Breiðholt Multicultural School – €8,840 Fine (Iceland, 2020)

Persónuvernd received a notification of a personal data breach from Breiðholt Multicultural School. According to the notification, an attachment containing sensitive information about earlier students was mistakenly sent by a teacher to new students. The teacher mistakenly sent an email with an attachment that included information about interviews that had been conducted the previous semester. The document contained special categories of data concerning the former students. The comments included information about the students’ well-being, learning outcomes and social conditions. The information was to a large extent about qualities that the students’ lacked. In one case it related to the fact that the child protection authorities were connected. In another case there was information about mental health, and in another case, physical health. Persónuvernd highlighted that personal data must be processed in accordance to the principles found in Article 5 GDPR, in this case Article 5(1)(f) GDPR. In addition, Persónuvernd highlighted Article 32 GDPR as operationalising the requirement to implement adequate technical and organisational measures to ensure the secure processing of personal data. In light of the requirements for controllers to provide adequate security of personal data, Persónuvernd found that the dissemination of special categories of data was not in line with the requirements as found in GDPR. In reference to Article 83(2)(c), the Supervisory Authority referenced mitigating factors carried out by the school when assessing the fine.