Maynooth University fined €40,000 over GDPR breach
Maynooth University has been fined €40,000 following a personal data breach.
The Data Protection Commission (DPC) last week announced its final decision in an inquiry which it commenced on an own-volition basis in July 2019.
The inquiry related to a personal data breach notified by Maynooth University in November 2018, which affected the email accounts of university employees and allowed unauthorised persons to gain control of up to six accounts.
The unauthorised persons used control of one account to assist in the commission of a fraud, leading to a financial loss by one of the persons affected.
The DPC assessed Maynooth University’s technical and organisational measures for ensuring the security of personal data that it processed, and also examined compliance with the controller’s obligation to notify breaches promptly.
In its decision, the DPC found that the university infringed Articles 5(1)(f) and 32 GDPR by failing to ensure appropriate security of the personal data that it processed and to implement appropriate technical and organisational measures to ensure such security, and infringed Article 33(1) GDPR by failing to notify the DPC of the data breach within 72 hours.
The DPC reprimanded Maynooth University, imposed administrative fines totalling €40,000 and ordered the university to bring its processing into compliance with the security requirements of the GDPR.
In a statement, the DPC said: “It is vitally important that organisations ensure that personal data is processed in a manner that ensures appropriate security, through the implementation of the necessary technical and organisational measures required under the GDPR.
“Data controllers must also ensure that they comply with their statutory obligation to notify the Data Protection Commission without undue delay once they become aware that a personal data breach has occurred.
“The DPC will publish the full decision and further related information in due course.”