The Icelandic data protection authority ('Persónuvernd') published, on 6 May 2022, its decision in Case No. 2021040879, as issued on 3 May 2022, in which it imposed a fine of ISK 5 million (approx. €35,840) on the City of Reykjavík, for violation of Articles 8(1)(1), 8(1)(2), 8(1)(3), 8(1)(5), 8(1)(6), 17(1), 23, 24, 25(3), 25(1), 27(1), and 29(1) of the Act on Data Protection and the Processing of Personal Data No. 90/2018 ('the Act') and Articles 5(1)(a), 5(1)(b), 5(1)(c), 5(1)(e), 5(2), 6, 8(2), 13, 25(1), 25(2), 26(1)(2), 28, 28(3), 32, 35(1), and 46 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following the Persónuvernd's findings that the use of the Seesaw educational system violated the GDPR.

Background to the decision

In particular, the Persónuvernd issued in December 2021 its decision where it found the City of Reykjavík in violation of the GDPR in its use of the Seesaw educational system. 

Therefore, in this particular decision, the Persónuvernd considered whether it should impose a fine and how much this should be, following its findings that the City of Reykjavík's violations concerned the personal data of children who enjoy special protection under the Act.

Findings of the Persónuvernd

Further to the above, the Persónuvernd considered that it was likely that their sensitive personal information was entered into the system as teacher feedback and information on students' private affairs in violation of Article 5 of the GDPR. Moreover, the Persónuvernd noted that the purpose of the processing was not sufficiently defined and thus the processing authorisation was void in accordance with Articles 6 and 28 of the GDPR. In addition, the Persónuvernd indicated that the principle of proportionality and data minimisation was not observed in accordance with Articles 5(1)(b) and (c) of the GDPR, and that there was a high risk of personal data being transferred to the United States and processed without adequate protection in violation of Articles 32, 35(1), and 46 of the GDPR. However, the Persónuvernd did acknowledge that no damage appeared to have been caused by the violations, the City of Reykjavík responded to the Persónuvernd's messages in the handling of the case in a clear and concise manner, and the city stopped supporting processing in the student system following its recommendations.

Outcomes

In conclusion, the Persónuvernd decided to impose a fine of ISK 5 million (approx. €35,840) on the City of Reykjavík, payable to the Treasury within one month from the date of this decision.

You can read the decision, only available in Icelandic, here and the European Data Protection Supervisor ('EDPS') summary here.