Data Protection Commission – Court Ruling (Ireland, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The data subject was a fire prevention officer working for the Irish Health Service Executive (HSE) and was provided with a work phone to be used for work purposes. In May 2021, the HSE suffered a significant data breach and ransomware attack which compromised a large number of HSE computers and devices, including the data subject’s work phone. In June 2021, the data subject noticed that his personal email account and personal cryptocurrency account, both of which he had accessed on his work phone, had been compromised. Cryptocurrency to the value of €1,400 had been stolen.
After being left unsatisfied with the HSE’s response to a complaint he had filed in relation to the incident, the data subject complained to the DPC on 15 December 2021. In an email to the data subject about the issues he raised, the DPC noted that the HSE was not the data controller in respect of the data subject’s non-work-related personal data which was on the work phone as the device was only supposed to be used for work purposes. It was found that there was “no basis” upon which the HSE could be considered the data controller when the personal data (personal email and cryptocurrency account) was stored on the device without the HSE’s knowledge or agreement.
On 15 August 2022, the data subject sought a judicial review before the High Court of the DPC’s decision. The data subject claimed that the work-related data comprised “personal data” under Article 4(1) GDPR, that the HSE was the data controller in respect of it in accordance with Article 4(7) GDPR, and that the DPC had erred in their findings in respect of their decision. This, according to the data subject, rendered their decision “unreasonable” in accordance with the test laid out in Meadows v Minister for Justice, Equality and Law Reform [2010] 2 I.R. 70. This decision established some criteria for which an administrative decision can be judicially reviewed in Ireland. The data subject also claimed that the DPC had failed in their ob
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Cite as: Cookie Fines. Data Protection Commission - Ireland (2025). Retrieved from cookiefines.eu