Inquiry into Virtue Integrated Elder Care Ltd (VIEC) - December 2022

IN-21-2-5

Date of Decision: 20 December 2022

The inquiry was commenced after VIEC notified a personal data breach to the DPC on 19 August 2020. VIEC operates and manages five nursing homes on the Southside of Dublin and in County Louth. The data breach notification concerned an unknown actor who gained access to a VIEC manager email account by way of a phishing attack and set up mail forwarding rules to an external account. As a result of this, the personal data of residents, including special category data such as health and biometric data, was accessed by the unknown actor.

The decision considered whether VIEC had complied with Articles 5(1)(f) and 32(1) GDPR and, in particular, whether VIEC had implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with its processing operations.

The decision found that VIEC had infringed its obligations under Articles 5(1) and 32(1) GDPR. The processing by VIEC of personal and special category data on its email system prior to the phishing attack, without adequate security measures, placed such data at risk of being unlawfully accessed.

Corrective Powers Exercised

  • The decision issued VIEC with a reprimand in respect of the infringements.
  • The decision ordered VIEC to bring its processing into compliance with Articles 5(1)(f) and 32(1) of the GDPR.
  • The decision imposed an administrative fine on VIEC in the amount of €100,000 in respect of the infringement of Article 5(1)(f) GDPR.

You can download the full decision at this link: A&G Couriers Limited T/A Fastway Couriers (Ireland) - December 2022 (PDF, 2.5 MB).