DPC - Inquiry into University College Dublin (IN-19-7-4)
DPC - Inquiry into University College Dublin (IN-19-7-4) | |
---|---|
Authority: | DPC (Ireland) |
Jurisdiction: | Ireland |
Relevant Law: | Article 5(1)(f) GDPR, Article 5(1)(e) GDPR, Article 32(1) GDPR, Article 33 GDPR |
Type: | Other |
Outcome: | n/a |
Started: | |
Decided: | 17.12.2020 |
Published: | |
Fine: | 70000 EUR |
Parties: | n/a |
National Case Number/Name: | Inquiry into University College Dublin (IN-19-7-4) |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | Irish Data Protection Commission (in EN) |
Initial Contributor: | Paola L. |
The Irish DPA (DPC) fined University College Dublin (UCD) €70,000 for failing to implement appropriate security measures, storing data longer than necessary, and failing to notify the DPC of a personal data breach without undue delay.
English Summary
Facts
The DPC commenced an inquiry after UCD notified the DPC of seven personal data breaches.
The breaches involved instances where unauthorised third parties accessed UCD email accounts, or where the login credentials for UCD email accounts were posted online.
Dispute
Did the breaches reported by UCD infringe Articles 5(1)(f), 5(1)(e) and 33(1) GDPR?
Holding
The DPC held that UCD infringed:
- Articles 5(1)(f) and 32(1) GDPR by failing to process personal data on its email service in a manner that ensured appropriate security of the personal data using appropriate technical and organisational measures.
- Article 5(1)(e) GDPR by storing certain personal data in an email account in a form which permitted the identification of data subjects for longer than necessary for the purpose for which the personal data were processed.
- Article 33(1) GDPR by failing to notify one of the personal data breaches to the DPC without undue delay. The DPC noted that this personal data breach was notified 13 days after UCD became aware of it.
In addition to imposing an administrative fine on UCD of €70,000, the DPC also ordered UCD to bring its processing operations concerning its email service into compliance with Articles 5(1)(f) and 32(1) GDPR, and issued UCD with a reprimand in respect of the infringements.
Comment
This is the first fine imposed on an Irish third-level institution and the sixth GDPR fine imposed by the DPC. Previous fines imposed on Tusla, HSE and Twitter also concerned failure to implement appropriate security measures to prevent the unauthorised disclosure of personal data and delay in notifying the DPC of a data breach and, in the case of Twitter, failure to adequately document a personal data breach.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Decision exercising corrective powers made under the Data Protection Act 2018
Inquiry into University College Dublin (IN-19-7-4)
Date of Decision: 17 December 2020
This inquiry was commenced in respect of 7 personal data breaches that University College Dublin (‘UCD’) notified to the DPC between 8 August 2018 and 21 January 2019. The personal data breaches concerned instances where unauthorised third parties accessed UCD email accounts, or where the login credentials for UCD email accounts were posted online.
The decision found that UCD infringed Articles 5(1)(f) and 32(1) of the GDPR by failing to process personal data on its email service in a manner that ensured appropriate security of the personal data using appropriate technical and organisational measures.
The decision found that UCD infringed Article 5(1)(e) of the GDPR by storing certain personal data in an email account in a form which permitted the identification of data subjects for longer than necessary for the purpose for which the personal data were processed.
The decision found that UCD had infringed Article 33(1) of the GDPR by failing to notify one of the personal data breaches to the DPC without undue delay. This personal data breach was notified 13 days after UCD became aware of it.
The corrective powers exercised
The decision imposed an administrative fine on UCD in the amount of €70,000 in respect of the infringements.
The decision ordered UCD to bring its processing operations concerning its email service into compliance with Articles 5(1)(f) and 32(1) of the GDPR.
The decision issued UCD with a reprimand in respect of the infringements.