The Faroe Islands Data Protection Authority ('the Authority') announced, on 6 October 2021, that it had completed its investigation into a data controller, in which it prosecuted the data controller for violation of Section 41(2) of the Act No. 80 of 7 June 2020 on the Protection of Personal Data ('the Act'), following a complaint initially regarding information provision obligations.

Background to the case

In particular, the Authority received a complaint regarding information provision obligations from a data controller and its processor.

Findings of the Authority

Following its investigations, the Authority determined that the data controller had not provided the information required under Sections 23 to 25 of the Act, in cases where data is collected from the data subject. Furthermore, regarding sending of the complainant's personal data to third parties, the Authority recalled that, under Section 41(2) of the Act, processing by a processor must be governed by a contract that is binding and that sets out the subject-matter, the purpose of the processing, and the obligations and rights of the controller.

Outcomes

In light of the above, the Authority issued a warning to the data controller regarding its information provision obligations, to which the data controller responeded posting a privacy policy on its website. However, the Authority prosecuted the data controller for failing to have a data processing agreement before the initial complaint was made.

You can read the press release, only available in Danish, here.