MOVE Ireland – €1,500 Fine (Ireland, 2021)

The controller is Men Overcoming Violence Ireland ("MOVE"), a registered charity that works in the area of domestic violence, with a primary aim of supporting the safety and wellbeing of women and their children who are experiencing, or have experienced violence/abuse in an intimate relationship. MOVE does this by facilitating men (participants) in weekly group sessions. The personal data breach concerned the loss of eighteen SD Cards that may have contained recordings of group sessions of MOVE’s programme where participants discuss their behaviour and attitudes with regard to domestic violence with a facilitator. Whilst the recording of group sessions focused on the delivery of sessions by the facilitators, some of the participants may have been seen and heard in the recordings; furthermore the personal data on the SD Cards included participants’ disclosure of behaviours, feelings and attitudes towards current or ex partners, other family members and friends, who may have been named by the participants. MOVE submitted that 80 to 120 men may have been affected by this personal data breach and, at least, one facilitator per each recorded session. The Irish DPA (DPC) held that MOVE infringed Article 5(1)(f) GDPR and Article 32(1) GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing by means of recording group sessions on SD Cards containing participants’ and facilitators’ personal data. The DPC imposed an administrative fine of €1500 on MOVE. Furthermore, it issued MOVE with a reprimand in respect of the infringements and ordered it to bring its processing activities into compliance with Article 5(1)(f) GDPR and Article 32(1) GDPR.