The Data Protection Commission Announces Conclusion of Inquiry into Maynooth University

06th December 2024

The Data Protection Commission (DPC) has today announced its final decision following an inquiry into a personal data breach in Maynooth University. The DPC commenced this inquiry on an own-volition basis in July 2019. The inquiry related to a personal data breach notified by Maynooth University in November 2018. The breach affected the email accounts of university employees, and allowed unauthorised persons to gain control of up to six accounts. The unauthorised persons used control of one account to assist in the commission of a fraud, leading to a financial loss by one of the persons affected.

The DPC assessed Maynooth University’s technical and organisational measures for ensuring the security of personal data that it processed, and also examined compliance with the controller’s obligation to notify breaches promptly.

The DPC’s Decision finds that Maynooth University:

· Infringed Articles 5(1)(f) and 32 GDPR by failing to ensure appropriate security of personal data that it processed, and to implement appropriate technical and organisational measures to ensure such security, and

· Infringed Article 33(1) GDPR by failing to notify the DPC of the data breach within 72 hours.*

The DPC reprimanded Maynooth University, imposed administrative fines totalling €40,000 and ordered Maynooth University to bring its processing into compliance with the security requirements of the GDPR.

It is vitally important that organisations ensure that personal data is processed in a manner that ensures appropriate security, through the implementation of the necessary technical and organisational measures required under the GDPR. Data Controllers must also ensure that they comply with their statutory obligation to notify the Data Protection Commission without undue delay once they become aware that a personal data breach has occurred.

The DPC will publish the full decision and further related information in due course.

*General Data Protection Regulation (EU) 2016/679