Case Studies General Accountability
Complaint alleging that a letting agency requested an excessive amount of personal data
An individual lodged a complaint with the DPC after they had viewed a rental property. In their complaint, they alleged that the letting agency had requested excessive personal data during the application process.
According to the individual, as they were unsuccessful in their application to rent the property, they made an erasure request to the letting agency under Article 17 of the GDPR for the deletion of their personal data. The letting agency responded to the individual advising that it had erased the personal data and confirmed that it had not shared personal data with any third parties. While the individual was satisfied with the response they received from the letting agent, they still had concerns regarding the amount of personal data that had been requested in the first instance. On this basis, they submitted a complaint to the DPC.
As part of the complaint handling process, the DPC contacted the letting agency requesting clarity on the different types of personal data it was requesting as part of the application process. The organisation confirmed it requested copies of identification; proof of current address; employment and previous landlord references; two-month bank statements; and a PPS number. The letting agency stated that the information was required for it to ensure the identity of the applicant and that the applicant can afford the property.
The DPC found that the organisation did not meet the principle of data minimisation under Article 5(1)(c) of the GDPR, which states: ‘personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’. The DPC determined that the volume of personal data requested from the individual as a prospective tenant was excessive for the initial stage of an application process.
Rectification request partially complied with
Four years after the conclusion of an investigation into suspected plagiarism in an educational setting, an individual requested to have aspects of the internal report regarding the investigation rectified. The report was compiled following an independent investigation in which the individual was interviewed as a witness and not as the subject of the investigation.
The individual submitted the rectification request to the data controller, the individual’s employer. As part of their request, the individual stated that there were a number of instances where the personal data in the report was inaccurate, incomplete or misleading, and requested that these instances be rectified in accordance with Article 16 of the GDPR. In its response to the individual, the education provider stated that it could not rectify the report but it could restrict access to it. As the individual was dissatisfied with this response, they submitted a complaint to the DPC.
In this instance, the DPC examined whether the education provider was correct in its initial refusal of the rectification request. The education provider confirmed to the DPC that, due to the passage of time since the report had been created, the investigator’s notes had been destroyed; as such, it was unable to check the alleged inaccuracies, and, as it was not the author of the report, it could not alter the contents. The education provider offered, as a proposal for amicable resolution, to add a supplementary statement recording the individual’s position to the report.
The individual refused the proposal as they were of the view that the report was incomplete as not all the evidence they provided was referred to in the report, and where it was quoted, they felt it was taken out of context.
It is important to note that it is not the role of the DPC, nor is it encompassed within the right to rectification under Article 16 of the GDPR, to reassess or to repeat the work of an independent investigator, nor to undermine the professional opinion of an expert. The independent investigator provided their professional assessment of all evidence and testimony gathered during the investigation, and it was their professional discretion as to what material was relevant to be included in the report. The purpose of the individual’s testimony was to inform the independent investigator in order to assist with the investigation. The fact that the individual disagreed with the assessment did not render the report inaccurate or incomplete.
The education provider further offered to delete the report which would cease the processing of the individual’s personal data. Once again, the individual did not accept this offer.
The DPC was of the view that the report should be erased where it was no longer necessary for the education provider to retain it. Alternatively, the education provider should add the supplementary statement to provide a more accurate account of the events.
Allegation that data was unlawfully retained and processed in relation to a newsletter
This case relates to an individual who alleged that their personal data, in the form of their name, address and email address, had been unlawfully retained and processed by a property management company.
The individual received an unsolicited email containing a newsletter from the company, despite not having a business relationship with the company for a number of years. The individual contacted the company requesting an explanation as to why the company had retained the individual’s personal data. The company stated that it was previously the managing agent for a particular residential development that the individual had a business interest in. It advised that it had sent the email in error. The company informed the individual that it had now deleted their personal data from its database.
The individual was not satisfied with this response from the company and submitted a complaint to the DPC. Following engagement with the DPC, the company explained that it had been the managing agent for an owner management company and that, following the termination of its contract with the owner management company, it had failed to delete the individual’s personal data from its database.
As part of the examination of this complaint, the DPC sought to establish if the company had a lawful basis for processing the individual’s personal data by retaining it following the end of the respective contract. The company informed the DPC that it was relying on Article 6(1)(a) of the GDPR which states that processing shall be lawful where a data subject has given their consent. The company further stated that under the Property Services (Regulation) Act 2011 it was required to retain data for a period of no less than six years. The company further indicated that it was an oversight on its part that it had retained the individual’s personal data beyond the six-year retention period. It also established that an administrative error had resulted in the individual receiving the unsolicited email.
The company acknowledged that it no longer had a lawful basis to process the individual’s personal data by retaining it post the six-year period and confirmed that it had deleted all personal data relating to the individual. The company also confirmed what steps it had taken to improve the procedures for managing its database of contacts to ensure unlawful processing of this type did not recur.
Accordingly, the company did not adhere to the principles relating to processing of personal data in accordance with Article 5(1)(b) of the GDPR (‘purpose limitation’) when it used the individual’s contact details to send them a newsletter when it should not have retained the individual’s contact details for this period of time. It also did not adhere to Article 5(1)(e) of the GDPR (‘storage limitation’) when it retained the individual’s personal data, which permitted the identification of the individual, for longer than was necessary for the purpose for which the personal data was originally obtained.
The DPC issued recommendations to the controller around its obligations to ensure that all processing is lawful, fair and transparent, as required under Article 5 of the GDPR and that appropriate technical and organisational measures are implemented to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR.
Allegation that an organisation published personal data
The DPC received a query from an individual relating to what appeared to be the unintentional inclusion of their property on an advert published by a property website. The individual advised that the property website had published on its website an image of a property for sale as well as a number of other neighbouring properties. The owner of one of these other properties was the individual that contacted the DPC.
The individual first contacted the DPC via email raising their concern and followed up a short time later with a phone call to the DPC Helpdesk. During the Helpdesk call, the individual advised the DPC that the image contained a photograph of their house along with their address.
In response to this information, the individual was advised about the six lawful bases for processing personal data under Article 6 of the GDPR. They were also advised of the definition of personal data as set out in the GDPR: information concerning or relating to a living person who is identified or identifiable (such a person is referred to as a ‘data subject’).
The individual was further advised that while an image of a property alone may not constitute personal data, an image containing the property address as well as a house number may entitle them to request erasure of this data from the property website. The DPC recommended that, in the first instance, the individual make contact, in writing, with the owners of the property website requesting the removal of their property from the published images on the website.
Having followed the advice provided by the DPC, the individual reverted to the DPC to advise that the owners of the property website had promptly complied with their request and had removed the image of their property from the website.