European Data Protection Board logo
Close menu

Irish SA Imposes €125,000 Administrative fine following Inquiry into City of Dublin Education and Training Board (CDETB)

  • National News
  • ie

Background information

  • Date of final decision: 23 June 2025
  • National case
  • Controller: City of Dublin Education and Training Board (CDETB)
  • Legal Reference (s): Article 5 (Principles relating to processing of personal data), Article 32 (Security of processing),  Article 33 (Notification of a personal data breach to the supervisory authority),  Article 34 (Communication of a personal data breach to the data subject)
  • Decision: Administrative fine, Reprimand
  • Key words: Personal data breach, Sensitive data, Biometrics

Summary of the Decision

Origin of the case

The Irish Supervisory Authority (SA) commenced this inquiry on an own-volition basis in July 2019. The inquiry related to a personal data breach notified by the City of Dublin Education and Training Board (CDETB) in November 2018, following CDETB’s discovery that its webserver was retaining the personal data of student grant applicants who had uploaded information related to their grant applications through CDETB’s website, as well as the discovery of malware on the webserver.

 

Key Findings 

The Irish SA’s Decision found CDETB:

  • Infringed Articles 5(1)(f), 32(1) and 32(2) GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of personal data on its website, and by failing to assess the appropriate level of security,
  • Infringed Article 33(1) GDPR by failing to notify the DPC of the breach without undue delay,
  • Infringed Article 34(1) GDPR by failing to notify the affected data subjects of the breach without undue delay, and

  • Infringed Article 34(4) GDPR by failing to communicate the breach to data subjects when required to do so by the DPC.

     

Decision 

The Irish SA reprimanded CDETB, imposed administrative fines totalling €125,000 and ordered CDETB to bring its processing into compliance with the security requirements of the GDPR.


For further information: 

Latest news

  • EDPB News

EDPB gets a new look: discover the new website and brand identity

  • EDPB News

Coordinated Supervision Committee extends scope to include Eurodac

  • EDPB News

EDPB träffar EU-kommissionär McGrath och antar gemensam mall för anmälan av dataintrång

Alla nyheter