Privacy & Information Security Law Blog

On March 7, 2023, the Irish Data Protection Commission (“DPC”) published its Annual Report for 2022 (the “Report”). The Report contains details on several areas of the DPC’s work, including complaints from data subjects received by the DPC, personal data breach notifications received by the DPC and statutory inquiries conducted by the DPC.

Highlights from the Report include:

• During 2022, the DPC received 2,700 complaints from data subjects under the General Data Protection Regulation (“GDPR”). Almost half of the complaints related to data subject access requests, while other common issues related to fair processing and direct marketing.
• During 2022, the DPC received 5,828 personal data breach notifications, 5,695 of which were valid GDPR personal data breaches. Of the notifications, 52% were from the private sector, 44% were from the public sector and the remaining 4% were from the voluntary and charity sector. The Report also includes a high-level breakdown of the categories of personal data breaches notified. The category with the highest number of notifications was unauthorized disclosure by postal material to an incorrect recipient. Other categories include unauthorized disclosure through email, lost or stolen official documents, hacking and unauthorized access of online accounts.
• During 2022, the DPC conducted 17 large-scale inquiries and imposed administrative fines in excess of €1 billion and multiple reprimands and compliance orders.
• During 2022, the DPC received 125 valid cross-border complaints as the Lead Supervisory Authority and 12 valid cross-border complaints as a Concerned Supervisory Authority.

In her forward to the Report, Data Protection Commissioner Helen Dixon stated “2022 was a year in which the conclusion of comprehensive DPC enforcement action brought clarity to the application and enforcement of many novel and complex issues under the GDPR.” Looking forward, the Commissioner indicated that the DPC’s work in 2023 “is set to continue this trend” as the DPC seeks to “pursue the issues of greatest consequence for data subjects, drive compliance, and, most importantly, safeguard individuals’ rights.”

Read the press release.