Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Iceland: Persónuvernd fines Breiðholt Upper Secondary School ISK 1.3M for personal data breach

The Icelandic data protection authority ('Persónuvernd') announced, on 10 March 2020, that it had fined Breiðholt Upper Secondary School ISK 1.3 million (approx. €8,945) for a personal data breach. In particular, Persónuvernd highlighted that the breach occurred when a teacher sent an email to his students and their parents with an attachment that contained data on their well-being, study performance, and social conditions. After carrying out an investigation of the data breach, Persónuvernd concluded that it was a result of a lack of implementation on the part of the controller of appropriate data protection policies and technical and organisational measures to protect data, in violation of Article 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

You can read the press release here and the decision, only available in Icelandic, here.

UPDATE (13 March 2020)

EDPB issues statement on Persónuvernd fining Breiðholt Upper Secondary School ISK 1.3M

The European Data Protection Board ('EDPB') issued, on 11 March 2020, a statement ('the Statement') on the Persónuvernd fining Breiðholt Upper Secondary School ISK 1.3 million for a personal data breach. In particular, the EDPB noted that Breiðholt Upper Secondary School had violated Article 32 and Article 5 (1) (f) of the GDPR and that the fine took into account the fact that the personal data breach included health data such as mental health data and interventions by child services.

You can read the Statement here.