Data Protection Commission Inquiry

5 April 2022: Between November 2018 and June 2019 Bank of Ireland notified the Data Protection Commission of a number of personal data breaches relating to errors in information it submitted to the Central Credit Register (CCR).

The CCR is the Central Bank of Ireland’s national database of customer credit information and all lenders, including Bank of Ireland, are required to submit information to it every month.

The fine and corrective actions imposed today by the Data Protection Commission arise from these breaches and the Bank’s delay in communicating with impacted customers.

Bank of Ireland fully acknowledges, and sincerely apologises for, these breaches. The Bank takes its regulatory and compliance obligations very seriously and regrets that it has fallen short in this way.

The Bank has notified all impacted customers. It has rectified the inaccurate information reported to the CCR in all but 20 cases which will be corrected shortly. It has also taken measures to improve its ongoing CCR reporting, including error management procedures and a process that enables faster correction of errors.

The Data Protection Commission has mandated further measures and work has already begun to put these in place. The Bank has engaged fully and proactively with the Commission during its inquiry and will continue to do so as it implements these additional measures as quickly as possible.