A recent decision of the Information and Data Protection Commissioner sheds light on several data protection concepts often overlooked by controllers and processors. 

The complainant sought access to the files from her son’s occupational and speech therapy sessions, a service provided by the school he attended. The therapists assess the individual at the beginning of the year, set goals, and create an annual report that is stored in the data subject’s file. The complainant faced a series of challenges, including unresponsive therapists and delays from the school’s Director.

This incident serves as a stark reminder that data protection should not be an afterthought, and the role of Data Protection Officers (DPOs) is far from a mere formality—it is of paramount importance to an organisation. 

The Commissioner highlighted a “serious lack of diligence” by the school, noting several deficiencies, primarily: 

  1. The school’s failure to adhere to the 30-day timeframe for data subject requests;
  2. An inaccessible and deficient privacy policy, which failed to provide clarity on the categories of personal data processed, the legal basis and purpose of processing, the access request procedure, and data retention timelines;
  3. No access to a data retention policy;
  4. Ambiguity about the Director’s role as a controller;
  5. Absence of a defined process for handling data subject rights requests;
  6. Lack of training for employees handling personal data;
  7. Internal deficiencies revealing a lack of policies for handling personal data in accordance with GDPR Articles 24(1)-(2) and 32(4).

To rectify these shortcomings, the DPA mandated the revision of the school’s data protection policy to align with Article 13 of the GDPR and the establishment of an internal data protection policy as per Article 24. Additionally, a €50,000 fine was imposed, with an additional €50 for each day the violation persisted.

This case serves as a cautionary tale for organisations, underscoring the critical need for robust data protection policies, clear communication channels, and diligent adherence to GDPR guidelines. It reinforces the idea that data protection is not just a legal requirement but a fundamental aspect of responsible and ethical organisational conduct in the digital age.

Stay compliant with the latest data protection regulations. Contact Dalli Advocates for expert guidance on navigating legal updates.
