We use cookies to collect and analyse information on site performance and usage to improve and customise your experience, where applicable. View our Cookies Policy. Click Accept and continue to use our website or Manage to review and update your preferences.


BoI rapped over breaches of GDPR rules
Pic: RollingNews.ie

05 Apr 2022 regulation Print

BoI rapped over breaches of GDPR rules

The Data Protection Commissioner (DPC) has handed Bank of Ireland a fine of €463,000 and reprimanded it for a number of breaches of GDPR data-privacy rules.

Bank of Ireland had notified the watchdog of 22 incidents linked to information provided to the Central Credit Register (CCR) – a centralised system that collects and securely stores information about loans.

The incidents, which took place in 2018 and 2019, included unauthorised disclosures of customers' personal data to the CCR, and accidental alterations of customers’ personal data.

A DPC investigation found that 19 of the incidents amounted to a ‘personal data breach’ under GDPR rules.

BoI to make changes

In 17 cases, the bank failed to report the breaches “without undue delay”, or without sufficient detail.

In 14 incidents, the watchdog found that Bank of Ireland had failed to contact individuals quickly enough, in circumstances where the breaches were likely to result in a high risk to the data subjects’ rights and freedoms.

The DPC also found that the bank had failed to implement appropriate measures to ensure a level of security appropriate to the risk presented by its processing of customer data in transferring information to the CCR.

The watchdog has ordered Bank of Ireland to make a number of changes to its technical and organisational measures.

Bank of Ireland said it fully acknowledged and sincerely apologised for the breaches.

"The bank takes its regulatory and compliance obligations very seriously, and regrets that it has fallen short in this way," the bank said in a statement.

Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland

Copyright © 2024 Law Society Gazette. The Law Society is not responsible for the content of external sites – see our Privacy Policy.