Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Iceland: Persónuvernd finds Sjóvá-Almennar tryggingar in violation of fair and transparent processing

The Icelandic data protection authority ('Persónuvernd') published, on 19 March 2022, its decision in Case No. 2020061826, as issued on 18 March 2022, in which it found Sjóvá-Almennar tryggingar hf. in violation of Articles 8(1)(1) and 17(2) of the Act 90/2018 on Privacy and Processing of Personal Data ('the Act') and Articles 5(1)(a) and 13(1)(e) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint submitted by an individual.

Background to the decision

In particular, the Persónuvernd outlined that, on 6 January 2020, the individual's lawyer filed a complaint on their behalf against Sjóvá-Almennar, an insurance company, for providing their sensitive personal information to an expert for the preparation of a report for the company on speed and stroke calculations due to a traffic incident. Subsequently, the Persónuvernd investigated the individual's complaint that Sjóvá-Almennar provided the expert with access to the complainant's personal information, including sensitive personal information, without their consent or knowledge, as well as that the expert subsequently processed the same personal information.

Findings of the Persónuvernd

In light of the above, the Persónuvernd noted that the processing of personal information in question was indeed legitimate, as it was necessary to fulfil the contract between Sjóvá-Almennar and the complainant, based on which the latter had filed the financial claim and requested settlement of compensation following the traffic incident. Specifically, the Persónuvernd added that the said processing of personal information for the preparation of a report was stipulated in the expert's processing agreement and Sjóvá-Almennar's privacy policy, and as such, the above processing is in accordance with Article 9(2) of the Act and Article 6(1)(b) of the GDPR. However, the Persónuvernd clarified that the expert's access to and processing of the complainant's personal information is based on a processing contract in accordance with Article 28(3) of the GDPR and Article 25(3) of the Act, but not a special processing authorisation as provided in Article 9 of the Act and Article 6 of the GDPR.

Moreover, the Persónuvernd assessed whether the complainant was adequately informed and educated on the use of processors and did not provide information required in Article 13 of the GDPR and Article 17 of the Act to ensure fair and transparent processing. Therefore, the Persónuvernd determined that Sjóvá-Almennar had violated Articles 5(1)(a) and 13(e) of the GDPR and Articles 8(1)(1) and 17(2) of the Act.


Ultimately, the Persónuvernd concluded that the processing of personal information in connection with the settlement of a claim for compensation was in violation of the Act and the GDPR, for failing to provide information and transparency regarding the involvement of processors.

You can read the decision, only available in Icelandic, here.