Date of final decision: 8 March 2022
Controller: Harpa Concert Hall and Conference Centre ohf.
Legal Reference: principles relating to processing of personal data (Article 5), lawfulness of processing (Article 6)
Decision: infringement of the GDPR, order to comply, fine 1 million ISK (approx. 7.200 Euros).
Key words: principles, lawfulness of processing, transparency, data minimisation.
Summary of the Decision
Origin of the case
The Icelandic Supervisory Authority (SA) received a complaint about the collection of the ID number and date of birth of the complainant by Harpa Concert Hall and Conference Centre in connection with his electronic purchase of tickets. The complaint referred to processing that took place before the Covid-19 pandemic in Iceland and thus before rules were set that required the registration of personal information in connection with event attendance.
The Icelandic SA found that it was not necessary to collect information on the complainant's ID number and date of birth for the purpose of handing him a ticket, as it would have been possible to fulfil the contract for the purchase without it. The processing was therefore not lawful and did not comply with the principles relating to processing of personal data on legality, fairness, transparency, and minimisation of data. The processing had also violated the special provisions of the Icelandic law that stipulates that the use of an ID number is subject to its objective purpose and is necessary to ensure secure identification.
Harpa Concert Hall and Conference Centre was instructed to stop collecting information on ID numbers and dates of birth in connection with individuals' purchase of tickets for events organized by the company, and to delete available information that had been collected for the purpose of identifying them upon delivery of sold tickets.
When deciding the fine, the Icelandic SA took into account, among other things, that the information had been collected in good faith that the processing was lawful. Furthermore, it was not possible for Harpa to change the procedure after rules were set that required the registration of personal information in connection with event attendance. Harpa Music and Conference Center was fined 1 million ISK (approx. 7.200 Euros).
For further information: https://www.personuvernd.is/urlausnir/sofnun-personuupplysinga-vegna-kaupa-a-adgongumida-a-vidburd-i-horpu-sektarakvordun (decision in Icelandic).
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.