Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Iceland: Persónuvernd fines Kópavogur Municipality ISK 3M for multiple privacy violations in processing children's data
On December 6, 2023, the Icelandic data protection authority (Persónuvernd) published its decision in Case No. 2022020414, as issued on November 28, 2023, in which it imposed a fine of ISK 3 million (approx. $21,860) on Kópavogur Municipality, for violations of the Act on Privacy and Processing of Personal Data (the Act) and the General Data Protection Regulation (GDPR), following an audit by the Persónuvernd into the use of Google cloud solution in elementary schools.
Background to the case
The Persónuvernd explained that it conducted an assessment into Kópavogur Municipality's use of Google's cloud solution, Google Workspace for Education, in elementary school activities. The case was part of a broader initiative by the European Data Protection Board (EDPD) emphasizing the protection of children's personal information in smart solutions. This audit was one of five targeting larger local authorities in Iceland.
Findings of the Persónuvernd
The Persónuvernd found that the processing of children's personal data using the Google student system in primary schools in the Kópavogur Municipality was not in accordance with the provisions of the privacy legislation. In particular, Kópavogur Municipality was found to have failed to:
- comply with liability obligations in its decision to use Google as a processor (Articles 8, 23(1), and 25 of the Act and Articles 24(1) and 28 of the GDPR);
- comply with the requirements in its processing agreement with Google (Article 28(3)(a) of the GDPR and Article 25(3) of the Act);
- specify the purpose for processing in sufficient detail and not process personal data for incompatible purposes (Articles 8(1) and 8(2) of the Act and Articles 5(1)(b) and 6(4) of the GDPR);
- comply with the minimization principle and built-in and default personal protection (Articles 8(1), 24(1), and 24(2) of the Act and Articles 5(1)(c), 25(1), and 25(2) of the GDPR);
- fulfill storage limitation and default personal protection obligations (Articles 8(1), 8(5), and 24(2) of the Act and Articles 5(1)(e), and 25(2) of the GDPR);
- conduct a timely impact assessment and comply with the requirements for the existing assessment (Articles 29(1) and 23 of the Act and Articles 24(1), 35(1), 35(7), and 35(11) of the GDPR); and
- ensure safe personal data transfer to the United States (Article 46 of the GDPR).
Outcomes
In light of the above, the Persónuvernd issued an administrative fine of ISK 3 million to the Kópavogur Municipality. Additionally, the Persónuvernd stated that, if the Kópavogur Municipality wishes to continue to use Google cloud services, it must bring the processing of children's personal information into compliance with the privacy legislation, by correcting the abovementioned failings.
You can read the press release here and the decision here, both only available in Icelandic.