DPC (Ireland) - IN-20-7-1

From GDPRhub
DPC (Ireland) - IN-20-7-1
LogoIE.png
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5(1)(f) GDPR
Article 32(1) GDPR
Type: Investigation
Outcome: Violation Found
Started: 03.02.2020
Decided: 20.08.2021
Published:
Fine: 1500 EUR
Parties: MOVE Ireland
National Case Number/Name: IN-20-7-1
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: Irish DPC (in EN)
Initial Contributor: kc

The Irish DPA posed an administrative fine of €1500 on Men Overcoming Violence Ireland ("MOVE") for the failure to implement appropriate technical and organisational measures when recording group sessions in violation of Article 5(1)(f) GDPR and Article 32(1) GDPR.

English Summary

Facts

The controller is Men Overcoming Violence Ireland ("MOVE"), a registered charity that works in the area of domestic violence, with a primary aim of supporting the safety and wellbeing of women and their children who are experiencing, or have experienced violence/abuse in an intimate relationship. MOVE does this by facilitating men (participants) in weekly group sessions.

The personal data breach concerned the loss of eighteen SD Cards that may have contained recordings of group sessions of MOVE’s programme where participants discuss their behaviour and attitudes with regard to domestic violence with a facilitator. Whilst the recording of group sessions focused on the delivery of sessions by the facilitators, some of the participants may have been seen and heard in the recordings; furthermore the personal data on the SD Cards included participants’ disclosure of behaviours, feelings and attitudes towards current or ex partners, other family members and friends, who may have been named by the participants. MOVE submitted that 80 to 120 men may have been affected by this personal data breach and, at least, one facilitator per each recorded session.

Holding

The Irish DPA (DPC) held that MOVE infringed Article 5(1)(f) GDPR and Article 32(1) GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing by means of recording group sessions on SD Cards containing participants’ and facilitators’ personal data.

The DPC imposed an administrative fine of €1500 on MOVE. Furthermore, it issued MOVE with a reprimand in respect of the infringements and ordered it to bring its processing activities into compliance with Article 5(1)(f) GDPR and Article 32(1) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.