Editing DPC - Inquiry into University College Dublin (IN-19-7-4)

From GDPRhub

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.

Latest revision Your text
Line 56: Line 56:
 
The Irish DPA (DPC) fined the University College Dublin (UCD) €70,000 for failing to implement appropriate security measures, storing data longer than necessary, and failing to notify the DPC of a personal data breach without undue delay.
 
The Irish DPA (DPC) fined the University College Dublin (UCD) €70,000 for failing to implement appropriate security measures, storing data longer than necessary, and failing to notify the DPC of a personal data breach without undue delay.
  
==English Summary==
+
== English Summary ==
  
===Facts===
+
=== Facts ===
 
The DPC commenced an inquiry after UCD notified the DPC of seven personal data breaches.
 
The DPC commenced an inquiry after UCD notified the DPC of seven personal data breaches.
  
 
The breaches involved instances where unauthorised third parties accessed UCD email accounts, or where the login credentials for UCD email accounts were posted online
 
The breaches involved instances where unauthorised third parties accessed UCD email accounts, or where the login credentials for UCD email accounts were posted online
  
===Dispute===
+
=== Dispute ===
 
Did the breaches reported by UCD infringe Articles 5(1)(f)- 5(1)(e) and 33(1) GDPR?  
 
Did the breaches reported by UCD infringe Articles 5(1)(f)- 5(1)(e) and 33(1) GDPR?  
  
===Holding===
+
=== Holding ===
 
The DPC held that UCD infringed:
 
The DPC held that UCD infringed:
  
Line 78: Line 78:
 
In addition to imposing an administrative fine on UCD of €70,000, the DPC also ordered UCD to bring its processing operations concerning its email service into compliance with Articles 5(1)(f) and 32(1) GDPR, and issued UCD with a reprimand in respect of the infringements.
 
In addition to imposing an administrative fine on UCD of €70,000, the DPC also ordered UCD to bring its processing operations concerning its email service into compliance with Articles 5(1)(f) and 32(1) GDPR, and issued UCD with a reprimand in respect of the infringements.
  
==Comment==
+
== Comment ==
This is the first fine imposed on an Irish third-level institution and is the sixth GDPR fine imposed by the DPC. Previous fines imposed to Tusla, HSE and Twitter also included failure to implement appropriate security measures to prevent the unauthorised disclosure of personal data and delay in notifying the DPC of a data breach and, in the case of Twitter, failure to adequately document a personal data breach.
+
The ruling is the first of its kind against an Irish third-level institution and is the sixth GDPR fine imposed by the DPC. Previous fines imposed to Tusla, HSE and Twitter also included failure to implement appropriate security measures to prevent the unauthorised disclosure of personal data and delay in notifying the DPC of a data breach and, in the case of Twitter, failure to adequately document a personal data breach.
  
  
==Further Resources==
+
 
 +
== Further Resources ==
 
''Share blogs or news articles here!''
 
''Share blogs or news articles here!''
  
==English Machine Translation of the Decision==
+
== English Machine Translation of the Decision ==
 
The decision below is a machine translation of the English original. Please refer to the English original for more details.
 
The decision below is a machine translation of the English original. Please refer to the English original for more details.
  

Please note that all contributions to GDPRhub are considered to be released under the Creative Commons Attribution-NonCommercial-ShareAlike (see GDPRhub:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To edit this page, please answer the question that appears below (more info):

Cancel Editing help (opens in new window)

Template used on this page: