Electronic transfers

Highlights of the 2020 Annual Report of the Information Safety Fee

The Information Safety Fee (“DPC”) just lately printed its 2020 annual report (on “Report”) protecting its regulatory actions between January 1, 2020 and December 31, 2020. The report factors out that the DPC concluded quite a few large-scale investigations in 2020 which resulted in choices on infringements and, in lots of case, to the imposition of corrective measures. These topic to corrective motion included Kerry County Council, TUSLA, Waterford Metropolis and County Council, Ryanair, UCD, HSE, Groupon and Twitter. In Could 2020, the DPC used its positive energy for the primary time by imposing two fines on TUSLA and handed down its first positive in a cross-border case towards Twitter for € 450,000 in December 2020. On the finish of 2020, the DPC had 83 open statutory inquiries (together with 27 cross-border).

Notable highlights embrace:

  • 4,660 complaints obtained below the GDPR. The most important quantity considerations entry requests (27%).
  • 354 Cross-border dealing with of complaints obtained by means of the GDPR one-stop store.
  • 83 statutory inquiries (of which 27 have been cross-border inquiries into the GDPR compliance of multinational expertise corporations).
  • 147 complaints obtained relating to digital direct advertising (66 referring to e-mail advertising; 73 to SMS advertising; and 5 to phone advertising).
  • 6 corporations prosecuted for sending unsolicited SMS or e-mails in violation of ePrivacy 2011 rules. These corporations have been: Three Eire Companies (Hutchinson) Ltd, Mizzoni’s Pizza and Pasta Firm, AA Eire, Three Eire (Hutchinson) Ltd, Ryanair and Windsor Motors.
  • 6,783 Information breach notifications obtained with 6673 registered as legitimate private knowledge breaches (10% improve from 2019). Unauthorized disclosure accounted for 86% of all breach notifications.
  • € 450,000 positive issued to Twitter Worldwide Firm – the primary positive in a cross-border investigation.
  • In Could 2020, the DPC despatched the primary main European draft Article 60 resolution to all different knowledge safety authorities within the EU.
  • The variety of employees elevated to 145 and the DPC finances elevated to 16.9 million euros for 2021, reflecting the elevated workload of the DPC.


The DPC obtained 4,660 complaints from people below the GDPR and 50 complaints referring to its earlier regime, the information safety legal guidelines of 1988 and 2003 (as amended). Total, the variety of complaints obtained has decreased since 2019. Entry requests proceed to be the biggest class of complaints (30%), adopted by truthful therapy (27%) and disclosures (26%) ). The DPC pressured the significance of getting a transparent organizational coverage on the best way to deal with entry requests with a purpose to assist organizations keep away from expensive and time-consuming duplication.

Concerning entry requests, the DPC famous that knowledge controllers usually invoke skilled authorized privilege to justify the retention of non-public knowledge in response to an entry request, in accordance with Article 162 of the Legislation of 2018 on knowledge safety (the “Legislation of 2018”). The DPC famous that with a purpose to assess whether or not the privilege applies, it is going to want appreciable data, together with a proof as to the premise on which the privilege is claimed, and it’ll primarily search a story relating to every doc and, when the privilege referring to the dispute is claimed, data on when a dispute was threatened or thought of.

The report consists of case research that additional make clear the DPC’s grievance dealing with features, together with particulars of circumstances that have been resolved amicably and a case during which the DPC handled an Irish particular person’s grievance. towards the Germany-based e-commerce platform Cardmarket as a part of the One-Cease-Store Mechanism.

Information breach notifications

The DPC obtained 6,683 knowledge breach notifications in 2020, of which 6,673 have been registered as legitimate private knowledge breaches below the GDPR. This represents a ten% improve from 2019. Unauthorized disclosures accounted for 86% of all breach notifications. The DPC famous that it has seen a rise in using social engineering and phishing assaults. He identified that whereas many organizations initially put in place efficient ICT safety measures, they don’t take proactive measures to observe and evaluation these measures or to coach employees on evolving threats.

Statutory inquiries and choices

On the finish of December 2020, the DPC had 83 open statutory investigations, of which 27 have been cross-border investigations. Investigations are both primarily based on complaints or on voluntary inquiries. A number of the excessive profile cross-border investigations embrace:

  • Apple – There are 3 separate investigations primarily based on complaints about Apple. Considered one of these surveys examines whether or not Apple has a authorized foundation for processing private knowledge within the context of behavioral evaluation and focused promoting.
  • Fb – There are 8 separate investigations on Fb Eire and one regarding Fb Inc. These investigations look at a spread of points, together with Fb’s compliance with switch restrictions below Chapter V of the GDPR in gentle of the Schrems resolution II.
  • Google – The DPC has two voluntary surveys on Google. Considered one of them examines whether or not Google has a sound authorized foundation for processing the situation knowledge of its customers.
  • Instagram – There are 3 separate surveys on Instagram (2 of that are voluntary surveys). Considered one of these examines Instagram’s authorized foundation for processing private knowledge referring to Instagram customers below the age of 18 in reference to account settings.
  • LinkedIn – A complaint-based investigation is underway on LinkedIn to find out whether or not it has fulfilled its obligations with regard to the authorized foundation upon which it depends to course of private knowledge in reference to the behavioral evaluation and focused promoting on its platform.
  • WhatsApp – There are 2 separate investigations on WhatsApp, one analyzing whether or not WhatsApp has fulfilled its transparency obligations relating to the dealing with of knowledge between WhatsApp and different Fb corporations.
  • Twitter – The DPC has 3 separate inquiries on Twitter (2 of that are voluntary inquiries). Considered one of them was initiated in response to a lot of violations notified to the DPC since Could 25, 2018, the DPC analyzing whether or not Twitter has fulfilled its obligations to implement acceptable technical and organizational measures to safe the consumer’s private knowledge.

2020 was an essential 12 months for the DPC because it issued its first positive for cross-border investigation towards Twitter of € 450,000 for its dealing with of a private knowledge breach. The DPC additionally had quite a few nationwide inquiries which have been all voluntary inquiries. A few of these topic to nationwide surveys embrace: An Garda Síochána, Financial institution of Eire, Catholic Church, Division of Social Welfare, HSE, Pedagogical Council, numerous universities, TUSLA and no credit check

Scanning and Enforcement Cookie Surveys

In April 2020, the DPC printed steerage on using cookies and monitoring applied sciences. Organizations got a six-month window to deliver the cookies used on their web sites or platforms into compliance with the regulation and the DPC carried out a public consciousness marketing campaign throughout this era. On the finish of that window, the DPC wrote to twenty organizations on the finish of 2020 warning them that confirmations can be issued if the non-compliance was not addressed inside 14 days. Seven organizations ultimately obtained execution notices. The DPC famous that it had began receiving increasingly complaints from the general public about cookies and monitoring applied sciences in 2020, and that this development is predicted to proceed, with regulation enforcement.

Authorized continuing

The report notes that 2020 has been a busy 12 months for litigation with 14 judgments and / or orders issued in proceedings to which the DPC was a celebration. The report additionally examines the debates DPC vs. Fb Eire & Schrems (“Schrems II”) during which the CJEU rendered a judgment on July 16, 2020 in response to a referral request from the Irish Excessive Court docket in 2018 following proceedings initiated by the DPC in 2016 when it requested a referral relating to using customary contractual clauses (“SCC”) for transfers of non-public knowledge from the EU to the US. The CJEU upheld the validity of the SCCs, however supplied an in depth resolution relating to the transfers primarily based on Article 46 GDPR and in addition declared the EU-US Privateness Protect ruling invalid. Following this, the DPC opened an investigation into the transfers of non-public knowledge by Fb to america and this investigation was topic to judicial evaluation by Fb in 2020.


In the context of Covid-19, the DPC has worked with the government in areas such as the national back-to-work safety protocol and the Covid-19 contact tracing application (including providing a report in-depth on the impact assessment of data protection for the application), this activity to continue in 2021. The DPC has consulted the public sector within the framework of the Leaving Certificate Covid-19 agreements.

Binding corporate rules

Assessment and approval and binding corporate rules (“BCR”) applications of multinationals seeking a uniform approach where subsidiaries on a global scale transfer data between them. The DPC was the lead examiner in 42 requests and was contacted by a number of companies wishing to transfer their lead authority for the purposes of the BCR to the DPC. This has been identified as dramatically increasing the workload of DPC in 2020.

Processing of children’s data

In December 2020, the DPC published its “Fundamentals for a Child-Centered Approach to Data Processing with open submissions until 31 March 2021. In 2021, a fundamental initiative of the DPC will be to facilitate a project aimed at develop codes of conduct in relation to the processing of children’s data.

What’s next for 2021?

  • Of the 27 open cross-border statutory investigations, the DPC plans to share between six and seven draft Article 60 decisions this year with other EU data protection authorities. These draft decisions are expected to relate to investigations on Facebook, Instagram, WhatsApp, Google and Verizon, among others.
  • The establishment and approval of codes of conduct for code owners in a given sector in accordance with Articles 40 and 41 of the GDPR is expected to progress, with the DPC expecting to receive the first official draft code in early 2021.
  • The DPC says it will continue to focus on cookie investigations and enforcement measures throughout 2021, given the proposed reform in this area in the form of the Digital Services Act and the digital markets law proposed by the European Commission.
  • The report states that complaints about labor law disputes were widely represented in 2020. Given the continued impact of the Covid-19 pandemic on employers and the data protection implications around tracking employees and return-to-work protocols, this is expected to continue until 2021.

Supply hyperlink

Comment here

placeholder="Your Comment">