DPC fines DSP €550,000

Ireland’s Data Protection Commission (DPC) has concluded its long-running inquiry into the Department of Social Protection’s (DSP) use of facial-matching technology for Public Services Card (PSC) registration—known as “SAFE 2 registration”—and has found multiple breaches of the General Data Protection Regulation (GDPR).

Launched in July 2021, the probe built upon an earlier 2019 investigation into the PSC system. It specifically examined whether the DSP had a valid legal basis for collecting and retaining biometric facial templates, whether it met its transparency obligations to card applicants, and whether its Data Protection Impact Assessment (DPIA) complied with GDPR requirements for processing special-category data on a large scale (the DSP held templates for roughly 70 percent of Ireland’s adult population).

Key Findings

• The DPC determined the DSP infringed GDPR Article 5(1)(a) (lawfulness, fairness and transparency), Article 6(1) (lawful basis for processing) and Article 9(1) (processing of special-category data) by failing to identify any valid legal ground for collecting biometric facial data.
• It also ruled the DSP breached Article 5(1)(e) (storage limitation) by unlawfully retaining these templates.
• Transparency failings—contravening Articles 13(1)(c) and 13(2)(a)—meant applicants were not properly informed about why or how their sensitive data would be used.
• Finally, the DSP’s DPIA was found deficient under Articles 35(7)(b) and 35(7)(c), as it lacked full assessments of necessity, proportionality and risk mitigation measures.

Corrective Measures

Commissioner Dale Sunderland’s final decision—formally notified to the DSP in mid-June 2025—imposes a reprimand, administrative fines totaling €550,000, and an order requiring the DSP to cease biometric processing within nine months unless it can establish a clear, precise legal basis for SAFE 2 registration. Failure to comply may force the Department to suspend the facial-matching element of the PSC altogether.

Regulator’s Commentary

Deputy Commissioner Graham Doyle emphasised that the inquiry did not challenge the principle of SAFE 2 registration nor uncover any technical security flaws in the DSP’s systems. Instead, the DPC’s concerns revolved around the adequacy of the legislative framework and the Department’s compliance with transparency and DPIA obligations under EU data-protection law.

“It is important to note that none of the findings of infringement identified, nor the corrective powers exercised by the DPC, pertain to the rollout of SAFE 2 registration by the DSP as a matter of principle. The DPC did not find any evidence of inadequate technical and organisational security measures deployed by the DSP in connection with SAFE 2 registration in the context of this inquiry.

This inquiry was concerned with assessing whether the legislative framework presently in place for SAFE 2 registration complies with the requirements of data protection law and whether the DSP operates SAFE 2 registration in a data protection-compliant manner, and the findings announced today identify a number of deficiencies in this regard.”

Civil-Liberties Reaction

The Irish Council for Civil Liberties (ICCL), which challenged the PSC’s biometric scheme for over a decade, welcomed the decision as a vindication of its long-standing objections. ICCL highlighted that collecting and storing millions of facial templates without a proper legal foundation amounted to an unlawful de facto national biometric ID system—and has called for the immediate deletion of the database rather than waiting the full nine-month period.

The DPC will publish its full decision in due course. Meanwhile, the DSP has indicated it will review the ruling with the Attorney General’s Office to determine whether to appeal the enforcement notice or amend the PSC’s legal framework to meet GDPR standards within the prescribed timeframe.

If you are interested in finding out more about the IISF, or would like to attend one of our Chapter Meetings as an invited guest, please contact the
IISF Secretary:

By email:
secretary@iisf.ie

By post:

David Cahill

GTS Security,
Exo Building,
North Wall Quay,
Dublin 1,
D01 W5Y2

Enhance your Cybersecurity knowledge and learn from those at the coalface of information Security in Ireland

Forum SPONSORS 

Invitations for Annual Sponsorship of IISF has now reopened.

(your logo & profile link here)

Sponsors are featured prominently throughout the IISF.IE website, social media channels as well as enjoying other benefits Read more