The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

22nd August, 2018 - Statement by Data Protection Commission in relation to Eir breach notification


On the 10th August 2018, the Data Protection Commission (DPC) was notified by Eir of a potential data vulnerability involving approximately 1500 of their laptops, which arose as a result of an incorrect configuration. This vulnerability had resulted in standard encryption being removed from these laptops. The DPC was later notified that one laptop had been stolen. The type of personal data involved is the name, email, mobile and account numbers of some 36,642 Eir Customers, as well as name and contact details of 177 Eir employees.

 Eir has continued to update the Commission on this incident, and the remedial action being taken. As of yesterday Eir reported that out of the 1,484 laptops impacted, 1,438 laptops have been re-encrypted, a further 25 are re-encrypting or awaiting re-encryption and 21 remain unencrypted. Eir also confirmed that it will be contacting the persons affected by the theft. The DPC continues to closely monitor this situation.


This incident underlines the concerns previously expressed by the DPC in respect of the technical and structural security measures being employed by organisations who process personal data, and the need for stringent safety measures to be central to the business model of any entity which processes personal data.