Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Back
LinkedIn Created with Sketch. Twitter Created with Sketch.
20 December 2023

Iceland: Persónuvernd issues fine of ISK 2M on City of Reykjavík for violation of children's data rights

Privacy Impact AssessmentsPrivacy by Design and by DefaultChildren's DataEnforcement ActionsFinesPrivacy Law PrinciplesEducationAppsData TransfersVendor Management

On December 6, 2023, the Icelandic data protection authority (Persónuvernd) published its decision in Case No. 2022020363, as issued on November 28, 2023, in which it imposed a fine of ISK 2 million (approx. $14,560) on the City of Reykjavík, for violations of the Act on Privacy and Processing of Personal Data (the Act) and the General Data Protection Regulation (GDPR), following an audit by the Persónuvernd.

Background to the case

The Persónuvernd explained that it conducted an assessment into City of Reykjavík's use of Google cloud solution, Google Workspace for Education, in elementary school activities, focusing its assessment on the protection of children's personal information.

Findings of the Persónuvernd

The Persónuvernd found that the processing of children's personal data using the Google student system in primary schools in the City of Reykjavík was not in accordance with the provisions of the privacy legislation. In particular, City of Reykjavík was found to be in breach of the following:

  • its liability obligations when an assessment was made and in its decision to use Google as a processor (Articles 8, 23, and 25(1) of the Act and Articles 5, 24(1), and 28(1) of the GDPR);
  • its processing agreement with Google is not in accordance with privacy laws (Article 28(3)(a) of the GDPR and Article 25(3) of the Act);
  • its failure to specify the purpose for processing and processing with incompatible purposes (Article 8(1) and 8(2) of the Act and Articles 5(1)(b) and 6(4) of the GDPR);
  • its failure to uphold the minimization principle and built-in and default personal protection system (Articles 8(1), 8(3), 24(1), and 24(2) of the Act and Articles 5(1), 25(1), and 25(2) of the GDPR);
  • its failure to comply with minimum requirements for the impact assessment on the processing (Articles 29(1) of the Act, and 35(7) of the GDPR); and
  • its failure to ensure safe personal data transfer to the United States (Article 46 of the GDPR).

Outcomes

In light of the above, the Persónuvernd issued an administrative fine of ISK 2 million to the City of Reykjavík and ordered it to bring the processing of children's personal information into compliance in all the elementary schools within the Municipality, by correcting the abovementioned failings.

You can read the press release here and the decision here, both only available in Icelandic.

Company

Our Policies

Your Rights

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
© OneTrust, LLC. All Rights Reserved.
The materials herein are for informational purposes only and do not constitute legal advice.
Feedback