City of Reykjavik – €13,300 Fine (Iceland, 2023)

€13,300Persónuvernd6 December 2023Iceland
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The city of Reykjavik was fined EUR 13,300 for not following data protection rules while using Google Education in schools. They failed to ensure that student data was handled properly and securely, especially when transferring it to the US. This case highlights the importance of protecting sensitive children's data and complying with data protection regulations.

What happened

Reykjavik used the Google Education system in schools without properly complying with data protection regulations.

Who was affected

Students whose data was processed by the Google Education system in Reykjavik schools.

What the authority found

The data protection authority found that Reykjavik did not fulfill its obligations when selecting Google as a service provider, violating GDPR requirements.

Why this matters

This ruling emphasizes that municipalities must ensure compliance with data protection rules when using third-party services. Other local governments should review their data handling practices to avoid similar issues.

GDPR Articles Cited

AI-verified

Art. 28(GDPR)
Art. 5(1) GDPR
Art. 24(1) GDPR
View original scraped data
Art. 5(1) GDPR
Art. 24(1) GDPR
Art. 28(GDPR)

Original data from scraper before AI verification against source document.

Source verified 13 March 2026
amount discrepancy
Iceland enforcementPersónuvernd actionsAll City of Reykjavik actions
Full Legal Summary
Detailed

The Icelandic DPA has imposed a fine of EUR 13,300 on the city of Reykjavik. The city had used the Google Education system in schools without sufficiently complying with data protection regulations. In particular, the city did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the city did not ensure that the student data was not processed for purposes other than those specified by the city. In imposing the fine, particular consideration was given to the protection of sensitive children's data. Although no demonstrable damage had occurred, it was criticized that the city had not sufficiently ensured the secure transfer of data to the US in the past. However, the municipality cooperated transparently with the data protection authority and revised its data protection practices.

Related Enforcement Actions (1)

Other enforcement actions involving City of Reykjavik in IS

Complaint Upheld
Mar 2023· Persónuvernd

The city of Reykjavik (controller) sent a health report about a child to the wrong person by email. The document was locked but the password to open i...

Current
Dec 2023

Fine

€13K

Details

Fine Date

6 December 2023

Authority

Persónuvernd

Fine Amount

€13,300

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. City of Reykjavik - Iceland (2023). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: