Garðabær municipality – €16,600 Fine (Iceland, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Garðabær municipality was fined EUR 16,600 for not adequately protecting student data while using Google Education. They did not ensure that the data was only used for its intended purposes and kept it longer than necessary. This case serves as a reminder for organizations to prioritize data protection, especially for sensitive information.
What happened
Garðabær municipality failed to comply with data protection regulations while using Google Education.
Who was affected
Students whose data was processed by Google Education through the municipality were affected.
What the authority found
The authority determined that Garðabær did not fulfill its responsibilities in selecting Google as a service provider and protecting sensitive data.
Why this matters
This decision highlights the need for municipalities and other organizations to ensure they follow data protection rules when using third-party services. It encourages businesses to evaluate their data handling practices.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The Icelandic DPA has imposed a fine of EUR 16,600 on the municipality of Garðabær. The municipality had used the Google Education system without sufficiently complying with data protection regulations. In particular, the municipality did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the municipality did not ensure that the student data was not processed for purposes other than those specified by the municipality. Furthermore, the retention period was not considered appropriate but rather too extensive. In imposing the fine, particular consideration was given to the protection of sensitive children's data. Although no demonstrable damage had occurred, it was criticized that Garðabær had not sufficiently ensured the secure transfer of data to the US in the past. However, the municipality cooperated transparently with the data protection authority and revised its data protection practices.
Related Enforcement Actions (0)
No other enforcement actions found for Garðabær municipality in IS
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
6 December 2023
Authority
Persónuvernd
Fine Amount
€16,600
Enforcement Tracker ID
ETid-2141
About this data
Cite as: Cookie Fines. Garðabær municipality - Iceland (2023). Retrieved from cookiefines.eu
Last updated: