Inquiry into Ark Life Assurance Company dac
(IN-21-6-1)
Date of Decision: 26 September 2022
This decision arose from an own-volition inquiry commenced by the DPC pursuant to section 110 of the Data Protection Act 2018 to consider whether Ark Life had complied with the GDPR in relation to its processing operations. The inquiry was initiated after Ark Life had notified 156 personal data breaches to the DPC between December 2018 and May 2020. The data breach notifications primarily concerned the unauthorised disclosure of personal data as a result of address inaccuracies and issues within the postal and email procedures operated by Ark Life.
The decision considered whether Ark Life had complied with Article 32(1) GDPR and in particular whether Ark Life had implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with its processing operations. The decision found that Ark Life had complied with its obligations under Article 32(1) GDPR. It was held that Ark Life had implemented policies that were specifically tailored to the risks associated with the processing. Ark Life also provided repeated training to the sectors of the business that were the most susceptible to personal data breaches of this kind. Ark Life also took proactive measures to counter the increasing risk profile of some business units by implementing additional security measures after some personal data breaches occurred. These measures addressed inherent flaws in its processes concerning customer contact details and dealing with returned mail.
Taking into account the quantum of data breaches, the technical and organisational measures implemented by Ark Life and the moderate to low severity of risk to data subjects, the DPC has concluded that Ark Life has not infringed Article 32(1). Accordingly, no corrective powers were exercised in this decision.
You can download the full decision at this link: Inquiry concerning Ark Life Assurance Company dac - September 2022 (PDF, 352 KB).