Data Protection Commission – Court Ruling (Ireland, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The High Court in Ireland decided that the Health Service Executive (HSE) was not responsible for personal data on a work phone that was compromised in a data breach. This is important because it clarifies that organizations may not be liable for personal data stored without their knowledge.
What happened
A fire prevention officer's personal data was compromised after a ransomware attack on the HSE, but the HSE was found not to be the data controller for that data.
Who was affected
The fire prevention officer whose personal email and cryptocurrency accounts were hacked.
What the authority found
The court ruled that the HSE could not be considered the data controller for personal data on the work phone, since the phone was not intended for personal use.
Why this matters
This case sets a precedent for how organizations handle personal data on work devices. Companies should ensure clear policies are in place regarding personal use of work devices to avoid liability.
The data subject was a fire prevention officer working for the Irish Health Service Executive (HSE) and was provided with a work phone to be used for work purposes. In May 2021, the HSE suffered a significant data breach and ransomware attack which compromised a large number of HSE computers and devices, including the data subject’s work phone. In June 2021, the data subject noticed that his personal email account and personal cryptocurrency account, both of which he had accessed on his work phone, had been compromised. Cryptocurrency to the value of €1,400 had been stolen.
After being left unsatisfied with the HSE’s response to a complaint he had filed in relation to the incident, the data subject complained to the DPC on 15 December 2021. In an email to the data subject about the issues he raised, the DPC noted that the HSE was not the data controller in respect of the data subject’s non-work-related personal data which was on the work phone as the device was only supposed to be used for work purposes. It was found that there was “no basis” upon which the HSE could be considered the data controller when the personal data (personal email and cryptocurrency account) was stored on the device without the HSE’s knowledge or agreement.
On 15 August 2022, the data subject sought a judicial review before the High Court of the DPC’s decision. The data subject claimed that the work-related data comprised “personal data” under Article 4(1) GDPR, that the HSE was the data controller in respect of it in accordance with Article 4(7) GDPR, and that the DPC had erred in their findings in respect of their decision. This, according to the data subject, rendered their decision “unreasonable” in accordance with the test laid out in Meadows v Minister for Justice, Equality and Law Reform [2010] 2 I.R. 70. This decision established some criteria for which an administrative decision can be judicially reviewed in Ireland. The data subject also claimed that the DPC had failed in their ob
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Cite as: Cookie Fines. Data Protection Commission - Ireland (2025). Retrieved from cookiefines.eu