DPC (Ireland) - IN-20-7-2

From GDPRhub
DPC - IN-20-7-2
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5 GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started: 12.08.2020
Decided: 27.02.2023
Published: 13.03.2023
Fine: 750,000 EUR
Parties: Bank of Ireland
National Case Number/Name: IN-20-7-2
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Irish DPA (DPC) (in EN)
Initial Contributor: LR

The Bank of Ireland was fined €750,000 following a data breach. The DPC found that the controller had not adequately assessed the risks of the processing, nor implemented the appropriate security measures.

English Summary

Facts

This case concerns the Bank of Ireland (BOI) (the controller) and a data breach on the “BOI365” online banking platform. Between 30 January 2020 and 6 May 2020 the Irish DPA (DPC) received ten personal data breach notifications. In six of these breaches, unauthorised persons gained access to customer accounts online as a result of bank staff not following procedures correctly. The other four breaches were a result of flaws in the customer information system.

On 12 August 2020, the DPC commenced an inquiry and the controller provided submissions on 25 November 2022 concerning: risk; methodology for assessment; testing; training and quality assurance; and categorisation of BOI’s actions.

Holding

Issuing its decision, the DPC sought to determine whether BOI had infringed Article 5(1)(f) GDPR and Article 32 GDPR in respect of its processing of personal data via the “BOI365” Service. The DPC’s holding addressed two main issues: the assessment of the risks and the appropriate level of security.

Firstly, concerning the assessment of risks, the controller had argued that, as far as it was aware, there had never previously been an instance of fraud or identity theft arising from these types of events. Therefore, in assessing the risk, it had treated the harm as only potential. However, the DPC dismissed this argument, finding that, even if the risk had not materialised into a harm previously, this does not reduce the severity of the risk itself. It found that there is a high risk of fraud and identity theft, particularly to vulnerable users, and that these risks are heightened further by the large quantity of data stored on the platform. Overall, in terms of severity, the processing on the BOI365 platform posed a high risk to the rights and freedoms of data subjects.

Secondly, regarding the appropriate level of security, the DPC held that BOI had a range of Data Protection Governance policies and procedures in place to ensure the integrity and security of customers’ personal data. However, these policies and procedures did not include additional controls to minimise the possibility of human error occurring. Furthermore, the DPC found that, while training should be informed by the risks arising from the processing activities, the issues associated with merging customer accounts were not explained to staff in detail. Regarding security measures, there was a lack of testing of the measures in place, and an absence of organisational oversight.

In light of the above, the DPC found that BOI had infringed the principle of integrity and confidentiality of Article 5(1)(f) GDPR and Article 32(1) GDPR by failing to ensure appropriate security of the personal data related to its customer accounts. In accordance with Article 58(2) GDPR, the DPC issued an order to bring processing into compliance, reprimanded the controller for the violations, and imposed an administrative fine of €750,000.

