( DPC Inquiry Ref: Date of Decision: IN2072 )
Bank of Ireland (“BOI”) notified Data Protection Commission (“DPC”) about a series of 10 data breaches on its banking app “BOI365” . The data breach notification concerned concerned individual gaining unauthorized access to other people’s account via the BOI 365 app. The DPA, after investigation concluded that BOI has infringed its obligations under Articles 5(1) and 32 (1) of GDPR as it has failed to put sufficient technical and organizational measures to ensure security of personal data processed on BOI 365 app.
DPA ordered BOI to bring its processing into compliance with Articles 5(1)(f) and Article 32(1) of GDPR. Additionally, DPA imposed an administrative fine on BOI in the amount of €750,000 for infringing Article 5(1)(f) GDPR .