
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

Filtering by source: Data Protection Authority of Ireland (38 items)

City of Dublin Education and Training Board: Insufficient technical and organisational measures to ensure information security

€125,000 fine - Data Protection Authority of Ireland

The Irish DPA has imposed a fine of EUR 125,000 on the City of Dublin Education and Training Board. The controller suffered a data breach due to insufficient technical and organisational measures, concerning around 13,000 data subjects. The controller also failed to inform the DPC and the data subjects without undue delay.

Department of Social Security: Insufficient legal basis for data processing

€550,000 fine - Data Protection Authority of Ireland

The Irish DPA imposed a fine of EUR 550,000 on the Department of Social Security. The controller uses the so-called SAFE 2 registration process for anyone applying for a Public Services Card. The SAFE 2 registration, which is mandatory, processes biometric data without a sufficient legal basis. The controller also failed to adequately inform data subjects about the processing and to conduct a data protection impact assessment.

TikTok Technology Limited: Insufficient legal basis for data processing

€530,000,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has fined TikTok EUR 530 million. In its decision, the DPC found that TikTok infringed Art. 13 (1) f) GDPR and Art. 46 (1) GDPR due to the unlawful transfer and storage of personal data from users in the EEA on Chinese servers. TikTok was unable to verify, guarantee and demonstrate that the supplementary measures and the Standard Contractual Clauses were effective to guarantee that the data afforded a level of protection, which is equivalent to the level of protection guaran

Meta Platforms Ireland Limited: Insufficient technical and organisational measures to ensure information security

€251,000,000 fine - Data Protection Authority of Ireland

The Irish Data Protection Commission (DPC) has fined Meta Platforms Ireland Limited EUR 251 million. The fine was imposed for data protection violations related to a data breach that occurred in 2018 and affected 29 million Facebook accounts worldwide, including 3 million in the EU/EEA. Compromised data included names, email addresses, phone numbers, and children's data. The breach resulted from the exploitation of user tokens on the platform by unauthorized third parties. The DPC found that Met

Maynooth University: Insufficient technical and organisational measures to ensure information security

€40,000 fine - Data Protection Authority of Ireland

The Irish DPA has imposed a fine of EUR 40,000 on Maynooth University. The controller failed to implement adequate technical and organisational measures, resulting in an unauthorised third party gaining access to multiple employees' email accounts, which the third party then used for fraudulent purposes.

Sligo County Council: Non-compliance with general data processing principles

€29,500 fine - Data Protection Authority of Ireland

The Irish DPA has imposed a fine of EUR 29,500 on the Sligo County Council. The controller used video surveillance but failed to ensure compliance with the GDPR. They failed to provide adequate information to data subjects, failed to implement sufficient technical and organisational measures to ensure GDPR compliance, failed to ensure adequate data security and stored the recorded data for longer than necessary.

LinkedIn: Insufficient legal basis for data processing

€310,000,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has fined LinkedIn EUR 310 million. This decision is related to an investigation following a complaint in 2018 from the French NGO 'La Quadrature Du Net'. In July 2024, the DPC issued a draft decision under the GDPR cooperation mechanism under Art. 60 GDPR, to which no objections were raised. During its investigation, the DPC found that LinkedIn had no valid legal basis for processing user data for the purposes of behavioral analysis and targeted advertising. The DPC found th

Meta Platforms Ireland Limited: Insufficient technical and organisational measures to ensure information security

€91,000,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has imposed a fine of EUR 91 million on Meta Platforms Ireland Limited (MPIL). The DPC had initiated an investigation after MPIL reported that user passwords had been stored unencrypted on internal systems; however, external parties did not have access to these passwords. During the investigation, the DPC found that MPIL had not implemented appropriate technical and organizational measures to protect personal data, as the passwords should have been stored in encrypted form. T

TikTok Limited: Non-compliance with general data processing principles

€345,000,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has imposed a fine of EUR 345 million on TikTok Limited. The DPC conducted an investigation primarily focused on the processing of personal data between July 31, 2020, and December 31, 2020. During their investigation, the DPC found that the profiles of child users were set to public access by default. As a result, the DPC concluded that TikTok had failed to implement appropriate technical and organizational measures to ensure that only necessary personal data was being proc

Irish Department of Health: Non-compliance with general data processing principles

€22,500 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has fined the Irish Department of Health EUR 22,500. The DPA launched an investigation into the department following public allegations that the department unlawfully processed personal data from claimants and their families in the context of litigation over special educational needs. The DPC found that the department had obtained information from the Health Service Executive (HSE) about services that the plaintiffs and their families had received. They had also been asked b

Meta Platforms Ireland Limited: Insufficient legal basis for data processing

€1,200,000,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has fined Meta Platforms Ireland Limited EUR 1.2 billion. This is the highest fine imposed to date under the GDPR. In its decision, the DPC found that Meta had violated Art. 46 GDPR by continuing to transfer personal data to the U.S. after the Schrems II ruling of the CJEU. According to the Schrems II ruling, U.S. law does not provide a level of protection for personal data substantially equivalent to that provided by EU law and that the standard contractual clauses (SCCs) al

Bank of Ireland 365: Insufficient technical and organisational measures to ensure information security

€750,000 fine - Data Protection Authority of Ireland

The Irish DPA has fined Bank of Ireland 365 EUR 750,000. The bank had notified the DPA of 10 data breaches linked to the bank's app. Unauthorized persons had managed to gain access to the app as well as to other individuals' accounts. The DPA determined that this data breach was facilitated due to the bank's failure to implement appropriate technical and organizational measures to protect personal data.

Centric Health Ltd.: Non-compliance with general data processing principles

€460,000 fine - Data Protection Authority of Ireland

The Irish DPA has imposed a fine of EUR 460,000 on Centric Health Ltd. The controller suffered a ransomware attack in which personal data such as name, date of birth and contact details were accessed, altered and destroyed without authorization. Data records of approximately 70,000 people were affected, of which 2,500 were permanently affected. The DPA's investigation found that the healthcare facility had failed to implement adequate technical and organizational measures to protect personal da

WhatsApp Ireland Ltd.: Insufficient legal basis for data processing

€5,500,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has fined WhatsApp Ireland Ltd. EUR 5.5 million. The Austrian organization 'None of Your Business' (NOYB) had filed a complaint with the DPA on behalf of an individual. WhatsApp had updated its terms of service shortly before the GDPR came into force. In its new terms of service, WhatsApp informed its users to click 'Agree and Continue' to indicate their agreement with the new terms of service. This was required for further access to the services. WhatsApp assumed that the ac

Meta Platforms Ireland Limited: Non-compliance with general data processing principles

€390,000,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has fined Meta Platforms Ireland Limited EUR 390 million. The DPA has imposed a fine of EUR 210 million for violations related to the provision of its Facebook service and EUR 180 million for violations related to the provision of its Instagram service. The Austrian organization 'None of Your Business' (NOYB) had filed a complaint with the DPA on behalf of two individuals. Meta had updated its terms of service shortly before the GDPR came into force. In its new terms of servi

A&G Couriers Limited T/A Fastway Couriers (Ireland): Insufficient technical and organisational measures to ensure information security

€15,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has fined A&G Couriers Limited T/A Fastway Couriers (Ireland) EUR 15,000. During a changeover of its IT systems, the controller had suffered a cyberattack in which unauthorized third parties gained access to personal data. The DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data, which facilitated such an attack.

VIEC Limited: Non-compliance with general data processing principles

€100,000 fine - Data Protection Authority of Ireland

The Irish DPA has imposed a fine of EUR 100,000 on the nursing home operator VIEC Limited. The controller had notified the DPA of a data breach pursuant to Art. 33 GDPR. The controller had suffered a phishing attack in which an unauthorized third party gained access to an email account of a VIEC manager. As a result, the unknown third party also managed to access personal data such as health and biometric data of home residents. The DPA found this to be a breach of the principle of integrity and

Meta Platforms Ireland Limited: Insufficient technical and organisational measures to ensure information security

€265,000,000 fine - Data Protection Authority of Ireland

The Irish DPA has fined Meta Platforms Ireland Limited EUR 265 million. The DPA had launched an investigation against Meta in 2021 after media reports indicated that a dataset containing personal data from Facebook had been made available on a hacking platform. The data leak affected up to 533 million users with their data such as phone numbers and email addresses. As part of the investigation, the DPA reviewed and assessed the Facebook Search, Facebook Messenger Contact Importer and Instagram C

Meta Platforms, Inc.: Non-compliance with general data processing principles

€405,000,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has imposed a fine of EUR 405,000,000 on Meta Platforms, Inc. (Instagram). Following the investigation, the DPC submitted a draft decision under Art. 60 GDPR to other European supervisory authorities concerned. The initial draft proposed a fine of EUR 30-50 million. The DPC subsequently received objections from six supervisory authorities, which led to a dispute resolution procedure at the European Data Protection Board (EDPB) in Brussels. In its decision, the EDPB requested

Bank of Ireland: Insufficient technical and organisational measures to ensure information security

€463,000 fine - Data Protection Authority of Ireland

The Irish DPA has fined the Bank of Ireland EUR 463,000. The bank had reported 22 data breaches to the DPA under Article 33 GDPR. As part of its investigation, the DPA found that the bank had provided false information to the Central Credit Register due to a mix-up of bank customers' account data. This error had the potential to have a negative impact on the creditworthiness of the data subjects. The DPA found that the personal data breach had occurred due to inadequate technical and organizatio

Meta Platforms Ireland Limited: Insufficient technical and organisational measures to ensure information security

€17,000,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has imposed a fine of EUR 17 million on Meta Platforms Ireland Limited (former Facebook Ireland Limited). The decision is based on twelve notifications of data breaches that occurred between June 7, 2018 and December 4, 2018. The outcome of the DPC's investigation revealed that Meta had violated Article 5 (2) GDPR and Article 24 (1) GDPR. In the course of its investigation, the DPC found that Meta failed to demonstrate that it had taken appropriate technical and organizationa

Slane Credit Union Ltd.: Insufficient technical and organisational measures to ensure information security

€5,000 fine - Data Protection Authority of Ireland

The Irish DPA has imposed a fine of EUR 5,000 on Slane Credit Union Ltd. The controller had notified the DPA of a data breach in 2018. Due to an error in a search engine optimization tool installed on the controller's website, four reports of member inquiries containing personal member data were unintentionally published. The incident affected 76 members, including minors, and their personal data such as names, addresses, gender, birth dates, account numbers, etc. The DPA found that the controll

Limerick City and County Council: Insufficient fulfilment of data subjects rights

€110,000 fine - Data Protection Authority of Ireland

The Irish DPA has fined Limerick City and County Council EUR 110,000. As part of an investigation, the DPA conducted an audit of the processing of personal data by the council or on its behalf using video surveillance systems, automatic license plate recognition, body-worn cameras and other technologies that can be used to monitor individuals. In doing so, it found that the Council had violated a number of data protection laws in its use of the technologies. However, the fine was issued due to G

Irish Teacher Council: Insufficient technical and organisational measures to ensure information security

€60,000 fine - Data Protection Authority of Ireland

The Irish DPA has imposed a fine of EUR 60,000 on the Irish Teaching Council. The Council notified the DPA of a data breach under Art. 33 of the GDPR. Accordingly, two employees of the Council accessed a phishing email that allowed them to set up an automatic forwarding system from their email accounts to a malicious email account. As a result, 323 emails were forwarded to the unauthorized external email address between February 17, 2020 and March 6, 2020. The emails contained the personal data

Facebook Ireland Limited: Insufficient fulfilment of information obligations

Data Protection Authority of Ireland

The organization 'None of your business' (NOYB) published a draft decision of the Irish DPA (DPC) on October 13, 2021, which indicates that it proposes a fine between EUR 28 million and EUR 36 million against Facebook. The draft primarily addresses the fact that Facebook has included details on data processing in its terms of service, thus relying on Art. 6 (1) b) rather than on consent pursuant to Art. 6 (1) a) GDPR. Critics consider this a loophole used by Facebook to circumvent the stricter G

Vodafone Ireland Limited: Insufficient fulfilment of data subjects rights

€1,400 fine - Data Protection Authority of Ireland

The Irish DPA has fined Vodafone Ireland Limited EUR 1,400. Vodafone had in several cases sent marketing SMS and emails and made telephone calls without the consent of the data subjects. Despite several revocations by the data subjects, they continued to receive unsolicited advertising. In one case, a former customer had contacted Vodafone seven times and asked not to receive any more advertising calls on his cell phone. Despite his request, he continued to receive advertising calls. In another

WhatsApp Ireland Ltd.: Insufficient fulfilment of information obligations

€225,000,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has imposed a fine of EUR 225,000,000 on WhatsApp Ireland Ltd. The DPA had started extensive investigations into the messaging service's compliance with transparency obligations back in December 2018. In this context, the DPC investigated whether WhatsApp complied with its obligations under the GDPR regarding the provision of information and the transparency of this information to users and non-users of WhatsApp. In the course of the investigation, the DPC found that WhatsApp

MOVE Ireland: Insufficient technical and organisational measures to ensure information security

€1,500 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has fined the organization MOVE (Men Overcoming Violence) EUR 1,500. MOVE is a charity working in the field of domestic violence. The organization aims to support the safety and well-being of women and their children who have experienced violence in relationships. For this purpose, participants (men) come to weekly sessions in order to change their behavior. On February 3, 2021, the organization reported a data breach in accordance with Art. 33 GDPR. The organization stated t

Irish Credit Bureau DAC: Insufficient technical and organisational measures to ensure information security

€90,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has imposed a fine of EUR 90,000 on Irish Credit Bureau (ICB). The fine follows a data breach reported by the controller to the DPA on August 31, 2018. The controller is a credit reporting agency that maintains a database of credit contract performance between financial institutions and borrowers. The data breach occurred when the controller made a code change to its database that contained a technical error. As a result, between June 28, 2018 and August 30, 2018, the ICB dat

University College Dublin: Insufficient technical and organisational measures to ensure information security

€70,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) fined University College Dublin (UCD) EUR 70,000 due to seven personal data breaches. Unauthorized third parties were able to access UCD e-mail accounts, and login credentials for UCD e-mail accounts were posted online. It was found that the controller did not take appropriate technical and organisational measures to protect data security when processing personal data in its email service. In addition, the controller stored certain personal data in an email account in a form

Twitter International Company: Insufficient fulfilment of data breach notification obligations

€450,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) fined Twitter International Company EUR 450,000 for violating Art. 33 (1) GDPR and Art. 33 (5) GDPR for failing to notify the DPA in a timely manner of a data breach and not adequately documenting that breach. The data breach concerned the privacy settings of user posts on the social media platform Twitter. There, users have the option to set the visibility of their posts to private or public. Private posts can only be seen by subscribers of the respective user profile, while

Cork University Maternity Hospital: Insufficient technical and organisational measures to ensure information security

€65,000 fine - Data Protection Authority of Ireland

The "Data Protection Authority of Ireland" imposed a fine on Cork University Maternity Hospital (CUMH) after the personal data of 78 patients was discovered disposed of in a public recycling center. Among the documents disposed of, some contain special category personal data of six patients. It is believed that the breach at CUMH involves sensitive patient health data such as the medical history and future planned care programs.

Tusla Child and Family Agency: Insufficient technical and organisational measures to ensure information security

€85,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) fined Tusla Child and Family Agency EUR 85,000. The controller had reported 71 data breaches to the Irish DPA that occurred between May 25 and November 16, 2018, and concerned the unauthorized access of personal data processed by the controller. After a broad investigation, the DPA concluded that the controller failed to implement adequate technical and organizational measures to protect the data processing and thus violated Art. 32 (1) of the GDPR.

Tusla Child and Family Agency: Insufficient fulfilment of data breach notification obligations

€40,000 fine - Data Protection Authority of Ireland

The organization sent a letter with abuse allegations to a third party who then uploaded it to social networks.

Tusla Child and Family Agency: Insufficient legal basis for data processing

€75,000 fine - Data Protection Authority of Ireland

The company has erroneously disclosed personal data, including information about children, to unauthorized persons. In one case, the contact and location data of a mother and a child were disclosed to an alleged offender, and in two other cases, data about children in foster care were improperly disclosed to blood relatives, including in one case to a father in prison.