MOVE Ireland August 2021

Date20 August 2021
SectionDecisions made under data protection act 2018
1
InthematteroftheGeneralDataProtectionRegulation
DPCCaseReference:IN2071
InthematterofMOVEIreland
DecisionoftheDataProtectionCommissionmadepursuanttoSection111oftheDataProtectionAct
2018
FurthertoanownvolitioninquirycommencedpursuanttoSection110oftheDataProtectionAct2018
DECISION
DecisionMakerfortheDataProtectionCommission:
HelenDixon
CommissionerforDataProtection
20August2021
DataProtectionCommission
21FitzwilliamSquareSouth
Dublin2,Ireland
2
Contents
1.Introduction....................................................................................................................................3
2.LegalFrameworkfortheInquiryandtheDecision.........................................................................3
i.LegalBasisfortheInquiry...........................................................................................................3
ii.DataController............................................................................................................................4
iii.LegalBasisfortheDecision.........................................................................................................4
3.FactualBackground.........................................................................................................................4
4.ScopeoftheInquiryandtheApplicationoftheGDPR...................................................................7
5.MOVE’ssubmissionsinrelationtotheDraftDecision...................................................................9
6.IssueforDetermination................................................................................................................12
7.Issue:Articles5(1)(f)and32(1)oftheGDPR................................................................................13
i.AssessingRisk............................................................................................................................15
ii.SecurityMeasuresImplementedbyMOVE..............................................................................18
iii.TheAppropriateLevelofSecurity.............................................................................................22
iv.Findings.....................................................................................................................................25
8.CorrectivePowers.........................................................................................................................25
A.Reprimand.................................................................................................................................26
B.OrdertoBringProcessingintoCompliance..............................................................................27
C.AdministrativeFine...................................................................................................................28
i.WhethertheInfringementsWarrantanAdministrativeFine..............................................28
ii.TheApplicableRangefortheAdministrativeFine...............................................................37
iii.CalculatingAdministrativeFine............................................................................................38
9.RightofAppeal..............................................................................................................................39
Appendix:ScheduleofMaterialsConsideredforthePurposesofthisDecision...............................40

3
1. Introduction
1.1 Thisdocument(‘theDecision’)isadecisionmadebytheDataProtectionCommission(‘the
DPC’)inaccordancewithsection111oftheDataProtectionAct2018(‘the2018Act’).I
makethisDecisionhavingconsideredtheinformationobtainedintheownvolitioninquiry
(‘theInquiry’)pursuanttosection110ofthe2018Act.Amemberoftheinquiryteamof
theDPC(‘theCaseOfficer’)providedMOVE(MenOvercomingViolence)Ireland(‘MOVE’)
withaDraftInquiryIssuesPaperinordertomakesubmissionsonit.
1.2 MOVEwasprovidedwiththeDraftDecision(‘theDraftDecision’)onthisInquiryon20July
2021togiveitthefinalopportunitytomakesubmissions.ThisDecisionisbeingprovided
toMOVEpursuanttosection116(1)(a)ofthe2018ActinordertogiveMOVEnoticeofthe
Decision,thereasonsforit,andthecorrectivepowersthatIhavedecidedtoexercise.
1.3 ThisDecisioncontainscorrectivepowersundersection115ofthe2018ActandArticle
58(2)oftheGeneralDataProtectionRegulation(‘theGDPR‘)arisingfromthe
infringementswhichhavebeenidentifiedherein.Inthisregard,MOVEisrequiredto
complywiththesecorrectivepowers,anditisopentothisofficetoserveanenforcement
noticeonMOVEinaccordancewithsection133ofthe2018Act.
2. LegalFrameworkfortheInquiryandtheDecision
i. LegalBasisfortheInquiry
2.1 TheGDPRisthelegalregimecoveringtheprocessingofpersonaldataintheEuropean
Union.Asaregulation,theGDPRisdirectlyapplicableinEUmemberstates.TheGDPRis
givenfurthereffectinIrishlawbythe2018Act.Asstatedabove,theInquirywas
commencedpursuanttosection110ofthe2018Act.Bywayofbackgroundinthisregard,
underPart6ofthe2018Act,theDPChasthepowertocommenceaninquiryonseveral
bases,includingonfootofacomplaint,orofitsownvolition.
2.2 Section110(1)ofthe2018ActprovidesthattheDPCmay,forthepurposeofsection
109(5)(e)orsection113(2)ofthe2018Act,orofitsownvolition,causesuchinquiryasit
thinksfittobeconducted,inordertoascertainwhetheraninfringementhasoccurredor
isoccurringoftheGDPRoraprovisionofthe2018Act,orregulationundertheAct,that
givesfurthereffecttotheGDPR.Section110(2)ofthe2018ActprovidesthattheDPCmay,
forthepurposesofsection110(1),whereitconsidersitappropriatetodoso,causeanyof
itspowersunderChapter4ofPart6ofthe2018Act(excludingsection135ofthe2018
Act)tobeexercisedand/orcauseaninvestigationunderChapter5ofPart6ofthe2018
Acttobecarriedout.

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT