DPC (Ireland) - IN-20-7-1: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Ireland |DPA-BG-Color=background-color:#013d35; |DPAlogo=LogoIE.png |DPA_Abbrevation=DPC (Ireland) |DPA_With_Country=DPC (Ireland) |Case_Numbe...")
 
No edit summary
Line 51: Line 51:
}}
}}


The Irish DPC posed an administrative fine of €1500 on Men Overcoming Violence Ireland ("MOVE") for the failure to implement appropriate technical and organisational measures when recording group sessions, which is a violation of Articles 5(1)(f) and 32(1) GDPR.  
The Irish DPA posed an administrative fine of €1500 on Men Overcoming Violence Ireland ("MOVE") for the failure to implement appropriate technical and organisational measures when recording group sessions in violation of Articles 5(1)(f) and 32(1) GDPR.  


== English Summary ==
== English Summary ==
Line 61: Line 61:


=== Holding ===
=== Holding ===
The DPC found that MOVE infringed Articles 5(1)(f) and 32(1) GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing by means of recording group sessions on SD Cards containing participants’ and facilitators’ personal data.
The Irish DPA (DPC) held that MOVE infringed Articles 5(1)(f) and 32(1) GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing by means of recording group sessions on SD Cards containing participants’ and facilitators’ personal data.


The DPC imposed an administrative fine of €1500 on MOVE. Furthermore, it issued MOVE with a reprimand in respect of the infringements and ordered it to bring its processing activities into compliance with Articles 5(1)(f) and 32(1) GDPR.  
The DPC imposed an administrative fine of €1500 on MOVE. Furthermore, it issued MOVE with a reprimand in respect of the infringements and ordered it to bring its processing activities into compliance with Articles 5(1)(f) and 32(1) GDPR.  

Revision as of 09:55, 8 March 2022

DPC (Ireland) - IN-20-7-1
LogoIE.png
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5(1)(f) GDPR
Article 32(1) GDPR
Type: Investigation
Outcome: Violation Found
Started: 03.02.2020
Decided: 20.08.2021
Published:
Fine: 1500 EUR
Parties: MOVE Ireland
National Case Number/Name: IN-20-7-1
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: Irish DPC (in EN)
Initial Contributor: kc

The Irish DPA posed an administrative fine of €1500 on Men Overcoming Violence Ireland ("MOVE") for the failure to implement appropriate technical and organisational measures when recording group sessions in violation of Articles 5(1)(f) and 32(1) GDPR.

English Summary

Facts

The controller is Men Overcoming Violence Ireland ("MOVE"), a registered charity that works in the area of domestic violence, with a primary aim of supporting the safety and wellbeing of women and their children who are experiencing, or have experienced violence/abuse in an intimate relationship. MOVE does this by facilitating men (participants) in weekly group sessions.

The personal data breach concerned the loss of eighteen SD Cards that may have contained recordings of group sessions of MOVE’s programme where participants discuss their behaviour and attitudes with regard to domestic violence with a facilitator. Whilst the recording of group sessions focused on the delivery of sessions by the facilitators, some of the participants may have been seen and heard in the recordings; furthermore the personal data on the SD Cards included participants’ disclosure of behaviours, feelings and attitudes towards current or ex partners, other family members and friends, who may have been named by the participants. MOVE submitted that 80 to 120 men may have been affected by this personal data breach and, at least, one facilitator per each recorded session.

Holding

The Irish DPA (DPC) held that MOVE infringed Articles 5(1)(f) and 32(1) GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing by means of recording group sessions on SD Cards containing participants’ and facilitators’ personal data.

The DPC imposed an administrative fine of €1500 on MOVE. Furthermore, it issued MOVE with a reprimand in respect of the infringements and ordered it to bring its processing activities into compliance with Articles 5(1)(f) and 32(1) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.