DPC (Ireland) - DPC Case Reference: IN-19-9-5

Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 4(12) GDPR; Article 32 GDPR; Article 33 GDPR; Article 34 GDPR; Data Protection Act
Type: Investigation
Outcome: Violation Found
Started:
Decided: 14.03.2022
Published: 06.04.2022
Fine: 463,000 EUR
Parties: Bank of Ireland
National Case Number/Name: DPC Case Reference: IN-19-9-5
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Data Protection Commission (in EN)
Initial Contributor: gauravpathak

The Irish DPA reprimanded and fined Bank of Ireland €463,000 for not reporting a data breach in due time, as well as for not implementing technical and organisational measures to ensure the security of personal data, in violation of Articles 32(1), 33, and 34 GDPR.

English Summary

Facts

The controller is Bank of Ireland (BOI). Between 9 November 2018 and 27 June 2019, the controller submitted 22 breach notifications to the Irish Data Protection Commission (DPC) in relation to the Central Credit Register (CCR). The CCR “is a centralised system that collects and securely stores information about loans” and is managed by the Central Bank of Ireland.

Every loan of €500 or more must be reported to the CCR. This information is then used to “generate individual credit reports on borrowers, which they and, in certain circumstances, lenders can access.”

The controller informed the DPC that it had uploaded inaccurate customer data to the CCR, “which gave an erroneous view of BOI’s customers’ finances and credit history.” Considering the nature of the breach and the possible contravention of the Data Protection Act and the GDPR, the DPC commenced an investigation and framed the following four issues.

The Preliminary Issue was whether the incidents described in the breach notifications reported by the controller to the DPC fell within the definition of a “personal data breach” under Article 4(12) GDPR. Issue 1 was whether the controller had infringed Article 33 GDPR in the manner in which it reported personal data breaches (if any were found in this decision) to the DPC. Issue 2 was whether the controller had infringed Article 34 GDPR, and Issue 3 was whether the controller had infringed Article 32 GDPR.

Holding

The DPC examined each of the 22 breach notifications and determined that 19 of them constituted a personal data breach as per Article 4(12) GDPR as they included unauthorised disclosures of customer personal data to the CCR and accidental alterations of customer personal data on the CCR.

Moreover, the controller contravened Article 33 GDPR with respect to 17 personal data breaches, as it failed to “report the personal data breach without undue delay” and, for some of them, failed to “provide the information required” under Article 33(3) GDPR. The controller also contravened Article 34 GDPR, as it did not inform the data subjects without undue delay in at least 14 of the personal data breaches.

The DPC also determined that the controller's "processing of personal data in relation to the CCR presents a high risk, both in likelihood and severity, to the rights and freedoms of natural persons.” Despite this level of risk, the controller “failed to implement robust validation procedures and quality assurance controls” and thereby contravened Article 32(1) GDPR.

Considering the nature of the personal data breaches, which were caused by negligence, and the mitigating factor that BOI had taken corrective steps, the DPC imposed an administrative fine of €463,000 on BOI.

