Landspítali – The National University Hospital of Iceland – Violation Found (Iceland, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Landspítali Hospital did not conduct a new Data Protection Impact Assessment (DPIA) before moving staff to another company's facilities for COVID-19 testing. The Icelandic DPA found this oversight problematic. This case emphasizes the need for updated assessments when changing how personal data is processed.
What happened
Landspítali Hospital failed to conduct a new DPIA before relocating staff to another company's facilities for COVID-19 testing.
Who was affected
Patients whose personal data was processed during COVID-19 testing at Landspítali Hospital and the subcontracted facilities.
What the authority found
The Icelandic DPA found that Landspítali Hospital should have conducted a new DPIA to comply with GDPR when changing data processing locations.
Why this matters
This case highlights the importance of conducting new DPIAs when there are significant changes in data processing activities. Organizations should regularly review and update their data protection measures to ensure compliance.
Since 2015, the Icelandic health authorities had appointed Landspítali Hospital (the Hospital) to conduct border and domestic screening to monitor the spread of infectious diseases. It was agreed that the Hospital was allowed to subcontract services in order to carry out this screening. In June 2020, the Hospital sought the services of a company named Icelandic Genealogy (IG) to conduct COVID-19 screening tests. A Data Protection Impact Assessment (DPIA) was carried out by the Icelandic Medical Director of Health (the Director) in consultation with the Icelandic DPA. The DPA observed that there was no indication that this processing would violate the GDPR. As a result, the Hospital outsourced part of the testing and screening activities to IG.
However, in August 2020, the Hospital publicly announced that they would temporarily relocate part of their own staff to IG’s facilities to use some of their equipment and software (Virlab) in order to increase their screening capacity. Following this announcement, the Icelandic DPA asked the Hospital for specific information regarding security measures related to the processing of personal data, and whether a new DPIA had been carried out by the Hospital before relocating part of their staff to IG’s facilities. The Hospital disregarded this request, and relocated part of its staff to IG’s facilities, as planned. The DPA reiterated their request in September 2020.
The Hospital then responded to the DPA, apologising for the delay, and explaining that they had begun using IG’s facilities expeditiously in order to respond to the increased demand in sampling due to the pandemic. The Hospital also stated that they had not conducted a new DPIA because they considered that the previous DPIA applied to the processing that would now temporarily take place at IG’s facilities. However, prior to the transfer of some staff members to IG’s facilities, IG only had access to sample numbers sent by the Hospital. Once part of the Hospital's sta
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Landspítali – The National University Hospital of Iceland - Iceland (2021). Retrieved from cookiefines.eu