Inquiry into Permanent TSB (PTSB)
The inquiry commenced following Permanent TSB’s (‘PTSB’) notification to the DPC of a series of three data breaches relating to PTSB’s ‘Open 24 Contact Centre’. Each of the data breach notifications concerned malicious actors, in possession of certain PTSB client information, contacting PTSB’s Open24 Contact Centre in order to gain access to client accounts.
The decision considered whether PTSB had complied with Articles 5(1)(f), 32(1) and 33(1) GDPR. In particular the DPC considered whether PTSB had implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with its processing of personal data via the Open 24 Contact Centre, and also whether PTSB had reported the breaches to DPC within the required time periods under the GDPR.
The DPC’s decision found that PTSB:
- infringed the principle of integrity and confidentiality of Article 5(1)(f) GDPR by failing to ensure appropriate security of the personal data related to customer accounts by implementing appropriate technical and organisational measures;
- infringed Article 32(1) GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of personal data within the Open24 Contact Centre; and
- infringed Article 33(1) GDPR by its failure to notify the DPC without undue delay and within 72 hours of becoming aware of the breaches.
Corrective Powers Exercised:
- The Decision issued PTSB with a reprimand in respect of the infringements of Articles PTSB;
- The Decision imposed an administrative fine on PTSB in the amount €250,000 in respect of the infringements of Articles 5(1)(f) and 32(1) GDPR; and
- The Decision imposed an administrative fine on €27,500 for the infringement of Article 33(1) GDPR
You can download the full decision at this link: Permanent TSB (PTSB) - April 2026 (PDF, 898KB).