S.Á.Á – Fine (Iceland, 2020)

Fine
Persónuvernd, 5 March 2020, Iceland
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

S.Á.Á was investigated after a retired employee took home boxes containing sensitive patient records by mistake. This matters because it shows the need for strict controls over who can access personal data, even when employees leave. Although no fine was issued, the incident underscores the importance of data security measures.

What happened

A retired employee of S.Á.Á accidentally took home boxes containing sensitive patient records.

Who was affected

The affected individuals were patients whose medical records were mistakenly sent to a retired employee.

What the authority found

The Icelandic data protection authority found that S.Á.Á lacked proper security measures to prevent unauthorized access to personal data, even though no fine was imposed.

Why this matters

This case serves as a warning to organizations about the importance of maintaining data security, especially when employees leave. It stresses the need for clear procedures to prevent unauthorized access to sensitive information.

GDPR Articles Cited

Art. 32 GDPR
Art. 5(1)(f) GDPR
Full Legal Summary

The case and investigation were opened as a result of a data breach notification sent to Persónuvernd by S.Á.Á. A retired employee, who was the head of the treatment home Vik before retiring, received "a significant amount" of personal data concerning patients, including the detailed medical records of 252 individuals and records of check-ins containing 3,000 names. The personal data was stored in boxes that were sent to the retired employee alongside his belongings.

S.Á.Á. did not dispute that a breach of personal data had occurred. However, S.Á.Á. emphasized that the former head packed the boxes himself, and that as a former chief he should have been clear about the contents of the boxes. In addition, S.Á.Á. stressed that the incident was related to human error, and that the organization had reviewed its organisational measures to avoid data breaches. In the view of Persónuvernd, the delivery of the medical records was a result of lacking technical and organisational measures. The fact that the former employee had packed the boxes himself did not justify the lack of technical and organisational measures that should have prevented such a disclosure from S.Á.Á. as a controller of the personal data.

Related Enforcement Actions (0)

No other enforcement actions found for S.Á.Á in IS

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

5 March 2020

Authority

Persónuvernd

GDPRhub ID

gdprhub-2201

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. S.Á.Á - Iceland (2020). Retrieved from cookiefines.eu
