Details:
| Summary | The Irish DPA has imposed a fine of EUR 60,000 on the Irish Teaching Council. The Council notified the DPA of a data breach under Art. 33 of the GDPR.
Accordingly, two employees of the Council accessed a phishing email that allowed them to set up an automatic forwarding system from their email accounts to a malicious email account. As a result, 323 emails were forwarded to the unauthorized external email address between February 17, 2020 and March 6, 2020. The emails contained the personal data of 9,735 data subjects and the sensitive personal data of one data subject. The DPA therefore found that the Council had failed to implement appropriate technical and organizational measures to ensure a level of protection for data subjects’ personal data commensurate with the risk. In addition, the DPA found that the Council failed to report the data breach in a timely manner. |
| Link: | link |
| Related articles: | Art. 5 (1) GDPR, Art. 32 (1) GDPR, Art. 33 GDPR |
| Type: | Insufficient technical and organisational measures to ensure information security |
| Fine: | EUR 60,000 |
| Sector | Public Sector and Education |
All data is based on The CMS’s Law GDPR Enforcement Tracker Source: https://www.enforcementtracker.com/