News & Media

Data Protection Commission Publishes Final Decision Following Inquiry into Permanent TSB

08th May 2026

The Data Protection Commission (DPC) has announced its final decision following an inquiry into a series of personal data breaches at Permanent TSB (PTSB), which were first reported to the DPC in May 2022.

The breaches occurred when malicious actors, in possession of certain customer information, called PTSB’s ‘Open24 Contact Centre’ and posed as customers to gain access to their accounts and amend account details.

In all three incidents, appropriate security protocols were not followed. The malicious actors were able to change details associated with the accounts and obtain additional account information. As a result, account holders were exposed to an increased risk of additional fraud. The account holders were forced to close their accounts, and, in some cases, suffered financial loss.

As part of the inquiry, the DPC assessed the appropriateness of PTSB’s technical and organisational measures for ensuring the security of personal data that it processed through its Open24 Contact Centre. The DPC also assessed whether PTSB notified the DPC of the breaches within the timeframes required by the GDPR.

The DPC’s decision, which was notified to PTSB last week, finds that PTSB:

  • infringed the principle of integrity and confidentiality of Article 5(1)(f) GDPR by failing to ensure appropriate security of the personal data related to customer accounts using appropriate technical and organisational measures;
  • infringed Article 32(1) GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of personal data within the Open24 Contact Centre; and
  • infringed Article 33(1) GDPR by its failure to notify the DPC without undue delay and within 72 hours of becoming aware of the breaches.

In light of the infringements identified above, the DPC has:

  1. reprimanded PTSB;
  2. fined PTSB €250,000 for the infringements of Articles 5(1)(f) and 32(1) GDPR; and
  3. fined PTSB €27,500 for the infringement of Article 33(1) GDPR.

The DPC will publish the full decision in due course.