Nova hf. – Dismissed (Iceland, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Icelandic phone company, Nova hf., faced a complaint after accidentally reassigning a customer's phone number to someone else. The data protection authority found no security breach occurred, as no personal data was accessed. This case highlights the importance of maintaining accurate customer records.
What happened
Nova hf. mistakenly reassigned a customer's phone number to another person.
Who was affected
The customer whose phone number was reassigned was affected.
What the authority found
The authority found that no security breach occurred because no personal data was accessed during the incident.
Why this matters
This case highlights the need for companies to have robust procedures to prevent errors like phone number reassignment. It also shows that not all mistakes lead to data breaches if no personal data is exposed.
GDPR Articles Cited
The data subject has a phone contract with the controller. The incident in question concerned the controller's accidental reassigning of the data subject's phone number to a third party. The phone number on the data subject's phone became inactive and active on the phone of the third party. The dispute between the parties concerned the question whether the incident involved a security breach which should have been notified. Moreover, the parties have differing opinions about whether personal data of the data subject was made available to a third party and whether the security measures of the controller were sufficient. The data subject argued that a third party had acquired access to personal data, such as text messages that could have been received at the phone number after it was reassigned. Additionally, the third-party would have been capable of accessing personal data of the data subjects on websites and smart apps that use the phone number as an identifier. The controller argued to the contrary that no security breach occurred. The incident was caused by a human error on the part of the relevant employee who handed over the phone number to an unauthorized party. No information about previous calls, text messages or other information was made available when the phone number was transferred. The controller also does not see itself responsible for other personal data that may be connected to the data subject's phone number, such as the use of authentication methods in services unrelated to the controller. Furthermore, the controller believed that its current processes minimize the risk of mistakes like this occurring and pointed out that incidents like this have only occurred three times since 2015. The controller therefore assessed that its technical and organizational measures are in accordance with the security standards required by Article 32 GDPR. The DPA made two holdings: First, it held that the controller did not ensure an appropriate security of the
Outcome
Dismissed
The complaint or investigation was dismissed.
Related Enforcement Actions (0)
No other enforcement actions found for Nova hf. in IS
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Nova hf. - Iceland (2022). Retrieved from cookiefines.eu
Last updated: