Íslenskrar erfðagreiningar – Violation Found (Iceland, 2021)

The National University Hospital of Iceland (NUH) decided to engage a genetic company (the Company) to perform blood sample analysis in connection with scientific research on the SARS-2 Covid-19 virus. All patients admitted to the NHU between the 3rd and the 7th of April 2021 and who were diagnosed with the virus had submitted blood samples that were initially processed for clinical purposes. The blood samples were then sent to the Company for scientific research purposes. The competent authorities had authorised the scientific study on the 7th of April, after which the patients were asked to consent to the further processing of the already submitted samples for scientific purposes. The Icelandic DPA launched an investigation regarding the lawfulness of the processing. The Icelandic DPA first highlighted that the use of the blood samples for scientific research had been planned before the study was finally approved. The data subjects were however not informed of this possible use of the blood samples until after the approval of the study, when they were asked to consent to further processing. The Icelandic DPA therefore concluded that the processing did not take place in a legitimate, fair and transparent manner in accordance with Article 5(1)(a) GDPR. Due to the specific circumstances surrounding the outbreak of the Covid-19 pandemic, no administrative fines were imposed on the NHU or on the Company.