
DPC Enforcement Update: Lessons from PTSB, University of Limerick and the LinkedIn Appeal

Friday, 22 May 2026

Recent Data Protection Commission decisions involving Permanent TSB, the University of Limerick and LinkedIn provide important guidance for data controllers and processors. The decisions confirm that security obligations are active and continuous, that breach notification failures attract separate and additional penalties, and that early and constructive engagement with the DPC following a breach can have a measurable impact on enforcement outcomes. The LinkedIn judgment clarifies how DPC decisions can be appealed in Irish courts. Byrne Wallace Shields' Sean O'Donnell and Saidhbhe Corbett provide full analysis of the decisions below. 


Announcement of Fine Imposed on Permanent TSB

On 8 May 2026 the Data Protection Commission announced its final decision in an inquiry involving Permanent TSB (PTSB) following a series of personal data breaches first reported in May 2022. The breaches involved malicious actors impersonating customers at PTSB's Open24 Contact Centre, exploiting failures in security protocols to access accounts and amend customer details, resulting in financial loss for some customers.
The DPC found that PTSB infringed the following GDPR articles: 
  • Article 5(1)(f) - breach of the integrity and confidentiality principle, by failing to ensure appropriate security for customer account data;
  • Article 32(1) - failure to implement adequate technical and organisational measures to protect personal data processed through the Open24 Contact Centre; and
  • Article 33(1) - failure to notify the DPC without undue delay and within the required 72-hour timeframe upon becoming aware of the breaches.
PTSB were reprimanded and fined €250,000 for the Article 5(1)(f) and 32(1) infringements and a further €27,500 for the Article 33(1) infringement. 
This decision against Permanent TSB is, in many respects, a familiar one. Appropriate technical and organisational measures must be actively maintained, regularly reviewed, and stress-tested against real-world threats, including social engineering attacks of the kind that gave rise to these breaches. Equally, the fine imposed for the failure to notify the DPC within 72 hours underscores that timely breach notification is a distinct and necessary obligation. When a breach occurs, or is suspected, organisations must act swiftly to ensure regulatory obligations are met without delay. 

High Court Issues Decision in LinkedIn Appeal 

Judgment was delivered on 20 April 2026 in High Court proceedings arising from an appeal by LinkedIn against a decision of the DPC to impose corrective measures, including a fine totalling €310 million. 
This judgment concerns preliminary issues relating to the scope of LinkedIn’s appeal and the appropriate statutory appeal framework.
Appeal Route
The Court held that section 142 of the Data Protection Act 2018 (the “2018 Act”) is confined to appeals against a decision to impose an administrative fine, and does not extend to infringement findings, which must be appealed under section 150. However, the Court confirmed that a fining decision also constitutes a "legally binding decision" under section 150(5), meaning a controller may choose to appeal a fine under either route, and can challenge the underlying infringement and the associated fine within a single set of proceedings.
Standard of Review
On the applicable standard of review, the Court rejected the DPC's submission that the appeal should be governed by the "serious and significant error" test established in Orange Ltd v Director of Telecoms (No. 2) [2000] 4 I.R. 159, finding that the breadth of the court's statutory powers — including the express power to replace the DPC's decision with one the court considers just and appropriate — points to a more fulsome form of appeal. Accordingly, the Court found that the form of appeal provided for in section 142 is an appeal on the record. 
The Court also held that deference to the DPC is issue-specific: significant weight may be afforded by the trial judge to matters which are within the DPC's areas of expertise, but there is no deference on questions of law or errors of fact, and no presumption of correctness attaches to the DPC's decision. This applies equally to an appeal pursuant to section 142 or section 150(5). 
New Evidence
Whilst section 142(2) expressly permits new evidence and arguments on appeal of a financial sanction, the Court held that the appellate court also retains a discretion under section 150(5) to admit new evidence where necessary in the interests of justice, albeit the threshold under section 142 may be somewhat lighter than that under section 150(5), given there is specific statutory provision governing this question in section 142(2). 

This judgment is a significant procedural milestone and provides helpful clarity on the statutory appeal framework for challenging DPC decisions before the Irish courts.

Publication of Decision following University of Limerick Inquiry 

The DPC published its final decision on 2 March 2026 following an own-volition inquiry into a series of personal data breaches at the University of Limerick (UL), occurring between November 2018 and January 2020.
The DPC's inquiry focused on UL's technical and organisational measures for protecting personal data, as well as its compliance with breach notification obligations. The DPC found UL infringed four separate GDPR obligations:
  • Articles 5(1)(f) and 32(1) – failure to implement appropriate technical and organisational measures to ensure the security of personal data;
  • Article 34(1) – failure, in three cases, to inform affected individuals of a high-risk breach without undue delay;
  • Article 33(1) – failure to report three breach notifications to the DPC without undue delay; and
  • Article 30(1) – failure to fully comply with record of processing activity requirements.
UL were reprimanded and fined €98,000 for these infringements. 
Of particular note is the DPC’s acknowledgment of UL's positive engagement with the inquiry process, noting that the final fine reflects mitigation arising from UL accepting the majority of findings, acknowledging responsibility, and proactively taking steps to improve its systems, training, and policies.
This decision also highlights the distinction between notifying the DPC under Article 33 and notifying affected individuals under Article 34. Both are separate obligations, each with their own strict timelines, and failures across both will attract separate findings and penalties.
The acknowledgement by the DPC of UL's co-operative approach and remediation efforts offers a constructive lesson: when a breach occurs, the appropriate response can involve more than simply prompt remedial action and transparency — genuine engagement and improvement can have a tangible impact on the outcome of enforcement proceedings.

Notable Implications for Data Controllers and Processors

  1. Security is a live, continuous obligation. The PTSB decision confirms that Articles 5(1)(f) and 32(1) require technical and organisational measures to be actively maintained and stress-tested against the threats that actually materialise, including social engineering threats.
  2. Notification is its own exposure. Article 33 (DPC) and Article 34 (affected individuals) are discrete obligations with separate reporting timeframes and separate penalties; both PTSB and UL were fined for notification failures on top of the underlying security findings.
  3. Post-incident response has measurable consequences. The DPC acknowledged UL's "positive engagement". The practical lesson is that cooperation has a measurable cash value in the size of the eventual fine. Similarly, the LinkedIn judgment confirms that a full appeal on the record - with no presumption of correctness attaching to the DPC on questions of law or fact - is available, permitting an organisation to challenge both the infringement finding and the fine in a single set of proceedings.
Seán O’Donnell advises corporate and public sector clients on Data Protection Law investigations and compliance and in particular in relation to Data Security Breaches and Data Access Requests. For further information on DPC developments, please contact Partner Sean O'Donnell or Associate Saidhbhe Corbett from the Litigation and Regulation Team.