City of Reykjavik – Complaint Upheld (Iceland, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Icelandic data protection authority found that Reykjavik city mishandled a child's health report by emailing it to the wrong person, along with the password to open it. The authority noted that sending the password with the document did not protect the data. This case stresses the importance of secure data handling practices.
What happened
Reykjavik city sent a child's health report to the wrong email address, including the password to open it.
Who was affected
A child whose health report was mistakenly sent to an unauthorized recipient.
What the authority found
The Icelandic DPA found Reykjavik city failed to secure personal data as required by GDPR Article 32.
Why this matters
This incident underscores the need for robust data protection measures, especially when handling sensitive information. Organizations should ensure secure communication practices to prevent unauthorized access.
GDPR Articles Cited
The city of Reykjavik (controller) sent a health report about a child to the wrong person by email. The document was locked, but the password to open it was sent to the same wrong email address. The recipient reported the error on the same day he received the e-mail.
The controller reported the data breach to the DPA as a security breach within 72 hours, explaining that the breach was due to a human error when entering the email address. The controller also informed the parents of the child that their child’s data had been disclosed to an unauthorised recipient and contacted the latter asking him to delete the emails.
The parents considered that the controller had not implemented technical and organizational measures to ensure the security of personal data, and therefore filed a complaint with the DPA. In its defence, the controller argued that it had appropriate measures in place, since the document was locked with a password, and that it had reported the data breach to the DPA and notified the parents.
The DPA first stressed that sending by email a locked report containing health information to an unauthorised party, along with the password to unlock the document, constitutes processing of personal data pursuant to Article 4 GDPR. The DPA explained that locking the document was useless since the password was communicated in the same way as the document, i.e. in consecutive e-mails to the same e-mail address. The controller therefore did not ensure the security of the data as required by Article 32.
Taking into account that the controller reported the breach as required by Article 34, notified the parents and contacted the recipient of the report for its deletion, the DPA stated that there was no reason for further action. It did not consider it necessary to fine the controller or to order special measures.
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Cite as: Cookie Fines. City of Reykjavik - Iceland (2023). Retrieved from cookiefines.eu