University of Limerick fined €98,000
The Irish Data Protection Commission (DPC) has fined the University of Limerick (UL) €98,000 following 12 personal data breaches that occurred between 2018 and 2020.
Six of the incidents resulted from successful phishing attacks that compromised staff email accounts, exposing a wide range of personal data relating to students, staff and third parties. The case provides detailed insights into the DPC’s expectations around security measures, record‑keeping and breach‑handling processes.
Following its inquiry, the DPC published its final decision, focusing on four main infringements:
The DPC found that UL’s security controls did not meet the standards required under articles 5(1)(f) and 32 GDPR. While UL had introduced several security tools, including a DNS firewall, Fortinet devices, email filtering and limited multi‑factor authentication (MFA), these measures were not sufficient to mitigate the risks.
Key weaknesses identified included:
These findings highlight the importance of proactive and fully implemented technical controls, supported by mandatory training and up‑to‑date governance documentation.
Under article 30 GDPR, organisations must maintain a complete and accurate RoPA. The DPC found that UL’s RoPA lacked:
These omissions undermined UL’s ability to demonstrate compliance and maintain oversight of high‑risk processing.
The GDPR requires controllers to notify supervisory authorities of personal data breaches within 72 hours. UL failed to meet this requirement in multiple cases, including one breach reported 10 days after discovery.
The DPC rejected internal communication delays as a justification, noting that:
This finding reinforces that timely breach notification is a strict obligation and cannot be deferred for operational reasons.
Where a breach poses a high risk to individuals, article 34 requires organisations to notify affected data subjects without undue delay. UL failed to do so in three cases.
In one example, UL identified a breach as high risk in March 2019 but did not notify affected individuals until September 2019, waiting for the outcome of an external investigation. The DPC acknowledged the value of thorough investigations but stressed that they must not delay individuals’ ability to take protective steps such as resetting passwords or monitoring accounts.
The DPC imposed a €98,000 fine, noting that UL’s cooperation, acceptance of responsibility and proactive improvements to systems, policies and training helped reduce the final amount. The case reinforces the importance of:
These findings serve as a reminder that both technical controls and organisational processes must operate effectively and consistently to meet GDPR requirements.