Iceland’s data protection authority (Persónuvernd) has imposed administrative penalties of ISK 7.5 million (approximately €51 000) on MII ISK 4 million (approximately €27 250) on YAY ehf. for violating a number of the GDPR provisions. In order to boost the tourism sector, the Ministry commissioned Yay to issue digital gift vouchers to all persons over the age of 18 residing in Iceland, through an existing application developed by Yay. Persónuvernd received many complaints from data subjects because the use of the digital vouchers required a lot of personal data and access to users’ phones.
In determining the amount of the sanction, Persónuvernd took into account, among other things, the nature and scope of the processing, as well as multiple violations of the GDPR as aggravating circumstances. The mitigation of the administrative penalty was influenced by the fact that the Ministry and Yay updated their procedures after the initiation of the proceedings, entered into a data processing agreement and provided data subjects with information about the processing.