The Icelandic data protection authority ('Persónuvernd') announced, on 10 March 2020, that it had fined Breiðholt Upper Secondary School ISK 1.3 million (approx. €8,945) for a personal data breach. In particular, Persónuvernd highlighted that the breach occurred when a teacher sent an email to his students and their parents with an attachment that contained data on their well-being, study performance, and social conditions. After carrying out an investigation of the data breach, Persónuvernd concluded that it was a result of a lack of implementation on the part of the controller of appropriate data protection policies and technical and organisational measures to protect data, in violation of Article 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

You can read the press release here and the decision, only available in Icelandic, here.

UPDATE (13 March 2020)

EDPB issues statement on Persónuvernd fining Breiðholt Upper Secondary School ISK 1.3M

The European Data Protection Board ('EDPB') issued, on 11 March 2020, a statement ('the Statement') on the Persónuvernd fining Breiðholt Upper Secondary School ISK 1.3 million for a personal data breach. In particular, the EDPB noted that Breiðholt Upper Secondary School had violated Article 32 and Article 5 (1) (f) of the GDPR and that the fine took into account the fact that the personal data breach included health data such as mental health data and interventions by child services.

You can read the Statement here.