Iceland: Persónuvernd finds Sjóvá-Almennar tryggingar in violation of fair and transparent processing
The Icelandic data protection authority ('Persónuvernd') published, on 19 March 2022, its decision in Case No. 2020061826, as issued on 18 March 2022, in which it found Sjóvá-Almennar tryggingar hf. in violation of Articles 8(1)(1) and 17(2) of the Act 90/2018 on Privacy and Processing of Personal Data ('the Act') and Articles 5(1)(a) and 13(1)(e) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint submitted by an individual.
Background to the decision
In particular, the Persónuvernd outlined that, on 6 January 2020, the individual's lawyer filed a complaint on their behalf against Sjóvá-Almennar, an insurance company, for providing their sensitive personal information to an expert for the preparation of a report for the company on speed and stroke calculations due to a traffic incident. Subsequently, the Persónuvernd investigated the individual's complaint that Sjóvá-Almennar provided the expert with access to the complainant's personal information, including sensitive personal information, without their consent or knowledge, as well as that the expert subsequently processed the same personal information.
Findings of the Persónuvernd
Moreover, the Persónuvernd assessed whether the complainant was adequately informed and educated on the use of processors and did not provide information required in Article 13 of the GDPR and Article 17 of the Act to ensure fair and transparent processing. Therefore, the Persónuvernd determined that Sjóvá-Almennar had violated Articles 5(1)(a) and 13(e) of the GDPR and Articles 8(1)(1) and 17(2) of the Act.
Ultimately, the Persónuvernd concluded that the processing of personal information in connection with the settlement of a claim for compensation was in violation of the Act and the GDPR, for failing to provide information and transparency regarding the involvement of processors.
You can read the decision, only available in Icelandic, here.