City of Reykjavík – €36,000 Fine (Iceland, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The City of Reykjavík was fined €36,000 for not properly protecting student data in its digital education system. The city failed to clearly define why it was collecting the data and didn't have strong enough security measures. This case highlights the need for clear data processing purposes and robust data protection, especially for sensitive information like children's data.
What happened
The City of Reykjavík used a digital education system that inadequately protected student data and lacked clear processing purposes.
Who was affected
Minor students whose personal data, including private affairs and teacher feedback, was processed by the city's education system.
What the authority found
The Icelandic DPA fined the city for not having a clear purpose for data processing and inadequate security measures, violating GDPR principles.
Why this matters
This ruling emphasizes the importance of defining clear purposes for data collection and implementing strong security measures. Organizations handling sensitive data, especially involving children, must ensure compliance to avoid significant fines.
GDPR Articles Cited
The Icelandic DPA has imposed a fine of EUR 36,000 on the City of Reykjavík. The city had used the digital education system 'Seesaw' at several schools. The student system processed, among other things, personal data of minor students such as teacher feedback and information about students' private affairs. During its investigation, the DPA found that the purpose of the processing of the children's data had not been sufficiently clearly defined. In this context, the DPA also found a breach of the principle of proportionality and data minimization. In addition, the DPA concluded that the city had not implemented adequate technical and organizational measures regarding the protection of personal data. This would have been necessary given the high risk that the data might be transferred to and processed in the United States. In determining the fine, mitigating consideration was given to the fact that no damage was caused by the data breaches.
Related Enforcement Actions (0)
No other enforcement actions found for City of Reykjavík in IS
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
3 May 2022
Authority
Persónuvernd
Fine Amount
€36,000
Enforcement Tracker ID
ETid-1154
About this data
Cite as: Cookie Fines. City of Reykjavík - Iceland (2022). Retrieved from cookiefines.eu
Last updated: