tech firm for failing to report and doc a private knowledge breach. This case is especially exceptional as a result of it was:

  • the primary draft determination of the DPC to be submitted underneath Article 60 of the GDPR;
  • the primary time {that a} supervisory physique triggered the dispute settlement mechanism of Article 65 of the EDPS;
  • the primary draft determination in a ‘huge tech’ case on which all EU supervisory authorities have been consulted as involved supervisory authorities (ASCs); and
  • the primary superb of the DPC imposed in a cross-border case.

The emphasis continues to be on the amicable decision of complaints with out the involvement of the DPC. Organizations had been reminded to take severely and supply proof to people that complaints are correctly investigated, in addition to to place in place key knowledge safety insurance policies and safeguards to deal with any points. . Going ahead, this can embody setting up applicable codes of conduct and certification to display not less than a fundamental stage of compliance with GDPR ideas.

Knowledge transfers, BCR functions and one-stop-shop

The DPC, along with supervisory authorities throughout Europe, responded to the Schrems II determination revealed by the Courtroom of Justice of the EU in July 2020 and the Controversial draft suggestions from the EDPB which had been launched in November. Because the authority that initiated the Schrems II process, the DPC was significantly energetic following the choice, having opened an investigation into the transfers from Fb to the US following the judgment and being concerned in continuation of the dispute with Fb and Max Schrems.

In 2020, the DPC acted as lead reviewer for Binding Company Guidelines (BCR) requests from 28 organizations. The DPC additionally co-edited as CSA and took part as a part of the Article 64 opinion drafting groups of 5 BCRs. The DPC reported that the workload on this space has elevated after Brexit as firms search to switch their major supervisory authority for BCR functions to the DPC underneath the ‘One-Cease-Store’ mechanism. (OSS) of the GDPR.

The OSS mechanism permits organizations to be topic to regulatory oversight for cross-border processing by an information safety authority in an EU Member State the place they’ve a “principal place of work”. With a purpose to decide whether or not Eire might be thought-about because the principal place of work of a enterprise, the principle questions usually requested by the DPC are:

  • The place are the selections concerning the needs and technique of processing lastly authorized?
  • The place is the director (or directors) with general duty for the administration of cross-border processing?
  • The place is the controller or processor registered as an organization, whether it is positioned in a single territory?

In contemplating the responses to those and different questions, the DPC famous that organizations should be capable to display the precise and efficient train of administration actions in Eire which decide the principle choices as to the needs and technique of therapy underneath secure preparations.

In 2020, the DPC acquired 354 complaints of cross-border processing by way of the OSS mechanism which had been lodged by people with different knowledge safety authorities within the EU.

Concentrate on the monetary providers sector

The DPC has proactively engaged with Irish companies and knowledge safety officers within the FS sector. The DPC has expressed issues concerning the extreme assortment, processing and automatic profiling of buyer knowledge by firms in an effort to adjust to rules. Those that course of giant quantities of buyer knowledge for AML functions ought to undertake a Knowledge Safety Impression Evaluation (DPIA) to evaluate and decrease knowledge safety dangers. The DPC has launched intensive consultations on the creation of recent databases inside the framework of the 4e and 5e AML pointers. In 2020, the DPC additionally interviewed firms within the fast-growing fintech sector in Eire and raised questions on matters reminiscent of worldwide transfers and knowledge topics’ rights.

Processing of youngsters’s knowledge

Following the publication of its draft pointers on processing of youngsters’s knowledge, the CPD centered on kids’s knowledge safety rights, age verification processing, direct advertising / promoting to kids and the difficulty of parental consent. Organizations that cope with kids’s knowledge, reminiscent of fintech, social media, or authorities sectors, ought to be aware of the principle CPD suggestions on this information, often called “Fundamentals”. The DPC encourages the event of codes of conduct for numerous sectors that cope with kids’s knowledge, together with ISPs and suppliers within the training sector.

Knowledge safety officers

The DPC famous 570 DPD registrations in 2020. Counting on its DPO community which was created in 2019, the DPC continues its engagement with public our bodies particularly, of which 77 out of 250 have been recognized as probably non-compliant with the necessities. of the DPD. The DPC has indicated that it’s going to increase its compliance and monitoring actions on this space and that it’s going to undertake a sectoral strategy to this monitoring.

CPD Technique for 2021

Funding for CPD continues to extend. 2020 noticed a rise of 1.6 million euros to its 2019 finances. This may improve headcount and implement an IT infrastructure to assist handle workload, workflow and reporting.

Along with persevering with to observe and implement cookie compliance, companies can anticipate DPO enforcement and knowledge transfers to proceed. A number of main DPC expertise investigations will probably be finalized in 2021 and corrective actions shouldn’t be restricted to financial fines, execution notices and corrective powers are additionally more likely to be deployed in sure instances – such sanctions might happen. ‘show much more expensive if enterprise actions are placed on maintain.

Supply hyperlink

Comment here

placeholder="Your Comment">