Ireland’s Data Protection Commission issued a report last week (via TechCrunch) that covered its activities during the first six months of 2018, in which it highlighted a complaint against LinkedIn. It found that the company used millions of e-mail addresses of non-LinkedIn users to target ads on Facebook.

Following a complaint against the company, the DPC conducted an audit and found that it violated data protection regulations. In a bid to grow its user base, LinkedIn “processed hashed email addresses of approximately 18 million non-LinkedIn members,” and then used them to target those individuals with ads on Facebook. As TechCrunch points out, numerous companies moved their data processing operations to Ireland prior to the implementation of new European data regulations. The DPC says that the “complaint was ultimately amicably resolved,” and that LinkedIn has ceased those practices.

However, the body was “concerned with the wider systemic issues identified” in its report, and undertook a second audit to see if LinkedIn had adequate “ technical security and organisational measures.” It found that the site was “undertaking the pre-computation of a suggested professional network for non-LinkedIn members,” and ordered them to stop and delete associated data that existed prior to May 2018.

In a statement to TechCrunch, the company says that it cooperated with the investigations, and that the strong processes and procedures we have in place were not followed and for that we are sorry. We’ve taken appropriate action, and have improved the way we work to ensure that this will not happen again.”