Ireland received 136 cross-border complaints under GDPR by end of 2018

Ireland dealt with 136 GDPR One-Stop-Shop complaints from 25 May to 31 December 2018, the Data Protection Commission (DPC) says. Under the GDPR, if a company’s main establishment is in Ireland, this ‘lead supervisory authority’ has primary responsibility for dealing with a complaint or an issue in cross-border cases lodged by individuals with other EU Data Protection Authorities. Ireland’s DPC is the lead supervisory authority for a broad range of US-based multinationals, such as Apple, Facebook, Microsoft, Twitter, Dropbox, Airbnb and LinkedIn.

This new channel of enforcement requires close cooperation between DPAs, many resources, and time. As the complainant communicates directly with the DPA where the complaint is lodged, in many cases the DPA has to translate the information into the relevant national language.

The DPC’s workload has increased significantly due to the multinational technology sector. In the period between 25 May and 31 December 2018, the DPC was notified of 38 personal-data breaches involving 11 multinational technology companies. As of 31 December 2018, the DPC had 15 statutory inquiries (investigations) open in relation to multinational technology companies’ compliance with the GDPR.

The DPC continues to act, or commenced acting, as lead reviewer in relation to 11 applications for Binding Corporate Rules. It is expected that it will issue decisions on several of these applications in the first half of 2019.

See Ireland DPC’s Annual Report.

Learn more about these issues and compliance with Ireland’s Data Protection Act 2018 at the Privacy Laws & Business conference on 8-9 May 2019 in Dublin in association with McCann FitzGerald.