Ireland
Irish Teacher Council
GDPR enforcement action by Data Protection Authority of Ireland on 2021-12-02.
Case details
- Authority
- Data Protection Authority of Ireland
- Date
- 2021-12-02
- Controller / Processor
- Irish Teacher Council
- Sector
- Public Sector and Education
- Quoted Articles
- Art. 5 (1) GDPR, Art. 32 (1) GDPR, Art. 33 GDPR
- Type of violation
- Insufficient technical and organisational measures to ensure information security
Summary
The Irish DPA has imposed a fine of EUR 60,000 on the Irish Teaching Council. The Council notified the DPA of a data breach under Art. 33 of the GDPR.
Accordingly, two employees of the Council accessed a phishing email that allowed them to set up an automatic forwarding system from their email accounts to a malicious email account. As a result, 323 emails were forwarded to the unauthorized external email address between February 17, 2020 and March 6, 2020. The emails contained the personal data of 9,735 data subjects and the sensitive personal data of one data subject.
The DPA therefore found that the Council had failed to implement appropriate technical and organizational measures to ensure a level of protection for data subjects' personal data commensurate with the risk.
In addition, the DPA found that the Council failed to report the data breach in a timely manner.
Related fines