Background information
- Date of decision: 2 May 2023
- Cross-border case or national case: National case
- Controller: The municipality of Kópavogur
- Legal references: Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 26 (Joint controllers), Article 28 (Processor), Article 35 (Data protection impact assessment), Article 44 (General principle for transfers), Article 46 (Transfers by way of appropriate safeguards)
- Decision: Administrative fine
- Key words: Children, Lawfulness of processing, Transparency, Purpose limitation, Data minimisation, Accountability, Data protection impact assessment
Summary of the Decision
Origin of the case
In October 2021, the EDPB selected “the use of cloud in the public sector” for its 2022 Coordinated Enforcement Action. The Icelandic SA decided to investigate the use of cloud services in elementary schools as part of this coordinated action. The investigation was limited to the use of Google Workspace for Education in the five largest municipalities in Iceland, in addition to the use of Seesaw in the municipality of Kópavogur. This case only concerns the use of Seesaw’s educational system in the municipality of Kópavogur.
Key Findings
- Data processing agreement did not meet the minimum requirements (Article 28(3)(a) GDPR)
- Failure to provide a transparent arrangement for the processing operations carried out jointly with another data controller (Article 26 GDPR)
- Failure to demonstrate a lawful ground for all processing operations (Article 6 GDPR)
- Failure to comply with the obligation to process personal data lawfully, fairly and in a transparent manner (Article 5(1)(a) GDPR)
- Failure to demonstrate a specified, explicit, and legitimate purpose for all processing operations (Article 5(1)(b) GDPR)
- Failure to ensure data minimisation (Article 5(1)(c) GDPR)
- Failure to ensure a proportionate storage period (Article 5(1)(e) GDPR)
- Data protection impact assessment did not meet the minimum requirements (Article 35(7) GDPR)
- Data transferred to the United States without appropriate safeguards (Articles 44 & 46 GDPR)
Decision
The Icelandic SA concluded that all processing of personal data in the Seesaw educational system should be suspended, and students’ data deleted after being retrieved, if applicable, to be stored within each school. Furthermore, the Icelandic SA imposed a fine of ± EUR 26 675 (ISK 4,000,000) on the municipality of Kópavogur.
For further information:
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.