Date of final decision: 14 March 2022
Cross-border case or national case: National
Controller: Bank of Ireland Group plc
Legal Reference: Article 32(1), 33 and 34 GDPR
Decision: Infringement of Article 32(1), 33 and 34 GDPR, Order to comply with article 32(1) GDPR, Issued reprimand in respect of all of the infringements of Articles 33, 34 and 32(1) of the GDPR identified, and imposed administrative fines on BOI of €463,000
Key words: Data Breach
Summary of the Decision
Origin of the case
This inquiry was commenced in respect of 22 personal data breach notifications that Bank of Ireland Group plc (BOI) made to the Data Protection Commission (DPC) between 9 November 2018 and 27 June 2019. The notifications related to the corruption of information in the BOI’s data feed to the Central Credit Register (CCR), a centralised system that collects and securely stores information about loans. The incidents included unauthorised disclosures of customer personal data to the CCR and accidental alterations of customer personal data on the CCR.
The decision considered as a preliminary issue whether the incidents met the definition of a “personal data breach” under the GDPR, and found that 19 of the incidents reported did meet this definition.
The decision found:
- Article 33 of the GDPR was infringed by BOI in 17 of the incidents. In some incidents, Article 33(1) was infringed by BOI’s failure to report the personal data breach without undue delay. Article 33(3) was also infringed by BOI’s failure to provide sufficient detail to the DPC in respect of some personal data breaches;
- Article 34 of the GDPR was infringed by BOI in 14 of the incidents. The infringements concerned a failure by BOI to issue communications to data subjects without undue delay in circumstances where the personal data breaches were likely to result in a high risk to data subjects’ rights and freedoms; and
- Article 32(1) of the GDPR was infringed as BOI failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of customer data in transferring information to the CCR.
- The decision imposed administrative fines on BOI for the infringement of Article 32(1) of the GDPR and certain of the infringements of Articles 33 and 34 of the GDPR. The total amount of administrative fines imposed was €463,000.
- The decision ordered BOI to bring its processing into compliance with Article 32(1) of the GDPR by ordering it to make certain changes to its technical and organisational measures.
- The decision issued BOI with a reprimand in respect of all of the infringements of Articles 33, 34 and 32(1) of the GDPR identified in the decision.
For further information: full decision
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.