Precedent corpus / DPC (Ireland)
Bank of Ireland Group plc
DPC (Ireland) case IN-20-7-2, decided 2023-02-27. EUR 750,000.
What the regulator decided
A series of ten personal data breaches in the Bank of Ireland 365 mobile banking application resulted in unauthorised users gaining access to other customers' accounts; Bank of Ireland failed to implement appropriate technical and organisational measures to ensure the integrity and confidentiality of personal data, breaching Article 5(1)(f) GDPR and the security-of-processing obligation in Article 32(1) GDPR.
Primary source
Regulator-owned URL. Quote this in legal briefs and academic citations.
https://www.dataprotection.ie/sites/default/files/uploads/2023-03/Final%20Decision%20IN-20-7-2%20Bank%20of%20Ireland%20%28BOI%29%20365.pdfArchived snapshot
Wayback Machine snapshot of the primary source. Use this when the regulator URL might be refactored or expire.
https://web.archive.org/web/20260428141316/https://www.dataprotection.ie/sites/default/files/uploads/2023-03/Final%20Decision%20IN-20-7-2%20Bank%20of%20Ireland%20%28BOI%29%20365.pdfConsentMark interpretation
Operator-readable note on how this case shapes the ConsentMark scanner narrative. Not a legal opinion; cites the primary source.
EUR 750k administrative fine plus reprimand and compliance order. Cite when the scanner narrative covers an authenticated-app authorisation bug that surfaces another customer's data in-session - the DPC frames this as Article 32(1) security, not Article 25 design.
Verification trail
- Verified by
- donal
- Verified at
- 2026-05-27
- Review due
- 2026-11-27
Cite this case
Pick the format that matches where you are pasting. The methodology version is preserved in every variant so the citation stays verifiable after future methodology changes.
@misc{consentmark-precedent-dpc-in-20-7-2,
author = {{ConsentMark}},
year = {2023},
title = {DPC (Ireland) IN-20-7-2 - Bank of Ireland Group plc},
howpublished = {\url{https://www.consentmark.com/precedent/dpc-in-20-7-2}},
note = {ConsentMark methodology v1.3}
}ConsentMark. (2023, February 27). DPC (Ireland) IN-20-7-2 - Bank of Ireland Group plc. Methodology v1.3. https://www.consentmark.com/precedent/dpc-in-20-7-2[DPC (Ireland) IN-20-7-2 - Bank of Ireland Group plc - ConsentMark](https://www.consentmark.com/precedent/dpc-in-20-7-2)DPC (Ireland) IN-20-7-2 - Bank of Ireland Group plc - ConsentMark, 2023-02-27, methodology v1.3, https://www.consentmark.com/precedent/dpc-in-20-7-2