Skip to main content

DPC Ireland Regulatory Activity Report 2018 - 2020




25 May 2020 marked the second anniversary of the enactment of GDPR. To mark that anniversary, the DPC published its 2018-2020 Regulatory Activity Report on 23 June 2020. The Report provides a detailed insight into the work of the DPC since the implementation of GDPR. We have outlined below the key aspects from the Report:

  1. Data Breaches

  • 12,437 reported breaches
  • 80% relate to unauthorised disclosures
  • Human error accounted for a significant portion of breaches
  • 5.6 % of reported breaches were as a result of phishing, hacking or lost devices
  • More notifications in the private sector (52%) versus the public sector (28%)
  1. Enforcement Action/Supervision

  • 53 national inquires and 24 cross-border opened
  • As a result of supervision activity, six planned big tech projects postponed or revised 
  • An Garda Síochana – reprimand and corrective powers applied
  • Tusla - reprimand and fine (x2) applied
  • Twitter – inquiry completed and draft decision forwarded to EU concerned data protection authorities (DPAs) in accordance with the Article 60 procedure.
  • DEASP - Enforcement notice issued regarding the use of the Public Services Card (currently under appeal)
  1. Lead Supervisory Authority (LSA) Role

  • Received 746 complaints from peer DPAs where the DPC was identified as the LSA.
  • Received 124 formal and voluntary mutual assistance requests
  1. Summary of the complaints/cases

  • 22.62% involve access requests
  • 22% involve general complaints (unclassified)
  • 15% involve processing (including fair obtaining and further processing)
  • 12% involve disclosure (data shared with a third party)
  • 8% involve right to be forgotten (delisting and/or removal requests)
  • 6% involve direct marketing
  • 8% of cases were resolved amicably
  • 66 Law Enforcement Directive complaints handled
  1. Litigation

  • 9 litigation cases concluded before the Irish courts
  • One case before CJEU (DPC v Facebook Ireland Ltd & Maximillian) regarding standard contractual clauses.
  1. E-Privacy


  • 282 direct marketing complaints opened
  • prosecuted 11 companies for offences under S.I. No. 336/2011 ('the ePrivacy Regulations') which resulted in either fines or charitable donations.
  1. What's next for the DPC?

  • The CJEU judgment in the case of DPC v Facebook Ireland Ltd & Maximillian will be delivered on 16 July 2020.
  • As part of the ARC Project (Raising Awareness Campaign for SMEs), for the next two years, the DPC will continue to engage with SMEs in order to provide a suite of compliance resources to help SMEs in complying with their GDP obligations.
  • Children's Data Protection Rights: The DPC is preparing draft guidance on the processing of children's personal data. This guidance will provide baseline standards for organisations that will interact with children particularly in the digital sphere. This guidance is based on the submissions received in response to the public consultation.
  • Brexit and Transfers: The DPC continues to advise Irish entities transferring data to the UK.
For further information on the Activity Report please contact Julie Austin, Partner, Fieldfisher (Dublin) at

Written by Julie Austin and Lyndsay Mason. 

A phased return to work is taking place in different sectors.  Fieldfisher is committed to supporting you through the transition and beyond.  We continue to be available to our clients either remotely or in person, with your business as usual matters, as well as for C-19 support.    Please review our Covid-19 hub for updates and get in touch if you require further information.

Sign up to our email digest

Click to subscribe or manage your email preferences.


Areas of Expertise