Inquiry into Bank of Ireland 365 ('BOI') - February 2023

(IN-20-7-2)

Date of Decision: 27 February 2023

The inquiry was commenced after BOI notified the DPC of a series of 10 data breaches relating to the BOI365 banking app. The data breach notifications concerned individuals gaining unauthorised access to other people’s accounts via the BOI365 app.

The decision considered whether BOI had complied with Articles 5(1)(f) and 32(1) GDPR and, in particular, whether BOI had implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with its processing of data via the BOI365 app. After investigation, the decision found that BOI had infringed its obligations under Articles 5(1) and 32(1) GDPR, as the technical and organisational measures in place at the time were not sufficient to ensure the security of the personal data processed on the BOI365 app.

Corrective Powers Exercised:

  • The decision issued BOI with a reprimand in respect of the infringements of Articles 5(1)(f) and 32(1) GDPR.
  • The decision ordered BOI to bring its processing into compliance with Articles 5(1)(f) and 32(1) GDPR.
  • The decision imposed an administrative fine on BOI in the amount of €750,000 in respect of the infringement of Article 5(1)(f) GDPR.

For more information, you can download the full decision at this link: Inquiry into Bank of Ireland 365 - February 2023 (PDF, 1.8mb).