Decisions
Decisions
Explore summaries and full text of Decisions published by the Data Protection Commission.
Fines Explained
In addition to imposing corrective measures, over €4 billion in fines have been levied against organisations as a result of DPC inquiries. To date, approximately €20 million in fines has been collected.
The law provides that fines imposed by the DPC do not become payable until they are confirmed in Court. If no appeal is made against the DPC’s decision, the DPC must apply to the Circuit Court to confirm the fine under the Data Protection Act 2018.
If an appeal is made against the DPC’s decision, the fine cannot be collected pending that appeal. Such appeals are brought either in the Circuit Court or in the High Court, depending on the monetary value of the fine.
Inquiry into City of Dublin Education and Training Board (CDETB)
This decision arises from an own-volition inquiry that the DPC commenced in July 2019. The inquiry related to a personal data breach notified by City of Dublin Education and Training Board …
See More InformationInquiry into Maynooth University
This decision arises from an own-volition inquiry that the DPC commenced in July 2019. The inquiry related a personal data breach notified by Maynooth University in November 2018. The…
See More InformationInquiry into Meta Platforms Ireland Limited
On 26 September 2024, the Irish Data Protection Commission (DPC) adopted a final decision in an own-volition statutory inquiry, concerning the processing of user passwords on the Facebook…
See More InformationInquiry into Bank of Ireland 365
The inquiry was commenced after BOI notified the DPC of a series of 10 data breaches relating to the BOI365 banking app. The data breach notifications concerned individuals gaining…
See More InformationInquiry into Centric Health Ltd
The DPC commenced the Inquiry following a ransomware attack affecting patient data held on Centric’s patient administration system which was notified to the DPC on 5 December 2019. As a…
See More InformationInquiry into Kildare County Council
This inquiry sought to assess whether Kildare County Council was processing personal data in compliance with the GDPR and the Data Protection Act 2018. The inquiry examined a number of the…
See More InformationInquiry into A&G Couriers Limited T/A Fastway Couriers (Ireland)
This inquiry was commenced in respect of a personal data breach that A&G Couriers Limited T/A Fastway Couriers, Ireland (Fastway) notified to the DPC on 4 March 2021. Fastway is a…
Article(s): 32
Inquiry into Virtue Integrated Elder Care Ltd (VIEC)
The inquiry was commenced after VIEC notified a personal data breach to the DPC on 19 August 2020. VIEC operates and manages five nursing homes on the Southside of Dublin and in County…
See More InformationInquiry into Ark Life Assurance Company dac
This decision arose from an own-volition inquiry commenced by the DPC pursuant to section 110 of the Data Protection Act 2018 to consider whether Ark Life had complied with the GDPR in…
Article(s): 32
Inquiry into Allianz plc
This decision arose from an own-volition inquiry commenced by the DPC pursuant to section 110 of the Data Protection Act 2018 to consider whether Allianz had complied with the GDPR in…
Article(s): 32
Inquiry concerning 12 Facebook personal data breaches
The DPC has adopted a decision, imposing a fine of €17 million on Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) (“Meta Platforms”). The decision followed an inquiry by…
See More InformationInquiry into Bank of Ireland Group plc
This inquiry was commenced in respect of 22 personal data breach notifications that Bank of Ireland Group plc (“BOI”) made to the Data Protection Commission (“DPC”) between 9 November 2018…
See More InformationInquiry into Slane Credit Union
This inquiry was commenced in respect of a personal data breach that Slane Credit Union notified to the DPC on 30 November 2018. Slane Credit Union was established on 16 February 1968 as a…
See More InformationInquiry into a Consultancy Provider
This inquiry was commenced in respect of a personal data breach that the Personal Injuries Assessment Board (‘PIAB’) reported to the Data Protection Commission on 10 December 2019. PIAB is…
Article(s): 32
Inquiry into the Teaching Council
This inquiry was commenced in respect of a personal data breach that the Teaching Council (the Council) notified to the DPC on 9 March 2020. The Council is the professional standards body…
See More InformationInquiry into MOVE (Men Overcoming Violence) Ireland
This inquiry was commenced in respect of a personal data breach that MOVE notified to the DPC on 3 February 2020. MOVE is a registered charity, which works in the area of domestic violence,…
See More InformationInquiry into University College Dublin
This inquiry was commenced in respect of 7 personal data breaches that University College Dublin (‘UCD’) notified to the DPC between 8 August 2018 to 21 January 2019. The personal data…
See More InformationInquiries concerning the Health Service Executive
Date of Decisions: 18 August 2020 & 29 September 2020 The DPC commenced inquiry IN-19-9-1 in respect of one personal data breach notified by the HSE to the DPC. The personal data breach…
See More InformationInquiry into Tusla Child and Family Agency
This inquiry was commenced in respect of 71 personal data breaches notified by Tusla to the DPC. The decision considered a broad range of Tusla’s processing operations and the findings…
See More InformationInquiry into University College Dublin
This inquiry was commenced in respect of 7 personal data breaches that University College Dublin (‘UCD’) notified to the DPC between 8 August 2018 to 21 January 2019. The personal data…
See More InformationInquiry into Tusla Child and Family Agency
This inquiry was commenced in respect of one personal data breach notified by Tusla to the DPC. The personal data breach occurred when a social worker for Tusla wrote a safeguarding letter…
See More InformationInquiry into Tusla Child and Family Agency
This inquiry was commenced in respect of three personal data breaches notified by Tusla to the DPC. All three personal data breaches occurred in circumstances where Tusla failed to redact…
Article(s): 32