Global menu

Our global pages

Close

Data Protection Commission Publishes its 2021 Annual Report

  • Ireland
  • Other

24-02-2022

 

The Data Protection Commission (“DPC”) has today published its annual report for 2021.

2021 marks the third full year of the implementation of the GDPR and was a year that saw significant uptake and momentum in data protection regulation and enforcement throughout Europe, including Ireland. Once again we have seen significant increase in complaints, inquiries, data breaches and guidance, with such increases expected to follow in 2022.

Helen Dixon, Commissioner for Data Protection, has emphasised that “2021 was a year of strong regulatory results from the DPC, in which it delivered impactful and far-reaching outcomes for the protection of individuals’ personal data”. This is clearly demonstrated in the statistics highlighted in the report.

The DPC has received a budget increase of €4.1 million this year bringing the total funding for the DPC to €23.2 million. As such, 2022 is likely to be a year of continued regulatory activity and enforcement from the DPC in which the DPC will continue play a leading role throughout Europe.

Some key areas of interest in the DPC annual report include:

Data Breaches

6,549 valid data breach notifications were received by the DPC in 2021. The report provides that 95% of the total recorded breach cases were concluded in 2021.

The report notes that a disproportionately high amount of the breach notifications (2,707) originate from public sector organisations in Ireland. Similar to previous years, the most frequent category of data breaches notified in 2021 was in relation to unauthorised disclosures which accounted for 71% of the total notifications. The DPC stated that the incidents related to unauthorised disclosures were mostly due to poor operational practices and human error.

The DPC has stated that the focus for 2022 will be on prioritising enforcement cases and, as such, the DPC will only be providing an acknowledgement of receipt of the data breach notifications that are submitted and will not be issuing recommendations or requesting further information in most instances. These operational changes will likely impact those organisations that make such notifications in future and reinforces the need for organisations to follow up with additional information and/or clarification information when it becomes available.

Complaints

The DPC received 7,469 queries and 3,419 complaints from individuals in 2021. Common themes in the complaints and queries made by individuals against organisations ranged from issues such as access requests, fair-processing, direct marketing and the right to be forgotten. In 2021, the DPC concluded 7,081 queries and 3,564 complaints, including 1,884 complaints received prior to 2021.

We expect that there will continue to be an increase in complaints during the course of 2022.

• Inquiries

As of the 31 December 2021, the DPC had 81 Statutory Inquires on-hand, including 30 Cross-Border Inquiries.

The DPC concluded 5 large-scale inquiries; sent forward 4 draft decisions to the EU co-decision making process; referred 1 case to the EU dispute resolution mechanism on foot of which the DPC issued a finalised decision; issued a further 9 preliminary drafts of decisions for submissions to regulated entities and complainants in advance of finalisation, and sought submissions on statements of issues or inquiry reports from relevant parties in a further 17 inquiries.

Enforcement Action, Imposition of Fines and Corrective Measures

The annual report features accounts of the outcomes delivered in a number of significant inquires concluded by the DPC. Over the course of 2021, fines and corrective measures were imposed in a number of finalised cases. These decisions not only imposed significant fines on some organisations, they addressed some key issues for controllers, including the level of transparency expected of controllers. Domestically, a significant outcome was also delivered in an inquiry involving Limerick City and County Council and a settlement was also reached with the Department of Social Protection (“DSP”) in relation to the DSP’s processing of personal data when issuing the Public Service Card.

Children’s Data Protection Rights

In 2021, the DPC published its finalised Fundamentals for Child-Orientated Approach to Data Processing (“Fundamentals”), which provides much-needed clarity and direction to organisations involved in the processing of children’s data.

It is important for organisations to note that the Fundamentals have immediate application and operational effect and will form the basis for the DPC’s approach to supervision and enforcement in the area of processing children’s personal data.

Cookies Investigations

During 2021, the DPC continued to carry out its cookies sweep, and examined a significant number of websites to assess compliance with the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011.

It was notable that the DPC has continued to receive complaints and concerns from members of the public about the use of cookies and tracking technologies. Issues that the DPC targeted in 2021 included the setting of tracking and advertising cookies without consent, the use of cookie banners that obscured the text of the cookies and privacy notices on websites, and the use of pre-ticked boxes or toggles to signal consent for cookies. The DPC noted that that investigations and enforcement in this area will continue to be a key element of the DPC’s activities in 2022.

Conclusion

The full annual report can be found on the DPC website here.

The annual report provides useful and practical guidance for organisations on their obligations under data protection law and maintaining compliance with same. It highlights that while data controllers in Ireland continue to improve their compliance efforts, higher standards of responsiveness to individuals seeking to exercise their rights are still needed in many sectors.

Should your organisation have any data protection queries or wish to discuss any concerns, we are happy to assist and support your organisation through any issues.

 

For more Information, please contact;

 

Marie McGinley, Partner, Head of IP, Technology and DP - MarieMcGinley@eversheds-sutherland.ie

Sophie Delaney, Solicitor, IP, Technology & DP, Corporate - SophieDelaney@eversheds-sutherland.ie

Leona Chow, Solicitor, IP, Technology & DP - LeonaChow@eversheds-sutherland.ie

 

Marie McGinley, Partner

< Go back

Print Friendly and PDF

© Eversheds Sutherland 2023. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities.

Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.