Iceland: Persónuvernd fines InfoMentor ISK 3.5M for student data breach
The Icelandic data protection authority ('Persónuvernd') announced, on 4 May 2021, that it had fined InfoMentor ehf., an education consultancy and technology platform, ISK 3,500,000 (approx. €23,350) after unauthorised parties were able to access the personal data of 424 children through the company's online platform. In particular, Persónuvernd outlined that security flaws in the company's platform meant that the personal data of students could be accessed simply by editing numbers in the relevant URL. Furthermore, Persónuvernd highlighted that InfoMentor had previously identified a solution to fix the security flaw but, through human error, had failed to correct the flaw despite receiving instructions from a network security company to do so. Thus, Persónuvernd considered that the security breach could have been prevented through adequate follow-up and testing of security measures.
In light of the above, Persónuvernd concluded that InfoMentor had failed to implement sufficient technical and organisational measures to ensure the security of the students' data, and had furthermore failed to protect the integrity and confidentiality of such data, in violation of Articles 5(1)(f) and 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
Lastly, Persónuvernd outlined that, in calculating the fine amount, it had taken into account, as an aggravating factor, that the data breach concerned the personal data of children, who enjoy special protection under Act 90/2018 on Privacy and Processing of Personal Data, and, as a mitigating factor, that there was no indication that affected individuals had suffered damage due to the security breach.