University of Limerick has been fined €98,000 after Ireland’s Data Protection Commission uncovered serious GDPR failures, including weak email security, delayed breach reporting, and inadequate safeguards following multiple phishing incidents.
In March 2026, the Data Protection Commission (“DPC”) published its final decision made pursuant to sections 110 – 111 of the Data Protection Act 2018 following an own-volition inquiry into six phishing-related data breaches at the University of Limerick (“UL”) between November 2018 and January 2020.
The DPC found that UL infringed Articles 5(1)(f) and 32(1) GDPR by failing to implement appropriate technical and organisational measures to ensure the security of personal data processed on its email system. Key failings included:
- The absence of multi-factor authentication
- Failure to deploy standard email authentication protocols
- Continued use of an outdated email platform
- Inadequate controls on email forwarding rules, and
- Non-mandatory cyber security training.
UL was also found to have infringed Article 30(1) GDPR by maintaining an incomplete Record of Processing Activities that failed to document email processing and related security measures.
In relation to incident response, the DPC found breaches of Article 33(1) GDPR due to late notification of three personal data breaches to the DPC, and of Article 34(1) GDPR for failing to notify affected data subjects without undue delay where breaches had been assessed as posing a high risk.
The DPC issued a reprimand and imposed administrative fines totalling €98,000:
- €45,000 for breaches of Articles 5(1)(f) and 32(1)
- €3,000 for breach of Article 30(1)
- €35,000 for breaches of Article 33(1)
- €15,000 for breach of Article 34(1).
Notably, the final fines were substantially lower than the maximum fines proposed in the DPC’s draft decision. The DPC acknowledged that the reduction reflected the mitigation occasioned by UL accepting the majority of the findings in the draft decision, acknowledging responsibility for significant infringements, and proactively taking steps to improve its systems, training, and policies so as to reduce the likelihood of similar breaches recurring. The DPC was nonetheless satisfied that it was necessary and proportionate to issue corrective measures pursuant to section 115 of the Data Protection Act 2018 and Article 58(2) GDPR.