Iceland: Persónuvernd finds dissemination of a child's personal information by KVAN unlawful
The Icelandic data protection authority ('Persónuvernd') published, on 20 April 2022, its decision in case No. 2021051112, issued on 6 April 2022, in which it ruled that the dissemination of sensitive personal data by KVAN ehf. violated Articles 8(1)(5) and 9 of the Act 90/2018 on Privacy and Processing of Personal Data ('the Act'), and Articles 5(1)(e) and 6(1) of the General Data Protection (Regulation (EU) 2016/679) ('GDPR'), following a complaint by a child's parents.
Background to the case
In particular, the Persónuvernd detailed that it had received, on 13 May 2021, a complaint from a parent, on behalf of their child, regarding the dissemination of information about the child by KVAN to the professional council for bullying in primary and secondary schools evidenced in an email shared between the parties on 3 December 2019. Specifically, the Persónuvernd provided that KVAN continued processing the child's information despite the termination of collaboration with the child's school.
Findings of the Persónuvernd
In this context, the Persónuvernd detailed that the email concerned personal information within the meaning of the GDPR and outlined that from what is stated in the email, those who are familiar with the matter can easily guess which individuals are being discussed. As a result, the information contained therein will be considered personally identifiable, and thus considered to be processing of personal information in accordance with Article 4(6) of the Act and Article 4(7) of the GDPR.
Furthermore, the Persónuvernd highlighted its findings in a previous case in connection with the current case, where it found that the school was not permitted to share information about the child to KVAN, and that the collaboration between the school and KVAN ended when the email referred to above was sent. Specifically, the Persónuvernd considered that KVAN was not permitted to process personal information and should have handed over all relevant data and information to the school, and delete other personal information in accordance with Article 8(1)(5) of the Act and Article 5(1)(e) of the GDPR. Therefore, the Persónuvernd determined that KVAN did not have authorisation to disseminate the child's information in accordance with Article 9 of the Act and Article 6(1) of the GDPR.
In light of the above, the Persónuvernd concluded that KVAN's dissemination of the child's personal information in an email sent to the professional council 3 December 2019 was unlawful.
You can read the decision, only available in Icelandic, here.