🇮🇪The Irish Data Protection Commissioner (DPC) fined Bank of Ireland €463,000 and reprimanded it for GDPR data-privacy violations.
This investigation was launched in response to 22 personal data breach reports made to the Data Protection Commission (DPC) by Bank of Ireland Group plc (BOI) between 9 November 2018 and 27 June 2019. The notifications were connected to information corruption in the BOI’s data feed to the Central Credit Register (CCR), a centralized system that collects and securely stores loan information. Unauthorized disclosures of customer personal data to the CCR and unintentional revisions of customer personal data on the CCR were among the instances.
When the DPC first approached Bank of Ireland about the issue, it stated that only one client was affected. “It ultimately transpired that approximately 47,000 data subjects were affected by this breach,” the DPC stated, adding that it took Bank of Ireland over 18 months to get a final tally for those affected.
The decision found:
👉Article 33 of the GDPR was infringed by BOI in 17 of the incidents. In some incidents, Article 33(1) was infringed by BOI’s failure to report the personal data breach without undue delay.
👉Article 34 of the GDPR was infringed by BOI in 14 of the incidents. The infringements concerned a failure by BOI to issue communications to data subjects without undue delay in circumstances where the personal data breaches were likely to result in a high risk to data subjects’ rights and freedoms.
👉Article 32(1) of the GDPR was infringed as BOI failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of customer data in transferring information to the CCR. The DPC considers that “Article 32 of the GDPR will not automatically be infringed if an incident occurs which renders personal data inaccurate. Rather, in considering whether the requirements of Article 32 have been met by the controller, it is necessary to assess whether the controller has adequately gauged the level of risks to data subjects and whether the controller has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
