Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Back
LinkedIn Created with Sketch. Twitter Created with Sketch.
20 December 2023

Iceland: Persónuvernd fines Kópavogur Municipality ISK 3M for multiple privacy violations in processing children's data

Privacy Impact AssessmentsPrivacy by Design and by DefaultChildren's DataEnforcement ActionsFinesPrivacy Law PrinciplesEducationAppsData TransfersVendor Management

On December 6, 2023, the Icelandic data protection authority (Persónuvernd) published its decision in Case No. 2022020414, as issued on November 28, 2023, in which it imposed a fine of ISK 3 million (approx. $21,860) on Kópavogur Municipality, for violations of the Act on Privacy and Processing of Personal Data (the Act) and the General Data Protection Regulation (GDPR), following an audit by the Persónuvernd into the use of Google cloud solution in elementary schools.

Background to the case

The Persónuvernd explained that it conducted an assessment into Kópavogur Municipality's use of Google's cloud solution, Google Workspace for Education, in elementary school activities. The case was part of a broader initiative by the European Data Protection Board (EDPD) emphasizing the protection of children's personal information in smart solutions. This audit was one of five targeting larger local authorities in Iceland.

Findings of the Persónuvernd

The Persónuvernd found that the processing of children's personal data using the Google student system in primary schools in the Kópavogur Municipality was not in accordance with the provisions of the privacy legislation. In particular, Kópavogur Municipality was found to have failed to:

  • comply with liability obligations in its decision to use Google as a processor (Articles 8, 23(1), and 25 of the Act and Articles 24(1) and 28 of the GDPR);
  • comply with the requirements in its processing agreement with Google (Article 28(3)(a) of the GDPR and Article 25(3) of the Act);
  • specify the purpose for processing in sufficient detail and not process personal data for incompatible purposes (Articles 8(1) and 8(2) of the Act and Articles 5(1)(b) and 6(4) of the GDPR);
  • comply with the minimization principle and built-in and default personal protection (Articles 8(1), 24(1), and 24(2) of the Act and Articles 5(1)(c), 25(1), and 25(2) of the GDPR);
  • fulfill storage limitation and default personal protection obligations (Articles 8(1), 8(5), and 24(2) of the Act and Articles 5(1)(e), and 25(2) of the GDPR);
  • conduct a timely impact assessment and comply with the requirements for the existing assessment (Articles 29(1) and 23 of the Act and Articles 24(1), 35(1), 35(7), and 35(11) of the GDPR); and
  • ensure safe personal data transfer to the United States (Article 46 of the GDPR).

Outcomes

In light of the above, the Persónuvernd issued an administrative fine of ISK 3 million to the Kópavogur Municipality. Additionally, the Persónuvernd stated that, if the Kópavogur Municipality wishes to continue to use Google cloud services, it must bring the processing of children's personal information into compliance with the privacy legislation, by correcting the abovementioned failings.

You can read the press release here and the decision here, both only available in Icelandic.

Company

Our Policies

Your Rights

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
© OneTrust, LLC. All Rights Reserved.
The materials herein are for informational purposes only and do not constitute legal advice.
Feedback