YAY ehf. – €27,200 Fine (Iceland, 2021)

The Icelandic Data Protection Authority has imposed a fine of EUR 51,000 on the Ministry of Industry and Innovation and a fine of EUR 27,200 on YAY ehf. The fine is related to a campaign by the ministry to encourage Icelanders to travel domestically in the summer of 2020. This involved a digital gift voucher that could be obtained through the app of the company YAY ehf. The DPA received a number of complaints regarding the fact that the use of the travel gift required extensive personal information and access to users' phones. As a result, the DPA launched investigations against the ministry and the company. The DPA found that the ministry had violated the principle of legality and transparency. Participating individuals were only required to agree to the General Terms of Use of the YAY app in order to participate in the voucher promotion. However, the DPA found that by doing so, the data subjects had not expressly consented to the processing of their personal data carried out as part of the promotion. The DPA also found that the information provided about the actual processing of personal data was insufficient. Moreover, neither the ministry nor YAY ehf. had implemented appropriate technical and organizational measures to ensure the security of the processing of personal data. Also, due to a configuration error on the part of YAY, more data than necessary was processed, which is why the DPA found a violation of the principle of data minimization.