Iceland: Persónuvernd finds City of Reykjavík school system in violation of GDPR
The Icelandic data protection authority ('Persónuvernd') published, on 20 December 2021, its decision in Case No. 2021040879, as issued on 16 December 2021, in which it found the City of Reykjavík in violation of Articles 8(1)(1), 8(1)(2), 8(1)(3), 8(1)(5), 8(1)(6), 17(1), 23, 24, 25(3), 25(1), 27(1), and 29(1) of the Act on Data Protection and the Processing of Personal Data No. 90/2018 ('the Act') and Articles 5(1)(a), 5(1)(b), 5(1)(c), 5(1)(e), 5(2), 8(2), 13, 25(1), 25(2), 26(1)(2), 28, 28(3), 32, 35(1), and 46 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following its failure to comply with data protection obligations in processing sensitive personal data of children.
Background to the decision
In particular, the Persónuvernd launched, in April 2020, an investigation following a suggestion that one of the City of Reykjavík's primary schools had, earlier that month, requested parental consent for the use of the Seesaw Learning, Inc. student system in teaching. Moreover, the Persónuvernd highlighted that the investigation was initiated to determine whether the processing of personal information, which involves the use of the student system by the City of Reykjavík, is in accordance with the Act and the GDPR.
The Persónuvernd outlined that, in light of this, it investigated the processing of personal information in the Seesaw student system, notably the production agreement with Seesaw concerning processing of location data and sensitive personal data, purpose and consent of the processing of personal information, the scope of processing, fairness, proportionality, minimisation of data, education for parents and guardians, assessment of risks and effects on privacy, and appropriate security measures.
Findings of the Persónuvernd
Further to the above, the Persónuvernd stated that it considered that the processing of personal information of school children in the Seesaw student system on behalf of the City of Reykjavík was not in accordance with the Act and the GDPR, for the reasons stated below.
The Persónuvernd noted that it found a violation of Data Protection by Design and Default in failing to obtain data for legitimate purposes pursuant to Articles 8(1)(2), 8(1)(3), and 8(1)(5) of the Act and Articles 5(1)(b), 5(1)(c), and 5(1)(e) of the GDPR. In addition, the Persónuvernd specified that it found that it was possible to identify registered persons for longer than necessary, which violated Article 25(1) and Article 25(2) of the GDPR.
Moreover, the Persónuvernd deemed that the City of Reykjavík failed to process personal data in a fair and transparent manner, noting that Seesaw processed the personal data of parents and guardians of students in order to direct them to marketing, and, as a result, violated Article 8(1)(1) of the Act and Articles 5 and 13 of the GDPR. In particular, Persónuvernd found that the City of Reykjavík did not base the processing of personal information in the system on a satisfactory authorisation such as consent, pursuant to Article 9 of the Act and Article 6(1) of the GDPR.
Furthermore, the Persónuvernd considered that the City of Reykjavík did not enter into a satisfactory production agreement pursuant to Articles 23 and 25(3) of the Act and Articles 26(1), 26(2), and 28(3) of the GDPR. In particular, the Persónuvernd noted the failure to clarify which of the parties was responsible for the processing of data and that the existing processing agreement was not accessible to the registered person in Iceland pursuant to Article 8(1)(1) of the Act and Article 5(1)(a) of the GDPR.
The Persónuvernd also found that the City of Reykjavík violated Article 29(1) of the Act and Article 35(1) of the GDPR for failing to complete the DPIA before beginning to process data.
The Persónuvernd held that the City of Reykjavík failed to demonstrate that it had fulfilled its responsibilities relating to ensuring the security of the processing of personal information in the Seesaw student system pursuant to Articles 8(1)(6), 24, 25(1), and 27(1) of the Act and Articles 5(1)(f), 28(1), and 32(1) of the GDPR.
Finally, in its investigation, the Persónuvernd noted that the personal information of students in the system was transferred to the US and processed there. The decision added that the City of Reykjavík formally requested that the information be processed only within Europe, but, if this does not happen, it will be requested that the contract with Seesaw be terminated and the processing of personal information in the student system stopped. The Persónuvernd highlighted that the company's Standard Contractual Clauses did not provide adequate protection and did not ensure secure transfer pursuant to Article 46 of the GDPR.
The Persónuvernd set out that the City of Reykjavík was ordered to close the accounts of school children in Seesaw and ensure that all their personal information is deleted from the system, but not before a copy of the information had been taken to hand over to the children or for safekeeping in schools. The Persónuvernd highlighted that the children's privacy protection will not be guaranteed in any other way and evidence that these instructions have been complied with must be received no later than 20 January 2022.
Moreover, the Persónuvernd disclosed that there were discussions on the possibility of a fine in accordance with Articles 46(2)(1), 46(1), 46(2), and 46(3) of the Act and with the GDPR. However, the municipality will be granted a special right to object in this regard.
Finally, the Persónuvernd provided additional guidance in its decision for municipalities using information technology systems to process children's personal information.