CKT

DPC Annual Report 2024

The Data Protection Commission (“DPC”) published its Annual Report for 2024 on 19 June 2025, detailing emerging trends, major fines and updated practical case studies. In this article, Conor White, Senior Associate, and Sarah Biggin, Trainee Solicitor, provide an overview of the key highlights from the report and examine the approach taken by the DPC in various case studies.

Trends

In 2024, the DPC experienced a continued surge in public engagement and complaints. It received over 30,000 contacts in 2024, with subject access requests being the most common issue, typically due to non-response or dissatisfaction with the reply provided by the data controllers in question.

The DPC opened 11,091 new cases in 2024 and concluded 10,510, with 2,357 cases being resolved through the formal complaint-handling process.

7,781 breach notifications were received, representing an 11% increase from 2023. Around half of these breach notifications were a result of correspondence being sent to the wrong recipient.

146 investigations into unsolicited electronic marketing were completed, with eight companies being prosecuted. The companies were ordered to make charitable contributions in lieu of a conviction and fine, amounting to €9,725 in donations across the eight cases.

Major Fines

The DPC concluded 11 inquiries in 2024, resulting in administrative fines totalling €652 million. Significant decisions included the following:

  • LinkedIn: In October 2024, the DPC fined LinkedIn €310 million following an inquiry into the lawfulness, fairness and transparency of its processing of the personal data of EU/EEA members for the purposes of behavioural analysis and targeted advertising.
  • Meta Platforms Ireland: In December 2024, the DPC fined Meta Platforms Ireland €251 million following two inquiries into breaches involving user tokens, initially reported in 2018. In its decision the DPC concluded that Meta had failed to implement appropriate technical and organisational measures and safeguards to ensure data protection.

Shaping Policy

In 2024, the DPC’s role in policy shaping grew significantly, with the DPC providing input and observation on over 56 pieces of proposed legislation. This is a significant increase on 2023 when the figure stood at 37.

The DPC also led efforts to provide greater clarity to the application of data protection requirements in AI model training and development. It requested a statutory opinion from the European Data Protection Board on AI model development and a formal opinion was adopted by the European Data Protection Board in December 2024, leading to a harmonised European standard.

Case Studies

The 2024 Annual Report also set out some interesting case studies that highlight common issues and practical takeaways for organisations when processing personal data:

  1. Access Request Redactions

Following an access request, an individual received redacted records from their former employer. The former employer sought to rely on Article 15(4) GDPR which provides that the right to obtain a copy of personal data undergoing processing should not adversely affect the rights and freedoms of others. The individual submitted a complaint to the DPC citing concern over the former employer’s reliance on Article 15(4) and their belief that the organisation had not released all the personal data held.

The DPC advised that a balancing of rights exercise should be conducted to balance the right of access of the individual to their personal data against the identified risk to a third party that may be brought about by the disclosure of the information, prior to seeking to rely on said exemption. Following a re-examination of the records by the former employer, the individual was provided with partially redacted records.

This case study highlights that where an organisation has concerns relating to compliance with an access request, it should endeavour to comply with the request insofar as possible whilst ensuring that the rights and freedoms of any third parties are adequately protected.

  2. Parent making an erasure request for child who is now an adult

A charity contacted the DPC seeking advice on whether it could erase a child’s data following a request from a parent. The child in question was now 18 and the DPC advised that, as the child was now a legal adult, they had legal capacity to exercise their own data protection rights, including the right to erasure. Whilst the parent could no longer directly request the erasure of the data on behalf of the adult child, the affected individual could provide their parent with a signed letter of authority, allowing the parent to act on their behalf.

This case study shows that once an individual reaches 18 years of age, their rights under the GDPR are solely theirs to exercise and they have full control over their own data protection rights. Parents or guardians may act for them, but only with consent.

  3. Use of CCTV to monitor waiting area without adequate transparency measures

An individual made a complaint to the DPC after they uncovered that they had been unknowingly recorded via CCTV by their employer. The DPC found that the employer had a CCTV policy in place prior to the individual commencing employment; however, this policy was drafted prior to the introduction of the GDPR and had not been updated since. The employer argued that the purpose of the CCTV system was to ensure the health and safety of staff and clients. The DPC found that the employer had no valid legal basis for recording under Article 6 GDPR and did not fulfil its transparency obligations under Article 13 of the GDPR.

This case highlights that organisations have a duty to be transparent and must clearly inform individuals when their personal data is being collected.

  4. Sharing personal data with third parties without consent

A law firm dealing with an estate shared a letter received from an individual who was owed a debt from the estate. The law firm shared the letter with the beneficiaries and executors of the estate without the individual’s consent. The law firm’s position was that, as the individual had voluntarily written to it, it had assumed it had the individual’s consent to share the correspondence with the beneficiaries and executors. Furthermore, the law firm claimed it had shared the letter as part of its contract to administer the estate.

The DPC found that the firm could not demonstrate that the individual had consented through a clear affirmative act in a freely given, specific, informed and unambiguous manner as required under Articles 4 and 7 GDPR. The DPC noted that it would have been sufficient for them to simply inform the beneficiaries and executors that the individual had relinquished their claim without sharing the letter itself.

This case study highlights the importance of obtaining valid consent that is freely given, specific, informed and unambiguous.

Conclusion

The DPC’s 2024 Annual Report reflects a growing role for the DPC in national and international data protection concerns. Of relevance to data controllers, there is evidence of increased capacity on behalf of the DPC to proactively guide parties on best practice as well as to progress investigations to conclusion. Taken as a whole, data subjects’ rights are becoming stronger from an enforceability perspective.