Date of final decision: 24th of November 2021
National case: 2020092288
Controller: Ministry of Industries and Innovation and YAY ehf.
Processor: YAY ehf.
Legal References: Principles relating to processing of personal data (Article 5), Lawfulness of processing (Article 6), Conditions for consent (Article 7), Processing of special categories of personal data (Article 9), Transparency (Article 12), Information to be provided where personal data are collected from the data subject (Article 13), Responsibility of the controller (Article 24), Data protection by design and by default (Article 25), Processing contract (Article 28(3)), Security of processing (Article 32).
Decision: Infringement of the GDPR, Fine
Key words: Principles, Lawfulness of processing, Conditions for consent, Processing of special categories of personal data, Transparency, Information, Responsibility of the controller, Data protection by design and by default, Processor, Security of personal data.
Summary of the Decision
Origin of the case
Due to economic difficulties in Iceland caused by Covid-19 the Icelandic government decided, in early 2020, to boost the tourism sector and small businesses by issuing a digital gift certificate of 5000 IKR (approx. 34 euros) to all Icelanders over 18 years old. The Icelandic government contracted a company that issued a digital gift card app based on an already existing app developed by the same company. After the app was first published, the Icelandic DPA received tips from data subjects on the amount of personal data the app was using and the extensive access rights it claimed in the user’s mobile device. The Icelandic DPA subsequently decided to examine on its own initiative whether the project complied with the GDPR.
In its decision, the Icelandic DPA notes that due to the economic situation, a heavy emphasis was placed on the speed of both the programming and the publication of the app, resulting in inadequate adjustment of settings. This led to unlawful and unnecessary collection of considerable amounts of personal data and the collection of access rights to the user’s mobile devices.
Furthermore, requirements for consent for processing were not met and the information the data subjects received when signing into the app was inadequate.
Additionally, the controller and the processor had not ensured the appropriate security of the personal data. A processing agreement, according to Article 28(3), was not made and the controller and processor failed to implement data protection by design and by default, that should have ensured data minimization, when designing the app.
When deciding the fine, the Icelandic DPA took into account, among other things, the nature and scope of the processing as well as the multiple infringements of the GDPR. The Ministry of Industries and Innovation was fined 7,5 million ISK (approx. 50.800 Euros) and the company YAY ehf. was fined 4 million ISK (approx. 27.100 Euros).
For further information:
- Icelandic DPA issues fine to the Ministry of Industries and Innovation and YAY ehf. for data processing through a digital gift card app (English press release)
- Ákvörðun um sekt vegna ferðagjafar stjórnvalda (decision in Icelandic)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.