Harpa Music and Conference Center – €6,800 Fine (Iceland, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Harpa Music and Conference Center was fined for requiring customers to provide their ID numbers when buying tickets. The Icelandic DPA found this unnecessary and a violation of data protection rules. This case highlights the importance of collecting only essential customer information.
What happened
Harpa Music and Conference Center required customers to provide their ID numbers to buy tickets, which was deemed unnecessary.
Who was affected
Individuals purchasing tickets for events at Harpa Music and Conference Center.
What the authority found
The Icelandic DPA ruled that requiring full ID numbers for ticket purchases violated the principle of data minimization.
Why this matters
This ruling reinforces the need for businesses to limit data collection to what is strictly necessary. It serves as a reminder to review and adjust data collection practices to comply with GDPR standards.
GDPR Articles Cited
A data subject issued a complaint with the Icelandic DPA due to the fact that they were required to provide their ID number when purchasing tickets for a musical event in Harpa Music and Conference Center (its administration is the controller) through the ticket sales system Tix Miðasala (processor). When they were not able to purchase the tickets without providing the ID number, the data subject contacted the processor. The processor informed the data subject that they were not required to fill in their full ID number, and that it was enough to provide the first six digits, which correspond to their date of birth in Icelandic ID numbers. The data subject considered that their ID number or date of birth were unnecessary data requirements for the purchase of a ticket. The controller claimed that the processor collected the ID number in order to verify the identity of the person collecting the tickets purchased online, and that this is a common practice among event organizers in Iceland. The Icelandic DPA launched its investigation, and found that the field for the ID number was marked as a necessary requirement when purchasing a ticket with the processor’s online platform. The DPA noted that the controller and the processor’s privacy policies stated that the customer’s ID number was collected in order to verify their identity, and that there was no indication in these policies, or during the purchase process, that this was an optional requirement which could be fulfilled with just the first six digits corresponding to the date of birth. The DPA also noted that this field was required before the data subject chose the ticket delivery method. In cases where the ticket is delivered to a physical address or an email, it would not be necessary to provide the ID number, as this requirement is only relevant when collecting the tickets personally at the venue’s booth. Furthermore, the DPA held that requiring a data subject’s ID number, or their date of birth, was not nec
Related Enforcement Actions (0)
No other enforcement actions found for Harpa Music and Conference Center in IS
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Harpa Music and Conference Center - Iceland (2022). Retrieved from cookiefines.eu
Last updated: