On 8 May 2026, Ireland's Data Protection Commission (DPC) published its final decision in an inquiry into Permanent TSB (PTSB), one of Ireland's largest retail banks. The regulator fined the bank €277,500 and issued a reprimand over three incidents in which attackers — already holding some customer information — telephoned the bank's Open24 Contact Centre, impersonated account holders, altered account details and extracted further data. Victims were exposed to heightened fraud risk; some lost money and had to close their accounts.
The DPC found PTSB had breached the integrity-and-confidentiality principle in Article 5(1)(f) and the security-of-processing duty in Article 32(1) of the GDPR, fining it €250,000 for those failures. A separate €27,500 penalty was imposed under Article 33(1) for not notifying the regulator within 72 hours. The breaches were first reported to the DPC in May 2022.
Enforcement that fits the harm
It is worth saying plainly: this is close to what proportionate enforcement should look like. The strongest case for the fine is straightforward. Article 32 exists precisely to make controllers treat identity verification as a security control, not a customer-service convenience. PTSB let callers reconfigure accounts on the strength of information that — by the DPC's own account — attackers already possessed. People lost money. A regulator that ignored that would be failing the public it serves.
What makes the decision defensible from a pro-innovation standpoint is its calibration. €277,500 against a bank that, as it told RTÉ, fully reimbursed the affected customers and has since hardened its controls is a corrective signal, not a punitive spectacle. It is roughly a thousandth of the headline data-transfer and platform fines the DPC has levied on Big Tech. The penalty tracks the actual harm (three incidents, real losses, a fixable process gap) rather than the theoretical maximum of 4% of global turnover that Article 83(5) of the GDPR allows for a breach of the Article 5 principles. That is the regime behaving as a backstop for genuine security failure, not as a revenue engine.
The channel everyone forgets
The substantive lesson is one every consumer-facing business should absorb, and it has nothing to do with paperwork. Voice channels remain the soft underbelly of identity verification. Firms pour resources into multi-factor authentication on apps and websites, then leave a phone line where a confident caller and a few personal details can override all of it.
The deeper issue is that knowledge-based authentication (date of birth, address, recent transactions, a memorable word) is structurally broken once that data is in circulation. Years of breaches and a mature data-broker market mean "information only the customer would know" is frequently information attackers can buy. The fix is better engineering, not friction: callback verification to a device that was registered before the call began (never to a number the caller supplies during it, since changing contact details is exactly what the attacker is trying to do), step-up authentication for high-risk changes such as edits to account or contact details, and anomaly detection on the call itself. The PTSB case is a useful reminder that GDPR's security mandate rewards better engineering, and the cheapest place to learn that lesson is from someone else's fine.
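As an added illustration (hypothetical example code written for this article, not PTSB's systems or any vendor's product), the policy below models the step-up control just described: a caller who answers every knowledge-based question correctly is still not allowed to change account details until a one-time code sent to the phone number already on file is read back. The operation catalogue, the customer record, the phone number and the memorable word are all constructed for the example. It also shows the legacy knowledge-only check beside the hardened flow, so the gap is visible: an attacker holding bought data passes the first and is stopped by the second.

```python
"""Step-up verification for call-centre account changes.

Illustrative policy engine written for this article; it is not PTSB's code or
any vendor's product. Everything below (operation names, customer record,
phone number, memorable word) is constructed for the example.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from enum import Enum


class Risk(Enum):
    LOW = "low"    # read-only, e.g. a balance enquiry
    HIGH = "high"  # anything that changes account or contact details


# Assumed operation catalogue for a call centre (constructed for the example).
OPERATION_RISK = {
    "balance_enquiry": Risk.LOW,
    "change_phone_number": Risk.HIGH,
    "change_address": Risk.HIGH,
    "add_payee": Risk.HIGH,
}

CODE_TTL_SECONDS = 120
MAX_ATTEMPTS = 3


@dataclass
class Customer:
    registered_phone: str   # number on file BEFORE the call; never taken from the caller
    kba_answers: dict       # date of birth, memorable word, ...: assume attackers have these


@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0


class StepUpPolicy:
    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(destination, message); injected, so no network needed
        self._clock = clock
        self._pending = {}          # customer_id -> Challenge

    @staticmethod
    def kba_passed(customer, answers):
        """The legacy check: knowledge-based answers only. Every field on file must
        match. On its own this is the gap at issue, because the answers circulate."""
        return all(answers.get(k) == v for k, v in customer.kba_answers.items())

    def authorise(self, customer_id, customer, operation, answers):
        """Return 'allow', 'step_up_required' or 'deny' for the requested operation."""
        if not self.kba_passed(customer, answers):
            return "deny"
        if OPERATION_RISK[operation] is Risk.LOW:
            return "allow"
        # High risk: KBA alone never suffices. Send a one-time code to the phone
        # already on file. A number offered by the caller is never used here.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[customer_id] = Challenge(code, self._clock())
        self._send_sms(customer.registered_phone, f"Verification code: {code}")
        return "step_up_required"

    def complete_step_up(self, customer_id, code_read_back):
        """Verify the code the caller reads back: single use, expiring, attempt-limited."""
        ch = self._pending.get(customer_id)
        if ch is None:
            return False
        ch.attempts += 1
        expired = self._clock() - ch.issued_at > CODE_TTL_SECONDS
        ok = (not expired and ch.attempts <= MAX_ATTEMPTS
              and hmac.compare_digest(ch.code, code_read_back))
        if ok or expired or ch.attempts >= MAX_ATTEMPTS:
            del self._pending[customer_id]   # no replay, no unlimited guessing
        return ok


def run_demo():
    """Constructed scenario: the attacker holds every KBA answer but not the phone."""
    sent = []
    policy = StepUpPolicy(send_sms=lambda dest, msg: sent.append((dest, msg)))
    victim = Customer(registered_phone="+353 87 000 0000",
                      kba_answers={"dob": "1980-01-01", "memorable_word": "shamrock"})
    stolen = dict(victim.kba_answers)   # bought from a breach dump

    out = {}
    out["legacy_kba_only"] = policy.kba_passed(victim, stolen)       # True: the old model lets them in
    out["balance_enquiry"] = policy.authorise("c1", victim, "balance_enquiry", stolen)
    out["change_phone"] = policy.authorise("c1", victim, "change_phone_number", stolen)
    out["sms_went_to"] = sent[-1][0]                                  # the victim's phone, not the attacker's

    real_code = sent[-1][1].split()[-1]
    wrong_guess = "000000" if real_code != "000000" else "111111"     # attacker cannot see the SMS
    out["attacker_guess"] = policy.complete_step_up("c1", wrong_guess)
    out["customer_reads_back"] = policy.complete_step_up("c1", real_code)
    out["replay"] = policy.complete_step_up("c1", real_code)          # code already consumed
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The design choice that matters is where `registered_phone` comes from: it is read from the customer record as it stood before the call, and the agent has no way to substitute a number the caller offers. Rate limiting, expiry and single use on the code are the usual hygiene; the callback destination is the control that actually defeats a caller who already owns the customer's personal data.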
Four years is the real problem
Where the decision is harder to defend is its timing, and here the criticism cuts against the regulator, not the bank. The breaches were reported in May 2022. The decision landed in May 2026. Four years to adjudicate a self-reported, three-incident call-centre fraud is hard to square with the urgency the GDPR demands of everyone else.
That asymmetry deserves scrutiny. The strongest argument for the strict 72-hour notification rule in Article 33 is that early reporting lets regulators and affected people act before harm spreads; the €27,500 penalty signals that the clock is real. Fair enough. But a regime that fines a controller for a delayed notification while taking four years to reach a verdict on the underlying conduct erodes its own credibility. Deterrence and the educational value of enforcement both decay with time. By 2026, the authentication weaknesses at issue have been remediated, the threat landscape has moved on, and the rest of the market has had to guess at the standard the DPC would eventually articulate.
Proportionate regulation is not only about the size of the fine; it is about timeliness. A supervisory authority that expects 72-hour discipline from controllers should hold itself to a visible, predictable timeline for its own decisions. Pendency of this length is a feature of the EU's enforcement architecture — the cross-border one-stop-shop, layered review — but it is a cost, and it is borne by the businesses and consumers the system is meant to protect.
What good enforcement looks like
For all that, the PTSB decision is a better model than the cases that dominate the headlines. In its 2025 annual report, the European Data Protection Board recorded €1.15 billion in GDPR fines across the bloc — a total skewed heavily by a handful of mega-penalties on global platforms, often for cross-border data-transfer technicalities. The public-protection value of GDPR is clearer in cases like this one: a concrete harm, an identifiable security failure, a remedy already in motion, and a modest fine that tells the rest of the market exactly what to fix.
If European regulators want the GDPR to be seen as a guardrail for innovation rather than a tax on it, more enforcement should look like the PTSB decision — and arrive years sooner.