MOVE Ireland – €1,500 Fine (Ireland, 2021)

The Irish DPA (DPC) has fined the organization MOVE (Men Overcoming Violence) EUR 1,500. MOVE is a charity working in the field of domestic violence. The organization aims to support the safety and well-being of women and their children who have experienced violence in relationships. For this purpose, participants (men) come to weekly sessions in order to change their behavior. On February 3, 2021, the organization reported a data breach in accordance with Art. 33 GDPR. The organization stated that eighteen SD cards had been lost, which may have contained recordings of group sessions of the MOVE program, in which participants discuss their behavior and attitudes regarding domestic violence with a group leader. Some of the participants could be seen and heard on the recordings. In addition, the recordings included footage of participants discussing their behaviors and feelings regarding current or former partners, other family members, and friends who may have been named. Approximately 80-120 participants could have been affected by the data breach, as well as at least one group leader per recorded session. The DPC found that MOVE had breached its obligation under Art. 32 (1) GDPR by failing to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing of personal data through the recording of group sessions.