Irish DPC issues first GDPR fine

The Irish Data Protection Commission (DPC) has issued its first fine under the GDPR. A fine of €75,000 has been imposed on a State agency “Tusla” (the child and family agency) for wrongly disclosing personal data about children to unauthorised parties in three cases – in one instance, the contact and location data of a mother and child victim was disclosed to an alleged abuser. While one might expect a higher fine for such a breach, the Irish Data Protection Act 2018 imposes an upper limit of €1 million on the level of fines that may be imposed on a public authority or public body. Further, Tusla appears to have engaged fully with the DPC in its inquiry.

The DPC has applied to the Circuit Court to confirm its decision and the fine, as required under the Data Protection Act 2018, and Tusla has confirmed that it will not contest the DPC’s findings.

There are two additional ongoing inquiries into data breaches concerning Tusla.

It is likely we will see more fines being issued by the DPC this year as it is finalising a number of inquiries. The DPC has been criticised for a lack of enforcement to date, but the DPC’s position has been that it wishes to ensure it inquiries are carried out lawfully and thoroughly to reduce the risk of litigation once a decision/fine has issued.

If you have any data protection queries, please contact Marie Claire Scullion at or your usual Whitney Moore contact.