City of Kópavogur – €20,000 Fine (Iceland, 2023)

€20,000Persónuvernd6 December 2023Iceland
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The city of Kópavogur was fined EUR 20,000 for not adhering to data protection rules while using the Google Education system. They did not ensure that student data was only used for its intended purposes and had issues with data retention. This case serves as a reminder for public entities to be vigilant about data protection when working with third-party services.

What happened

The city of Kópavogur used the Google Education system without properly complying with data protection regulations.

Who was affected

Students whose data was processed by the Google Education system used by the city of Kópavogur.

What the authority found

The authority determined that the city failed to fulfill its responsibilities in selecting Google as a service provider and did not protect sensitive student data adequately.

Why this matters

This ruling shows that local governments must prioritize data protection when partnering with service providers. Other cities should assess their data handling practices to prevent similar violations.

GDPR Articles Cited

AI-verified

Art. 28(GDPR)
Art. 5(1) GDPR
Art. 24(1) GDPR
View original scraped data
Art. 5(1) GDPR
Art. 24(1) GDPR
Art. 28(GDPR)

Original data from scraper before AI verification against source document.

Source verified 13 March 2026
amount discrepancy
Iceland enforcementPersónuvernd actionsAll City of Kópavogur actions
Full Legal Summary
Detailed

The Icelandic DPA has imposed a fine of EUR 20,000 on the city of Kópavogur. The city had used the Google Education system without sufficiently complying with data protection regulations. In particular, the city did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the city did not ensure that the student data was not processed for purposes other than those specified by the city. Furthermore, the retention period was not considered appropriate but rather too extensive. In imposing the fine, particular consideration was given to the protection of sensitive children's data. Although no demonstrable damage had occurred, it was criticized that the city had not sufficiently ensured the secure transfer of data to the US in the past. However, the city cooperated transparently with the data protection authority and revised its data protection practices.

Related Enforcement Actions (0)

No other enforcement actions found for City of Kópavogur in IS

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

6 December 2023

Authority

Persónuvernd

Fine Amount

€20,000

Enforcement Tracker ID

ETid-2153

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. City of Kópavogur - Iceland (2023). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: