University of Iceland – Complaint Upheld (Iceland, 2024)

A student at the University of Iceland complained to the Icelandic DPA that a teacher was monitoring their use of a teaching website in the Canvas student management system. In a subsequent complaint, the student also alleged that the University did not provide sufficient information about using peer evaluation as a method. The Icelandic DPA combined both the complaints and asked the University of Iceland to reply. In reply, the University of Iceland stated that the University's processing of student's personal data is based upon authorisation granted under the Act on Data Protection and the Processing of Personal Data. The University also stated that the examination of student's use of a teaching website was necessary for the assessment and was as per Art. 6(1) GDPR. However, one of the web pages which would have provided the necessary information to the student about the examination of the use of the learning website on Canvas was inactive. With respect to peer assessment, the University provided no evidence claiming that the student was informed in this regard. The Icelandic DPA held that the University's examination of student's use of the learning website on the Canvas platform violated Art. 5(1)(a) GDPR. It also held that as the University violated Article 12-13 GDPR because it failed to provide the student the required information about examination of their use of the learning website and peer assessment.