Inquiry into the Irish Credit Bureau DAC
(IN-19-7-2)
Date of Decision: 23 March 2021
This inquiry was commenced in respect of a personal data breach that the Irish Credit Bureau (‘ICB’) notified to the DPC on 31 August 2018. The ICB is a credit reference agency that maintains a database on the performance of credit agreements between financial institutions and borrowers. The personal data breach occurred when the ICB implemented a code change to its database that contained a technical error. As a result, between 28 June 2018 and 30 August 2018, the ICB database inaccurately updated the records of 15,120 closed accounts. The ICB disclosed 1,062 inaccurate account records to financial institutions or data subjects before fixing the issue. All of the inaccurate account records disclosed to the financial institutions stated that the accounts had been closed more recently than they actually had been, but none misstated that a balance was outstanding on the accounts.
- The decision found that the ICB infringed Article 25(1) of the GDPR by failing to implement appropriate technical and organisational measures designed to implement the principle of accuracy in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects.
- The decision found that the ICB infringed Articles 5(2) and 24(1) of the GDPR by failing to demonstrate compliance with its obligation, pursuant to Article 25(1) of the GDPR, to undertake appropriate testing of proposed changes to its database.
- The decision found that the ICB did not infringe Article 26(1) of the GDPR in circumstances where the ICB members are not joint controllers in respect of the ICB’s database.
The corrective powers exercised:
- The decision imposed an administrative fine on the ICB in the amount of €90,000 in respect of the infringements.
- The decision issued the ICB with a reprimand in respect of the infringements.
- Having regard to the measures implemented by the ICB since the personal data breach and during the inquiry, it was not necessary for the decision to order the ICB to take specific action to bring its processing operations into compliance with the GDPR.
For more information, you can download a copy of the full decision at this link: Irish Credit Bureau DAC March 2021 (PDF, 1,427 KB).