DPC (Ireland) - IN-19-7-2

From GDPRhub
DPC (Ireland) - IN-19-7-2
LogoIE.png
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5(1)(d) GDPR
Article 5(2) GDPR
Article 24(1) GDPR
Article 25(1) GDPR
Article 26 GDPR
DPC Case Reference: IN-19-7-2
Type: Complaint
Outcome: Upheld
Started:
Decided: 23.03.2021
Published:
Fine: 90000 EUR
Parties: n/a
National Case Number/Name: IN-19-7-2
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: Decision of the Data Protection Commission made pursuant to Section 111 of the Data Protection Act 2018 (in EN)
Initial Contributor: Tara Taubman-Bassirian

The Irish DPC found ICB infringed article 25(1) by failing to implement appropriate technical and organisational measures designed to implement data-protection principles in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects. The appropriate technical and organisational measures that the ICB ought to have implemented include a technical measure to prevent payment profile updates to closed accounts. During the period between 28 June 2018 and 30 August 2018 erroneous credit reports were submitted; and a comprehensive documented change management process that makes express provision for, amongst other things, the testing of coding changes and a formal approval procedure for proposed coding changes.

English Summary

Facts

Complaint against IBC, a credit agency, for mis-informing their members -financial institutions- about the performance of credit agreements, resulting on wrong credit scores for borrowers. This 'data breach' of the principle of accuracy, was due to a technical error following a 'code change'. Between 28 June 2018 and 30 August 2018 15,120 accounts were inaccurately closed. This issue was fixed 31 August after ICB was made aware of it in 29th of August.

Dispute

ICB has responded rather promptly to rectify the errors and contacted financial institutions and the Irish DPC. ICB notified 3 of its members whose updates accounted 98% of incorrect account records. the remaining 20 of its members, whose updates accounted 2% of incorrect records, were contacted on 4 and 5 September 2018, the 2% remaining were contacted. ICB argued its change management process complied with ISO27001 and that they faced challenges in ensuring the accuracy of their data directly taken from their members.

Holding

The DPC found the ICB has infringed Articles 25(1), 5(2), and 24(1) of the GDPR. DPC issued the ICB with a reprimand in respect of its infringements of Articles 25(1), 5(2), and 24(1) of the GDPR in addition to the administrative fine in order to give full effect to the obligations in Articles 25(1), 5(2), and 24(1) and to formally recognise the seriousness of the infringements found in this decision. The DPC found that the ICB’s infringement of Article 25(1) of the GDPR warrants the imposition of an administrative fine pursuant to Article 58(2)(i) GDPR in addition to the reprimand. The reason for that decision and the method for calculating that fine were exposed in detail.Taking account of all the circumstances, the figure of €90,000 amounting to 0.9% of the cap available and 2% of the ICB’s turnover was deemed appropriate.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.