Faroe Islands: Authority prosecutes data controller for lack of data processing agreement
The Faroe Islands Data Protection Authority ('the Authority') announced, on 6 October 2021, that it had completed its investigation into a data controller, in which it prosecuted the data controller for violation of Section 41(2) of the Act No. 80 of 7 June 2020 on the Protection of Personal Data ('the Act'), following a complaint initially regarding information provision obligations.
Background to the case
In particular, the Authority received a complaint regarding information provision obligations from a data controller and its processor.
Findings of the Authority
Following its investigations, the Authority determined that the data controller had not provided the information required under Sections 23 to 25 of the Act, in cases where data is collected from the data subject. Furthermore, regarding sending of the complainant's personal data to third parties, the Authority recalled that, under Section 41(2) of the Act, processing by a processor must be governed by a contract that is binding and that sets out the subject-matter, the purpose of the processing, and the obligations and rights of the controller.
You can read the press release, only available in Danish, here.