Bank of Ireland – €463,000 Fine (Ireland, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The controller is Bank of Ireland (BOI). Between 9 November 2018 and 27 June 2019, the controller submitted 22 breach notifications to the Irish Data Protection Commission (DPC) in relation to the Central Credit Register (CCR). The CCR “is a centralised system that collects and securely stores information about loans” and is managed by the Central Bank of Ireland. Every loan of upwards of €500 is to be reported to the CCR. This information is then used to “generate individual credit reports on borrowers, which they and, in certain circumstances, lenders can access.” The controller informed the DPC that inaccurate customer data was uploaded to the CCR by the controller “which gave an erroneous view of BOI’s customers’ finances and credit history.”

Considering the nature of the breach and the possible contravention of the Data Protection Act and the GDPR, the DPC commenced an investigation and framed the following four issues. The Preliminary Issue was whether the incidents described in the breach notifications reported by the controller to the DPC fall within the definition of a “personal data breach” under Article 4(12) GDPR. Issue 1 concerned whether the controller had infringed Article 33 GDPR in the manner in which it reported personal data breaches (if any personal data breaches were found in this decision) to the DPC. Issue 2 concerned whether the controller had infringed Article 34 GDPR, and Issue 3 concerned whether the controller had infringed Article 32 GDPR.

The DPC examined each of the 22 breach notifications and determined that 19 of them constituted a personal data breach as per Article 4(12) GDPR, as they included unauthorised disclosures of customer personal data to the CCR and accidental alterations of customer personal data on the CCR. Moreover, the controller contravened Article 33 GDPR with respect to 17 personal data breaches as it failed to “report the personal data breach without undue delay” and “provide the information required” under Article
Cite as: Cookie Fines. Bank of Ireland - Ireland (2022). Retrieved from cookiefines.eu