University of Limerick – €98,000 Fine (Ireland, 2025)

In 2020, the University of Limerick (the controller) notified the Irish DPA (DPC) of six personal data breaches that entailed unauthorised access to staff email accounts gained through ‘phishing’. Subsequently, the DPA launched an investigation into the controller. The DPA found infringements of the GDPR and issued a reprimand and a total fine of €98,000 to the controller. Firstly, the DPA found that the security and organisational measures in place at the time of the initial data breach did not meet the standards required by Article 5(1)(f) GDPR and Article 32(1) GDPR. Secondly, the DPA found that the controller infringed Article 30(1) GDPR by failing to maintain a record of processing activities that contained a description of its organisational and technical measures in place to protect the data it processed. Thirdly, the DPA found that the controller failed to notify two of the security incidents without undue delay, in violation of Article 33(1) GDPR. The DPA explained that an internal notification delay within the controller’s organisation did not excuse a delay in notifying the DPA. Fourthly, the DPA found that the controller breached Article 34(1) GDPR by failing to notify 24 data subjects affected by one of the data breaches and 76 data subjects affected by another data breach without undue delay.