
GDPR: 3 years on – the value of prompt corrective action in mitigating administrative fines

Today marks the third anniversary of the General Data Protection Regulation (GDPR) coming into application.

Earlier this year, the Data Protection Commission (DPC) published its 2020 Annual Report; our recent article outlines a snapshot of its key highlights.

In this article, Alison Kelleher, Partner, Comyn Kelleher Tobin, outlines the recently published decision of the DPC following a data breach at Irish Credit Bureau (ICB) in August 2018.

Background

ICB is a credit reference agency that maintains an extensive database on the performance of credit agreements between approximately 280 member financial institutions and their borrowers. ICB generates credit reports and credit scores on borrowers from this database, which processes on average 3.5 million updates a month and which financial institutions rely on when deciding applications for credit.

During an IT upgrade in the summer of 2018, ICB inaccurately updated the records of 15,120 closed accounts.

Following an internal investigation, ICB discovered that it had disclosed 1,062 of the inaccurate account records to financial institutions or data subjects before the issue was fixed.

Although the inaccurate records stated that the accounts had been closed more recently than they actually had been, none wrongly stated that a balance was outstanding on the accounts.

The Commissioner found that:

  • ICB infringed Article 25(1) of the GDPR by failing to implement appropriate technical and organisational measures designed to implement the principle of accuracy in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects.
  • ICB infringed Articles 5(2) and 24(1) of the GDPR by failing to demonstrate compliance with its obligation, pursuant to Article 25(1) of the GDPR, to undertake appropriate testing of proposed changes to its database.
  • ICB did not infringe Article 26(1) of the GDPR in circumstances where the ICB members are not joint controllers in respect of ICB’s database.

The DPC imposed an administrative fine of €90,000 and a reprimand in respect of the infringements.

In reaching this decision the DPC provided an interesting narrative of how this figure was reached.

  • The DPC noted that the first step is to establish the permitted range (here the lower tier, with a maximum of €10 million or 2% of turnover) and to locate the infringement within that range by reference to its nature, gravity and duration. Noting that these decisions are made with the objective of re-establishing compliance, including through deterrence, the DPC found that an appropriate starting figure was in the region of €220,000.
  • The second step is to apply any mitigating factors to reduce the fine. The DPC found that the mitigating factors warranted a significant reduction of €130,000 in this case, giving a total fine of €90,000, noting in particular:
    • the action taken by ICB to mitigate the damage suffered by the data subjects,
    • ICB’s lack of previous infringements,
    • ICB’s cooperation with the DPC to remedy the infringement and to mitigate its adverse effects, and
    • the implementation of a comprehensive change management process for future IT upgrades.
  • Finally, the DPC noted that the third step is to consider whether the figure arrived at is “effective, proportionate and dissuasive” in the circumstances in accordance with Article 83(1) of the GDPR.

Having reviewed the measures ICB implemented in the aftermath of the breach, the DPC noted that appropriate safeguarding measures had been taken and that it was not necessary for the decision to order ICB to take specific action to bring its processing operations into compliance with the GDPR.
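The defect at the heart of the decision (an upgrade that silently rewrote the closure dates of thousands of closed accounts, noticed only after the records had been disclosed) is exactly what pre-release accuracy testing of a database change is meant to catch. The following Python example is added here as an illustration and is not ICB's code, schema or change management process; it assumes a hypothetical `accounts` table and uses an in-memory SQLite database with constructed sample rows. It shows a guarded migration: snapshot the fields of every already-closed account that the change has no business touching, run the change inside a transaction, and commit only if none of those records drifted, otherwise roll back and report the affected accounts.

```python
import sqlite3

# Constructed sample data (hypothetical; not ICB's schema or records).
# Columns: account_id, status, closed_date, balance
# A5 is a dormant open account with a zero balance that the upgrade is meant to close.
SEED_ROWS = [
    ("A1", "closed", "2015-03-01", 0),
    ("A2", "closed", "2017-11-30", 0),
    ("A3", "open",   None,         1200),
    ("A4", "closed", "2016-06-15", 0),
    ("A5", "open",   None,         0),
]


def make_db():
    """Create an in-memory database seeded with the constructed rows.
    isolation_level=None puts the connection in autocommit mode, so the
    transaction boundaries in guarded_upgrade() are explicit."""
    con = sqlite3.connect(":memory:", isolation_level=None)
    con.execute(
        "CREATE TABLE accounts (account_id TEXT PRIMARY KEY, status TEXT, "
        "closed_date TEXT, balance INTEGER)"
    )
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", SEED_ROWS)
    return con


def snapshot_closed(con):
    """Invariant view of every closed account: status, closure date and balance.
    An upgrade that does not target closed accounts must leave all of these unchanged."""
    rows = con.execute(
        "SELECT account_id, status, closed_date, balance FROM accounts "
        "WHERE status = 'closed' ORDER BY account_id"
    )
    return {acct: (status, closed_date, balance) for acct, status, closed_date, balance in rows}


def buggy_upgrade(con):
    """Hypothetical defect: the WHERE clause forgets to exclude accounts that are
    already closed, so every zero-balance account is re-stamped with today's date
    as its closure date (closed accounts now look closed more recently than they were)."""
    con.execute(
        "UPDATE accounts SET status = 'closed', closed_date = date('now') "
        "WHERE balance = 0"
    )


def correct_upgrade(con):
    """The same change with the intended filter: only open accounts are touched."""
    con.execute(
        "UPDATE accounts SET status = 'closed', closed_date = date('now') "
        "WHERE balance = 0 AND status = 'open'"
    )


def guarded_upgrade(con, upgrade):
    """Run `upgrade` inside a transaction and commit only if no previously closed
    account changed. Returns (committed, drift), where drift lists
    (account_id, before, after) for every closed record the upgrade altered."""
    before = snapshot_closed(con)
    con.execute("BEGIN")
    try:
        upgrade(con)
        after = snapshot_closed(con)
        drift = [(acct, old, after.get(acct)) for acct, old in before.items()
                 if after.get(acct) != old]
        if drift:
            con.execute("ROLLBACK")   # nothing reaches members or data subjects
            return False, drift
        con.execute("COMMIT")
        return True, []
    except Exception:
        con.execute("ROLLBACK")
        raise


if __name__ == "__main__":
    db = make_db()
    committed, changed = guarded_upgrade(db, buggy_upgrade)
    print("buggy upgrade committed:", committed)
    for acct, old, new in changed:
        print(f"  {acct}: {old} -> {new}")
    committed, changed = guarded_upgrade(db, correct_upgrade)
    print("correct upgrade committed:", committed, "drift:", changed)
```

The check is deliberately narrow: it does not validate the whole upgrade, only the invariant that records outside the change's intended scope stay byte-for-byte identical. Run against a copy of production data in a staging environment, a guard of this shape would have flagged all 15,120 affected records before any were disclosed, and it costs one extra query before and after the change.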

Conclusion

The decision highlights that the decisive action taken by ICB to mitigate the damage suffered by the data subjects, together with its cooperation with the DPC to remedy the infringement and mitigate its adverse effects, including the implementation of a comprehensive change management process, led to a significant reduction of the fine. The fine of €90,000 amounts to just 0.9% of the €10 million cap available and 2% of ICB's turnover, underlining the importance for data controllers of taking prompt mitigating action following a breach.

If you have any questions relating to this article, please contact Alison Kelleher, Partner, Comyn Kelleher Tobin.
