CASE STUDIES

"GDPR 2018 - 2023"

www.linkedin.com/in/charishkpal
41 Loss of control of paper files

Case Summary Actions Taken

A public sector health service provider discovered a data
breach when patient medical records were found in an
abandoned storage cabinet on an unoccupied hospital
premises. The breach was exacerbated when an
unauthorized individual gained access to the restricted
premises and posted photographs of the files on social
media.
The organization immediately reported the breach to
the Data Protection Commission (DPC), complying
with GDPR Article 33.
A representative from the organization was
dispatched to secure and remove the files from the
unoccupied premises.

QUOTE
"stop dreaming and
Resolution Key Takeaway

start doing"
The breached patient records were secured, and the
organization took steps to ensure the files were no longer
accessible to unauthorized individuals.
The organization cooperated with the DPC's investigation
and implemented recommendations provided by the
DPC.
This case underscores the critical need for proper
records management policies and security measures.
It's essential to track files, maintain secure storage
facilities, and establish clear procedures for record
retention or deletion to prevent unauthorized access
and data breaches.

The GDPR rules relevant to this case include Article 33 (Notification of a personal data breach)
GDPR Rule and general principles around data security and accountability outlined throughout the GDPR.
Compliance with these rules is essential to prevent and respond to data breaches effectively.
42 Ransomeware Attack

Case Summary Actions Taken

An organization operating in the leisure industry reported
a ransomware attack to the Data Protection Commission
(DPC). The attack potentially encrypted or disclosed the
personal data of up to 500 customers and staff stored on
the organization's server. The breach was traced back to
a compromised modem router, but backup data was
securely stored in the cloud.
The organization promptly notified the DPC about the
ransomware attack, aligning with GDPR Article 33.
They took immediate steps to isolate the
compromised server and prevent further unauthorized
access.

Resolution QUOTE Key Takeaway

The organization worked closely with the DPC, This case emphasizes the importance of robust

"stop dreaming and

implementing recommendations to improve its
information and communication technology (ICT)
infrastructure.
cybersecurity measures, employee training, and
proactive responses to data breaches. Maintaining
secure backup systems and conducting regular

start doing"
They conducted a thorough analysis to ensure no further
security assessments are vital for GDPR compliance
and data protection.
malware was present.

Enhanced security measures were put in place to protect

the processing of personal data.

Employee training on cybersecurity risks was initiated.

Relevant GDPR rules include Article 33 (Notification of a personal data breach) and the GDPR's
fundamental principles for data security and accountability. Compliance with these rules, as well
GDPR Rule
as the DPC's recommendations, helped the organization address the breach and enhance its
data protection practices.
43 Disclosure of CCTV footage via social media

Case Summary Actions Taken

A property management company notified the Data
Protection Commission (DPC) that an employee of a
security company, contracted by them, used a personal
mobile phone to record CCTV footage of two members of
the public engaged in an intimate act, which had been
captured by the management company's security
cameras. The employee subsequently shared the video
via WhatsApp with a limited number of individuals.
The property management company communicated
with staff who received the footage, instructing them
to delete it and refrain from further dissemination.
The DPC was promptly informed of the incident,
complying with GDPR Article 33.

Resolution
QUOTE Key Takeaway

"stop dreaming and

Both the property management company and the security
company were able to demonstrate the existence of
adequate data protection policies and procedures.
This case highlights the significance of not only
having data protection policies and procedures in
place but also ensuring adequate oversight and

start doing"
The property management company, in response to DPC
recommendations, improved oversight and supervision to
supervision to enforce compliance. Training and clear
guidelines are essential to prevent personal data
ensure compliance with these policies. breaches.
Additional data protection training was delivered to staff
with an emphasis on personal data breaches.
Signage prohibiting the use of personal mobile devices
in the CCTV control room was displayed.

Relevant GDPR rules include Article 33 (Notification of a personal data breach) and the GDPR's
emphasis on accountability, oversight, and compliance with data protection policies. By
GDPR Rule
enhancing oversight and implementing additional training, the property management company
worked to address shortcomings in its data protection practices.
44 Breach Notification (Voluntary Sector) — Ransomware Attack

Case Summary Actions Taken

In May 2020, the Irish Data Protection Commission
(DPC) received a breach notification from an Irish data
processor and a data controller operating in the voluntary
sector, who had enlisted the processor for web hosting
and data management services. The breach resulted
from a ransomware attack that occurred in the data
center used by the processor, where malware gained
access through a Remote Desktop Protocol (RDP) port
The data processor and data controller promptly
notified the DPC in compliance with GDPR Article 33.
The DPC initiated communication with both parties,
seeking to understand potential non-compliance areas
related to data protection regulation.

QUOTE
on the server.

"stop dreaming and

Resolution Key Takeaway

The DPC engaged intensively with both the data This case underscores the importance of ensuring

start doing"
controller and processor, issuing technical and data protection compliance and oversight, especially
organizational questionnaires to identify areas of potential when engaging data processors. Adequate
non-compliance. agreements, oversight, and agreements for
The DPC concluded the case by providing international data transfers are crucial for GDPR
recommendations to both the data controller and compliance.
processor.
Ongoing engagement between the DPC and both parties
ensured the implementation of DPC recommendations.

Relevant GDPR rules include Article 33 (Notification of a personal data breach) and Article 28,
which outlines the requirements for data processing agreements and the responsibilities of data
GDPR Rule
controllers and processors. Engaging intensively with the DPC and implementing their
recommendations helped both parties address potential non-compliance areas.
45 Breach Notification - Erroneous Publication on Twitter

Case Summary Actions Taken

A public sector organization informed the Data Protection The organization notified the DPC about the
Commission (DPC) that they had unintentionally inadvertent publication, complying with GDPR Article
published personal data through their social media 33.
platform, specifically Twitter. This publication of personal The offending tweet was removed without undue
data occurred in violation of the organization's policy to delay.
anonymize all content that could potentially identify
individual data subjects. The organization attributed the
incident to human error, and the offending tweet was
promptly removed.

Resolution
QUOTE Key Takeaway

"stop dreaming and

The DPC examined the matter and, based on the actions
taken to mitigate the risk of a recurrence, concluded its
investigation.
This case emphasizes the importance of human error
as a potential source of data breaches. It also
underscores the need for organizations to have clear

start doing"
The DPC issued additional recommendations to the
organization, focusing on the proper use of social media
policies in place for anonymizing content and secure
access control to social media platforms to prevent
platforms and secure access control. the unintentional disclosure of personal data.

Relevant GDPR rules include Article 33 (Notification of a personal data breach) and the GDPR's
principles regarding data protection and accountability. Compliance with these principles and the
GDPR Rule
DPC's recommendations is essential for addressing data breaches and preventing their
recurrence.
46 Breach Notification - Bank Details sent by WhatsApp

Case Summary Actions Taken

A private financial sector organization notified the Data
Protection Commission (DPC) about an incident where a
customer requested their IBAN and BIC numbers, and a
staff member, who personally knew the customer, used
their personal mobile phone to send the information via
WhatsApp. Unfortunately, the staff member sent details
related to another customer to the requesting individual.
The organization promptly notified the DPC of the
data breach in accordance with GDPR Article 33.
The customer who received the incorrect information
contacted the organization and deleted the data from
their device.
The organization reminded its staff to use only
authorized methods of communication for handling
such requests.

Resolution
QUOTE Key Takeaway

"stop dreaming and

The DPC issued several recommendations, including
using approved organizational communication tools,
ensuring staff understand acceptable and non-acceptable
This case underscores the importance of following
approved organizational communication practices,
especially when handling sensitive customer data.

start doing"
behavior when using such tools, and providing
appropriate GDPR and Data Protection Act 2018 training
Adequate training and awareness of data protection
obligations are crucial to prevent unauthorized data
to staff. disclosures.

Relevant GDPR rules include Article 33 (Notification of a personal data breach) and the GDPR's
principles regarding data protection and accountability. Compliance with these principles, along
GDPR Rule
with the DPC's recommendations, is essential for addressing data breaches and improving data
protection practices.
47 Breach Notification - Processor Coding Error

Case Summary Actions Taken

The Data Protection Commission (DPC) received
separate breach reports from 12 credit unions that
utilized the services of the same data processor based in
the UK. The processor's breach resulted from a coding
error made when implementing measures related to the
Covid-19 pandemic response. Credit unions report
information to the Central Bank of Ireland for the Central
Credit Register (CCR), which lenders and credit rating
Credit unions reported the issue to the DPC as a
breach in accordance with GDPR Article 33.
The affected credit unions engaged with the
processor directly and through a user group to identify
affected records, establish correct coding procedures,
and send corrected CCR returns to the Central Bank.

QUOTE
agencies use to verify borrowers' debts and credit
histories.

Resolution Key Takeaway

"stop dreaming and

The data processor worked with the credit unions to
rectify the coding error and ensure accurate CCR returns.
Effective processing contracts are crucial for ensuring
that processors assist controllers in meeting their

start doing"
These cases highlight the importance of processing
contracts that properly implement the requirements of
obligations, including security of processing and
reporting and responding to breaches. Collaboration
Article 28 of the GDPR. between data controllers and processors is essential
in rectifying data breaches.

The primary GDPR rule relevant to these cases is Article 28, which outlines the responsibilities
and requirements for data processing contracts, particularly in terms of security of processing,
GDPR Rule
reporting, and responding to breaches. Compliance with these contractual obligations is vital for
maintaining data protection and data accuracy.
48 Repeated similar breaches

Case Summary Actions Taken

Over a 12-month period, the Data Protection Commission
(DPC) received multiple notifications of similar breaches
from a data controller in the financial sector. The
controller provided services through a nationwide retail
network operated by a third party, acting as its processor.
These breaches occurred when existing customers used
different addresses during purchases at the processor's
outlets, leading to sales documents being sent to old
The DPC identified a pattern of breaches and raised
the issue with the controller, prompting them to
acknowledge the systemic problem requiring senior
management attention.
Interim measures were adopted, including staff
retraining, increased supervision, and on-screen
notices for processor staff to confirm customer
address accuracy.

QUOTE
addresses, not the new ones registered with the
controller. Recent changes in the controller's customer
database systems were not synchronized with sales
The controller worked on a technical solution, and
interim measures were implemented.

procedures, causing the issue. The controller had

"stop dreaming and

instructed the processor to ensure address changes
before accepting purchase requests, but some counter
staff didn't consistently follow these procedures.

Resolution start doing" Key Takeaway

The controller modified its IT systems to prevent sales
documents from being sent to incorrect customer
addresses, successfully stopping recurring breaches.
This case highlights the DPC's role in monitoring
breaches to identify systemic issues, the importance
of coordinated information systems, and the
unintended consequences of system changes.
Controllers must also ensure that processors clearly
understand and adhere to data processing
procedures to protect data subjects and comply with
the GDPR.

Relevant GDPR principles include Article 33 (Notification of a personal data breach) and Article
GDPR Rule 28, emphasizing the need for processors to follow agreed-upon procedures. Controllers and
processors must work together to avoid systemic issues that can lead to data breaches.
49 Unauthorised disclosure arising from video conferencing

Case Summary Actions Taken

During the pandemic, an educational institute used video
conferencing for student presentations, which were recorded
for external examiners. The plan was to keep these
recordings private from students. However, after two
sessions, the lecturers' discussions about the students' work
were also recorded. It was mistakenly believed that only the
lecturers could access these discussions, but in reality, all
The organization reported the breach to the Data
Protection Commission (DPC).
The recordings accessible to students were
deleted, and the excerpts were removed from
social media. The DPC conducted an assessment
and provided comprehensive recommendations.

QUOTE
participants, including students, had access. The students
received automatic links to these files, which contained
personal remarks about some students. Consequently,
students accessed and shared these recordings, including
the personal comments, on messaging apps and social

"stop dreaming and

media, breaching privacy and confidentiality unintentionally.

Resolution start doing" Key Takeaway

The breach was resolved, and steps were taken to remove
the shared excerpts.
The DPC issued recommendations to improve IT equipment
usage and ensure compliance with data protection policies.
This case underscores the risks associated with
video conferencing technology and similar tools. It
emphasizes the importance of ensuring that those
who operate such applications are familiar with
how they work and follow data protection laws.
Controllers must also ensure that data protection
policies and procedures align with current
practices and technologies.

Relevant GDPR rules include the principles of data protection, data minimization, and the
importance of ensuring that personal data is processed in compliance with data protection laws.
GDPR Rule
This case emphasizes the need for careful handling of data in education and the use of
technology to prevent unintended breaches.
50 Disclosure due to misdirected email

Case Summary Actions Taken

A statutory body responsible for investigating complaints
about experts' professional conduct, training, or
competence reported a personal data breach. The
breach occurred when a letter regarding a complaint
against a specialist was mistakenly attached to an email
and sent to an incorrect address. The attached letter
contained personal data, including health data, and was
encrypted. However, the password for decrypting the
The statutory body promptly notified the Data
Protection Commission (DPC) of the breach, as
required by GDPR Article 33.
The organization informed all affected individuals
about the breach, the risks involved, and the
measures taken in response, in compliance with
GDPR Article 34.

QUOTE
letter was sent in a separate email to the same incorrect
address.

Resolution Key Takeaway

"stop dreaming and

The DPC reminded the organization of its ongoing
obligation to secure accidentally disclosed personal data
This case underscores that misaddressed emails are
a common cause of data breaches. While encryption

handling personal data. start doing"

and the importance of ensuring email security when
The statutory body initiated a comprehensive review of all
its data protection processes, policies, and procedures.
is a valuable tool for protecting against accidental
disclosures, it is advisable to use a separate, secure
medium, such as a phone call or SMS message, to
share encryption passwords to mitigate the risk of
sending it to the wrong recipient.

The relevant GDPR rules in this case include Article 33 (Notification of a personal data breach)
and Article 34 (Communication of a personal data breach to the data subject). The case
GDPR Rule
highlights the importance of ongoing vigilance in securing personal data and the necessity for
robust data protection processes.