
Ireland — Permanent TSB fined: GDPR arts. 32/33 tested at call centers

The Irish DPC fined Permanent TSB €277,500 for call center authentication failures and late notification. Lesson for Luxembourg: Article 32 and the 72h rule (Art. 33) also apply to human processes.

Summary — On 8 May 2026, Ireland’s DPC fined Permanent TSB (€277,500) after social‑engineering fraud at its call center and a late breach notification. Key takeaway for Luxembourg: Article 32 (security) and Article 33 (72h) fully apply to human processes and real‑world effectiveness. Official source: DPC press release 08/05/2026.

The case

In 2022, fraudsters armed with partial customer data phoned Permanent TSB’s “Open24 Contact Centre”, impersonated customers, and obtained account changes. The DPC found that “in three incidents, the appropriate security protocols were not followed”, exposing customers to fraud risks and financial loss.

Sanctions: a reprimand, €250,000 for infringements of Articles 5(1)(f) (integrity/confidentiality) and 32(1) (security of processing), and €27,500 for Article 33(1) (72h supervisory authority notification). The full decision will be published “in due course”. Source: DPC.

Legal reasoning

  • GDPR basis. Article 5(1)(f) mandates integrity and confidentiality; Article 32(1) requires “appropriate technical and organisational measures” proportionate to risk; Article 33(1) requires notification “without undue delay and, where feasible, not later than 72 hours” after becoming aware of a breach. Consolidated text: Regulation (EU) 2016/679. For a structured overview, see our GDPR page.
  • DPC’s interpretation. The failure to follow call center “protocols” directly breached Article 32(1): in banking, easily guessable knowledge‑based authentication (KBA: date of birth, address, approximate recent transactions) is insufficient when it can be bypassed with data already traded on black markets. Additional controls (strong authentication, verified callbacks, account locks, active logging) are expected. On Article 33(1), the DPC penalised exceeding the 72h window. Source: PTSB.
  • EU alignment. EDPB Guidelines 01/2021 provide concrete scenarios (credential stuffing and identity theft/social engineering) requiring reinforced measures and often prompt notification (cases 07 and 17). Reference: EDPB Guidelines 01/2021.
  • Luxembourg stance. The CNPD requires controllers to notify within 72h where there is a risk to rights and freedoms; processors must alert controllers “without delay”. Reference: CNPD — Data breaches.

What this changes in Luxembourg (May 2026)

Contact centers and KYC/retail. Banks/PSF, insurance, e‑commerce, utilities, healthcare — any organisation whose call center can alter contact details, payment means or consents — faces the same risk. “Procedures” are not enough if fragile or poorly applied: Article 32 targets an outcome (“appropriate level of security”) given the risk, not the mere existence of a call script.

For local compliance expectations and CNPD conformity, see our GDPR Luxembourg page.

“Appropriate” measures for phone interactions

  • Out‑of‑band MFA for sensitive operations (OTP via app; callback to the on‑file number; challenge in the customer portal) rather than KBA alone.
  • Step‑up authentication when risk indicators arise (fraud scores, voice inconsistency, account‑linked technical signals).
  • Segregation of duties: the agent verifying is not the approver for critical changes; traceability via timestamped logs.
  • Incident playbooks specific to social engineering, with preventive account freeze, customer alerts and reset tokens.
  • Ongoing training and QA for agents, real‑time supervision and a four‑eyes principle on sensitive changes. Strengthen capabilities with our cyber awareness services.

These measures reflect Article 32 and EDPB examples on confidentiality/integrity incidents, and should be recorded in your security register and DPIAs where risk is high. See EDPB 01/2021.
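As an added illustration (not code from the article, from Permanent TSB or from the DPC), the following sketch turns the controls in this list into a single authorisation decision for a call center operation: KBA alone never unlocks a high‑risk change, a fraud signal forces step‑up, critical changes need a distinct second approver, and every decision is logged with a timestamp. The operation catalogue, the factor names and the 0.7 fraud‑score threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Risk(Enum):
    LOW = 1   # read-only operations
    HIGH = 2  # changes to contact details, payment means or auth channel


# Assumed operation catalogue; the risk tiers follow the article's examples.
OPERATIONS = {
    "balance_enquiry": Risk.LOW,
    "change_phone": Risk.HIGH,
    "change_iban": Risk.HIGH,
}

# Assumed names for out-of-band factors (OTP in app, callback, portal challenge).
OUT_OF_BAND = {"app_otp", "callback_on_file", "portal_challenge"}


@dataclass
class Session:
    agent_id: str
    factors: set                 # verification factors completed so far, e.g. {"kba"}
    fraud_score: float = 0.0     # assumed 0..1, supplied by an upstream risk engine
    log: list = field(default_factory=list)


def _audit(session, operation, decision):
    """Append a timestamped, agent-attributed record for later review."""
    session.log.append({"ts": datetime.now(timezone.utc).isoformat(),
                        "agent": session.agent_id, "op": operation,
                        "decision": decision})


def authorise(session, operation, approver_id=None):
    """Return 'allow', 'step_up' or 'needs_second_approver' for one operation."""
    risk = OPERATIONS[operation]
    has_oob = bool(session.factors & OUT_OF_BAND)
    if session.fraud_score >= 0.7 and not has_oob:
        decision = "step_up"      # risk indicator: step up before anything else
    elif risk is Risk.LOW:
        decision = "allow" if session.factors else "step_up"
    elif not has_oob:
        decision = "step_up"      # KBA alone is insufficient for HIGH-risk changes
    elif approver_id is None or approver_id == session.agent_id:
        decision = "needs_second_approver"   # four-eyes: a different agent must approve
    else:
        decision = "allow"
    _audit(session, operation, decision)
    return decision
```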

“72h” notification and communication to individuals

Once you become aware of a likely breach (e.g., a fraudster obtained extra data or changed contact details), start risk qualification and prepare the CNPD notification unless the risk is “unlikely”. If the risk is “high”, also inform the individuals concerned (Art. 34). Practical guidance is on the CNPD’s dedicated page. The consolidated Articles 32 and 33 are on EUR‑Lex.

Fine calculation

PTSB illustrates Article 83 combined with EDPB 04/2022 methodology to calibrate proportionate amounts (gravity, duration, negligence, cooperation, remediation). Reference: EDPB Guidelines 04/2022.

Frequent audit pitfalls

  1. Relying on static KBA. Often public or leaked data: insufficient for high‑risk operations (changing IBAN, address, or auth channel). Basis: Art. 32; DPC PTSB (source).
  2. Scripts without execution control. SOPs that are flawless on paper but not followed in practice are an Article 32 failure: effectiveness (training, supervision, QA, logs) is decisive. DPC PTSB: “protocols not followed” (source).
  3. Misunderstanding the 72h start point. The clock starts at reasonable awareness, not at the end of the investigation. Documentation can be completed later (Art. 33(4)). Refs: CNPD and GDPR (CNPD).
  4. Underestimating the “domino effect”. Fraudulent changes of phone/email enable later OTP capture and escalation. EDPB provides cases triggering notification and communication (EDPB 01/2021).
  5. Not scaling controls to sector risk. “Appropriate” varies by sector: in finance, voice/app MFA and dual controls are now baseline. Basis: Art. 32; DPC PTSB (GDPR text).

Official sources

  • Data Protection Commission (Ireland) — “Data Protection Commission Publishes Final Decision Following Inquiry into Permanent TSB”, press release, 08/05/2026.
  • Regulation (EU) 2016/679 (GDPR) — Articles 5(1)(f), 32, 33 (consolidated text on EUR‑Lex).
  • CNPD (Luxembourg) — “Data breaches (GDPR): notify within 72h”, professional page.
  • EDPB — “Guidelines 01/2021 on Examples regarding Personal Data Breach Notification”, v2.0, 14/12/2021 (PDF).
  • EDPB — “Guidelines 04/2022 on the calculation of administrative fines under the GDPR”.

Bottom line: in 2026, GDPR “state of the art” over the phone means controls that truly resist social engineering and a documented notification engine to meet the 72‑hour deadline. For leaders in Luxembourg: Article 32 = proof of effectiveness; Article 33 = operational reflex.


Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.
