Iceland: Persónuvernd fines HEI ISK 1.5M for failure to comply with access request
The Icelandic data protection authority ('Persónuvernd') published, on 10 May 2022, its decision in Case No. 2020051610, as issued on 3 May 2022, in which it imposed a fine of ISK 1.5 million (approx. €10,770) on HEI - Medical Travel ehf, for violations of Articles 9(1) and 17(2) of Act 90/2018 on Privacy and Processing of Personal Data ('the Act') and Articles 15(1) and 15(3) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint.
Background to the decision
In particular, the Persónuvernd recalled that it had received a complaint from an individual alleging that HEI had not processed their request for access to their personal information. More specifically, the Persónuvernd highlighted that the complaint had been initiated when HEI had sent an unsolicited email to the individual, prompting the individual to request information from HEI regarding the collection, registration, and storage of their email address.
In this regard, the Persónuvernd noted that, according to HEI's statement, the individual's email address had been registered and obtained by an unauthorised employee, a breach which had been reported to the Persónuvernd on 30 January 2020. Furthermore, the Persónuvernd noted that HEI had claimed that the email had been sent by mistake and that it had not instructed the employee to send the same.
Findings of the Persónuvernd
Accordingly, the Persónuvernd concluded that, because the individual's email address had been obtained by an unauthorised employee, there was no authorisation for the processing of the individual's personal information, thereby violating Article 9(1) of the Act. Furthermore, the Persónuvernd determined that it is undisputed that HEI had not provided the individual with access to their personal information and that HEI had in fact deleted the individual's email address upon receiving the request. In addition, the Persónuvernd indicated that it is also clear that HEI did not inform the individual of how their information had been obtained, in accordance with Article 15 of the GDPR.
In calculating the fine, the Persónuvernd took into account various mitigating and aggravating factors, such as the number of individuals affected by the same situation and the fact that it is unclear whether the individual's email address had been lawfully obtained.
In light of the above, the Persónuvernd imposed a fine of ISK 1.5 million (approx. €10,770) on HEI, which shall be paid within one month from the date of ruling.
You can read the decision, only available in Icelandic, here.
UPDATE (24 May 2022)
EDPB publishes English press release of the Persónuvernd's decision
The European Data Protection Board ('EDPB') published, on 24 May 2022, an English press release on the Persónuvernd's decision to fine HEI following the unlawful processing of the complainant's personal information and the deletion of that information after receiving a request for access from the complainant.
You can read the press release here.