Icelandair – Violation Found (Iceland, 2023)

A news report revealed that the flight attendants working for Icelandair were required to evaluate each other at work. This led the Icelandic DPA to open an investigation on the compliance of that mechanism with GDPR. On 19 May 2022, the DPA informed Icelandair of the investigation and invited it to provide explanation. Icelandair explained that it ran an app called Crew App containing a possibility to evaluate the performance of colleagues. It works in the following way: 45 minutes after landing, the app announces that the performance evaluation is open. Flight attendants can then submit evaluation for 48 hours. This evaluation includes a grade from 1 to 5 with a written justification and text boxes where it is possible to enter text. The employees can consult their own average evaluation in the program only if they participated in performance evaluation of others. The company explained that the purpose of the evaluation was to make employees aware of their performance. It also argued that the collective agreement between Icelandair and the Flight Attendants Association of Iceland stated among other things that performance must be taken into account when offering promotions and management positions. Therefore, regarding the legal basis, Icelandair stated (1) to have a legitimate interest in the performance evaluation and (2) that it is necessary to perform a contractual obligation arising from the collective agreement with the Flight Attendants Association. Finally, the company stated that the processing met the transparency requirements: the staff received a detailed introduction to use the app and could request access to their data under Article 15 GDPR. The company also believed that it was not obliged to carry out a data protection impact assessment under Article 35 GDPR due to the nature of the processing: assessment and grading. It considered that this processing could not be seen as systematic or on a large scale of special categories of personal data sin