Inquiry into University College Dublin

(IN-19-7-4)

Date of Decision: 17 December 2020

This inquiry was commenced in respect of 7 personal data breaches that University College Dublin (‘UCD’) notified to the DPC between 8 August 2018 to 21 January 2019. The personal data breaches concerned instances where unauthorised third parties accessed UCD email accounts, or where the login credentials for UCD email accounts were posted online.

• The decision found that UCD infringed Articles 5(1)(f) and 32(1) of the GDPR by failing to process personal data on its email service in a manner that ensured appropriate security of the personal data using appropriate technical and organisational measures.
• The decision found that UCD infringed Article 5(1)(e) of the GDPR by storing certain personal data in an email account in a form which permitted the identification of data subjects for longer than necessary for the purpose for which the personal data were processed.
• The decision found that UCD had infringed Article 33(1) of the GDPR by failing to notify one of the personal data breaches to the DPC without undue delay. This personal data breach was notified 13 days after UCD became aware of it.

The corrective powers exercised:

• The decision imposed an administrative fine on UCD in the amount of €70,000 in respect of the infringements.
• The decision ordered UCD to bring its processing operations concerning its email service into compliance with Articles 5(1)(f) and 32(1) of the GDPR.
• The decision issued UCD with a reprimand in respect of the infringements.

For more information, you can download a copy of the full decision at this link: University College Dublin - December 2020 (PDF, 1,347 KB).