While the DPC’s annual report offers new lessons, several recurring issues highlight the need for continuous learning in this area. Elaine Morrissey takes charge of class
The Data Protection Commission’s and may pose some revision exercises for practitioners regarding compliance within practices and in advising clients. So what lessons should be learned from the report in these areas?
The answer is to focus on the following ‘rules’:
While a picture paints a thousand words, the numbers from the report will keep any privacy professional up at night.
First, the stats:
While 7,781 data-breach notifications (up 11% from 2023) is eye-catching, the data behind this number is eye-watering.
Half the reported breaches were caused by communications to the wrong person. This means that approximately 3,890 breaches handled by the DPC were as a result of correspondence being sent to an incorrect individual.
This occurs where post or emails are sent to the wrong person and/or address. Breaches range from minor disclosures (for example, name and contact info) to trusted parties, to more serious breaches, where financial or medical details are available to unknown parties, particularly free email accounts.
There is no ability to successfully recall an email sent to Gmail and similar email services.
Consideration needs to be given to the postal process, checking attachments, password-protecting attachments, and other methods to share documents, such as file-sharing tools.
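The checks described above (looking at who a message is going to, what is attached, and whether the attachment is protected) can be applied automatically before a message leaves the organisation. The following is an added example, not code from the article or from the DPC: a pre-send check that flags drafts carrying unencrypted attachments to consumer webmail domains, first-time recipients, lookalike spellings of trusted domains, and attachments whose names suggest financial or medical content. The domain lists, file-name patterns and sample drafts are constructed for illustration and would be replaced by an organisation’s own lists.

```python
"""Pre-send check for outbound email, intended to catch misdirected messages
before they are sent. Added example; the lists below are constructed."""
import re
from dataclasses import dataclass, field

# Constructed: consumer webmail domains where a sent message cannot be recalled.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Constructed: the firm's own domain and trusted counterparties.
TRUSTED_DOMAINS = {"examplefirm.ie", "client-bank.example"}
# Constructed heuristic: file names that suggest financial or medical content.
SENSITIVE_NAME = re.compile(r"(statement|medical|payslip|bank|passport)", re.I)


@dataclass
class Attachment:
    name: str
    encrypted: bool  # True if password-protected (PDF, archive, etc.)


@dataclass
class Draft:
    recipients: list
    attachments: list = field(default_factory=list)
    contact_book: set = field(default_factory=set)  # addresses mailed before


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character typos in a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_draft(draft: Draft) -> list:
    """Return (code, detail) warnings; an empty list means the draft may be sent."""
    warnings = []
    unencrypted = [a for a in draft.attachments if not a.encrypted]
    external = [r for r in draft.recipients if domain_of(r) not in TRUSTED_DOMAINS]

    for rcpt in external:
        dom = domain_of(rcpt)
        # Unprotected attachments to webmail: no recall possible once sent.
        if dom in FREE_MAIL_DOMAINS and unencrypted:
            warnings.append(("FREE_MAIL_UNENCRYPTED", rcpt))
        # Never mailed before: ask the sender to confirm the address.
        if rcpt.lower() not in {c.lower() for c in draft.contact_book}:
            warnings.append(("NEW_RECIPIENT", rcpt))
        # One character away from a trusted domain: likely a typo.
        for trusted in TRUSTED_DOMAINS:
            if dom != trusted and edit_distance(dom, trusted) <= 1:
                warnings.append(("LOOKALIKE_DOMAIN", rcpt))

    # Sensitive-looking attachment leaving the trusted set without protection.
    for att in unencrypted:
        if SENSITIVE_NAME.search(att.name) and external:
            warnings.append(("SENSITIVE_UNENCRYPTED", att.name))
    return warnings


if __name__ == "__main__":
    # Constructed sample draft: a bank statement to a Gmail address, unprotected.
    sample = Draft(
        recipients=["jane.doe@gmail.com"],
        attachments=[Attachment("bank_statement.pdf", encrypted=False)],
        contact_book={"jane.doe@gmail.com"},
    )
    for code, detail in check_draft(sample):
        print(f"{code}: {detail}")
```

The same draft produces no warning once the attachment is password-protected, which is the point of the advice on protecting attachments: the check blocks the risky form of the message rather than the recipient.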
From the report and the case studies, it’s clear that a lack of appropriate technical and organisational measures (TOMs) is an ongoing issue.
Maynooth University’s breach of employee email accounts highlighted insufficient TOMs and late breach notification to the DPC.
The university was ordered to put in place TOMs, including multifactor authentication and a robust password-management process, and to complete “mandatory data-protection and cybersecurity training for all staff, appropriate to their role and level of risk, and updated as the risk landscape changes”.
An example of practical training is that, when an employee fails a test phishing email, they must complete specific phishing email training. Such a test and training are practical, and target the employees who are vulnerable to falling for such emails.
While people think they won’t fall for such a trap, phishing attacks are becoming more sophisticated and harder to spot, particularly in the avalanche of emails that the working world has become.
The case studies provide an example where an employee falls victim to a phishing attack, with subsequent preventative measures, including increased staff training and awareness.
In terms of data-subject rights requests (DSRRs), which include the right to access data (DSAR) and right to erasure, DSARs accounted for 34% of complaints received by the DPC.
This demonstrates that data subjects (individuals) are aware of and willing to invoke their rights.
Common issues on DSRRs, particularly on DSARs, are:
The report provides a strong reminder on the reliance on exemptions – that is, relying on exemptions to not provide personal data to the data subject: “The reason the exemption is being applied should be clearly explained to the individual”; “any exemptions applied should be documented”; and “organisations must always be able to explain to the DPC why they have applied specific exemptions”.
There has been much debate over the last few years regarding the need for organisations to request proof of identity from a data subject before they will proceed with a DSRR.
This issue is not new and has appeared in previous DPC reports (for example, the 2022 annual report and the complaint against Airbnb Ireland UC, concluded in 2024).
For the 2024 report, Groupon Ireland Operations Limited is in the hot seat, where the DPC found that Groupon had infringed the GDPR by requiring the data subject to provide ID before it would respond to the data subject’s requests.
While ID verification may be required, it’s important that organisations consider whether additional verification is required and what is the best method of verification, taking into account the data-minimisation principle. As ever, it’s important to document such procedures and decision-making.
The report and case studies are useful reminders of how best to approach DSRRs; for example, appropriate training of staff, effective communication with data subjects, and robust analysis of legal basis, rights, and exemptions.
Practitioners can utilise the Law Society and the DPC’s websites for .
Another area of focus is that ‘big brother is watching’, and data subjects are not happy.
Given the volume of complaints regarding CCTV, the DPC has issued several , all of which can be found on the DPC’s website.
However, CCTV complaints remain a constant issue. They fall into two camps: CCTV use by organisations and CCTV use by individuals.
For individuals to keep within the ‘household exemption’ of the GDPR – that is, to fall outside the scope of the GDPR – all use of CCTV, including ‘smart doorbells’, must be strictly within the perimeter of an individual’s own property and be used solely for domestic purposes.
If an individual’s CCTV captures images of public property or their neighbour’s property, they lose the benefit of the household exemption and fall under the scope of the GDPR.
The lesson is to check cameras to ensure their range is within the perimeter of the property.
From a commercial perspective, organisations must ensure adequate signage and transparency, use CCTV appropriately rather than have blanket coverage, remember that CCTV images are personal data, subject to DSRRs, and implement proper retention schedules with deletion processes.
One of the themes throughout the report and case studies is the importance of timely and transparent communication. Examples include delays in breach notification, delays in responding to DSRRs, and not providing a sufficient response to the data subject.
There are several cases where the organisation does amend its response and/or its processes following intervention by the DPC – for example, an organisation reducing the redactions in a DSAR or no longer seeking to rely on an exemption following input from the DPC.
A lack of good communication and delays in responses all inevitably lead to the need for more resources to deal with the issue.
It’s important to remember that any communication with a data subject has the potential to be seen by the DPC and/or a court.
It’s imperative that there is an agreed process for communications to data subjects (or their representatives) and regulators.
Data subjects do not want spam emails that they have not consented to. Data subjects expect their marketing preferences to be complied with.
Marketing emails are another area where data subjects have become familiar with their rights. While there are some limited exemptions, if a client wishes to send marketing emails to a data subject (customer or potential customer), they need that individual’s consent.
In 2024, the DPC issued 49 warning letters to companies on foot of unsolicited marketing communications and prosecuted eight companies in the District Court.
All eight companies prosecuted had received a prior warning to correct inadequate processes and procedures for electronic marketing and had failed to do so.
As the organisations had failed to act on the warning, the DPC decided to prosecute the cases.
While the fines under the ePrivacy Regulations are not substantial (and, in the case of Supermac’s, they were ordered to pay €3,500 to charity), the reputational cost and the resources used to respond to the call could all have been avoided if the organisation had taken appropriate action.
In a number of cases (for example, Pulse Gym trading as Energie Fitness, Dublin 8, and Supermac’s Ireland Limited), the organisations referred to failures of their third parties.
This highlights the need to have adequate supplier (third-party) assessment and ongoing due diligence, including a compliant data-processing agreement.
The report states: “It is critical that, before embarking on electronic marketing campaigns, companies carry out robust testing and checks with their service providers to ensure that they have the valid and up-to-date consent of the individuals on their marketing lists and that their opt-out mechanisms are fully functional.”
It would be remiss not to mention the work of the DPC in relation to artificial intelligence (AI). It has been leading in this space for some time now.
The report references the European Data Protection Board opinion on the processing of personal data in the context of AI models, which resulted from a request by the DPC. (Further details on that opinion can be found in the April 2025 Gazette.)
The DPC has engaged with a range of organisations that are developing large language models. A deputy commissioner has within their remit the EU AI Act.
In a first for the DPC, in August 2024, it applied to the High Court for interlocutory relief regarding the processing of personal data by X (formerly Twitter) to train its AI model, Grok, and other AI. Further details on this case are available in the report and on the DPC’s website.
It is expected that the 2025 annual report will have an even greater focus on AI. What will be one to watch is how data subjects react. Will we see a rise in DSRRs, or more complex DSRRs arising from organisations’ use of AI to process personal data and to build models?
More than ever, timely and effective communication will be required to respond to data subjects and/or their representatives and the regulator. Use the ‘rules’ to help your practice and clients stay compliant.
Elaine Morrissey is chair of the Law Society’s IP and Data Protection Law Committee.