Inquiry into MOVE (Men Overcoming Violence) Ireland | Data Protection Commission

• Judgment Date: 20 August 2021
• Case Outcome: This inquiry was commenced in respect of a personal data breach that MOVE notified to the DPC on 3 February 2020. MOVE is a registered charity, which works in the area of domestic violence, with a primary aim of supporting the safety and wellbeing of women and their children who are experiencing, or have experienced violence/abuse in an intimate relationship. MOVE does this by facilitating men (participants) in weekly group sessions with a facilitator encouraging them to take responsibility for their violence and changing their attitude and behaviour. The personal data breach concerned the loss of eighteen SD Cards that may have contained recordings of group sessions of MOVE’s programme where participants discuss their behaviour and attitudes with regard to domestic violence with a facilitator. Whilst the recording of group sessions focused on the delivery of sessions by the facilitators, some of the participants may have been seen and heard in the recordings; furthermore the personal data on the SD Cards included participants’ disclosure of behaviours, feelings and attitudes towards current or ex partners, other family members and friends, who may have been named by the participants. MOVE submitted that 80 to 120 men may have been affected by this personal data breach and, at least, one facilitator per each recorded session.
• Year: 2021
• Date: 20 August 2021
• Judgment Number: IN-20-7-1
• Section: Decisions made under data protection act 2018

1



InthematteroftheGeneralDataProtectionRegulation

DPCCaseReference:IN‐20‐7‐1



InthematterofMOVEIreland



DecisionoftheDataProtectionCommissionmadepursuanttoSection111oftheDataProtectionAct

2018

Furthertoanown‐volitioninquirycommencedpursuanttoSection110oftheDataProtectionAct2018





DECISION







Decision‐MakerfortheDataProtectionCommission:



HelenDixon

CommissionerforDataProtection





20August2021









DataProtectionCommission

21FitzwilliamSquareSouth

Dublin2,Ireland













2



Contents

1.Introduction....................................................................................................................................3

2.LegalFrameworkfortheInquiryandtheDecision.........................................................................3

i.LegalBasisfortheInquiry...........................................................................................................3

ii.DataController............................................................................................................................4

iii.LegalBasisfortheDecision.........................................................................................................4

3.FactualBackground.........................................................................................................................4

4.ScopeoftheInquiryandtheApplicationoftheGDPR...................................................................7

5.MOVE’ssubmissionsinrelationtotheDraftDecision...................................................................9

6.IssueforDetermination................................................................................................................12

7.Issue:Articles5(1)(f)and32(1)oftheGDPR................................................................................13

i.AssessingRisk............................................................................................................................15

ii.SecurityMeasuresImplementedbyMOVE..............................................................................18

iii.TheAppropriateLevelofSecurity.............................................................................................22

iv.Findings.....................................................................................................................................25

8.CorrectivePowers.........................................................................................................................25

A.Reprimand.................................................................................................................................26

B.OrdertoBringProcessingintoCompliance..............................................................................27

C.AdministrativeFine...................................................................................................................28

i.WhethertheInfringementsWarrantanAdministrativeFine..............................................28

ii.TheApplicableRangefortheAdministrativeFine...............................................................37

iii.CalculatingAdministrativeFine............................................................................................38

9.RightofAppeal..............................................................................................................................39

Appendix:ScheduleofMaterialsConsideredforthePurposesofthisDecision...............................40





3



1. Introduction



1.1 Thisdocument(‘theDecision’)isadecisionmadebytheDataProtectionCommission(‘the

DPC’)inaccordancewithsection111oftheDataProtectionAct2018(‘the2018Act’).I

makethisDecisionhavingconsideredtheinformationobtainedintheownvolitioninquiry

(‘theInquiry’)pursuanttosection110ofthe2018Act.Amemberoftheinquiryteamof

theDPC(‘theCaseOfficer’)providedMOVE(MenOvercomingViolence)Ireland(‘MOVE’)

withaDraftInquiryIssuesPaperinordertomakesubmissionsonit.



1.2 MOVEwasprovidedwiththeDraftDecision(‘theDraftDecision’)onthisInquiryon20July

2021togiveitthefinalopportunitytomakesubmissions.ThisDecisionisbeingprovided

toMOVEpursuanttosection116(1)(a)ofthe2018ActinordertogiveMOVEnoticeofthe

Decision,thereasonsforit,andthecorrectivepowersthatIhavedecidedtoexercise.



1.3 ThisDecisioncontainscorrectivepowersundersection115ofthe2018ActandArticle

58(2)oftheGeneralDataProtectionRegulation(‘theGDPR‘)arisingfromthe

infringementswhichhavebeenidentifiedherein.Inthisregard,MOVEisrequiredto

complywiththesecorrectivepowers,anditisopentothisofficetoserveanenforcement

noticeonMOVEinaccordancewithsection133ofthe2018Act.



2. LegalFrameworkfortheInquiryandtheDecision



i. LegalBasisfortheInquiry



2.1 TheGDPRisthelegalregimecoveringtheprocessingofpersonaldataintheEuropean

Union.Asaregulation,theGDPRisdirectlyapplicableinEUmemberstates.TheGDPRis

givenfurthereffectinIrishlawbythe2018Act.Asstatedabove,theInquirywas

commencedpursuanttosection110ofthe2018Act.Bywayofbackgroundinthisregard,

underPart6ofthe2018Act,theDPChasthepowertocommenceaninquiryonseveral

bases,includingonfootofacomplaint,orofitsownvolition.



2.2 Section110(1)ofthe2018ActprovidesthattheDPCmay,forthepurposeofsection

109(5)(e)orsection113(2)ofthe2018Act,orofitsownvolition,causesuchinquiryasit

thinksfittobeconducted,inordertoascertainwhetheraninfringementhasoccurredor

isoccurringoftheGDPRoraprovisionofthe2018Act,orregulationundertheAct,that

givesfurthereffecttotheGDPR.Section110(2)ofthe2018ActprovidesthattheDPCmay,

forthepurposesofsection110(1),whereitconsidersitappropriatetodoso,causeanyof

itspowersunderChapter4ofPart6ofthe2018Act(excludingsection135ofthe2018

Act)tobeexercisedand/orcauseaninvestigationunderChapter5ofPart6ofthe2018

Acttobecarriedout.

