The Data Protection Commission (DPC) yesterday published its final decision following an own-volition inquiry into the breaches, which occurred between November 2018 and January 2020.

The DPC assessed University of Limerick’s technical and organisational measures for ensuring the security of personal data that it processed, and also examined compliance with the controller’s obligation to notify breaches promptly.

The watchdog found that the university did not implement appropriate technical and organisational measures to ensure the security of personal data as required by Articles 5(1)(f) and 32(1) GDPR.

It failed in three cases to inform persons affected by a high-risk breach without undue delay in accordance with Article 34(1) GDPR.

The university did not fully comply with the requirements of Article 30(1) GDPR in its initial record of processing activity.

It also did not report three breach notifications without undue delay in accordance with Article 33(1) GDPR.

The DPC reprimanded University of Limerick and imposed administrative fines totalling €98,000.

In a statement, the DPC said it “commends University of Limerick’s engagement with the DPC since being presented with the DPC’s proposed findings in a draft version of its decision”.

“The final administrative fines reflect the mitigation occasioned by University of Limerick accepting the majority of the findings in the draft decision, acknowledging responsibility for significant infringements, and proactively taking steps to improve its systems, training, and policies, in order to reduce the likelihood of similar breaches occurring in the future,” it said.