Inquiry into Bank of Ireland Group plc

(IN-19-9-5)

Date of Decision: 14 March 2022

This inquiry was commenced in respect of 22 personal data breach notifications that Bank of Ireland Group plc (“BOI”) made to the Data Protection Commission (“DPC”) between 9 November 2018 and 27 June 2019. The notifications related to the corruption of information in the BOI’s data feed to the Central Credit Register (“CCR”), a centralised system that collects and securely stores information about loans. The incidents included unauthorised disclosures of customer personal data to the CCR and accidental alterations of customer personal data on the CCR.

The decision considered as a preliminary issue whether the incidents met the definition of a “personal data breach” under the GDPR, and found that 19 of the incidents reported did meet this definition.

The decision found infringements of the following provisions of the GDPR:

  • Article 33 of the GDPR, which requires controllers to report personal data breaches to the DPC in certain circumstances, was infringed by BOI in respect of 17 of the incidents reported. The infringements varied in respect of each personal data breach. In a number of incidents, Article 33(1) was infringed by BOI’s failure to report the personal data breach without undue delay. Article 33(3) was also infringed by BOI’s failure to provide sufficient detail to the DPC in respect of some personal data breaches;
  • Article 34 of the GDPR, which requires controllers to report personal data breaches to data subjects in certain circumstances, was infringed by BOI in respect of 14 of the incidents reported. The infringements concerned a failure by BOI to issue communications to data subjects without undue delay in circumstances where the personal data breaches were likely to result in a high risk to the data subjects’ rights and freedoms; and
  • Article 32(1) of the GDPR was infringed by BOI by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of customer data in transferring information to the CCR.

The corrective powers exercised:

  • The decision imposed administrative fines on BOI for the infringement of Article 32(1) of the GDPR and certain of the infringements of Articles 33 and 34 of the GDPR. The total amount of administrative fines imposed was €463,000.
  • The decision ordered BOI to bring its processing into compliance with Article 32(1) of the GDPR by ordering it to make certain changes to its technical and organisational measures.
  • The decision issued BOI with a reprimand in respect of all of the infringements of Articles 33, 34 and 32(1) of the GDPR identified in the decision.

For more information, you can download a copy of the full decision at this link: Bank of Ireland Group plc March 2022 (PDF, 1,457 KB).