The Data Protection Commission Publishes Final Decision Following Inquiry into University of Limerick
02nd Mí Márta 2026
The Data Protection Commission (DPC) has published its final decision following an inquiry into a personal data breach in University of Limerick.
This decision arises from an own-volition inquiry into the University of Limerick following a series of personal data breaches that occurred between November 2018 and January 2020.
The DPC assessed University of Limerick’s technical and organisational measures for ensuring the security of personal data that it processed, and also examined compliance with the controller’s obligation to notify breaches promptly
The DPC’s decision finds that University of Limerick:
- did not implement appropriate technical and organisational measures to ensure the security of personal data as required by Articles 5(1)(f) and 32(1) GDPR,
- failed in three cases to inform persons affected by a high-risk breach without undue delay in accordance with Article 34(1) GDPR,
- did not fully comply with the requirements of Article 30(1) GDPR in its initial record of processing activity.
- did not report three breach notifications without undue delay in accordance with Article 33(1) GDPR.
The DPC reprimanded University of Limerick and imposed administrative fines totalling €98,000.
The DPC commends University of Limerick’s engagement with the DPC since being presented with the DPC’s proposed findings in a draft version of its decision. The final administrative fines reflect the mitigation occasioned by University of Limerick accepting the majority of the findings in the draft decision, acknowledging responsibility for significant infringements, and proactively taking steps to improve its systems, training, and policies, in order to reduce the likelihood of similar breaches occurring in the future.