Irish Data Protection Commission Publishes Annual Report for 2022

On
March
7,
2023,
the
Irish
Data
Protection
Commission
(“DPC”)
published
its

Annual
Report
for
2022
(the
“Report”).
The
Report
contains
details
on
several
areas
of
the
DPC’s
work,
including
complaints
from
data
subjects
received
by
the
DPC,
personal
data
breach
notifications
received
by
the
DPC
and
statutory
inquiries
conducted
by
the
DPC.

Highlights
from
the
Report
include:

• During
  2022,
  the
  DPC
  received
  2,700
  complaints
  from
  data
  subjects
  under
  the
  General
  Data
  Protection
  Regulation
  (“GDPR”).
  Almost
  half
  of
  the
  complaints
  related
  to
  data
  subject
  access
  requests,
  while
  other
  common
  issues
  related
  to
  fair
  processing
  and
  direct
  marketing.
• During
  2022,
  the
  DPC
  received
  5,828
  personal
  data
  breach
  notifications,
  5,695
  of
  which
  were
  valid
  GDPR
  personal
  data
  breaches.
  Of
  the
  notifications,
  52%
  were
  from
  the
  private
  sector,
  44%
  were
  from
  the
  public
  sector
  and
  the
  remaining
  4%
  were
  from
  the
  voluntary
  and
  charity
  sector.
  The
  Report
  also
  includes
  a
  high-level
  breakdown
  of
  the
  categories
  of
  personal
  data
  breaches
  notified.
  The
  category
  with
  the
  highest
  number
  of
  notifications
  was
  unauthorized
  disclosure
  by
  postal
  material
  to
  an
  incorrect
  recipient.
  Other
  categories
  include
  unauthorized
  disclosure
  through
  email,
  lost
  or
  stolen
  official
  documents,
  hacking
  and
  unauthorized
  access
  of
  online
  accounts.
• During
  2022,
  the
  DPC
  conducted
  17
  large-scale
  inquiries
  and
  imposed
  administrative
  fines
  in
  excess
  of
  €1
  billion
  and
  multiple
  reprimands
  and
  compliance
  orders.
• During
  2022,
  the
  DPC
  received
  125
  valid
  cross-border
  complaints
  as
  the
  Lead
  Supervisory
  Authority
  and
  12
  valid
  cross-border
  complaints
  as
  a
  Concerned
  Supervisory
  Authority.

In
her
forward
to
the
Report,
Data
Protection
Commissioner
Helen
Dixon
stated
“2022
was
a
year
in
which
the
conclusion
of
comprehensive
DPC
enforcement
action
brought
clarity
to
the
application
and
enforcement
of
many
novel
and
complex
issues
under
the
GDPR.”
Looking
forward,
the
Commissioner
indicated
that
the
DPC’s
work
in
2023
“is
set
to
continue
this
trend”
as
the
DPC
seeks
to
“pursue
the
issues
of
greatest
consequence
for
data
subjects,
drive
compliance,
and,
most
importantly,
safeguard
individuals’
rights.”

Read
the

press
release.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts