The Irish Data Protection Commission ("DPC") recently published its Annual Report for 2024 ("Report"). As usual, the Report contains some interesting trends, statistics, and insights into the DPC's regulatory activities during 2024. The Report also highlights the significant emphasis which the new Commissioners, Dale Sunderland and Des Hogan, place on the values which the DPC should exhibit as a regulator, including "fairness, consistency and transparency", acknowledging that these values should be inherent in how they go about their work. In addition, the DPC separately published a Booklet of Case Studies from 2024, and released its first Public Attitudes Survey. In this article, we consider some of the key highlights of the Report and some interesting case studies.
THE REPORT
The Report highlights that although the DPC's regulation of Artificial Intelligence ("AI") model training attracted a lot of public interest in 2024, the DPC was active on many other fronts. For example, the DPC brought four large-scale inquiries to a conclusion, including three inquiries concerning Meta and one inquiry concerning LinkedIn. In addition, three new inquiries were commenced into Google (AI model training), the HSE (safety of sensitive personal data) and Ryanair (use of biometric data), both in response to concerns identified by the DPC and to complaints from other parties.
The DPC also took follow-up action in respect of previous Inquiry decisions into the use of children's personal data by TikTok and Instagram. The DPC had specified corrective measures it required the companies involved to address as part of its Inquiry findings. Notwithstanding the fact that the companies are appealing these decisions, the corrective measures orders continued to have effect and the DPC monitored enforcement of these, leading to successful outcomes including children's personal data now being set as private rather than public by default.
ARTIFICIAL INTELLIGENCE
In regard to AI, the DPC intervened in a number of cases where it identified deficiencies and failures in plans to train AI models using personal data of EU/EEA citizens which could expose users to significant risks and harms, including in respect of AI model training by Twitter, Google, and Meta.
In an effort to bring greater clarity to the application of data protection requirements in AI model training and deployment, and to reach a harmonised EU position and level playing field for industry, the DPC requested a statutory opinion from the EDPB. This involved EU/EEA regulators working together over a 14-week period. A formal opinion was adopted by the EDPB in December 2024 (previously discussed here).
With the introduction of the EU AI Act, the DPC was designated as a fundamental rights body, one of 9 such bodies in Ireland (previously discussed here). It has also been proposed by the Irish Government that the DPC will have a role as a market surveillance authority, along with seven other regulators operating in other sectors, such as the Central Bank, ComReg, and the Competition and Consumer Protection Commission. These authorities, along with a lead regulator (yet to be appointed), will together coordinate enforcement of the AI Act.
Separately, new functions have also been given to data protection authorities under the EU Political Advertising Regulation ("the Regulation") adopted in March 2024. This Regulation will give the DPC an important role in ensuring that during elections personal data is only used for advertising in accordance with the Regulation.
NATIONAL AND EU COOPERATION
In order to deepen the DPC's engagement with their peer European and international data protection and privacy authorities, and in light of the new EU Digital legislation being introduced, the DPC appointed two new Deputy Commissioners last year, including:
- Deputy Commissioner responsible for EDPB, International affairs & the AI Act (Gráinne Hawkes) to lead DPC work in this area; and
- Deputy Commissioner responsible for Inter-Regulatory Cooperation & ePrivacy Prosecutions (Jennifer Dolan) with the aim of deepening engagement with both national and EU level regulators in other regulatory spheres.
The Report notes that despite bringing additional complexity and volume to the DPC's workload, inter-regulatory cooperation has been set as a DPC priority in the interests of regulatory clarity and consistency.
The DPC's Senior Management Committee now consists of two Data Protection Commissioners (with a third Commissioner soon to be appointed), and 17 Deputy Commissioners (as detailed further in the Report).
QUERIES & COMPLAINTS
The DPC received 32,152 contacts (including queries and complaints) from the public in 2024. The Report confirms that when an individual contacts the DPC raising a concern, it will engage with the organisation whose behaviour is at issue, in particular the organisation's Data Protection Officer ("DPO") where applicable. In most cases this engagement will lead to resolution without further intervention by the DPC.
However, in situations where escalation is necessary, the DPC emphasises the importance of having access to the written correspondence between the complainant and the organisation, which details the issues and the positions of both parties.
DSARS REMAIN HIGHEST CATEGORY OF COMPLAINTS
During 2024, the DPC received 11,091 new cases (including complaints and requests for advice/guidance). 2,673 of these cases progressed to the formal complaint-handling process (including 194 electronic direct marketing complaints).
Overall, the DPC concluded 2,357 formal complaints in 2024, including 1,367 complaints received prior to 2024, in addition to 8,418 cases resolved through amicable means. The highest category of complaints (34%) from individuals continued to concern Data Subject Access Requests ("DSARs"), typically due to organisations not responding within the statutory timeframe, or dissatisfaction with the response due to the application of redactions and statutory exemptions.
The Report notes that any statutory exemptions applied should be documented by the organisation, for example in the form of a table. In addition, organisations should explain the reason why the statutory exemption is being applied. The DPC warns that it is not sufficient to merely list the applicable exemptions and relevant provisions of the legislation in the DSAR response letter.
The other most common complaints concerned fair processing of personal data (17%), and the right to erasure (14%). The Report emphasises the importance of organisations communicating effectively with individuals when they make an erasure request, and explaining the reason why their personal data cannot be erased (where applicable). Individuals should also be informed of how long the organisation will continue to process the personal data in question. The more effective the communication between an individual and an organisation, the more likely it is to result in complaints being resolved prior to the DPC's involvement, or through the amicable resolution process facilitated by the DPC.
In addition, the Report notes the new location and address of the DPC, at which complainants can submit their concerns by post (if preferable), namely: 6 Pembroke Row, Dublin 2, D02 X963, Ireland. Organisations will also need to take steps to review and update any references to the DPC's old address in their Privacy Notices.
Enforcement Notices issued where no engagement occurs
Although a large volume of complaints continue to be resolved by means of amicable resolution, the DPC will utilise its powers of enforcement against an organisation when it fails to comply with its data protection obligations.
The most common example of an Enforcement Notice being issued is where an organisation does not engage at all with either the data subject or the DPC. The DPC issued eight Enforcement Notices in 2024, the majority relating to non-response to DSARs.
Electronic Direct Marketing Complaints
The Report notes that the DPC actively investigates and prosecutes offences relating to electronic direct marketing under the ePrivacy Regulations 2011. The DPC completed 146 electronic marketing investigations in 2024; issued 49 warning letters to companies on foot of unsolicited marketing communications; and prosecuted eight companies for sending unsolicited marketing communications without consent. The court directed the companies to make charitable contributions in lieu of a conviction and fine. The donations were relatively low, amounting to a total of €9,725 across all eight cases.
In line with the approach generally taken by the DPC in previous years, all of the companies prosecuted by the DPC in 2024 had received a prior warning to correct inadequate processes and procedures for electronic marketing. The DPC warned that it is critical before embarking on electronic marketing campaigns, that companies carry out robust testing and checks with their service providers to ensure that they have the valid and up-to-date consent of the individuals on their marketing lists and that their opt-out mechanisms are fully functional.
One-Stop-Shop Complaints
Since the implementation of GDPR in May 2018, the DPC has received 1,853 cross-border complaints. The DPC was designated as LSA for 1,612 of these complaints, and has now resolved 82% of these complaints.
Where the DPC was LSA, 63% of cross-border complaints were lodged by complainants with another EU/EEA supervisory authority and then transferred to the DPC via the OSS mechanism, and 37% of cross-border complaints were lodged with the DPC directly.
In 2024, the DPC concluded 145 cross-border complaints, and submitted 115 notifications of amicable resolutions via the Article 60 cooperation mechanism. Details of these cases can be found on the EDPB website.
DATA BREACHES
In 2024, the DPC received 7,781 valid data breach notifications. This represented an 11% increase (794) on the overall data breach numbers received by the DPC in 2023. Of the notifications received, 7,346 were GDPR notifications. In line with previous years, the highest category of data breaches notified to the DPC in 2024, namely 60% of notifications, concerned unauthorised disclosure of personal data, in incidents affecting single individuals or small groups.
In particular, correspondence issuing to incorrect recipients continued to feature prominently. The DPC attributes such errors to poor operational practices and human error. Staff training on this front, along with disabling auto-complete of email addresses in Outlook, may help reduce the number of these types of breach. Of the breach notifications received in 2024, 81% were concluded by year-end. The Report notes that the DPC continually monitors breach notifications received to identify trends and inform further investigative and enforcement actions.
The DPC also received 428 data breach notifications under the ePrivacy Regulations 2011 (up 193% on 2023). The Report attributes the increased number of breaches notified to the DPC under the ePrivacy Regulations 2011 to the entry into force of the EU (Electronic Communications Code) Regulations 2022 and the expanded definition of the term "electronic communications service". This definition brings "over the top" service providers, such as messaging services, within the remit of the ePrivacy Regulations 2011. Regulation 4 of the ePrivacy Regulations 2011 requires such services to report data breaches to the DPC within 24 hours.
The most frequent causes of ePrivacy breaches reported to the DPC were:
- communications directed to the wrong recipients (email addresses / phone numbers / postal addresses / eircodes recorded incorrectly or not updated by individuals); and
- social engineering / phishing schemes (third parties gaining access to customer accounts, including access to personal details).
The Report highlights that in 2024, the DPC handled 20 complaints from individuals relating to alleged personal data breaches, which were not resolved through an amicable resolution process.
DECISIONS AND FINES
As of 31 December 2024, the DPC had 89 statutory inquiries on-hand, including 53 cross-border inquiries and 36 domestic inquiries. In 2024, the DPC delivered 11 statutory inquiry decisions, six of which resulted in administrative fines, amounting to a total of €652 million. Four of these administrative fines concerned cross-border statutory inquiries, and two concerned domestic statutory inquiries.
Cross-Border Inquiry Fines
LinkedIn was subject to the largest fine, in the amount of €310m (previously discussed here). The other three fines of €11m, €240m and €91m were imposed on Meta in respect of the token breach and the plaintext password breach (previously discussed here).
Domestic Inquiry Fines
In addition, Sligo County Council and Maynooth University were respectively subject to fines of €29,500 and €40,000. The Sligo County Council fine was imposed following an inquiry into the Council's use of CCTV cameras and automated number plate recognition cameras for the purposes of prosecuting crime and other purposes. The DPC found that the Council had no valid legal basis for the processing, and had failed to erect appropriate signage in respect of the CCTV cameras. The fine on Maynooth University followed a data breach notification by the university concerning unauthorised access to six email accounts of university employees. The unauthorised access led to fraud and financial loss suffered by one affected person. The DPC imposed the fine on the basis that Maynooth University had failed to ensure appropriate security measures, and had also failed to notify the DPC of the personal data breach within the statutory timeframe.
Reprimands
The DPC also imposed reprimands on three organisations in 2024: Airbnb, Groupon and Apple. In two other cases, the DPC's Inquiry resulted in no GDPR infringements being found (including in respect of Apple and Mediahuis Ireland Group Ltd). The reprimands imposed on Airbnb and Groupon concerned excessive and unlawful processing of personal data for identity verification documentation purposes when data subjects made erasure or access requests.
The Apple Inquiry concerned a complaint that Apple had not properly complied with an erasure request in respect of a user's Apple ID. The DPC examined the legal basis on which Apple relied to retain the hashed value of the data subject's email address. The DPC found that Apple was entitled to validly rely on the "legitimate interests" legal basis for the purpose of retaining a hashed value of the user's email address following the erasure request, and had complied with its obligations under Article 17 GDPR. However, the DPC imposed a reprimand on Apple on the grounds that it had infringed its transparency obligations under Articles 13(1)(c) and (d) GDPR, because Apple had failed to inform the user of its intention to retain the hashed value of their email address, and of the lawful basis and legitimate interests for doing so.
Fines - 2025
It is noteworthy that only three fines have been issued by the DPC to date in 2025. These will be covered in next year's Annual Report and comprise:
- a €550,000 fine imposed on Department of Social Protection, in respect of its processing of biometric facial templates, and associated use of facial matching technologies as part of the registration process for the Public Services Card;
- a €125,000 fine following the conclusion of the DPC's Inquiry into City of Dublin Education and Training Board ("CDETB") for failure to implement appropriate security measures and to report a personal data breach to the DPC and affected data subjects without undue delay; and
- a €530m fine on TikTok following the DPC's Inquiry into its transfers of EEA user data to China. Notably, the DPC found that TikTok had failed to comply with the data transfer rules in Chapter V GDPR, and had also failed to comply with its GDPR transparency obligations. In particular, the DPC found that TikTok failed to provide sufficient information to users in its privacy notice regarding its data transfers, including the names of the non-EEA countries it was transferring data to, and the nature of the privacy operations constituting the transfer (namely remote access to personal data stored in Singapore and the US by personnel based in China).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.