The Data Protection Commission Publishes Final Decision Following Inquiry into University of Limerick
02nd March 2026
This Decision arises from an own-volition inquiry into the University of Limerick (‘UL’) following a series of personal data breaches that occurred between November 2018 and January 2020. The temporal scope of the Inquiry is from May 2018 to January 2020.
Between 30 November 2018 and 20 January 2020, UL notified the Data Protection Commission (‘DPC’) of 12 personal data breaches, in six of which unauthorised persons gained access to the employee email accounts of UL staff members by means of phishing attacks. In some cases the unauthorised users were able to set up forwarding rules which diverted emails containing specified keywords to a folder they had created in the user’s mailbox. The compromised email accounts contained personal data including identity information, contact details, PPS numbers, bank information, medical or legal documentation, staff disciplinary and HR records, and data belonging to students, staff, and external parties.
The DPC carried out this Inquiry under sections 110-111 of the Data Protection Act 2018. It assessed UL’s compliance with Articles 5(1)(f) and 32(1) GDPR (implementation of appropriate technical and organisational measures to ensure appropriate security of the personal data processed on its email service); Article 30(1) GDPR (maintenance of a record of processing activities); Article 33(1) GDPR (notification to the DPC of personal data breaches without undue delay, and in any event within 72 hours of becoming aware of them); and Article 34(1) GDPR (notification to concerned data subjects without undue delay of personal data breaches assessed to pose a high risk).
The DPC found that UL did not implement appropriate technical and organisational measures to ensure the security of personal data as required by Articles 5(1)(f) and 32(1) GDPR. The DPC also found that UL’s initial record of processing activity did not fully comply with the requirements of Article 30(1) GDPR, though UL implemented a compliant record of processing activity in May 2020, after the period assessed by the DPC in this Inquiry. The DPC found that three breach notifications were filed more than 72 hours after UL became aware of them, and were not reported without undue delay in accordance with Article 33(1) GDPR. With respect to Article 34(1) GDPR, UL failed in three cases to inform persons affected by a high-risk breach without undue delay. The DPC therefore found infringements of Articles 5(1)(f), 32(1), 30(1), 33(1), and 34(1) of the GDPR.
The DPC’s decisions on corrective measures took account of UL’s significant steps to remediate the deficiencies in its processing of personal data identified in this inquiry. Based on the details of those improvements provided by UL in its submissions, the DPC has decided that it is not necessary or proportionate for it to issue an order for UL to bring that processing into compliance with the GDPR. The DPC’s acknowledgement of those improvements does not however relieve UL of its obligation to continually evaluate the effectiveness of its measures and the measures that are necessary to ensure a level of security that is appropriate to the dynamic risk presented by its processing.
Having carefully considered the infringements identified in this Decision, the DPC has decided to exercise certain corrective powers in accordance with section 115 of the 2018 Act and Article 58(2) GDPR. The corrective powers that the DPC has decided are appropriate to address the infringements in the particular circumstances are:
The administrative fines issued for the above infringements are as follows:
The DPC commends the tenor and tone of UL’s engagement with the DPC since being presented with the DPC’s proposed findings in a draft version of its Decision. These fines are substantially lower than the maximum fines proposed in the draft Decision. The final fines reflect the mitigation occasioned by UL accepting the majority of the findings in the draft Decision, acknowledging responsibility for significant infringements, and proactively taking steps to improve its systems, training, and policies, in order to reduce the likelihood of similar breaches occurring in the future.
The full decision can be downloaded at this link: Inquiry into University of Limerick December 2025 (16MB, PDF).
The Data Protection Commission (DPC) has completed an inquiry into the Department of Social Protection’s (DSP) processing of biometric facial templates and the use of associated facial matching technologies as part of the Public Services Card (PSC) registration process, referred to as “SAFE 2 registration”.
This own-volition inquiry, which commenced in July 2021, follows a prior DPC investigation into certain aspects of the DSP’s processing of personal data in connection with the issuance of PSCs. That investigation resulted in legal proceedings, in which the DSP appealed an Enforcement Notice issued by the DPC; those proceedings were subsequently withdrawn. A joint agreement between the DPC and the DSP as well as the final investigation report from that inquiry were published in December 2021. The final investigation report stated that processing of personal data, including biometric data, by the DSP in respect of SAFE 2 registration was to be addressed separately by the DPC. The current inquiry was established to separately examine the processing of biometric data under SAFE 2 registration, as highlighted in the final investigation report.
SAFE 2 registration is mandatory for applicants seeking a PSC, which is required to access a range of DSP services, including welfare payments. Individuals who do not undergo SAFE 2 registration are unable to access these services. The process involves the collection, storage, and processing of biometric data, specifically facial templates, in relation to a substantial proportion of the population of the State. As biometric data is classified as special category data under the GDPR, it attracts enhanced protections and safeguards.
Given the nature and scale of the processing, the DPC considered that it was essential for the DSP to have a clear and precise legal basis for this processing, accompanied by appropriate safeguards to protect personal data and the fundamental rights of individuals.
The inquiry focused on assessing whether:
The DPC’s decision found that the DSP:
The DPC imposed the following sanctions:
The DPC noted that the findings and corrective measures do not challenge the principle or policy of SAFE 2 registration itself. Furthermore, the inquiry found no evidence of inadequate technical or organisational security measures implemented by the DSP in relation to biometric data processing.
The full decision[1] can be downloaded at this link: Inquiry into Department of Social Protection June 2025 (17MB, PDF).
[1] For completeness, the DSP has noted that the facial matching software provider referenced in the Decision is no longer the current provider in respect of the processing of biometric data that was the subject of the inquiry.
This decision arises from an own-volition inquiry that the DPC commenced in July 2019. The inquiry related to a personal data breach notified by City of Dublin Education and Training Board (‘CDETB’) in November 2018. CDETB is the state education and training authority for Dublin city and is also responsible for Student Universal Support Ireland (‘SUSI’), the national awarding authority for student grants.
SUSI was created in 2012 as a business unit of CDETB. CDETB, through SUSI, operates a website (https://www.susi.ie) on which third-level students can apply, and find information relating to their eligibility, for a higher education grant.
The breach, as notified to the DPC, arose from a combination of two factors. Firstly, CDETB discovered that its webserver was retaining the personal data of student grant applicants who had uploaded information connected to their grant applications through CDETB’s website. Prior to this discovery, CDETB had assumed that personal data submitted through its website were being emailed to the relevant SUSI team and were not being retained locally. Secondly, CDETB discovered that there was also malware present on the webserver, which presented a risk that the retained personal data had been unlawfully disclosed.
The breach impacted approximately 13,000 data subjects, identifiable by email address, who had submitted supplementary forms through the SUSI website during 2017 and 2018. The personal data impacted by the breach included names, surnames, birth dates, PPSNs, contact details, identification data and special categories of data (such as data revealing racial or ethnic origin and health data).
The DPC’s inquiry assessed CDETB’s technical and organisational measures for ensuring the security of the personal data that it processed, including whether it had carried out an appropriate risk assessment prior to its implementation of certain additional functionality to its website, and also examined CDETB’s compliance with its obligation to notify the breach to both the DPC and to affected data subjects.
The SUSI website was not originally intended to process personal data. Subsequently, in April 2017, CDETB added functionality to enable grant applicants to submit supplementary requests and information (including personal data) through the website. However, due to inadequate project scoping and risk assessment by CDETB, this information was stored locally on the webserver. The processing affected the personal data of a large number of individuals, so the DPC determined that the risks to be addressed in CDETB’s technical and organisational measures for security were high. As CDETB was not aware that personal data were being stored locally on the webserver, there were no technical and organisational measures in place to ensure that this personal data were being kept secure. The DPC’s inquiry found that, while CDETB had implemented a number of appropriate security measures, some significant failings and omissions were evident:
While CDETB subsequently adopted a wide range of measures to remediate the deficiencies identified during the inquiry, the DPC found that CDETB had infringed Articles 5(1)(f), 32(1) and 32(2) GDPR at the material time by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of personal data on its website, and by failing to assess the appropriate level of security.
Article 33 GDPR requires data controllers to notify their supervisory authority of every personal data breach that is likely to pose a risk to rights and freedoms of persons. The notification must be made ‘without undue delay, and where feasible, not later than 72 hours after having become aware of it’.
CDETB informed the DPC that it became aware on 16 October 2018 that a breach relating to the security of the processing of personal data had occurred on its SUSI webserver. Following this discovery, CDETB commissioned an investigation into the breach. However, CDETB did not notify the DPC of the breach until 16 November 2018, approximately one month after it had become aware of it. CDETB’s notification to the DPC offered no explanation for this delay.
The DPC’s inquiry established that the personal data breach resulted in a risk to the rights and freedoms of data subjects which CDETB became aware of on 16 October 2018. The breach therefore became notifiable to the DPC at that time and CDETB was obliged to notify the DPC without undue delay. As CDETB did not notify the DPC of the breach until 16 November 2018, the DPC found that CDETB infringed Article 33(1) GDPR by failing to notify the DPC of the breach without undue delay.
Article 34(1) GDPR requires data controllers to communicate a personal data breach to data subjects without undue delay, where the breach is likely to result in a high risk to the rights and freedoms of those data subjects. Article 34(4) GDPR requires data controllers to notify data subjects of a data breach where the relevant supervisory authority (in this case the DPC) requires the controller to do so, after the supervisory authority determines that it is necessary to do so having considered the likelihood of the personal data breach resulting in a high risk to data subjects.
CDETB initially informed the DPC that it would be informing affected data subjects of the data breach. However, CDETB subsequently stated that it would not notify data subjects of the incident until it had considered legal advice. CDETB eventually informed the DPC that, as a result of receiving an incident report about the data breach, it was of the opinion that the risk to data subjects was low and that there was therefore no obligation to inform data subjects of the breach.
However, the DPC determined that due to the high number of data subjects affected and the broad nature of the personal data involved, there was a high risk to the data subjects concerned. The DPC found that CDETB was under an obligation to notify the affected data subjects without undue delay and that, by failing to do so, CDETB infringed Article 34(1) GDPR.
On 15 January 2019, the DPC issued CDETB with a formal direction under Article 34(4) GDPR to notify all affected data subjects of the breach. The DPC informed CDETB that, due to the nature of the breach and the nature of the personal data potentially impacted, the DPC considered that the risk posed to data subjects could be severe. However, CDETB declined to comply with the DPC’s direction at that time, because in CDETB’s view the threshold for notification to data subjects had not been met. CDETB did not communicate the personal data breach to the affected data subjects until 16 December 2020. As a result, the DPC found that CDETB infringed Article 34(4) GDPR by failing to communicate the personal data breach to data subjects when required to do so by the DPC as its supervisory authority on 15 January 2019.
The DPC exercised a number of corrective measures on foot of the infringements found in the inquiry. In deciding on the corrective measures to be exercised, the DPC took account of all required factors including the risks posed by the processing, the types of personal data and numbers of persons affected, as well as the remedial steps taken by CDETB. The DPC also had regard to section 141(4) of the Data Protection Act 2018, which sets a maximum of €1,000,000 for administrative fines that may be imposed on ‘public authorities’, a category that includes bodies such as CDETB.
Corrective measures exercised by the DPC were:
However, the DPC commends the tenor and tone of CDETB’s engagement with the DPC since being presented with the DPC’s proposed findings in a draft version of its Decision. These fines, totalling €125,000, are substantially lower than the fining range proposed in the draft Decision, the maximum of which was €210,000. The final fines reflect the mitigation occasioned by CDETB accepting each of the findings of infringements set out in the draft Decision, acknowledging full responsibility for the breach, apologising to both the data subjects affected and the regulator and in proactively taking steps, without having specifically been directed to do so by the DPC, to reduce the likelihood of similar breaches occurring in future.
The full decision is now available for download (20MB, PDF).
The corrigendum to the decision is also available for download (4.5MB, PDF).
On 12 December 2024, the Irish Data Protection Commission (‘DPC’) adopted final decisions in two own-volition statutory inquiries reprimanding Meta Platforms Ireland Limited (‘MPIL’) and imposing administrative fines. The DPC opened the inquiries in response to a personal data breach reported by MPIL (then known as Facebook Ireland Ltd) in September 2018. The inquiry was carried out in accordance with the Data Protection Act 2018 and Article 60 of the EU General Data Protection Regulation (‘GDPR’).
The decisions considered aspects of the fundamental right to data protection under Article 8 of the Charter of Fundamental Rights of the EU as given effect in the GDPR, including the controller’s obligation to report and maintain records of breaches, and to implement measures to protect personal data both by design and default.
The breach arose from MPIL’s use of user tokens in connection with certain features on the Facebook platform. User tokens are coded identifiers that can be used to verify the user of a platform or utility, and to control access to particular platform features and personal data of the user and their contacts. In 2017 MPIL introduced a new video uploading feature. When used in conjunction with Facebook’s ‘View As’ feature (which allows a user’s page to be viewed as another user would see it) and the ‘Happy Birthday Composer’, the video uploader would generate a fully permissioned user token that gave full access to the Facebook profile of that other user. That token could then be used to exploit the same combination of features on other accounts, allowing access to multiple users’ profiles and the data accessible through them. Between 14 and 28 September 2018 unauthorised persons used scripts to exploit this vulnerability and gained access to approximately 29 million Facebook accounts globally, of which approximately 3 million were based in the EU/EEA. Facebook security personnel were alerted to the vulnerability by an anomalous increase in video upload activity and removed the functionality that caused the vulnerability shortly thereafter. MPIL notified the DPC of the breach on 28 September 2018.
The DPC commenced inquiries to investigate compliance with aspects of the GDPR.
| Number | Article of the GDPR | Findings |
| --- | --- | --- |
| 1 | Article 33(3) | MPIL’s breach notification did not include information about the breach that MPIL could and should have included. This included information on the nature of the breach, categories of data subjects affected by the breach, the categories of personal data records affected by the breach, and the likely consequences of the breach. |
| 2 | Article 33(5) | MPIL failed to create a contemporaneous documentary record of the facts relating to the breach. |

| Number | Article of the GDPR | Findings |
| --- | --- | --- |
| 1 | Article 25(1) | MPIL failed to implement appropriate technical and organisational measures to ensure that processing was secure against attack and upheld the integrity and confidentiality principles. Separately from the vulnerabilities specifically attributable to the tokens, MPIL failed to make use of alternative and more appropriate measures to ensure that, by design, processing met the required standards of data protection. |
| 2 | Article 25(2) | In the context of the processing for which they were deployed, the tokens deployed by MPIL gave unnecessarily broad access to personal data of Facebook users. This failure to ensure that only personal data necessary for the specific purpose of the processing were processed infringed the principle of data protection by default. |
Where the DPC makes a decision under section 111(1)(a) of the Data Protection Act 2018, it must also make a decision under section 111(2) as to whether a corrective power should be exercised in respect of the controller or processor concerned, and if so, the corrective power to be exercised.
Having considered the infringements of the GDPR as set out above, the DPC decided to exercise the following corrective powers, in accordance with Article 58(2) GDPR:
The purpose of the reprimand is to formally recognise the serious nature of the infringements in order to deter future similar non-compliance by MPIL and other controllers or processors carrying out similar processing operations. The infringements concerned the personal data of millions of Facebook users. Furthermore, the DPC found both infringements contributed to a risk of fraud, identity theft and spamming in respect of the data subjects, including children and other vulnerable persons.
In deciding to impose administrative fines totalling €251 million, the DPC gave due regard to the factors set out in Article 83(2) GDPR. The DPC also considered that the administrative fines met the requirements set out in Article 83(1) GDPR of being effective, proportionate and dissuasive.
Before adopting the Decisions, the DPC submitted drafts of them to the other European data protection supervisory authorities (‘Concerned Supervisory Authorities’ or ‘CSAs’) in September 2024, as required by Article 60(3) GDPR. The CSAs did not raise any objections under Article 60(4) GDPR to the draft decisions. Three comments were received from CSAs with regard to each of the draft decisions. The DPC had due regard to these comments, and to final submissions by MPIL, when finalising the Decisions for adoption.
The full decision IN-18-10-1 is now available for download (36MB, PDF).
The full decision IN-18-11-1 is now available for download (36MB, PDF).
This decision arises from an own-volition inquiry that the DPC commenced in July 2019. The inquiry related to a personal data breach notified by Maynooth University in November 2018.
The breach affected the email accounts of university employees and allowed unauthorised persons to gain control of up to six accounts. The unauthorised persons used their control of one account to create email rules that concealed messages received from certain addresses. By means of this, the unauthorised persons perpetrated a fraud, leading to a financial loss by one person whose email account had been affected. That person was subsequently compensated by Maynooth University for that loss. The DPC assessed Maynooth University’s technical and organisational measures for ensuring the security of personal data that it processed, and also examined compliance with the controller’s obligation to notify breaches promptly.
The DPC determined that the email system was used for a broad range of purposes affecting the general scope of activities carried out in Maynooth University including HR and related matters. The types of personal data processed included detailed identification, financial and contact information, as well as health and other sensitive categories of personal data. The processing affected the personal data of a large number of individuals, so the DPC determined that the risks to be addressed in Maynooth University’s technical and organisational measures for security were high. The DPC’s inquiry found that, while Maynooth University had implemented a number of appropriate security measures, some significant failings and omissions were evident:
The DPC’s decision finds that Maynooth University’s technical and organisational measures did not properly address the risks posed by its processing, taking account of the nature of the personal data, the purposes for which it was used, and the numbers of persons affected. While Maynooth University subsequently adopted measures to remediate deficiencies identified during the inquiry, and compensated the victim of the financial fraud, the DPC determined that Maynooth University had infringed Articles 5(1)(f) and 32 GDPR by failing to ensure appropriate security for the personal data that it processed, and to implement appropriate technical and organisational measures to ensure such security.
Article 33 GDPR requires data controllers to notify their supervisory authority of every personal data breach that is likely to pose a risk to rights and freedoms of persons. The notification must be made ‘without undue delay, and where feasible, not later than 72 hours after having become aware of it’.
The DPC’s inquiry established that, while Maynooth University was aware at an early stage of all facts showing that a personal data breach had occurred which posed risks to persons’ rights and freedoms, it did not report the breach to the DPC until more than 3 weeks later. Instead, after discovering the breach, Maynooth University commissioned an external IT security advisor to report on it and the surrounding circumstances. The report confirmed that the breach should be notified to the DPC, but that step was not taken until 4 days after delivery of the report. The DPC noted that the purpose of requiring prompt notification of breaches includes enabling the supervisory authority to advise and direct action to protect persons from the considerable risks that can be posed by breaches. It followed that, by unnecessarily delaying notification of this breach, Maynooth University had infringed Article 33(1) GDPR.
The DPC’s decisions on corrective measures took account of all required factors including the risks posed by the processing, the types of personal data and numbers of persons affected, as well as the remedial steps taken by Maynooth University. The DPC also had regard to section 141(4) of the Data Protection Act 2018, which sets a maximum of €1,000,000 for administrative fines that may be imposed on ‘public authorities’, a category that includes bodies such as Maynooth University.
Corrective measures taken by the DPC were:
The full decision can be downloaded at this link: Inquiry into Maynooth University November 2024 - (PDF, 1.3MB)
This inquiry is one of a number of own-volition inquiries into a broad range of issues pertaining to surveillance technologies deployed by State authorities. The inquiry sought to assess whether Sligo County Council was processing personal data in compliance with the GDPR and the Data Protection Act 2018. The inquiry examined a number of the Council’s processing operations including its use of CCTV cameras in public places used for the purposes of prosecuting crime or other purposes.
For more information, you can download the full decision at this link: Inquiry into Sligo County Council November 2024 - (PDF, 7.6MB)