Precedent corpus / DPC (Ireland)

Bank of Ireland Group plc

DPC (Ireland) case IN-20-7-2, decided 2023-02-27. EUR 750,000.

What the regulator decided

A series of ten personal data breaches in the Bank of Ireland 365 mobile banking application resulted in unauthorised users gaining access to other customers' accounts; Bank of Ireland failed to implement appropriate technical and organisational measures to ensure the integrity and confidentiality of personal data, breaching Article 5(1)(f) GDPR and the security-of-processing obligation in Article 32(1) GDPR.

ConsentMark interpretation

Operator-readable note on how this case shapes the ConsentMark scanner narrative. Not a legal opinion; cites the primary source.

EUR 750k administrative fine plus reprimand and compliance order. Cite when the scanner narrative covers an authenticated-app authorisation bug that surfaces another customer's data in-session - the DPC frames this as Article 32(1) security, not Article 25 design.

Verification trail

Verified by
donal
Verified at
2026-05-27
Review due
2026-11-27
Cite this case

Pick the format that matches where you are pasting. The methodology version is preserved in every variant so the citation stays verifiable after future methodology changes.

BibTeX
@misc{consentmark-precedent-dpc-in-20-7-2,
  author       = {{ConsentMark}},
  year         = {2023},
  title        = {DPC (Ireland) IN-20-7-2 - Bank of Ireland Group plc},
  howpublished = {\url{https://www.consentmark.com/precedent/dpc-in-20-7-2}},
  note         = {ConsentMark methodology v1.3}
}
APA
ConsentMark. (2023, February 27). DPC (Ireland) IN-20-7-2 - Bank of Ireland Group plc. Methodology v1.3. https://www.consentmark.com/precedent/dpc-in-20-7-2
Markdown
[DPC (Ireland) IN-20-7-2 - Bank of Ireland Group plc - ConsentMark](https://www.consentmark.com/precedent/dpc-in-20-7-2)
Plain text
DPC (Ireland) IN-20-7-2 - Bank of Ireland Group plc - ConsentMark, 2023-02-27, methodology v1.3, https://www.consentmark.com/precedent/dpc-in-20-7-2