Social Services – Complaint Upheld (Iceland, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
In Iceland, social services shared sensitive information about a mother and her children with the children's father. The Icelandic data protection authority found that sharing the mother's health data was allowed under local law, but sharing details about the other children was not. This case shows how complex data sharing can be, especially when health information is involved.
What happened
Social services shared sensitive health and personal information about a mother and her children with the father.
Who was affected
The mother and her four children, whose personal and health information was shared.
What the authority found
The Icelandic DPA found that sharing the mother's health data was lawful under Icelandic law, but sharing the children's details was not compliant with data protection laws.
Why this matters
This case underscores the need for organizations to carefully consider legal obligations and data protection rules when sharing sensitive information. It also highlights the special care required when handling health data.
GDPR Articles Cited
The data subject is a mother. The personal data of her and her four children was shared by the social service of an Icelandic municipality, the controller, to the father and joined guardian of the oldest child. The personal data was shared in a letter and included information about the suicide attempt of the data subject, her addiction problem, as well as the the full names and social security numbers of all of the data subject's children. The data subject disputes that the social services were authorized to share this personal data. The social services answered that they were required to share the information under Icelandic law. Article 21 of Act no. 80/2002 states that when child protection services receive information that a child's physical or mental health or development may be at risk due the behaviour of the parents or others, they must investigate the matter and make a decision without delay. The Article also obliges them to notify the (other) parents of the situation. Informing the father about the mother's suicide attempt and drug consumption habits was therefore required by the law. Regarding the sharing of details of the other children, the social services conceded that their conduct was not in line with data protection laws. However, the controller argued, the father of the oldest child could have obtained this information in other ways, such as by asking his child or through the national registry. The Icelandic DPA held that the suicide attempt and addiction problems of the data subject constituted health data. Therefore, since GDPR categorizes health data as a special category of data, the processing has to comply with Article 6 as well as Article 9 GDPR. Considering the legal obligations of the social services under Act no. 80/2002, the DPA held that the social services rightfully shared the information about the mother with the father. The law does not clearly state what the content of notifications to the parents should be. However, in the o
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Social Services in IS
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Social Services - Iceland (2022). Retrieved from cookiefines.eu
Last updated: