Iceland: Persónuvernd issues fine of ISK 2.8M on Hafnarfjörður Municipality for unlawful processing of children's data

On December 6, 2023, the Icelandic data protection authority (Persónuvernd) published its decision in Case No. 2022020415, as issued on November 28, 2023, in which it imposed a fine of ISK 2.8 million (approx. $20,430) on Hafnarfjörður Municipality, for violations of the Act on Privacy and Processing of Personal Data (the Act) and the General Data Protection Regulation (GDPR), following an audit. 

Background to the case 

The Persónuvernd explained that the decision stemmed from one of five audits it carried out on the use of cloud services in elementary school work by the country's larger local authorities, in this case the Hafnarfjörður Municipality. In particular, the audit examined the processing of elementary school students' personal data in Google's student system, known as Google Workspace for Education.

Findings of the Persónuvernd 

The audit by the Persónuvernd revealed, among other things, that Google processed the personal data of elementary school students beyond the instructions of the Hafnarfjörður Municipality. Additionally, the Persónuvernd found that the data processing by Google was not confined to the purposes defined by the Hafnarfjörður Municipality. Therefore, the Persónuvernd determined that the Hafnarfjörður Municipality:

  • failed to fulfill its liability obligations in selecting Google as a data processor in violation of Articles 8, 23, and 25(1) of the Act and Articles 5, 24(1), and 28(1) of the GDPR;
  • did not ensure that the data processing agreement met the requirements of Article 28(3)(a) of the GDPR and Article 25(3) of the Act;
  • did not specify the purpose of the individual processing operations in a sufficiently clear manner and did not fulfill its responsibility regarding the personal data of its elementary school students not being processed for other and incompatible purposes than those specified for the processing, in violation of Article 8(1) of the Act, and Articles 5(1)(c) and 6(4) of the GDPR;
  • did not fulfill its obligations relating to storage limitation and default personal protection, in violation of Articles 8(1) and 24(2) of the Act and Articles 5(1)(e) and 25(2) of the GDPR;
  • failed to fulfill its obligations relating to the minimization of data and built-in and default data protection in violation of Articles 8(1), 24(1), and (2) of the Act and Articles 5(1)(c) and 25(1) and (2) of the GDPR;
  • did not conduct a Data Protection Impact Assessment (DPIA) in violation of Articles 35(1) and 35(11) of the GDPR and Article 29 of the Act and therefore failed to fulfill its obligations under Article 24(1) of the GDPR and Article 23 of the Act. Additionally, the Hafnarfjörður Municipality's existing assessment did not meet the requirements of Articles 35(7)(a) and 35(7)(c) of the GDPR and Article 29(1) of the Act; and 
  • did not ensure the safe transfer of personal information to the US, in violation of Article 46 of the GDPR.

Outcomes 

In light of the above, the Persónuvernd imposed a fine of ISK 2.8 million on the Hafnarfjörður Municipality and ordered it to bring the processing of children's personal information into compliance with the privacy legislation in all the elementary schools within the Hafnarfjörður Municipality, by correcting the abovementioned failings.

You can read the press release here and the decision, only available in Icelandic, here.
