UL: €98,000 for late notification — what Article 33 really requires
Ireland’s DPC fined the University of Limerick for three late GDPR notifications. Here is how to meet Article 33 and notify the CNPD within 72 hours, with documented timing and solid content.
Excerpt — On 2 March 2026, Ireland’s DPC sanctioned the University of Limerick for, among other things, three breach notifications submitted beyond the 72-hour window (GDPR Art. 33). Here is what this means to notify the CNPD without missteps. dataprotection.ie
The case
On 2 March 2026, the Irish Data Protection Commission published its final decision following an ex officio inquiry into a series of data breaches at the University of Limerick (UL) between November 2018 and January 2020. The DPC found shortcomings in security (Arts. 5(1)(f) and 32(1)), records of processing (Art. 30(1)), communication to data subjects (Art. 34(1)) and—central to this article—notification to the regulator within the legal timeframe (Art. 33(1)). Penalties: a reprimand and €98,000 in fines, including €35,000 specifically for the Art. 33(1) infringement (delay on three notifications). See the press release and the decision summary with the full PDF. dataprotection.ie ; dataprotection.ie
This emblematic case highlights a critical point for Luxembourg organisations: “without undue delay and, where feasible, not later than 72 hours” means a short, documented clock and the ability to notify with precise content—to the CNPD, not another authority. eur-lex.europa.eu
Legal reasoning
- Legal basis for notification — GDPR Article 33(1) requires controllers to notify “the competent supervisory authority” of any personal data breach “unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.” Notification must be made “without undue delay and, where feasible, not later than 72 hours after having become aware,” with reasons for any delay. In Luxembourg, the competent authority is the CNPD. eur-lex.europa.eu — see also the framework of Article 33.
- Mandatory content — Article 33(3) lists the required elements: (a) description of the nature of the breach, including categories and approximate numbers of data subjects and records; (b) name and contact details of the DPO or a contact point; (c) likely consequences; (d) measures taken or proposed to address the breach and mitigate its effects. The CNPD reflects these in its “Data breaches” pages and form. eur-lex.europa.eu ; cnpd.public.lu ; cnpd.public.lu
- Authorities’ interpretation — The EDPB Guidelines 9/2022 clarify when a controller “becomes aware,” how to assess risk, and what may (or may not) justify going beyond 72 hours. Guidelines 01/2021 provide concrete scenarios (e.g., email compromise, ransomware, loss of availability). edpb.europa.eu ; edpb.europa.eu
- Application to UL — The DPC held that three notifications were submitted beyond 72 hours “after becoming aware” and “without sufficient justification,” constituting an Art. 33(1) infringement; in parallel, UL failed to inform data subjects “without undue delay” in three cases (Art. 34(1)). This mirrors the EDPB matrix: notifying the authority and informing data subjects require related but distinct risk analyses. dataprotection.ie
What this changes in practice in Luxembourg
For executives, DPOs, CISOs and in-house counsel operating in Luxembourg (or cross-border teams managing LU entities), the takeaway is straightforward: respect the clock, document T0, and align content with a risk-based assessment. For broader guidance, see our page on CNPD compliance in Luxembourg.
- The 72-hour clock starts at internal “awareness,” not when forensics is complete. Set up early triage and document T0. The EDPB accepts an iterative approach: notify with available facts and follow up (Art. 33(4)). edpb.europa.eu
- CNPD channel — use the official form (FR/EN) and provide Art. 33(3) content — including a reachable DPO contact. Any delay must be justified. cnpd.public.lu
- Risk thresholds — “risk” triggers CNPD notification; “high risk” triggers data subject communication (Art. 34). Email account takeovers, central to UL, are often notifiable and may require data subject communication depending on the data. dataprotection.ie
- Substantive content — clearly describe incident nature, categories of individuals/data, likely impacts, and measures taken/planned. Thin submissions that shift everything to a vendor raise red flags. cnpd.public.lu
- Sector regimes — NIS 2, finance, etc. add to GDPR; they never replace CNPD notification within 72 hours when personal data is involved. cnpd.public.lu
Immediate application scenarios
- Compromised Microsoft 365 mailbox with email forwarding: typically CNPD-notifiable; with sensitive/financial data, data subject communication is likely. Preserve detection timestamps, disable forwarding, notify with available facts, then supplement. dataprotection.ie
- Ransomware on HR server with no confirmed exfiltration: loss of availability alone can create risk; CNPD notification is often required; align with data subject communication if their rights (e.g., payroll, attestations) are durably impacted. edpb.europa.eu
- Large misdirected email containing health data: high risk is almost certain; notify the CNPD and inform data subjects promptly, providing concrete assistance. edpb.europa.eu
Frequent pitfalls (seen in audits)
- Starting from the technical cause rather than data subject risk. GDPR is risk-based for rights and freedoms; cause is only a vector. Require a documented, people-centric assessment. cnpd.public.lu
- Waiting for “exfiltration proof” to start the clock. Incorrect: awareness of unauthorised access is enough. Notify with available information and submit a follow-up (Art. 33(4)). edpb.europa.eu
- Confusing sector channels with GDPR: informing the CSSF/ILR/clients does not extinguish the CNPD obligation. Regimes add up. cnpd.public.lu
- Omitting Art. 33(3) content: missing categories/approximate numbers, DPO contact, or measures weakens your position. Use the CNPD form. cnpd.public.lu
- Overlooking the Art. 33/34 linkage: CNPD notification does not replace prompt data subject communication where “high risk” is present. dataprotection.ie
Action plan to structure compliance
- Define “T0” and track the clock: SOC/DPO procedure to timestamp “awareness,” trigger 72 hours, and template delay justifications. Refer to EDPB criteria. edpb.europa.eu
- Qualify with four EDPB questions: which data? which people? likely consequences? immediate measures? Make a CNPD GO/NO-GO within 24h, then iterate. edpb.europa.eu
- Standardise content (Art. 33(3) checklist) and prefill the CNPD form with your DPO details, escalation paths, and typical measures (resets, logging, assistance, remediation). cnpd.public.lu — if needed, secure an appropriate DPO mandate.
- Anticipate recurring cases (compromised mailboxes, misaddressed attachments, export errors) using “playbooks” aligned with EDPB 01/2021 examples. edpb.europa.eu
- Link GDPR and operational security: what the DPC criticised at UL (authentication, hardening, logging) maps to Art. 32. Your ability to detect, contain and explain the breach drives notification quality—and timeliness. dataprotection.ie
Official sources
- Data Protection Commission (Ireland) — “The DPC publishes final decision following inquiry into University of Limerick” (02/03/2026) and decision note + full PDF. Press release ; Decision note + PDF.
- GDPR — Articles 33 (breach notification) and 34 (communication to data subjects): consolidated text on EUR‑Lex. EUR‑Lex, Regulation (EU) 2016/679.
- EDPB — Guidelines 9/2022 on personal data breach notification (v2.0, 4 April 2023). Guidelines 9/2022.
- EDPB — Guidelines 01/2021 (examples regarding breach notification). Guidelines 01/2021.
- CNPD (Luxembourg) — “Data breaches (GDPR)” and official notification forms. CNPD page ; Notification form.
Key takeaway: the University of Limerick case shows that Article 33’s “right-on-time” and “right-content” are non-negotiable. In Luxembourg, prepare SOC/DPO pathways, CNPD templates and EDPB risk analyses—before the clock starts.
Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.
A question on this topic?
Our team usually replies within one business day. Configure your quote or write to us.
Build my quote →