Icelandic Ministry of Industry and Innovation (MII) fined for violations

Iceland’s data protection authority (Persónuvernd) has imposed administrative penalties of ISK 7.5 million (approximately €51 000) on MII and ISK 4 million (approximately €27 250) on YAY ehf. for violating a number of GDPR provisions. To boost the tourism sector, the Ministry commissioned Yay to issue digital gift vouchers to all persons over the age of 18 residing in Iceland, through an existing application developed by Yay. Persónuvernd received many complaints from data subjects because using the digital vouchers required a lot of personal data and access to users’ phones.

Due to the economic situation, great emphasis was placed on speed in both the design and implementation phases of the application, which led to the unlawful, redundant collection of a large amount of personal data. The infringement also concerned the conditions for consent to the processing of personal data, and the information on the processing provided to users was inadequate. In the course of the proceedings, Persónuvernd noted that MII (controller) did not enter into an entrustment agreement with Yay (processor) for the processing of personal data.
The processors acted contrary to the principles of privacy by design and privacy by default and failed to ensure an adequate level of protection of personal data. This is the price for the rush to create and implement IT solutions.

In determining the amount of the sanction, Persónuvernd took into account, among other things, the nature and scope of the processing, and treated the multiple violations of the GDPR as aggravating circumstances. As mitigating circumstances, it considered that the Ministry and Yay updated their procedures after the initiation of the proceedings, entered into a data processing agreement and provided data subjects with information about the processing.
