Ireland

This Decision arises from an own-volition inquiry into the University of Limerick (‘UL’) following a series of personal data breaches that occurred between November 2018 and January 2020. The temporal scope of the Inquiry is from May 2018 to January 2020.

This own-volition inquiry, which commended in July 2021, follows a prior DPC investigation into certain aspects of the DSP’s processing of personal data in connection with the issuance of PSCs. That investigation resulted in legal proceedings, in which the DSP appealed an Enforcement Notice issued by the DPC, which were subsequently withdrawn. A joint agreement between the DPC and the DSP as well as the final investigation report from that inquirywere published in December 2021. The final invest

The breach arose from MPIL’s use of user tokens in connection with certain features on the Facebook platform. User tokens are coded identifiers that can be used to verify the user of a platform or utility, and to control access to particular platform features and personal data of the user and their contacts. In 2017 MPIL introduced a new video uploading feature. When used in conjunction with Facebook’s ‘View As’ feature (which allows a user’s page to be viewed as another user would see it) and t

For more information, you can download the full decision at this link:Inquiry into Sligo County Council November 2024 - (PDF, 7.6MB)

This decision arises from an own-volition inquiry that the DPC commenced in July 2019. The inquiry related a personal data breach notified by Maynooth University in November 2018.

The DPC has completed a complaint based inquiry into MIG’s processing of personal data in relation to a series of news reports in the print and online editions of the Irish Independent, Herald and Sunday Independent newspapers. The purpose of the inquiry was to examine if any obligations on the controller arising under Articles 5(1)(a), 5(1)(c), 5(2), 6 and 9 GDPR had been engaged and, if engaged, whether MIG infringed those obligations in publishing the personal data relating to the Complainant

In light of the infringements of Articles 13(1)(c) and 13(1)(d) of the GDPR, the DPC issued a reprimand to Apple pursuant to Article 58(2)(b) of the GDPR, and the DPC ordered Apple, pursuant to Article 58(2)(d) of the GDPR to review and revise its document entitled “Apple ID Deletion Terms and Conditions” to address the transparency deficiencies identified in the DPC’s decision. In addition, with regard to Apple’s project, the DPC ordered Apple to provide details of completion of this project to

The DPC finds that Microsoft infringed Article 12(4) of the GDPR in respect of the March erasure request when it failed to inform the complainant of the possibility of seeking a judicial remedy when it responded to them outlining the reasons for not taking action, in part, on the complainant’s erasure request.

The DPC found that Airbnb did not validly rely on Article 6(1)(f) of the GDPR as the legal basis for processing the Complainant’s photographic ID and supplemental photographs; that Airbnb’s requirement that the Complainant verify his identity by submitting a complete and unredacted copy of his photographic ID constituted an infringement of the principle of data minimisation, pursuant to Article 5(1)(c); that by retaining, after the identity verification process was successfully completed and unt

The Data Protection Commission (DPC) adopted its final decision regarding its inquiry into TikTok Technology Limited (TTL) on 1 September 2023.

The DPC fined LinkedIn €310 million for unlawfully processing the personal data of LinkedIn members for behavioural analysis and targeted advertising. The investigation found LinkedIn relied on consent, legitimate interests, and contract performance as legal bases without meeting the conditions of any of these.

The DPC fined TikTok €345 million for failing to protect children's privacy. Findings included: accounts of users aged 13-17 were set to public by default, the Family Pairing feature allowed adults to link to children's accounts without verifying their age, and the 'public' setting defaulted to allowing other users to include children's videos in duet/stitch features.

The DPC issued a €1.2 billion fine against Meta Ireland — the largest GDPR fine to date — for transferring personal data of EU/EEA Facebook users to the United States without adequate safeguards following the invalidation of Privacy Shield by the Court of Justice in the Schrems II ruling.

The DPC fined Instagram €405 million for mishandling the personal data of children and teenagers. The investigation found that children's accounts were set to public by default, and that contact details of minors were publicly accessible.

The DPC fined WhatsApp €225 million for failing to comply with GDPR transparency requirements. WhatsApp did not adequately inform users and non-users about how their data is shared with other Meta companies.