Irish Life Assurance – Court Ruling (Ireland, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Irish Life Assurance mistakenly sent personal and financial letters of a customer to a third party between 2008 and 2020. The customer claimed this caused them distress and sought damages, but the court ruled the case should be dismissed because the customer didn't follow the proper legal process. This case highlights the importance of following legal procedures when making claims about data breaches.
What happened
A customer claimed that Irish Life Assurance sent their personal data to the wrong person over several years.
Who was affected
The customer whose personal and financial information was mistakenly sent to a third party.
What the authority found
The High Court upheld the lower court's decision that the customer needed to obtain authorization from the Personal Injuries Assessment Board before proceeding with the claim.
Why this matters
This ruling emphasizes the necessity of following specific legal steps when claiming damages for data breaches. It serves as a reminder for businesses to ensure they have proper procedures in place for handling personal data.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The data subject took out a life insurance policy with the controller, an insurance company. Between 2008 and 2020, a few letters containing the data subject’s personal and financial data were mistakenly sent to a third party. In June 2021, the data subject took proceedings to the court of first instance (Circuit Court) claiming that the controller acted negligently and in breach of duty, causing the data subject “distress, upset, anxiety, inconvenience, loss and damage”. The data subject sought a declaration that that the controller violated the GDPR, implemented by Data Protection Act 2018, and the Data Protection Acts of 1988 and 2003, and further sought damages for negligence and breach of duty. However, the court of first instance dismissed the case on the grounds that the data subject had not obtained authorisation from the Personal Injuries Assessment Board (PIAB), an independent body which was set up to make personal injuries claims faster and cheaper. (In most personal injury claims in Ireland, it is required to obtain an authorisation from the PIAB, before taking a claim to court.) The data subject appealed the decision before the court of appeal (High Court), limiting his claim to data breaches that allegedly occurred after the implementation of the GDPR in 2018. He also contended that his claim was not an action for personal injuries as that term is used in the [https://www.irishstatutebook.ie/eli/2003/act/46/section/12/enacted/en/html section 12 of the Personal Injury Assessment Board Act 2003] (the 2003 Act). Instead, it was a claim for non-material damages under the GDPR. The High Court upheld the Circuit court's decision that the PIAB authorisation should have been obtained first and ruled that the action should be dismissed. However, the data subject was granted leave to appeal to the Supreme Court regarding the question of whether a claim for damages for “distress, upset and anxiety” arising from an alleged data breach, falls within the statut
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Violations (1)
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Cases (0)
No other cases found for Irish Life Assurance in IE
This is the only recorded case for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Irish Life Assurance - Ireland (2025). Retrieved from cookiefines.eu
Last updated: