DPC (Ireland) - DPC Case Reference: 03/SIU/2018

From GDPRhub
DPC (Ireland) - DPC Case Reference: 03/SIU/2018
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 6 GDPR
Article 12 GDPR
Article 13 GDPR
Article 15 GDPR
Section 38(3) Garda Síochána Act 2005
Type: Investigation
Outcome: Violation Found
Decided: 09.12.2021
Published: 12.01.2022
Fine: €110,000
Parties: n/a
National Case Number/Name: DPC Case Reference: 03/SIU/2018
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: Irish DPC (in EN)
Initial Contributor: czapla

The Irish DPC imposed an administrative fine of €110,000 against a city council due to numerous failings in meeting data protection obligations in some of its smart city initiatives.

English Summary


In June 2018, the DPC initiated a connected series of own-volition inquiries under sections 110 and 123 of the 2018 Irish Data Protection Act. They concerned surveillance technologies deployed by state and local authorities and An Garda Síochána (the Irish Police) for law enforcement purposes. The DPC inquiries were to establish whether any data processing was in compliance with the data protection laws and to ensure that sufficient accountability measures were in place before further investment into new technologies.

The DPC investigation unveiled the inventory of 401 CCTV cameras that were deployed in various locations across Limerick City and County, including bicycle and walkway routes, housing estates, traveller accommodation sites and public spaces. The cameras were subject to constant real time surveillance. Separately, the Limerick City and County Council (Council) had two drones in operation.


The DPC identified a total of 48 issues in the course of the inquiry. The most important issues determined that the Council:

a) had no lawful basis for the processing of personal data by CCTV cameras for traffic management purposes;

b) lacked a lawful basis for a number of CCTV cameras used for the purposes of countering crime;

c) lacked a lawful basis to carry out surveillance with CCTV cameras which employed Automatic Number Plate Recognition technology;

d) infringed Article 15 GDPR by rejecting subject access requests in respect of CCTV cameras used for traffic management purposes;

e) did not fulfil its transparency obligations under Article 13 GDPR by failing to erect signage in respect of its CCTV processing operations;

f) infringed Article 12 GDPR by failing to make its CCTV Policy more easily accessible and transparent.

The DPC exercised the following corrective powers:

a) A temporary ban on the processing of personal data with CCTV cameras at a number of locations used for the purposes of criminal law enforcement until a legal basis can be identified.

b) A temporary ban on the processing of personal data with CCTV cameras used for traffic management purposes until a legal basis can be identified.

c) An order to the Council to bring its processing of personal data into compliance taking certain actions specified in the decision.

d) A reprimand in respect of a number the Council’s infringements.

e) An administrative fine of €110,000.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.