DPC (Ireland) - DPC Case Reference: IN-19-9-5

From GDPRhub
Revision as of 09:31, 6 April 2022 by Gauravpathak
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 4(12) GDPR; Article 32 GDPR; Article 33 GDPR; Article 34 GDPR; Data Protection Act
Type: Investigation
Outcome: Violation Found
Started:
Decided: 14.03.2022
Published:
Fine: 463,000 EUR
Parties: Bank of Ireland
National Case Number/Name: DPC Case Reference: IN-19-9-5
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Data Protection Commission (in EN)
Initial Contributor: gauravpathak

The Irish DPA reprimanded and fined Bank of Ireland €463,000 for contravening Articles 32, 33, and 34 GDPR.

English Summary

Facts

Bank of Ireland (BOI) is the data controller. Between 9 November 2018 and 27 June 2019, BOI submitted 22 breach notifications to the Data Protection Commission (DPC) in relation to the Central Credit Register (CCR). The CCR “is a centralised system that collects and securely stores information about loans” and is managed by the Central Bank of Ireland.

Every loan of upwards of €500 is to be reported to the CCR. This information is then used to “generate individual credit reports on borrowers, which they and, in certain circumstances, lenders can access.”

BOI informed the DPC that it had uploaded inaccurate customer data to the CCR, “which gave an erroneous view of BOI’s customers’ finances and credit history.” Considering the nature of the breaches and the possible contravention of the Data Protection Act and the GDPR, the DPC commenced an investigation and framed the following four issues:

“Preliminary Issue: Whether the incidents described in the breach notifications reported by BOI to the DPC fall within the definition of a “personal data breach” under Article 4(12) of the GDPR;

Issue 1: Whether BOI has infringed Article 33 of the GDPR in the manner in which it reported personal data breaches (if any personal data breaches are found in this Decision) to the DPC;

Issue 2: Whether BOI has infringed Article 34 of the GDPR; and

Issue 3: Whether BOI has infringed Article 32 of the GDPR.”

Holding

The DPC examined each of the 22 breach notifications and determined that 19 of them constituted a personal data breach as per Article 4(12) GDPR. Moreover, BOI contravened Article 33 GDPR with respect to 17 personal data breaches, as it failed to “report the personal data breach without undue delay” and to “provide the information required” under Article 33(3) GDPR in respect of some personal data breaches. BOI also contravened Article 34 GDPR, as it did not inform the data subjects about the personal data breaches without undue delay in at least 14 personal data breaches.

The DPC also determined that “BOI’s processing of personal data in relation to the CCR presents a high risk, both in likelihood and severity, to the rights and freedoms of natural persons.” However, it found that BOI “failed to implement robust validation procedures and quality assurance controls” and contravened Article 32 GDPR.

Considering the nature of the personal data breaches, which were caused by negligence, and the mitigating factor that BOI had taken corrective steps, the DPC imposed an administrative fine of €463,000 on BOI.
