Decisions
Inquiry into TikTok Technology Limited
On 30 April 2025, the Irish Data Protection Commission (the ‘DPC’) adopted a final decision in an own-volition statutory inquiry, concerning TikTok Technology Limited’s (‘TikTok’) transfers of EEA User Data to China. The inquiry was carried out in accordance with the Data Protection Act 2018 and Article 60 of the EU General Data Protection Regulation (GDPR).
Article(s): 13, 46. 58
Inquiry into Centric Health Ltd. (“Centric”) - February 2023
The DPC commenced the Inquiry following a ransomware attack affecting patient data held on Centric’s patient administration system which was notified to the DPC on 5 December 2019. As a result of this, 70,000 data subjects were affected by of access to, unauthorised alteration of, and loss of availability of their personal and special category data.
Article(s): 5(1)(a)
Inquiry into Virtue Integrated Elder Care Ltd (VIEC)
The inquiry was commenced after VIEC notified a personal data breach to the DPC on 19 August 2020. VIEC operates and manages five nursing homes on the Southside of Dublin and in County Louth. The data breach notification concerned an unknown actor who gained access to a VIEC manager email account by way of a phishing attack and set up mail forwarding rules to an external account.
Article(s): 5(1)(f), 32(1)
Inquiry into Allianz plc
This decision arose from an own-volition inquiry commenced by the DPC pursuant to section 110 of the Data Protection Act 2018 to consider whether Allianz had complied with the GDPR in relation to its processing operations.
Article(s): 32(1)
Inquiry into a Consultancy Provider
This inquiry was commenced in respect of a personal data breach that the Personal Injuries Assessment Board (‘PIAB’) reported to the Data Protection Commission on 10 December 2019. PIAB is an independent statutory body that deals with personal injury claims.
Article(s): 5(1)(a), 32(1)
Inquiry into Tusla Child and Family Agency (Tusla)
This inquiry was commenced in respect of 71 personal data breaches notified by Tusla to the DPC. The decision considered a broad range of Tusla’s processing operations and the findings included:
Article(s): 5(1)(d), 32(1), 32(4), 33(1)
Inquiry into Tusla Child and Family Agency - August 2020
This inquiry was commenced in respect of 71 personal data breaches notified by Tusla to the DPC. The decision considered a broad range of Tusla’s processing operations and the findings included:
Article(s): 32(4), 33(1), 5(1)(d), 32(1)
Inquiry into Kerry County Council
This inquiry is one of a number of own-volition inquiries into a broad range of issues pertaining to surveillance technologies deployed by State authorities. The findings made in the decision include:
Article(s): 5(1)(a)