DPC - Inquiry into University College Dublin (IN-19-7-4)

Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5(1)(f) GDPR
Article 5(1)(e) GDPR
Article 32(1) GDPR
Article 33 GDPR
Type: Other
Outcome: n/a
Decided: 17.12.2020
Published:
Fine: 70000 EUR
Parties: n/a
National Case Number/Name: Inquiry into University College Dublin (IN-19-7-4)
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: Irish Data Protection Commission (in EN)
Initial Contributor: Paola L.

The Irish DPA (DPC) fined University College Dublin (UCD) €70,000 for failing to implement appropriate security measures, storing data longer than necessary, and failing to notify the DPC of a personal data breach without undue delay.

English Summary

Facts

The DPC commenced an inquiry after UCD notified the DPC of seven personal data breaches.

The breaches involved instances where unauthorised third parties accessed UCD email accounts, or where the login credentials for UCD email accounts were posted online.

Dispute

Did the breaches reported by UCD infringe Articles 5(1)(f), 5(1)(e) and 33(1) GDPR?

Holding

The DPC held that UCD infringed:

- Articles 5(1)(f) and 32(1) GDPR by failing to process personal data on its email service in a manner that ensured appropriate security of the personal data using appropriate technical and organisational measures.

- Article 5(1)(e) GDPR by storing certain personal data in an email account in a form which permitted the identification of data subjects for longer than necessary for the purpose for which the personal data were processed.

- Article 33(1) GDPR by failing to notify one of the personal data breaches to the DPC without undue delay. The DPC noted that this personal data breach was notified 13 days after UCD became aware of it.

In addition to imposing an administrative fine on UCD of €70,000, the DPC also ordered UCD to bring its processing operations concerning its email service into compliance with Articles 5(1)(f) and 32(1) GDPR, and issued UCD with a reprimand in respect of the infringements.

Comment

This is the first fine imposed on an Irish third-level institution and is the sixth GDPR fine imposed by the DPC. Previous fines imposed on Tusla, HSE and Twitter also included failure to implement appropriate security measures to prevent the unauthorised disclosure of personal data and delay in notifying the DPC of a data breach and, in the case of Twitter, failure to adequately document a personal data breach.



English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Decision exercising corrective powers made under the Data Protection Act 2018

Inquiry into University College Dublin (IN-19-7-4)

Date of Decision: 17 December 2020


This inquiry was commenced in respect of 7 personal data breaches that University College Dublin (‘UCD’) notified to the DPC between 8 August 2018 and 21 January 2019. The personal data breaches concerned instances where unauthorised third parties accessed UCD email accounts, or where the login credentials for UCD email accounts were posted online.

- The decision found that UCD infringed Articles 5(1)(f) and 32(1) of the GDPR by failing to process personal data on its email service in a manner that ensured appropriate security of the personal data using appropriate technical and organisational measures.

- The decision found that UCD infringed Article 5(1)(e) of the GDPR by storing certain personal data in an email account in a form which permitted the identification of data subjects for longer than necessary for the purpose for which the personal data were processed.

- The decision found that UCD had infringed Article 33(1) of the GDPR by failing to notify one of the personal data breaches to the DPC without undue delay. This personal data breach was notified 13 days after UCD became aware of it.

The corrective powers exercised

- The decision imposed an administrative fine on UCD in the amount of €70,000 in respect of the infringements.

- The decision ordered UCD to bring its processing operations concerning its email service into compliance with Articles 5(1)(f) and 32(1) of the GDPR.

- The decision issued UCD with a reprimand in respect of the infringements.