University of Limerick Fined €98,000 for GDPR Data Breaches
Summary
The Data Protection Commission has published its final decision following an own-volition inquiry into University of Limerick, finding multiple GDPR violations arising from personal data breaches that occurred between November 2018 and January 2020. The DPC reprimanded University of Limerick and imposed administrative fines totalling €98,000 for failing to implement appropriate security measures, delay in informing affected persons of high-risk breaches, non-compliance with records of processing activity requirements, and untimely breach reporting to the DPC.
“The DPC reprimanded University of Limerick and imposed administrative fines totalling €98,000.”
Educational institutions processing personal data on a large scale should treat this enforcement as a reference point for three specific compliance gaps: (1) maintaining complete Article 30 records of processing activities from the outset of any data processing operation; (2) meeting the 72-hour DPC notification window under Article 33; and (3) immediately notifying affected individuals when a breach is deemed high-risk under Article 34. Universities with similar breach histories should conduct gap analyses against Articles 5, 30, 32, 33, and 34.
About this source
GovPing monitors Ireland Data Protection Commission News for new data privacy & cybersecurity regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 3 changes logged to date.
What changed
The DPC's final decision finds University of Limerick violated four GDPR provisions: Articles 5(1)(f) and 32(1) for failing to implement appropriate technical and organisational security measures; Article 34(1) for failing to inform affected persons of high-risk breaches without undue delay in three cases; Article 30(1) for incomplete records of processing activity; and Article 33(1) for failing to report three breach notifications to the DPC without undue delay. The fine amount reflects mitigation for the university's acceptance of the majority of findings and proactive remediation steps taken to improve systems, training, and policies.
Higher education institutions and organisations processing personal data should review their data security technical and organisational measures, verify that breach notification procedures to both the supervisory authority and affected individuals meet statutory timelines, and ensure records of processing activities are fully compliant with Article 30 requirements.
Penalties
€98,000 in administrative fines
Archived snapshot
Apr 22, 2026GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
The Data Protection Commission Publishes Final Decision Following Inquiry into University of Limerick
02nd March 2026
The Data Protection Commission (DPC) has published its final decision following an inquiry into a personal data breach in University of Limerick.
This decision arises from an own-volition inquiry into the University of Limerick following a series of personal data breaches that occurred between November 2018 and January 2020.
The DPC assessed University of Limerick’s technical and organisational measures for ensuring the security of personal data that it processed, and also examined compliance with the controller’s obligation to notify breaches promptly
The DPC’s decision finds that University of Limerick:
- did not implement appropriate technical and organisational measures to ensure the security of personal data as required by Articles 5(1)(f) and 32(1) GDPR,
- failed in three cases to inform persons affected by a high-risk breach without undue delay in accordance with Article 34(1) GDPR,
- did not fully comply with the requirements of Article 30(1) GDPR in its initial record of processing activity.
- did not report three breach notifications without undue delay in accordance with Article 33(1) GDPR. The DPC reprimanded University of Limerick and imposed administrative fines totalling €98,000.
The DPC commends University of Limerick’s engagement with the DPC since being presented with the DPC’s proposed findings in a draft version of its decision. The final administrative fines reflect the mitigation occasioned by University of Limerick accepting the majority of the findings in the draft decision, acknowledging responsibility for significant infringements, and proactively taking steps to improve its systems, training, and policies, in order to reduce the likelihood of similar breaches occurring in the future.
Named provisions
Parties
Related changes
Get daily alerts for Ireland Data Protection Commission News
Daily digest delivered to your inbox.
Free. Unsubscribe anytime.
Source
About this page
Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission
Source document text, dates, docket IDs, and authority are extracted directly from DPC.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.
Classification
Who this affects
Taxonomy
Browse Categories
Get alerts for this source
We'll email you when Ireland Data Protection Commission News publishes new changes.
Subscribed!
Optional. Filters your digest to exactly the updates that matter to you.