Ireland DPC Decisions

GovPing monitors Ireland DPC Decisions for new data privacy & cybersecurity regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 3 changes logged to date.

Thursday, April 23, 2026

DPC Finds Microsoft Ireland Operations Limited Infringed GDPR Articles 12(4) and 5(1)(a)

On 1 September 2025, the DPC adopted a decision finding Microsoft Ireland Operations Limited infringed Article 12(4) of the GDPR by failing to inform a complainant of their right to lodge a complaint with a supervisory authority and seek judicial remedy following an access request. The DPC also found Microsoft infringed Article 5(1)(a) (lawfulness, fairness and transparency) in its handling of the access request and decision to delete the complainant's data. The DPC issued a reprimand pursuant to Article 58(2)(b) and ordered Microsoft to revise its policies and procedures regarding data retention for terminated accounts, permanent deletion circumstances, and appeals processes.

Priority review Enforcement Data Privacy

DPC Fines University of Limerick €98,000 Over 12 Phishing-Related Data Breaches

The Data Protection Commission issued its decision IN-19-7-1 on 10 December 2025, finding University of Limerick liable for multiple GDPR infringements following 12 personal data breaches between November 2018 and January 2020. In six breaches, unauthorised persons accessed UL staff email accounts via phishing attacks, with some setting up forwarding rules to divert emails with specified keywords. The compromised accounts contained identity information, PPS numbers, bank details, medical and legal documentation, and HR records. The DPC imposed total administrative fines of €98,000 across four categories and issued a reprimand pursuant to Article 58(2)(b) GDPR.

Priority review Enforcement Data Privacy

DSP Fined €550,000 for Unlawful Biometric Facial Template Processing Under SAFE 2 Registration

The DPC completed Inquiry IN-21-7-3 concerning the Department of Social Protection's processing of biometric facial templates under SAFE 2 registration for the Public Services Card. The inquiry found the DSP failed to establish a valid lawful basis for collecting special-category biometric data, unlawfully retained such data, violated transparency obligations, and produced an inadequate Data Protection Impact Assessment. The DPC imposed administrative fines totalling €550,000, issued a formal reprimand, and ordered the DSP to cease processing biometric data within nine months unless a valid lawful basis is established.

Priority review Enforcement Data Privacy
