GDPR: Three Years On

25 May, 2021

Three years ago on the 25th May 2018 the European Union’s General Data Protection Regulation (“GDPR”) came into effect. Marking this three year anniversary, we take a look at the key trends emerging from the Data Protection Commission’s (“DPC”) yearly reports from 2018, 2019 and 2020, which provide a useful insight into the role of the Irish regulator and the issues the DPC has been dealing with since the introduction of the GDPR three years ago. 

Complaints. The DPC reports demonstrate that the number of complaints being received from individual data subjects has remained consistently high (albeit that the number of complaints were down for 2020, which may have occurred as a result of the Covid-19 pandemic), and as can be seen from the summary table below, the issue of access rights has remained the most prevalent issue complained of, with the largest number of complaints received year on year. Article 15 of the GDPR provides than an individual may obtain from a controller confirmation of whether or not personal data concerning them is being processing and where that is the case, access to a copy of that personal data. While this fundamental right is enshrined into the legislation in this area, it is clear from the DPC reports that for many organisations, this fundamental right is not being adequately dealt with, and as a result, has become a common complaint amongst data subjects.

The DPC has however acknowledged in its most recent report that an increasing feature of the complaints being received by it is that the complaints are not necessarily data protection related, and has noted its concern with regard to the volume of these non-data protection complaints, which appear to be a misuse of this independent, easily-accessible, free of charge dispute resolution service, for general grievances, rather than data specific complaints.





Total Complaints




Top 5 Complaints Received

1. Access Request

2. Multinational Companies

3. Unfair processing

4. Disclosure

5. Electronic Direct Marketing

1. Access Request

2. Disclosure

3. Fair Processing

4. Marketing Complaints

5. Right to Erasure

1. Access Request

2. Fair Processing

3. Disclosure

4. Direct Marketing

5. Right to Erasure

Security Breach Notifications. The introduction of the GDPR brought with it a mandatory data breach notification obligations for all data controllers, obliging data controllers to notify the DPC of any personal data breach that has occurred, unless the data controller can demonstrate that the personal data breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. This now means that the default position is that all breaches must be notified.

The table below sets out the volume of security breaches which were notified to the DPC over a three year period, and shows the steady increase in the number of breaches reported. The top 5 breach notifications have remained consistent with unauthorised disclosures representing a large proportion of all security breaches notified to the DPC every year.





Security Breaches




Top 5 Breach Notifications

1. Disclosure (Unauthorised) (85%)

2. Paper lost or stolen

3. Hacking

4. Phishing

5. Device lost or stolen

1. Disclosure (unauthorised) (83%)

2. Paper lost or stolen

3. Phishing

4. Unauthorised Access

5. Hacking

1. Disclosure (unauthorised) (86%)

2. Paper lost or stolen

3. Hacking

4. Unauthorised Access

5. Phishing

Statutory Inquiries. Pursuant to the Data Protection Act 2018, the DPC may conduct two different types of statutory inquiry under Section 110 in order to establish whether an infringement of the GDPR or the Data Protection Act 2018 has occurred. These include both a (i) complaint-based inquiry and (ii) an inquiry in the DPC’s own volition.  As can be seen from the table below, in each year since the introduction of the GDPR, the DPC has conducted an increased number of these statutory inquiries, with an increased emphasis on cross border investigations.

From a review of the Statutory Inquiries undertaken in 2020, there are a large number being undertaken on the DPC’s own volition, in particular into large multinational corporations based in Ireland (including Facebook, Twitter and Google) as well as a large number of domestic inquiries into entities such as local authorities, An Garda Síochána, and various state bodies and demonstrates the DPC’s desire to tackle issues that it recognises, without the need for a complaint to have been made by a data subject.





Statutory Inquiries


70 (21 cross border)

83 (27 cross border)

Administrative Fines. Where the DPC decides that an infringement of data protection legislation has occurred on foot of a statutory inquiry, it then decides whether to utilise its corrective powers, which includes the imposition of administrative fines. The first such administrative fine was imposed on TUSLA, the Child and Family Agency of the Irish State, in relation to three personal data breaches. The fine imposed was €75,000.

Since then, the DPC has utilised its powers to impose administrative fines on the following entities:

– August and September 2020: The DPC commenced an inquiry arising out of one personal data breach notified by Ireland’s Health Service Executive (“HSE”) involving documentation containing personal data of 78 individuals, which was disposed of in a public recycling centre and imposed an administrative fine of €65,000 on the HSE.

– December 2020: The DPC imposed a fine of €70,000 on University College Dublin following an inquiry in respect of 7 personal data breaches that the University had notified to the DPC between 2018 and 2019.

– December 2020: The most noteworthy fine imposed by the DPC was on Twitter where the DPC imposed a fine of €450,000 arising out of Twitter’s notification of a breach to the DPC, having regard to whether Twitter had complied with Article 33(1) of the GDPR in terms of the timing of its notification of the breach and whether it had complied with Article 33(5) in respect of its documenting of the breach.

Summary. As can be seen from the DPC reports to date, there has been a steady increase in the public’s awareness of the GDPR by data subjects, who are now seeking to rely on the protections afforded by the GDPR in a number of instances. This in turn has led to a corresponding increase in the volume of complaints and security breach notifications reported to the DPC.

While the number of inquiries and fines by comparison remains low, this public awareness coupled with the administrative fines now emerging means we are likely to see a further utilisation of the DPC’s powers under the GDPR and an increase in the amount of administrative fines and the quantum imposed.  We expect to continue to see an increase in the number of employment related complaints particularly in the context of the Covid-19 pandemic as issues relating to return to work policies or remote working, monitoring of employees and data concerning health may arise.

About the Authors

Laura Myles

Head of Technology & Intellectual Property

Áine Moloney


Translate »