deCode Genetics – No Violation (Iceland, 2022)

On 12 December 2020, the Icelandic DPA received a complaint from a Danish organization "Patientforeningen," representing a data subject. The complaint concerned a letter from the Danish Biobank addressed at the data subject, which stated that the body tissues collected from the data subject were sent to deCode Genetics in Iceland to be processed and stored by deCode Genetics. The complaint pointed out that according to the website of the research project, the Capital Region of Denmark is the controller and deCode Genetics is the processor of the processing. The complaint contended the following: 1. The processing of personal data in Iceland is without authorization. 2. The personal data in question is outside the scope of data protection impact assessment (DPIA) carried out in Denmark. Moreover, it is unclear whether deCode Genetics carried out any DPIA. 3. The genetic information is processed without the permission of the Central Scientific Ethics Committee in Iceland. 4. The processing of genetic data is done without permission from the Icelandic DPA. The complaint claimed that although the agreement between Danish Biobank and deCode Genetics stated deCode Genetics to be the processor, it was in fact acting as a controller and thus had to be responsible for the obligations of a controller. This claim was on the basis that the articles published regarding the research identified individuals from deCode Genetics as first and last authors. Usually in the scientific community, the first author is the real contributor, and hence the main decision authority. In reply, deCode Genetics claimed that it is the Danish DPA which has the jurisdiction since the data subject is Danish and the data is primarily registered and stored in Denmark. deCode Genetics submitted that the Danish DPA was already looking into similar cases and hence is the most appropriate authority. deCode Genetics cited its other collaborative research projects and claimed that it was recognized as a