Bank of Ireland Fined by the Data Protection Commissioner – Civil Cases may follow

Overview

Bank of Ireland Group PLC (the Bank) has been fined €463,000.00 by the Data Protection Commissioner (DPC) after an investigation concluded that the personal data of approximately 47,000 customers had been breached, the DPC said.

The investigation related to 22 personal data breach notifications that the Bank reported to the DPC between the 9th November 2018 and 27 June 2019. The data breach incidents relate to unauthorised and inaccurate disclosures of customers' personal data to the Central Credit Register (CCR) – the Central Bank's centralised finance database that collects and stores personal credit information on loans of €500.00 or more. The CCR processes financial data provided by the Bank and prepares credit reports for both borrowers and lenders to assist banks in deciding whether to approve an application for a loan.

The DPC decision highlighted a number of incidents where the bank had submitted incorrect information to the CCR which indicated that certain customers were in financial distress.

The 14th March 2022 decision found that the Bank’s reporting of inaccurate information to the CCR had breached a number of provisions of the General Data Protection Regulation (GDPR). The decision found infringements of the following provisions:

  1. Article 33 of the GDPR, which requires controllers to report personal data breaches to the DPC in certain circumstances, was infringed by BOI in respect of 17 of the incidents reported. Article 33(1) was infringed by BOI’s failure to report the personal data breach without undue delay. Article 33(3) was also infringed by BOI’s failure to provide sufficient detail to the DPC in respect of some personal data breach incidents.
  2. Article 34 of the GDPR, which requires controllers to report personal data breaches to data subjects in certain circumstances, was infringed by BOI in respect of 14 of the incidents reported. The infringements concerned a failure by BOI to issue communications to data subjects without undue delay in circumstances where the personal data breaches were likely to result in a high risk to the data subjects’ rights and freedoms.
  3. Article 32(1) of the GDPR was infringed by BOI by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of customer data in transferring information to the CCR.

Impact of the Decision

As highlighted above, the Bank has been fined €463,000.00 by the DPC. The DPC decision concluded by saying that it was satisfied that the fines imposed are effective, proportionate and dissuasive, taking into account all of the circumstances of the inquiry.

Despite the fine, it is probable that some of the customers impacted by the data breach may bring civil actions for damages against the Bank for the GDPR breaches.

Can I Bring a Case?

If you have recently received correspondence from the Bank advising you of a breach of your personal data or if you have received confirmation from the Bank advising you of an incorrect credit rating report, you may have been impacted by this breach.

Lawlor Kiernan LLP have extensive experience in Data Breach litigation and we have successfully prosecuted and obtained Damages for clients arising out of data breaches by various Financial Institutions including Bank of Ireland.

In 2017, our firm obtained a settlement in the sum of €110,000.00 on behalf of a client. In that case, Bank of Ireland wrongfully and unlawfully processed the Plaintiff’s personal information without his consent and disclosed his personal data to a third party.

If you feel you may have been impacted by the recent Bank of Ireland Data Breach or if you would like further information in relation to bringing a data protection case, please contact info@lawlorkiernan.ie.