The Data Protection Commissioner – Court Ruling (Ireland, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Irish hospice used CCTV in a staff area without properly informing employees of the purpose, leading to a court ruling against the data protection authority's initial decision. This case shows the importance of transparency when using surveillance at work. Employers should clearly communicate why and how they collect data.
What happened
An Irish hospice placed CCTV cameras in a staff tearoom without adequately informing employees of the data processing purpose.
Who was affected
Employees of the Irish hospice who were recorded by the CCTV cameras in the staff tearoom.
What the authority found
The Court of Appeal upheld that the hospice failed to inform the employee about the purpose of data processing, violating fair processing requirements under the Data Protection Act 1988.
Why this matters
This ruling emphasizes the need for clear communication about surveillance practices in the workplace. Employers should ensure that staff are fully informed about data collection and its purposes to comply with privacy laws.
National Law Articles
An Irish Hospice placed CCTV cameras in the staff tearoom, following advice from Gardai (Irish Police) after graffiti had been left on a table saying: "Kill all whites, ISIS is my life". The incident happened in 2015, shortly after terrorist attacks in Paris. A sign was placed beside each camera which read: “Images are recorded for the purposes of health and safety and crime prevention.” The same information was included in the hospice policy. The CCTV footage, that was reviewed as part of security investigation, revealed numerous unauthorised breaks of the data subject, who was one the hospice employees at that time. Although there was no suggestion that the data subject had any involvement in the graffiti incident, the data collected from the CCTV prompted disciplinary proceedings against him. The data subject made a complaint to the DPC. The complaint was rejected, on the basis that the CCTV images were not processed beyond the original security purpose. It was argued by the hospice that the evidence for the data subject's disciplinary proceedings was based on records from a key fob used by the data subject to enter the tearoom. The data subject appealed to the Circuit Court. The Circuit Court upheld the DPC’s decision. The data subject appealed again to the High Court. The High Court found that the DPC incorrectly interpreted the term "processing" under the Data Protection Act 1988. The DPC appealed the decision to the Court of Appeal. The Court of Appeal upheld the High Court decision. The Court decided that: 1. The data subject was not made aware, at or before the time when the data was obtained, of the purpose for which the data was intended to be processed, contrary to the fair processing requirement of the Section 2D of the Data Protection Act 1988. 2. Based on the Court’s analysis of Article 29 of the Data Protection Directive of 1995 entitled “Working Party on the Protection of Individuals with regard to the Processing of Personal Data”, the CCTV dat
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for The Data Protection Commissioner in IE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. The Data Protection Commissioner - Ireland (2022). Retrieved from cookiefines.eu
Last updated: