Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Iceland: Persónuvernd fines SAA ISK 3M for personal data breach

The Icelandic data protection authority ('Persónuvernd') announced, on 10 March 2020, that it had fined the National Center of Addiction Medicine ('SAA') ISK 3,000,000 (approx. €20,643) for a personal data breach. In particular, Persónuvernd highlighted that the breach occurred when a former employee of the SAA received boxes containing what were supposed to be personal belongings that he had left there. However, the boxes contained patient data as well, including health records of 252 former patients and records containing the names of approximately 3,000 people who had attended rehabilitation for alcohol and substance abuse.

After carrying out an investigation of the data breach, Persónuvernd concluded that the breach was a result of a lack of implementation of appropriate data protection policies, and technical and organisational measures to protect the data held by the controller, which is in violation of Article 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

You can read the press release here and the decision, only available in Icelandic, here.