Chief Epidemiologist of the Office of the Medical Director of Health – Violation Found (Iceland, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Icelandic DPA found that the Chief Epidemiologist's agreement with a hospital for COVID-19 testing was missing important details about data handling. The agreement didn't fully comply with GDPR rules, so the DPA ordered a new agreement. This case shows the importance of clear contracts when sharing personal data.
What happened
The Chief Epidemiologist's data processing agreement with a hospital for COVID-19 testing lacked several GDPR-required details.
Who was affected
Individuals whose personal data was processed during COVID-19 testing by the Chief Epidemiologist and the hospital.
What the authority found
The Icelandic DPA found the data processing agreement incomplete and ordered the Chief Epidemiologist to create a new one that meets GDPR requirements.
Why this matters
This decision highlights the necessity for detailed data processing agreements when sharing personal data. Organizations should ensure their contracts cover all GDPR requirements to avoid compliance issues.
GDPR Articles Cited
Entities Involved
Upon learning that the Chief Epidemiologist had outsourced screening for the SARS-CoV-2 virus as well as antibody testing to a hospital and a genetic research company, the Icelandic DPA initiated an investigation into the lawfulness of the processing. The Icelandic DPA first highlighted that, in connection with the virus screening and antibody testing, the Chief Epidemiologist acted as a controller in accordance with the Icelandic Epidemiology Act. The Icelandic DPA further found that Landspítali (the Hospital) was only processing personal data on behalf of the Chief Epidemiologist, and was thus acting as a processor, while the company Icelandic Genetics (Icelandic Genetics) was acting as a sub-processor of the personal data.
The Icelandic DPA held that the processing of personal data for SARS-CoV-2 screening and testing by the Chief Epidemiologist and the Hospital was overall compliant with data protection law. However, the Icelandic DPA found that the data processing agreement between the Chief Epidemiologist and the Hospital was incomplete with regard to several requirements set out in Article 28(3) GDPR, notably points b, c, e, f, g and h. For example, the processing agreement did not contain any information on the deletion or return of personal data (Article 28(3)(g) GDPR). In addition, the processing agreement referenced outdated data protection legislation. The DPA therefore ordered the Chief Epidemiologist to enter into a new data processing agreement with the Hospital which would comply with all the requirements of Article 28(3) GDPR.
Furthermore, the Icelandic DPA held that the data subjects should have received more information on the purpose of the processing by Icelandic Genetics pursuant to Article 14(1) GDPR. In particular, it was unclear whether the screening and testing only served as a measure for disease control or whether it could also be used for scientific research. The Icelandic DPA therefore concluded that Icelandic Genetics sho
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Chief Epidemiologist of the Office of the Medical Director of Health in IS
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Chief Epidemiologist of the Office of the Medical Director of Health - Iceland (2021). Retrieved from cookiefines.eu