Changeflow GovPing Data Protection DPC Fines CDETB €125,000 for GDPR Data Breach
Urgent Enforcement Amended Final

DPC Fines CDETB €125,000 for GDPR Data Breach

DPC Press Releases (Ireland DPA)
Filed June 23rd, 2025
Detected February 11th, 2026
Email Set alert

Summary

The Irish Data Protection Commission (DPC) has fined the City of Dublin Education and Training Board (CDETB) €125,000 for a GDPR data breach. The inquiry found CDETB infringed multiple GDPR articles related to security measures, breach notification to the DPC, and notification to data subjects.

View original document View source feed page

What changed

The Irish Data Protection Commission (DPC) has issued a final decision imposing a €125,000 fine on the City of Dublin Education and Training Board (CDETB) following an inquiry into a personal data breach that occurred in November 2018. The breach involved the webserver retaining personal data of approximately 13,000 student grant applicants and the discovery of malware. The DPC found CDETB infringed Articles 5(1)(f), 32(1), 32(2), 33(1), and 34(1) of the GDPR for failing to implement appropriate security measures, notify the DPC promptly, and notify affected data subjects.

This decision highlights the critical importance for organisations, particularly public sector bodies, to conduct thorough risk assessments and implement robust technical and organisational measures to ensure data security. Regulated entities must also strictly adhere to their obligations for timely breach notification to both the DPC and affected data subjects. Failure to comply can result in significant financial penalties and reputational damage, as demonstrated by this case and previous DPC sanctions.

What to do next

  1. Review and update data security measures to ensure they are appropriate to the risks presented by personal data processing.
  2. Ensure prompt notification procedures are in place for data breaches to both the DPC and affected data subjects.
  3. Verify compliance with GDPR Articles 5(1)(f), 32, 33, and 34.

Penalties

Administrative fines totalling €125,000 and a reprimand.

Related changes

AEPD Fines ORNITOLÓGICA DE ANDALUCÍA FOA 131,801 Euros for GDPR Violation
Priority review Mar 07, 2026 AEPD Resolutions (Spain DPA) Data Protection
AEPD Archives Proceedings Against Orange Spain Regarding Portability
Priority review Mar 07, 2026 AEPD Resolutions (Spain DPA) Data Protection
GDPR Resolution Fines Company 1,400 Euros for Unsolicited Email
Priority review Mar 05, 2026 AEPD Resolutions (Spain DPA) Data Protection
Svoboda v. Amazon.com Inc. - Biometric Information Privacy Act Class Action
Priority review Mar 07, 2026 7th Circuit Court of Appeals Federal Courts
AP Warns Users: TikTok Continues to Send Personal Data to China
Priority review Mar 06, 2026 Dutch DPA News Data Privacy
Dutch DPA Cookie Policy Campaign
Routine Mar 06, 2026 Dutch DPA News Data Privacy

Source

DPC Press Releases (Ireland DPA) dataprotection.ie/en/news-media/press-releases
Data Protection
Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
Various DPAs (CNIL, BfDI, AEPD, etc.)
Filed
June 23rd, 2025
Instrument
Enforcement
Legal weight
Binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Educational institutions Government agencies
Geographic scope
Ireland

Taxonomy

Primary area
Data Protection
Operational domain
Compliance
Topics
GDPR Data Breach Public Sector Compliance

Browse Categories

Federal Courts 27 State Courts 105 Securities Regulation 2 Financial Regulation 24 Consumer Protection 2 Drug Safety 15 Data Protection 10 Competition 2 Attorneys General 3 Insurance Regulation 3 Trade & Export 38 Legislation 39 Government 98 Energy Regulation 6 Environment 3 Labor & Employment 2 Tax 1

Get Data Protection alerts

Weekly digest. AI-summarized, no noise.

Free. Unsubscribe anytime.