In a turn up for the books the Irish Data Protection Commission (DPC) is being investigated for possible General Data Protection Regulation breaches in relation to the body’s data protection officer being prevented from successfully completing their work.
Article 80 of GDPR states that it is permissible for a person to nominate a not-for-profit body acting in the public interest to lodge a complaint with a national regulator where he or she alleges infringements of their rights under the EU law. Along with this, GDPR also permits not-for-profit bodies to seek “an effective judicial remedy” on behalf of such complainants, where they believe their rights have been infringed.
Using Article 80 Digital Rights Ireland, on behalf of technology journalist and Irish Times columnist Karlin Lillington, submitted the complaint. Digital Rights Ireland is a data privacy advocacy group.
The data protection officer was on annual leave in August when the amendments were enacted. A Freedom of Information request The changes were made when and records obtained under the Freedom of Information Acts showed that the officer stated he would not have agreed to the amendments and he had no prior knowledge to them.
A senior investigator with the Data Protection Commission replied, in a statement released in response to the complaint on November 23rd, said that “we consider that potential breaches of the GDPR have been highlighted”. It went on to say that the commission said it was “making enquiries into this matter” with the department and would provide an update soon. This is despite claims, last Wednesday that the Department of Social Protection remains “unaware” of any ongoing investigation into the incident in question.
Under GDPR, which was introduced by the European Union on May 25 this year, the data protection officer must be independent and an organisation employing one is not permitted to give them any instructions regarding their duties.
In most cases, the penalty for a company or organisation breaching GDPR legislation is 4% of annual global revenue or €20m, whichever figure is higher. However, privacy legislation enacted by the Irish Government has restricted any possible to €1 million.