City of Reykjavík: Insufficient legal basis for data processing

The Icelandic DPA has imposed a fine of EUR 36,000 on the City of Reykjavík. The city had used the digital education system 'Seesaw' at several schools. The student system processed, among other things, personal data of minor students such as teacher feedback and information about students' private affairs. During its investigation, the DPA found that the purpose of the processing of the children's data had not been sufficiently clearly defined. In this context, the DPA also found a breach of the principle of proportionality and data minimization. In addition, the DPA concluded that the city had not implemented adequate technical and organizational measures regarding the protection of personal data. This would have been necessary given the high risk that the data might be transferred to and processed in the United States. In determining the fine, mitigating consideration was given to the fact that no damage was caused by the data breaches.

GDPR Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 32 GDPR
Industry: Public Sector and Education