Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Iceland: Persónuvernd issues fine of ISK 2M on City of Reykjavík for violation of children's data rights
On December 6, 2023, the Icelandic data protection authority (Persónuvernd) published its decision in Case No. 2022020363, as issued on November 28, 2023, in which it imposed a fine of ISK 2 million (approx. $14,560) on the City of Reykjavík, for violations of the Act on Privacy and Processing of Personal Data (the Act) and the General Data Protection Regulation (GDPR), following an audit by the Persónuvernd.
Background to the case
The Persónuvernd explained that it conducted an assessment into City of Reykjavík's use of Google cloud solution, Google Workspace for Education, in elementary school activities, focusing its assessment on the protection of children's personal information.
Findings of the Persónuvernd
The Persónuvernd found that the processing of children's personal data using the Google student system in primary schools in the City of Reykjavík was not in accordance with the provisions of the privacy legislation. In particular, City of Reykjavík was found to be in breach of the following:
- its liability obligations when an assessment was made and in its decision to use Google as a processor (Articles 8, 23, and 25(1) of the Act and Articles 5, 24(1), and 28(1) of the GDPR);
- its processing agreement with Google is not in accordance with privacy laws (Article 28(3)(a) of the GDPR and Article 25(3) of the Act);
- its failure to specify the purpose for processing and processing with incompatible purposes (Article 8(1) and 8(2) of the Act and Articles 5(1)(b) and 6(4) of the GDPR);
- its failure to uphold the minimization principle and built-in and default personal protection system (Articles 8(1), 8(3), 24(1), and 24(2) of the Act and Articles 5(1), 25(1), and 25(2) of the GDPR);
- its failure to comply with minimum requirements for the impact assessment on the processing (Articles 29(1) of the Act, and 35(7) of the GDPR); and
- its failure to ensure safe personal data transfer to the United States (Article 46 of the GDPR).
Outcomes
In light of the above, the Persónuvernd issued an administrative fine of ISK 2 million to the City of Reykjavík and ordered it to bring the processing of children's personal information into compliance in all the elementary schools within the Municipality, by correcting the abovementioned failings.
You can read the press release here and the decision here, both only available in Icelandic.