Íslandsbanki – Complaint Upheld (Iceland, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Icelandic DPA found that Íslandsbanki violated data protection rules by allowing unauthorized access to a customer's online banking account due to human error. This case shows the importance of ensuring only authorized individuals can access sensitive financial information. Banks must implement strict controls to prevent such errors.
What happened
Íslandsbanki allowed unauthorized access to a customer's online banking account due to human error.
Who was affected
A customer of Íslandsbanki whose financial information was accessed by an unauthorized person.
What the authority found
The Icelandic DPA determined that there was no legal basis for granting access to the complainant's data, violating data protection rules.
Why this matters
This decision emphasizes the need for banks to have strict access controls and to prevent unauthorized access to sensitive data. It serves as a warning that even human errors can lead to serious privacy violations.
The complainant complained to the Icelandic DPA (Persónuvernd) that an unauthorized person (his mother) was given access to his online banking account by his bank, Íslandsbanki. The complainant's mother was able to read his financial information and portfolio of securities without his consent. The complainant claimed that this was a violation of his right to confidentiality and privacy. Íslandsbanki argued that the complainant's mother was given access to his personal data in online banking due to a human error by an employee. Íslandsbanki stated that neither the complainant's consent nor a proxy had been obtained for the purpose of granting access to an unauthorized person. Íslandsbanki also stated that it did not report the security breach to the DPA because it was unlikely to pose a risk to the complainant's rights and freedoms (Article 27(2) Act 90/2018): there was limited risk to the data subject because the unauthorized person granted access was a member of his family and the read access was limited to the complainant's portfolio of securities.

Was granting access to the complainant's online banking to an unauthorised person as a result of a human error a violation of Act 90/2018 and the GDPR?

The Icelandic DPA clarified that a legal basis for processing was required under Act 90/2018. This could be either consent (Article 9(1) Act 90/2018) or necessity for the legitimate interests of the controller (Article 9(6) Act 90/2018). The DPA established that there was no such legal basis, as access to the complainant's online banking personal data was granted to his mother as a result of a human error by an employee at Íslandsbanki. The Icelandic DPA established that there is a duty to respect the principle that processing of personal data must be secured according to Article 8(1)(6) Act 90/2018 (Article 5(1)(f) GDPR). This was interpreted as requiring that personal data must be kept secret from unauthorised persons. The Icelandic DPA then referred to Article 23 A
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Íslandsbanki in IS
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Íslandsbanki - Iceland (2020). Retrieved from cookiefines.eu