Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Back
LinkedIn Created with Sketch. Twitter Created with Sketch.
20 December 2023

Iceland: Persónuvernd issues fine of ISK 2.5M on Garðabær Municipality for unlawful processing of children's data

Privacy Impact AssessmentsPrivacy by Design and by DefaultChildren's DataEnforcement ActionsFinesPrivacy Law PrinciplesEducationAppsData TransfersVendor Management

On December 6, 2023, the Icelandic data protection authority (Persónuvernd) published its decision in Case No. 2022020418, as issued on November 28, 2023, in which it imposed a fine of ISK 2.5 million (approx. $18,210) on Garðabær Municipality, for violations of the Act on Privacy and Processing of Personal Data (the Act) and the General Data Protection Regulation (GDPR), following an audit. 

Background to the case 

The Persónuvernd explained that the decision stemmed from an audit on the use of cloud services in elementary schools by Garðabær Municipality. The audit examined the processing of elementary school students' personal data in the Google student system, known as Google Workspace for Education.

Findings of the Persónuvernd 

The audit by the Persónuvernd revealed that Google processed the personal data of elementary school students beyond the instructions of Garðabær Municipality. Additionally, the Persónuvernd found that the data processing by Google was not confined to the purposes defined by Garðabær Municipality. Subsequently, the Persónuvernd determined that Garðabær Municipality had failed to:

  • fulfill its liability obligations in selecting Google as a data processor in violation of Articles 26 and 29 of the GDPR and Article 23 of the Act;

  • ensure that its agreement with Google prevented the processing of personal data beyond Garðabær Municipality's instructions in violation of Article 28 of the GDPR and Article 25 of the Act;

  • ensure that the processing of personal data is aligned with the principles of lawfulness, fairness, and transparency in violation of Article 5 of the GDPR and Article 8 of the Act;
  • fulfill its processing obligations related to purpose limitation, storage limitation, data minimization, and privacy protection in violation of Articles 5 and 32 of the GDPR; and
  • conduct an impact assessment that met the minimum requirements of Article 35 of GDPR.

Additionally, the Persónuvernd found that Garðabær Municipality had transferred personal data to the US without adequate safeguards.

Outcomes 

In light of the above, the Persónuvernd imposed a fine of ISK 2.5 million on Garðabær Municipality and ordered it to bring the processing of children's personal information into compliance with the privacy legislation in all the elementary schools within the Municipality, by correcting the abovementioned failings.

You can read the decision, only available in Icelandic, here

    Company

    Our Policies

    Your Rights

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
    © OneTrust, LLC. All Rights Reserved.
    The materials herein are for informational purposes only and do not constitute legal advice.
    Feedback