Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Iceland: Persónuvernd orders Landspítali to involve DPO in data protection matters in timely manner

The Icelandic data protection authority ('Persónuvernd') published, on 4 August 2022, its decision in Case No. 2020061952, as issued on 29 June 2022, in which it found Landspítali, an Icelandic hospital, in violation of Article 38(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and Article 35(3) of the Act 90/2018 on Privacy and Processing of Personal Data ('the Act'), following an ex officio assessment.

Background to the decision

In particular, the Persónuvernd reported that it had decided to carry out an assessment of the position of Landspítali's data protection officer ('DPO') and to investigate whether the requirements under the Act and the GDPR were complied with.

Findings of the Persónuvernd

Further to the above and based on the elements acquired, the Persónuvernd found that Landspítali had not ensured that the DPO would be involved in all issues related to the protection of personal data in an appropriate and timely manner, thus violating Article 38(1) of the GDPR and Article 35(3) of the Act. However, the Persónuvernd determined that Landspítali had provided its DPO with appropriate resources and that no violations had been found in relation to the DPO's reporting to Landspítali's legal department, as care was taken to ensure, on one hand, that the DPO was not instructed how to carry out their tasks and, on the other hand, that the same would have access to the Landspítali's highest management.


In conclusion, the Persónuvernd found Landspítal in violation of Article 38(1) of the GDPR and Article 35(3) of the Act and, accordingly, it ordered Landspítali to ensure an appropriate and timely involvement of the DPO in all matters related to the protection of personal data.

You can read the decision, only available in Icelandic, here.