Íslandsbanki (Bank of Iceland) – Complaint Upheld (Iceland, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Icelandic DPA found that the Bank of Iceland shared a person's debt information with others in their building without ensuring the data was accurate. This is important because it highlights the need for banks to verify information before sharing it. The bank must now take steps to improve data security when notifying others about debts.
What happened
The Bank of Iceland shared a person's debt status with others in their building without verifying the accuracy of the information.
Who was affected
A person who owned a property and had their debt information shared with other building residents.
What the authority found
The DPA found that the bank failed to ensure data accuracy and security, and so did not meet its obligations under Articles 5(2) and 32(1) GDPR.
Why this matters
This case underscores the importance of verifying personal data before sharing it, especially in sensitive situations like debt notifications. Banks and similar institutions should ensure they have robust data security measures in place.
GDPR Articles Cited
National Law Articles
The Bank of Iceland shared the data subject's debt status with third parties who owned flats in the same building as the data subject. According to the controller, there was an obligation to do so under national law (Article 7(1)(d) of Act no. 32/2009). Essentially, in case of debts, the bank is obliged to inform the co-owner(s) of the existence and status of a mortgage on their building. The data subject filed a complaint.
The DPA agreed that there was a legal obligation on the controller arising from the national provision to notify owners of the property. The processing was therefore lawful under Article 6(1) GDPR. It considered that registration books can usually be relied on for the authenticity of the information. However, in this case, the data subject had 100% ownership while the other 25 people mentioned in the registration book only had property lease agreements. The data controller therefore had every reason to examine and further investigate the registration book before sending out such notifications.
Indeed, the controller was the party responsible for taking appropriate technical and organizational measures to ensure adequate security of personal data. Consequently, the DPA held that the controller did not fulfill its duty of diligence and did not ensure appropriate security of the personal data under Articles 5(2) and 32(1) GDPR. Pursuant to Article 58(2)(c) GDPR, it asked the data controller to take measures to ensure that appropriate security of personal information is maintained when sending notifications. No fine was imposed.
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Íslandsbanki (Bank of Iceland) in IS
Cite as: Cookie Fines. Íslandsbanki (Bank of Iceland) - Iceland (2022). Retrieved from cookiefines.eu