13/08/2025
Briefing

Security

When considering personal data breaches the DPC often identifies inadequacies with respect to the technical and organisational measures in place and the assessments undertaken by the controllers.

City of Dublin Education and Training Board (CDETB) – Inquiry IN-19-7-3

CDETB discovered that personal data, including names, birth dates, PPS numbers and contact information, and sensitive personal data such as health data, was being stored on its webserver. CDETB also discovered that malware was present on the server, presenting the risk that the retained personal data had been unlawfully disclosed.

Among other issues, the DPC found that CDETB had infringed Article 5(1)(f) (the principle of integrity and confidentiality) and Article 32 (security of processing) GDPR for failing to:

(i) undertake a risk analysis to identify, analyse or address any threats to certain of its processing activities prior to the breach;

(ii) adequately archive access, event and error logs, undertake penetration testing or operate a web application firewall; and

(iii) carry out appropriate testing of its technical and organisational measures in order to evaluate their effectiveness and identify weaknesses.

Maynooth University – Inquiry IN-19-9-3

Attackers accessed six staff email accounts at the university and used one account to manipulate internal email traffic and engage in fraud, leading to a financial loss by a person whose email account had been affected.

The DPC found that while the university had implemented several appropriate security measures, some significant failings and omissions were evident:

(i) The DPC found certain technical measures to be inadequate, including the failure to use multi-factor authentication in appropriate situations and inadequate measures to keep systems updated and to prevent malware.

(ii) In respect of organisational measures, the DPC found the following to be inadequate: policies and staff training on email security and data protection, supervision of email use, the password policy and policies regarding the control and management of personal data breaches.

Key takeaways: The security of processing personal data should be embedded from the outset. Organisations should conduct thorough risk assessments to identify potential risks and inform security measures. The DPC’s recent decisions demonstrate that robust policies, procedures, training and regular evaluation of security practices and processes are essential.

Transparency

The DPC continually emphasises the importance of transparency given the key role it plays with respect to the exercise of data subject rights.

TikTok Technology Limited (TikTok) – Date of announcement of final decision: 2 May 2025

In the context of the DPC’s inquiry relating to transfers of EEA User Data to China the DPC held that TikTok infringed Article 13(1)(f) GDPR (the requirement to provide information to data subjects regarding the transfer of their personal data outside of the EEA).

The DPC considered that TikTok’s October 2021 privacy policy was inadequate as it did not name the third countries to which personal data were transferred, nor did it explain that processing included remote access to personal data stored in Singapore and the United States by staff based in China. An updated policy provided to the DPC during the inquiry was deemed by the DPC to be compliant with the requirements of Article 13(1)(f) GDPR with respect to the data transfers within the scope of the inquiry. The provision of the revised December 2022 policy limited the duration of the infringement.

The full decision of the DPC has not been published as of the date of this briefing.

Department of Social Protection (DSP) – Date of announcement of final decision: 12 June 2025

The DPC found that during its biometric registration process for Public Service Cards, the DSP failed to provide individuals with sufficiently clear and transparent information about how their biometric data was being processed.

The full decision of the DPC has not been published as of the date of this briefing.

Key takeaways: Controllers must clearly inform individuals about how their data is processed and provide sufficient detail.

Notification of personal data breaches

Meta Platforms Ireland Limited (MPIL) – Inquiry IN-18-10-1

This inquiry concerned a personal data breach. The DPC found that while MPIL met its obligation to notify the DPC of the breach “without undue delay”, there were failings with respect to the notification itself.

The DPC assessed the information provided and found that MPIL was aware of “material information” about the nature of the data breach before it was notified to the DPC, which MPIL did not include in the notification. The information related to the timeline of the breach and to how the breach was caused. The DPC held that it could be inferred that MPIL understood this information to be material, as the information omitted from the notification had been disseminated publicly on behalf of MPIL.

The DPC noted that a controller must apply an interpretation of Article 33(3) GDPR that requires it to provide the supervisory authority with all relevant information available to it, regardless of whether such information is outlined as being required in various guidance documents from supervisory authorities and/or the European Data Protection Board.

With regard to Article 33(5) GDPR (documenting the personal data breach), the DPC found that MPIL’s record of the data breach was created in response to, and for the purpose of responding to, queries raised, rather than as a contemporaneous account of the breach. The DPC held that MPIL’s record did not provide the DPC with a holistic view of the data breach and as such MPIL did not comply with its obligation to document it.

Maynooth University – Inquiry IN-19-9-3

In its inquiry into the personal data breach at Maynooth University (referred to above), the DPC found that the university infringed Article 33(1) GDPR by failing to notify it of the breach without undue delay and, where feasible, not later than 72 hours after having become aware of the breach.

The university deferred notification of the breach to the DPC pending receipt of a third-party report the university had commissioned into the incident. The breach was formally notified to the DPC on 19 November 2018. The DPC was satisfied that a notifiable breach was evident to the university before delivery of the report and that it was apparent at the latest by 23 October 2018 that the university email account of an employee had been improperly accessed and rules had been created on it. The DPC noted that this constituted unauthorised access to personal data in or accessible through the email account and therefore the requirement to notify the DPC arose at the latest at that point.

Key takeaways: Controllers must carefully observe each of the requirements of Article 33 GDPR. Notifications to the DPC should be made on time and be sufficiently detailed, based on the information available to the controller at the time.