The Irish Data Protection Commission (DPC) is under investigation for potential General Data Protection Regulation (GDPR) breaches in connection with a data protection officer of the body being stopped from successfully completing GDPR-related tasks.
Article 80 of GDPR says that it is allowable for an individual to nominate a not-for-profit organization working in the public interest to submit a complaint to a national regulator where he or she claims infringements of their legal rights under the EU regulation. Additionally, GDPR allows not-for-profit organizations to look for “an effective judicial remedy” regarding such complaints, when they feel their legal rights have been violated.
While the data protection officer was on annual leave last August, the changes were made. A Freedom of Information request to obtain the records revealed the changes. But the data protection officer said he wouldn’t have approved the amendments and that he had no prior awareness about them. Under GDPR, the data protection officer should be independent and his employer-organization is not allowed to give any directives concerning his duties.
The Data Protection Commission’s senior investigator replied to the complaint on November 23rd confirming potential breaches of GDPR requirements have been noted and the commission is inquiring about this matter and will give an update soon, in spite of claims that the Department of Social Protection is not aware of the ongoing investigation regarding the incident involved.
Generally, the penalty that a company or organization can face for violating GDPR legislation is 4% of yearly global income or €20 million, whichever amount is greater. However, the Irish Government has enacted privacy legislation restricting any possible penalties to €1 million.