DPC (Ireland) - IN-20-7-2
Latest revision as of 15:49, 23 March 2023
| DPC - IN-20-7-2 | |
|---|---|
| Authority: | DPC (Ireland) |
| Jurisdiction: | Ireland |
| Relevant Law: | Article 5 GDPR; Article 32 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 12.08.2020 |
| Decided: | 27.02.2023 |
| Published: | 13.03.2023 |
| Fine: | 750,000 EUR |
| Parties: | Bank of Ireland |
| National Case Number/Name: | IN-20-7-2 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | Irish DPA (DPC) (in EN): https://www.dataprotection.ie/sites/default/files/uploads/2023-03/Final%20Decision%20IN-20-7-2%20Bank%20of%20Ireland%20%28BOI%29%20365.pdf |
| Initial Contributor: | LR |
The Bank of Ireland was fined €750,000 following a data breach. The DPC found that the controller had not adequately assessed the risks of the processing, nor implemented the appropriate security measures.
English Summary
Facts
This case concerns the Bank of Ireland (BOI) (the controller) and a data breach on the “BOI365” online banking platform. Between 30 January 2020 and 6 May 2020 the Irish DPA (DPC) received ten personal data breach notifications. In six of these breaches, unauthorised persons gained access to customer accounts online as a result of bank staff not following procedures correctly. The other four breaches were a result of flaws in the customer information system.
On 12 August 2020, the DPC commenced an inquiry and the controller provided submissions on 25 November 2022 concerning: risk; methodology for assessment; testing; training and quality assurance; and categorisation of BOI’s actions.
Holding
In its decision, the DPC sought to determine whether BOI had infringed Article 5(1)(f) GDPR and Article 32 GDPR in respect of its processing of personal data via the “BOI365” service. The DPC’s holding addressed two main issues: the assessment of the risks and the appropriate level of security.
Firstly, concerning the assessment of risks, the controller had argued that, as far as it was aware, there had never before been an instance of fraud or identity theft arising from these types of events, so that in assessing the risk the harm had appeared to be only potential. The DPC dismissed this argument, finding that the fact that a risk has not previously materialised into harm does not reduce the severity of the risk itself. It found that there was a high risk of fraud and identity theft, particularly to vulnerable users, and that these risks were heightened further by the large quantity of data stored on the platform. Overall, in terms of severity, the processing on the BOI365 platform posed a high risk to the rights and freedoms of data subjects.
Secondly, regarding the appropriate level of security, the DPC held that BOI had a range of Data Protection Governance policies and procedures in place to ensure the integrity and security of customers’ personal data, but that these policies and procedures did not include additional controls to minimise the possibility of human error. Furthermore, the DPC found that, while training should be informed by the risks arising from the processing activities, the issues associated with merging customer accounts were not explained to staff in detail. As for the security measures themselves, the measures in place had not been tested, and there was an absence of organisational oversight.
In light of the above, the DPC found that BOI had infringed the principle of integrity and confidentiality of Article 5(1)(f) GDPR and Article 32(1) GDPR by failing to ensure appropriate security of the personal data related to its customer accounts. In accordance with Article 58(2) GDPR, the DPC issued an order to bring processing into compliance, reprimanded the controller for the violations, and imposed an administrative fine of €750,000.