The Icelandic data protection authority ('Persónuvernd') published, on 4 August 2022, its decision in Case No. 2020061952, as issued on 29 June 2022, in which it found Landspítali, an Icelandic hospital, in violation of Article 38(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and Article 35(3) of the Act 90/2018 on Privacy and Processing of Personal Data ('the Act'), following an ex officio assessment.

Background to the decision

In particular, the Persónuvernd reported that it had decided to carry out an assessment of the position of Landspítali's data protection officer ('DPO') and to investigate whether the requirements under the Act and the GDPR were complied with.

Findings of the Persónuvernd

Further to the above and based on the elements acquired, the Persónuvernd found that Landspítali had not ensured that the DPO would be involved in all issues related to the protection of personal data in an appropriate and timely manner, thus violating Article 38(1) of the GDPR and Article 35(3) of the Act. However, the Persónuvernd determined that Landspítali had provided its DPO with appropriate resources and that no violations had been found in relation to the DPO's reporting to Landspítali's legal department, as care was taken to ensure, on one hand, that the DPO was not instructed how to carry out their tasks and, on the other hand, that the same would have access to the Landspítali's highest management.

Outcomes

In conclusion, the Persónuvernd found Landspítal in violation of Article 38(1) of the GDPR and Article 35(3) of the Act and, accordingly, it ordered Landspítali to ensure an appropriate and timely involvement of the DPO in all matters related to the protection of personal data.

You can read the decision, only available in Icelandic, here.