Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

Filtering by source: Icelandic data protection authority ('Persónuvernd') (22 items)

Primary Health Care in the Capital Area: Insufficient legal basis for data processing

€34,300 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 34,300 on the Primary Health Care in the Capital Area. The controller processed personal and health data in shared medical record systems by merging its medical records with those of other parties and granting them access to its patients' records.

Stjörnuna ehf: Non-compliance with general data processing principles

€10,000 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 10,000 on Stjörnuna ehf. (the operator of a Subway branch). An employee had filed a complaint with the DPA regarding video surveillance in the restaurant. During its investigation, the DPA found that the video surveillance of the employees lacked a valid legal basis and was not considered necessary. The DPA also found that the controller failed to inform the employees about the video surveillance.

Garðabær municipality: Non-compliance with general data processing principles

€16,600 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 16,600 on the municipality of Garðabær. The municipality had used the Google Education system without sufficiently complying with data protection regulations. In particular, the municipality did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the municipality did not ensure that the student data was not processed for purposes other t

City of Hafnarfjörður: Non-compliance with general data processing principles

€18,600 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 18,600 on the city of Hafnarfjörður. The city had used the Google Education system without sufficiently complying with data protection regulations. In particular, the city did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the city did not ensure that the student data was not processed for purposes other than those specified by the

City of Kópavogur: Non-compliance with general data processing principles

€20,000 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 20,000 on the city of Kópavogur. The city had used the Google Education system without sufficiently complying with data protection regulations. In particular, the city did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the city did not ensure that the student data was not processed for purposes other than those specified by the city

City of Reykjavik: Non-compliance with general data processing principles

€13,300 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 13,300 on the city of Reykjavik. The city had used the Google Education system in schools without sufficiently complying with data protection regulations. In particular, the city did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the city did not ensure that the student data was not processed for purposes other than those specified

Reykjanesbær municipality: Non-compliance with general data processing principles

€16,600 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 16,600 on the municipality of Reykjanesbær. The municipality had used the Google Education system without sufficiently complying with data protection regulations. In particular, the municipality did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the municipality did not ensure that the student data was not processed for purposes oth

University of Iceland: Insufficient fulfilment of information obligations

€10,300 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has fined the University of Iceland EUR 10,300. The university had not provided sufficient notice of the existence of video surveillance cameras on university buildings and had not provided sufficient information about the purpose, nature and scope of the data processing.

Heilsuveru: Insufficient technical and organisational measures to ensure information security

€81,000 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has fined Heilsuveru EUR 81,000. The controller had reported a data breach to the DPA, as two unauthorized persons had managed to view personal data. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data.

Sjúkratyringur Íslands: Insufficient technical and organisational measures to ensure information security

€13,400 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 13,400 on Sjúkratyringur Íslands. During its investigation, the DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data. This included the lack of multi-factor authentication for access to health information and the controller's use of real data in the development of a system. In assessing the fine, it was considered aggravating that a large number of individuals were affected by the

eCommerce 2020 ApS: Insufficient legal basis for data processing

€51,000 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 51,000 on eCommerce 2020 ApS. The controller had submitted information on loan defaults for registration even though the required registration conditions for this were not in place. For instance, unpaid small loans were registered although they were below the required minimum amount. In assessing the fine, the fact that a large number of people were affected by the incident and that the controller was pursuing profits were considered aggravating f

Almennri innheimtu ehf: Insufficient legal basis for data processing

€24,000 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 24,000 on Almennri innheimtu ehf. The controller had submitted information on loan defaults for registration even though the required registration conditions for this were not in place. For instance, unpaid small loans were registered although they were below the required minimum amount. In assessing the fine, the fact that a large number of people were affected by the incident and that the controller was pursuing profits were considered aggravati

Creditinfo Lánstraust hf.: Insufficient legal basis for data processing

€257,000 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 257,000 on Creditinfo Lánstraust hf. The controller had registered information on loan defaults even though the required registration conditions for this were not in place. For instance, unpaid small loans were registered although they were below the required minimum amount. In assessing the fine, the fact that a large number of people were affected by the incident and that the controller was pursuing profits were considered aggravating factors.

City of Reykjavík: Insufficient legal basis for data processing

€36,000 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 36,000 on the City of Reykjavík. The city had used the digital education system 'Seesaw' at several schools. The student system processed, among other things, personal data of minor students such as teacher feedback and information about students' private affairs. During its investigation, the DPA found that the purpose of the processing of the children's data had not been sufficiently clearly defined. In this context, the DPA also found a breach of th

HEI – Medical Travel: Insufficient fulfilment of data subjects' rights

€10,600 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 10,600 on HEI - Medical Travel. A data subject had filed a complaint with the DPA against the controller. The controller had gained access to the data subject's email via the Icelandic Medical Association's internal website and had then sent them unsolicited emails. The DPA found that such access was unlawful due to the lack of a valid legal basis. In addition, the data subject had asked the controller for information about the processing of their pers

Hörpu tónlistar- og ráðstefnuhúss ohf.: Non-compliance with general data processing principles

€7,000 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has fined Hörpu tónlistar- og ráðstefnuhúss ohf. EUR 7,000. The DPA had received a complaint regarding the concert hall's collection of ID number and date of birth information as part of an electronic ticket purchase. The incident occurred prior to the start of the Covid-19 pandemic, when the registration of personal data for contact tracking in the context of event visits was not yet required. The DPA concluded that it would not have been necessary to collect the data for issu

YAY ehf.: Non-compliance with general data processing principles

€27,200 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic Data Protection Authority has imposed a fine of EUR 51,000 on the Ministry of Industry and Innovation and a fine of EUR 27,200 on YAY ehf. The fine is related to a campaign by the ministry to encourage Icelanders to travel domestically in the summer of 2020. This involved a digital gift voucher that could be obtained through the app of the company YAY ehf. The DPA received a number of complaints regarding the fact that the use of the travel gift required extensive personal informat

Icelandic Ministry of Industry and Innovation: Non-compliance with general data processing principles

€51,000 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic Data Protection Authority has imposed a fine of EUR 51,000 on the Ministry of Industry and Innovation and a fine of EUR 27,200 on YAY ehf. The fine is related to a campaign by the ministry to encourage Icelanders to travel domestically in the summer of 2020. This involved a digital gift voucher that could be obtained through the app of the company YAY ehf. The DPA received a number of complaints regarding the fact that the use of the travel gift required extensive personal informat

Huppuís ehf: Non-compliance with general data processing principles

€34,000 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA (Persónuvernd) has imposed a fine of EUR 34,000 on Huppuís ehf. A former employee filed a complaint against the controller with the DPA. The reason for this was the camera surveillance installed by the controller. During their shifts, the controller's employees wore clothing provided by the controller. However, the designated changing room of the store was a storage room in which large quantities of cleaning materials were stored. Due to a lack of sufficient space in this room,

InfoMentor ehf: Insufficient technical and organisational measures to ensure information security

€23,100 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA (Persónuvernd) has imposed a fine of EUR 23,100 on InfoMentor ehf. Previously, the controller had reported a data breach according to Art. 33 GDPR. The incident concerned the company's online system, which is mainly used by schools and other institutions for communication and information purposes. In the course of its investigations, the DPA determined that inadequate technical and organizational security measures on the part of the controller led to the breach. Due to a securi

National Center of Addiction Medicine ('SAA'): Insufficient technical and organisational measures to ensure information security

€20,600 fine - Icelandic data protection authority ('Persónuvernd')

Persónuvernd noted that a former employee of the SAA received boxes of allegedly personal belongings that he had left there, but which also contained patient data, including the health records of 252 former patients and documents with the names of about 3,000 people who had participated in rehabilitation for alcohol and drug abuse.

Breiðholt Upper Secondary School: Insufficient technical and organisational measures to ensure information security

€9,000 fine - Icelandic data protection authority ('Persónuvernd')

In violation of Art. 32 GDPR, a teacher had sent an e-mail to his students and their parents with an attachment containing data on their well-being, academic performance and social conditions.