Ministry of Industries and Innovation – €78,200 Fine (Iceland, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Iceland's Ministry of Industries and Innovation was fined for mishandling personal data through a digital gift card app. The app collected too much personal information and didn't properly inform users about how their data was used. This case highlights the importance of transparency and data minimization in digital services.
What happened
The Ministry collected excessive personal data through a digital gift card app without proper consent or transparency.
Who was affected
Icelanders over 18 who used the digital gift card app and shared personal data like email, phone number, and more.
What the authority found
The Icelandic DPA found the Ministry violated data protection rules by not having a lawful basis for data collection and failing to inform users properly.
Why this matters
This case underscores the need for clear communication and minimal data collection in apps. Businesses should ensure they have a valid reason for collecting user data and inform users clearly about its use.
In September 2020, the Icelandic DPA initiated an investigation into a digital gift card application provided by the Ministry of Industries and Innovation (the Ministry) and developed by the company YAY ehf (YAY). The aim of the application was to issue a digital gift certificate to all Icelanders over 18 years old in order to stimulate domestic tourism in the summer of 2020 during the COVID-19 pandemic. After the app was published on 18 June 2020, the DPA became aware that, in order to use the digital gift card, users of the application had to submit personal data such as email address, phone number, age and gender. Moreover, users were also required in some cases to give access to their phones' camera, microphone, GPS location, calendar and contact information, as well as data on USB storage.
The DPA decided to open an investigation to assess whether the collection of users' data and the acquisition of access rights to their mobile devices by the digital gift card application complied with the GDPR and the Icelandic Act no. 90/2018 on data protection and the processing of personal data. In the context of this investigation, the Icelandic DPA found that the Ministry was the controller of the personal data and that YAY was a processor of the personal data.
In its decision of 23 November 2021, the Icelandic DPA came to the conclusion that the Ministry had breached several principles of the data protection legislation. More specifically, the Icelandic DPA found that the Ministry had (1) collected a large amount of users' personal data without having a lawful basis; (2) failed to obtain valid consent for the processing of users' data; (3) required extensive access rights to users' mobile devices, in violation of the principle of data minimisation; and (4) failed to provide the users with adequate information on the use of their data. Furthermore, the Icelandic DPA stated that both the Ministry and YAY had failed to implement appropriate
Related Enforcement Actions (0)
No other enforcement actions found for Ministry of Industries and Innovation in IS
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
23 November 2021
Authority
Persónuvernd
Fine Amount
€78,200
11,500,000 ISK
GDPRhub ID
gdprhub-4398
Cite as: Cookie Fines. Ministry of Industries and Innovation - Iceland (2021). Retrieved from cookiefines.eu