Íslandspóstur – Dismissed (Iceland, 2022)

On 24 November 2021 and 15 February 2022, a data subject complained to the Icelandic DPA regarding the processing of personal data by a controller, Íslandspóstur, i.e. the Icelandic postal authority. The data subject alleged that the controller maintained a special register of stamp collectors, including the data subject. The allegation was based on the claim that all postage to the data subject from abroad was subjected to customs check, regardless of whether it was general or traceable letters. In reply, the controller stated that it was not maintaining a special register. It also stated that, as per law, all shipments to Iceland are subject to customs duties and, as a customs broker, the postal authority is required to do customs processing. In addition, the controller added that with experience the employees of the postal authority gain knowledge about assessing high-value items. The Icelandic DPA noted that Article 4(1) GDPR applies to "the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system." It added that there was no evidence of a special register for stamp collectors and that, therefore, also no evidence existed for GDPR-infringing personal data processing. Thus, the DPA rejected the complaint. The DPA did not consider it necessary to use its additional powers to carry out any further investigations.