Íslensk erfðagreining – Violation Found (Iceland, 2022)

Violation Found
Persónuvernd, 29 June 2022, Iceland
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Icelandic DPA found that a genetic research company did not ensure its Data Protection Officer (DPO) was independent, as the DPO also held other roles that could cause conflicts of interest. The company was instructed to fix this issue but was not fined. This case shows the importance of maintaining DPO independence in organizations.

What happened

The Icelandic DPA found conflicts of interest in the roles held by the company's Data Protection Officer.

Who was affected

The company and its Data Protection Officer were affected by the investigation.

What the authority found

The DPA concluded that the company's DPO roles led to a conflict of interest, violating GDPR's requirement for DPO independence.

Why this matters

This case highlights the necessity for companies to ensure their DPOs are free from conflicting roles, reinforcing the importance of DPO independence for GDPR compliance. Organizations should carefully assess and structure DPO roles to avoid similar issues.

GDPR Articles Cited

Full Legal Summary
Detailed

The Icelandic DPA started an investigation into a genetic research company, specifically to assess the company's Data Protection Officer (DPO) and the performance of the DPO's tasks. The DPA requested information from the company to determine whether and how the company's DPO role was compatible with Article 38 GDPR. The DPA stated that the decision to investigate the DPO was made with the intention of ensuring compliance, not because it assumed the requirements of the GDPR were not being followed. The DPA wrote two letters, but the company did not respond to either of them within the prescribed deadlines. After a phone call, the DPA received a response almost two months after the first letter had been sent.

After reviewing the responses from the controller, the Icelandic DPA concluded that there were no violations in relation to the obligations to appoint a DPO (Article 37), to involve the DPO in relevant matters (Article 38(1)), and to provide the DPO with the necessary resources (Article 38(2)). However, the DPA held that the controller violated the obligation to ensure the DPO's independence pursuant to Article 38(3). The acting DPO at the time of the investigation also held the positions of deputy CEO, senior lawyer and board member. The DPA held that this could lead to a conflict of interest. The current DPO also held the position of senior lawyer. The DPA held that this also constituted a conflict of interest.

The DPA instructed the controller to ensure that the acting DPO would not be responsible for other tasks and duties that may lead to a conflict of interest. The DPA further noted that, despite the delayed answers, it would not impose a fine, taking into account the fact that the information was eventually received as well as the COVID-19 outbreak.

Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Related Enforcement Actions (0)

No other enforcement actions found for Íslensk erfðagreining in IS

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date

29 June 2022

Authority

Persónuvernd

GDPRhub ID

gdprhub-5224

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Íslensk erfðagreining - Iceland (2022). Retrieved from cookiefines.eu
