Decisions
Inquiry into Tusla Child and Family Agency (Tusla)
Area: Public authority
Topic: Children - legal basis
Articles: 5(1)(d), 32(1), 32(4), 33(1)
DPC Reference: IN-18-11-4
Decision Date: 12 August 2020
This inquiry was commenced in respect of 71 personal data breaches notified by Tusla to the DPC. The decision considered a broad range of Tusla’s processing operations and the findings included:
-
Five distinct findings of infringements of Article 32(1) of the GDPR in respect of Tusla’s obligation implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its various processing operations.
-
A finding that Tusla infringed Article 32(4) of the GDPR by failing to take steps to ensure that any natural person acting under their authority does not process personal data except on instructions from Tusla.
-
A finding that Tusla infringed Article 5(1)(d) of the GDPR on the four occasions by failing to ensure that the personal data that it processed was accurate and, where necessary, kept up to date.
-
A finding that Tusla infringed Article 33(1) of the GDPR on 8 occasions by failing to notify the personal data breaches without undue delay.
The corrective powers exercised:
-
The decision imposed two distinct administrative fines on Tusla for its infringements of Article 32(1) and Article 33(1) in circumstances where some of the processing operations under consideration were not “the same or linked processing operations” within the meaning of Article 83(3) of the GDPR. The amount of the fines were €50,000 and €35,000 respectively.
-
The decision ordered Tusla to bring its processing operations identified in the decision into compliance with Article 32(1) of the GDPR by implementing appropriate organisational measures to ensure a level of security appropriate to the risks.
-
The decision issued a reprimand to Tusla regarding its infringements of Articles 5(1)(d), 32(1), 32(4), and 33(1) of the GDPR
Decisions
Inquiry into Kerry County Council
Area: Public authority
Topic: CCTV - LED
Articles: 5(1)(a)
DPC Reference: 02-SIU-2018
Decision Date: 25 March 2020
This inquiry is one of a number of own-volition inquiries into a broad range of issues pertaining to surveillance technologies deployed by State authorities. The findings made in the decision include:
- A finding that the Litter Pollution Act 1997, the Waste Management Act 1996, and the Local Government Act 2001 do not provide a lawful basis for Kerry County Council’s use of CCTV to detect litter offences. The DPC comprehensively considered these Acts and found that they do not regulate this processing of personal data as is required by the Law Enforcement Directive, as transposed by the Data Protection Act 2018. Furthermore, the decision found that the Acts do not to meet the standards of clarity, precision, and foreseeability in respect of such processing as required by the case-law of the Court of Justice and the European Court of Human Rights.
- The other findings in the decision include infringements relating to appropriate signage and general transparency, the lack of written rules or guidelines governing staff access to the CCTV, the use of smartphones or other recording devices in the CCTV monitoring room, the practice of sharing login details for accessing CCTV footage, auditing the audit trails of CCTV footage, and the requirement for Data Protection Impact Assessments, amongst others.
The corrective powers exercised:
- A temporary ban on the processing of personal data through the CCTV cameras at the five locations used for detecting and taking enforcement action against those engaged in littering and the CCTV cameras at Amenity Walk.
- An order to Kerry County Council to bring its processing of personal data into compliance taking certain action specified in the decision.
- A reprimand in respect of Kerry County Council’s infringements.