Decisions
Inquiry into a Consultancy Provider
Area: Health sector - private
Topic: Data security
DPC Reference: IN-20-4-8
Decision Date: 24 January 2022
This inquiry was commenced in respect of a personal data breach that the Personal Injuries Assessment Board (‘PIAB’) reported to the Data Protection Commission on 10 December 2019. PIAB is an independent statutory body that deals with personal injury claims. The personal data breach occurred when a Consultancy Provider sent an unencrypted USB storage device, containing personal data, to PIAB, despite PIAB expressly stating that the data was not to be sent. The Inquiry considered whether the Consultancy Provider had complied with its obligation to implement an appropriate level of security under Article 32 GDPR.
- The decision found that the Consultancy Provider had infringed Article 32(1) GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of personal data.
The corrective powers exercised:
- The decision issued the Consultancy Provider with a reprimand in respect of the infringement.
Inquiry into Virtue Integrated Elder Care Ltd (VIEC)
Area: Health sector - private
Topic: Data protection by design and default
DPC Reference: IN-21-2-5
Decision Date: 20 December 2022
The inquiry was commenced after VIEC notified a personal data breach to the DPC on 19 August 2020. VIEC operates and manages five nursing homes on the Southside of Dublin and in County Louth. The data breach notification concerned an unknown actor who gained access to a VIEC manager email account by way of a phishing attack and set up mail forwarding rules to an external account. As a result of this, the personal data of residents, including special category data such as health and biometric data, was accessed by the unknown actor.
The decision considered whether VIEC had complied with Articles 5(1)(f) and 32(1) GDPR and, in particular, whether VIEC had implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with its processing operations.
The decision found that VIEC had infringed its obligations under Articles 5(1) and 32(1) GDPR. The processing by VIEC of personal and special category data on its email system prior to the phishing attack, without adequate security measures, placed such data at risk of being unlawfully accessed.
The corrective powers exercised:
- The decision issued VIEC with a reprimand in respect of the infringements.
- The decision ordered VIEC to bring its processing into compliance with Articles 5(1)(f) and 32(1) of the GDPR.
- The decision imposed an administrative fine on VIEC in the amount of €100,000 in respect of the infringement of Article 5(1)(f) GDPR.