14 June 2024

On 29 May 2024, the Data Protection Commission (“DPC”) released its annual report for 2023 (the “Report”).

In a recent article, our team summarised the highlights of the Report, noting the increased workload of the DPC and the main trends in respect of complaints, inquiries, data breaches, and supervisory engagement.

Below, to provide further insight into the approach of the DPC, we take a closer look at some of the key topics and themes noted by the DPC throughout the Report.

Amicable resolutions

The Report notes the important role of the amicable resolution process as part of the DPC’s handling of complaints and shows the willingness of the DPC to facilitate this process.

Under the Data Protection Act 2018, the DPC must consider whether a complaint can be amicably resolved within a reasonable period. If the DPC believes an amicable resolution is reasonably likely, then it can take appropriate steps to facilitate this.

When complaints arise, data controllers should bear in mind the readiness of the DPC to initiate the amicable resolution process depending on the facts of the case.

The Report notes that in the DPC’s experience a high proportion of complaints are amenable to amicable resolution in a timely fashion, benefitting both data controllers and data subjects. Interestingly, when assessed against the tendencies of other supervisory authorities across the EU, the DPC has concluded significantly more complaints by way of amicable resolution.

In 2023, the DPC resolved 578 complaints through the amicable resolution process.

Demonstrating accountability

The Report emphasises the importance of documentation and records when it comes to demonstrating compliance with data protection laws, as required under Article 5(2) of the GDPR.

Various case studies and sections of the Report refer to a failure of data controllers to sufficiently evidence their decision-making, thereby failing to demonstrate compliance.

The DPC makes specific mention of circumstances where a data controller is relying on legitimate interests as a legal basis. In these cases, in addition to a robust legitimate interest assessment, the Report stresses the need for strong supporting material and evidence to justify reliance on this legal basis.

In light of this, organisations should be mindful to keep detailed records of supporting evidence where appropriate when justifying the reasons for processing personal data. Comprehensive data protection policies and procedures, and incorporating privacy by design, can assist with compliance in this regard.

Data Protection Officers

The DPC has been notified of the designation of 3,520 data protection officers (“DPOs”) as of the end of 2023.

The Report, as well as the DPC’s Regulatory Strategy 2022-27, recognises the crucial role that DPOs play in championing data protection in their organisations.

The Report highlights that the DPC is committed to supporting DPOs, and often engages directly with DPO networks. Further, 2023 saw the DPC conduct a fact-finding exercise for the purpose of participating in discussions in relation to the European Data Protection Board’s Coordinated Enforcement Framework concerning DPOs.

During this review, the DPC found substantive issues in three areas:

  1. Resources: the Report noted that approximately 33% of respondents replied that they do not have the resources sufficient to fulfil the role of a DPO.
  2. Conflicts of interest concerns under Article 38.6 of the GDPR.
  3. Tasks of the DPO: approximately 36% indicated that the data protection officer’s tasks are performed in addition to other tasks, rather than as the main task. In that regard, it was noted that many of the non-data-protection roles held alongside the DPO role, such as Health and Safety Officer, Human Resources Officer, Employee Engagement Manager and Communications Officer, did not complement it.

Organisations should ensure that DPOs are well supported and resourced, and the tasks of the DPO are appropriate and proportionate to the role. Articles 37 – 39 of the GDPR are instructive in this regard, and given the significance of the role, it is vital that DPOs have the expert data protection knowledge required to perform their tasks and are not distracted from this task by other compliance roles.

Children’s data protection rights

Children’s data protection rights are a priority focus area for the DPC.

This is apparent from the spotlight on children’s rights in the Report, and the inclusion of the topic as a main focus in the DPC’s Regulatory Strategy 2022-2027.

The DPC was active in this space in 2023, producing four guides in relation to children’s data protection rights under the GDPR which addressed various issues including the age of digital consent.

Further, the Report details how, throughout 2023, the DPC engaged with educational bodies in the context of data protection practices in education settings. The DPC has commenced drafting a new “Data Protection Toolkit for Schools” which includes a detailed guidance document, a sample data protection impact assessment template, and tips on what to include in relevant school privacy policies.

Decisions and fines issued by the DPC in 2023 emphasise the high threshold to be met when processing children’s personal data and protecting children’s data protection rights. Data controllers must be able to clearly justify and document the processing of children’s personal data, and where possible, incorporate proper data protection procedures and practices by design and default. The Report notes that transparency of processing and communication with data subjects is also key.

The DPC was also nominated as a representative member of the newly formed Task Force on Age Verification under the Digital Services Act and has engaged extensively with Coimisiún na Meán in relation to Ireland’s first Online Safety Code, which is due to come into force later this year.

CCTV

One of the key focus areas for the DPC as highlighted in the Report is the deployment and use of surveillance technologies, particularly at large scale or in areas where there is a higher expectation of privacy (such as restrooms). The DPC published a revised version of its CCTV guidance to provide clarity to organisations in this regard.

The Report details several cases involving the use of surveillance technologies such as CCTV systems, Advanced Number Plate Recognition technology and body-worn cameras.

The DPC stresses that where these technologies are used, the lawful basis for processing personal data must meet the standard of precision, clarity and foreseeability required under EU law. Several inquiries into local authorities during 2023 resulted in fines and temporary bans on the operation of CCTV cameras in certain locations.

The decisions underline that organisations (including governmental entities and local authorities) must have a clear justification and lawful basis for the use of CCTV footage and other surveillance measures. CCTV must only be deployed when it is necessary and proportionate to do so.

A further case study contained in the Report involves the use of CCTV in a restaurant restroom, which was installed by an organisation for the purpose of preventing anti-social behaviour and other risks. The DPC noted that the data controller had not adequately demonstrated that the CCTV was necessary, as no strong evidence of previous incidents or issues was provided, nor evidence to suggest that CCTV would prevent anti-social behaviour and/or reduce the risk of slips, trips or falls.

The DPC ordered that the restaurant switch off the cameras and securely delete all footage stored until a comprehensive assessment demonstrating justification for the CCTV was concluded.

This case reiterates the importance of not only completing risk assessments – the DPC requested a copy of the legitimate interest assessment – but supporting the conclusion of those risk assessments with strong documentary evidence.

During 2023, the DPC also consulted in relation to three draft codes of practice prepared under the Circular Economy and Miscellaneous Provisions Act 2022. The aim of the DPC was to ensure that the codes provided a clear legal basis for local authorities to use CCTV and other recording technologies where necessary, proportionate and in the public interest to do so. The three codes of practice were finalised by the end of 2023.

The DPC’s updated CCTV guidance can be found here (PDF, 525KB).

Final word

In the Report, noteworthy references are made to two separate topics, being reprimands and AI.

The DPC issued numerous reprimands in 2023. The DPC’s power to issue reprimands was expanded by an amendment to section 109 of the Data Protection Act 2018 that allows the DPC to issue reprimands outside of the inquiry process.

Organisations should note that while in certain cases the DPC may issue reprimands as the sole corrective measure, reprimands will form part of any consideration of potential future action by the DPC against a data controller.

Regarding developments in connection with AI, the DPC is taking a proactive approach. The DPC is engaging with tech companies and stakeholders to ensure data protection concerns are taken into account and incorporated into the design of AI software and products at an early stage.

We advise organisations to leverage their existing GDPR toolkits in preparation for complying with the GDPR as they roll out their AI programmes.

Get in touch

If you have any queries related to the work and activities of the Data Protection Commission, please do not hesitate to contact our team below. We would be delighted to hear from you.

Emma Ritchie

Head of Data Protection & Privacy, KPMG Law LLP

David McMunn

Director & Head of Technology & Digital Law, KPMG Law LLP

Tom Hyland

Director, Consulting, KPMG in Ireland

Jack Lehane

Manager, KPMG Law LLP