European Data Protection Board

Personal data breach at the Breiðholt Upper Secondary School – Administrative fine

Tuesday, 10 March, 2020
IS

On 5 March 2020, the Icelandic SA took the decision to impose an administrative fine of ISK 1.300.000 (EUR 8.945) on the Breiðholt Upper Secondary School in a case relating to a personal data breach.

The breach occurred when a teacher at the school sent an e-mail to his students and their parents/guardians, 57 people in total. Attached to the e-mail was a document that the teacher believed to contain information on consultation appointments. However, the attachment concerned a different group of students, 18 in total, and contained data on their well-being, study performance, and social conditions. To a considerable extent, the information concerned the students' problems. In one instance, the data had to do with an intervention by child protection services. Furthermore, there were data on one student's physical illness, and on another student's mental health problem.

After carrying out an investigation of the data breach, the SA concluded that the breach was a result of a lack of implementation of appropriate data protection policies and appropriate technical and organisational measures to protect the data by the controller. The lack of appropriate measures to protect the personal data therefore constituted violations of, inter alia, Art. 5(1)f and Art. 32 of the GDPR.

When determining the fine, the SA referred to the nature of the personal information involved in the breach, which were data concerning health and other personal issues. The SA also cited the nature of the Breiðholt Upper Secondary School as a nonprofit institution.

The full decision in Icelandic is available here

For further information, please contact the Icelandic SA: postur@dpa.is

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.