Iceland: Persónuvernd fines SAA ISK 3M for personal data breach
The Icelandic data protection authority ('Persónuvernd') announced, on 10 March 2020, that it had fined the National Center of Addiction Medicine ('SAA') ISK 3,000,000 (approx. €20,643) for a personal data breach. In particular, Persónuvernd highlighted that the breach occurred when a former employee of the SAA received boxes containing what were supposed to be personal belongings that he had left there. However, the boxes contained patient data as well, including health records of 252 former patients and records containing the names of approximately 3,000 people who had attended rehabilitation for alcohol and substance abuse.
After investigating the data breach, Persónuvernd concluded that it resulted from a failure to implement appropriate data protection policies and technical and organisational measures to protect the data held by the controller, in violation of Article 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').