Irish SA Imposes €125,000 Administrative fine following Inquiry into City of Dublin Education and Training Board (CDETB)

1 July 2025

Background information

  • Date of final decision: 23 June 2025
  • National case
  • Controller: City of Dublin Education and Training Board (CDETB)
  • Legal Reference (s): Article 5 (Principles relating to processing of personal data), Article 32 (Security of processing),  Article 33 (Notification of a personal data breach to the supervisory authority),  Article 34 (Communication of a personal data breach to the data subject)
  • Decision: Administrative fine, Reprimand
  • Key words: Personal data breach, Sensitive data, Biometrics

Summary of the Decision

Origin of the case

The Irish Supervisory Authority (SA) commenced this inquiry on an own-volition basis in July 2019. The inquiry related to a personal data breach notified by the City of Dublin Education and Training Board (CDETB) in November 2018, following CDETB’s discovery that its webserver was retaining the personal data of student grant applicants who had uploaded information related to their grant applications through CDETB’s website, as well as the discovery of malware on the webserver.

 

Key Findings 

The Irish SA’s Decision found CDETB:

  • Infringed Articles 5(1)(f), 32(1) and 32(2) GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of personal data on its website, and by failing to assess the appropriate level of security,
  • Infringed Article 33(1) GDPR by failing to notify the DPC of the breach without undue delay,
  • Infringed Article 34(1) GDPR by failing to notify the affected data subjects of the breach without undue delay, and

  • Infringed Article 34(4) GDPR by failing to communicate the breach to data subjects when required to do so by the DPC.

     

Decision 

The Irish SA reprimanded CDETB, imposed administrative fines totalling €125,000 and ordered CDETB to bring its processing into compliance with the security requirements of the GDPR.


For further information: 

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.