The DPC’s announcement came following an inquiry by the regulator into 22 data breach notifications made by BOI between November 2018 and June 2019. The DPC found that 19 of the breaches met the definition of a personal data breach. One such breach affected approximately 47,000 data subjects, even though BOI’s initial notification said only one individual was affected. The notifications related to corruption of personal data in BOI’s data feed to the Central Credit Register (“CCR”), a centralised system managed by the Central Bank of Ireland, which collects and stores information about loans. The incidents included unauthorised disclosure by BOI of customer data to the CCR and accidental alteration of certain customer data stored on the CCR – such alterations may have damaged customers’ credit ratings and prevented them getting loans.
Ultimately, the DPC’s inquiry found that BOI breached a number of provisions of the GDPR, including:
- Article 32 - BOI failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented in transferring customer data to the CCR;
- Article 33 – BOI failed to report 17 data breaches without undue delay; and
- Article 34 – BOI failed to notify data subjects affected by the breach without undue delay in circumstances where the breach was likely to result in a high risk to those data subjects’ rights and freedoms.
In response to the DPC’s decision, BOI said that it “fully acknowledges” and “sincerely apologises” for the breaches and advised that it has taken measures to improve its ongoing CCR reporting. Pursuant to section 143 of the Data Protection Act 2018 (as amended) where an organisation does not appeal the DPC’s decision within 28 days, the DPC must apply to the Circuit Court to affirm its decision.
The decision to fine BOI follows the release of the DPC’s annual report in February 2022 which outlined that the regulator had, as at 31 December 2021, 81 statutory inquiries on hand. Therefore, it is likely we will see more fines being handed down by the DPC as the year progresses.
To see a summary of the DPC’s BOI decision, click here.
