Ireland

University College Dublin

70,000 €

GDPR enforcement action by Data Protection Authority of Ireland on 2020-12-17.

Rank · Sector

#56

of 356 in Public Sector and Education

Rank · Ireland

#26

of 36

Rank · All fines

#572

of 3,042

Case details

Authority: Data Protection Authority of Ireland
Date: 2020-12-17
Controller / Processor: University College Dublin
Sector: Public Sector and Education
Quoted Articles: Art. 5 (1) e), f) GDPR, Art. 32 (1) GDPR, Art. 33 (1) GDPR
Type of violation: Insufficient technical and organisational measures to ensure information security

Summary

The Irish DPA (DPC) fined University College Dublin (UCD) EUR 70,000 due to seven personal data breaches. Unauthorized third parties were able to access UCD e-mail accounts, and login credentials for UCD e-mail accounts were posted online. It was found that the controller did not take appropriate technical and organisational measures to protect data security when processing personal data in its email service. In addition, the controller stored certain personal data in an email account in a form that allowed identification of the data subjects for longer than necessary for the purpose for which the personal data were processed. Also, the controller did not notify the DPC of a personal data breach in a timely manner.

Open original source Links to the regulator's original publication or another source.