Date of final decision: May 3, 2022 (Decision on infringement, December 20, 2021).
Controller: The municipality of Reykjavík.
Legal Reference: data protection principles (Article 5), lawfulness of processing (Article 6), transparency (Article 13), data protection by design and default (Article 25), joint controllers (Article 26), processing agreement (Article 28), security of processing (Article 32), data protection impact assessment (Article 35), appropriate safeguards (Article 46).
Decision: infringement of the GDPR, order to suspend processing and erasure of personal data, fine imposed.
Key words: cloud-based services, children, unlawful processing, transparency, purpose limitation, data minimisation, storage limitations, accountability, data protection by design and default, processing agreement, data protection impact assessment, transfer to third countries, appropriate safeguards.
Summary of the Decision
Origin of the case
In April 2021 the Icelandic Supervisory Authority (SA) was notified that one of Reykjavík’s elementary schools was obtaining consent from parents for processing of personal data of students using the Seesaw educational system, which is an American cloud-based service. The Icelandic SA subsequently examined on its own initiative the use of the Seesaw educational system by elementary schools in Reykjavík.
On December 20, 2021, the Icelandic SA concluded that the municipality of Reykjavík had breached various provisions of the GDPR by using Seesaw. Following that decision, the Icelandic SA examined whether there were grounds for imposing an administrative fine. In its decision of May 3, the Icelandic SA concluded that the municipality of Reykjavík was to pay a 5.000.000 ISK fine.
Key findings of the Icelandic SA’s former decision were, i.a., that the processing agreement between Reykjavík and Seesaw was insufficient; that the municipality could not demonstrate a specified, explicit and legitimate purpose for the processing in question, which was therefore considered unlawful; that the processing was neither fair nor transparent; that neither the principles of data minimisation and storage limitations nor data protection by design and by default had been implemented, taking into consideration the amount of data collected, the extent of their processing, the period of their storage and their accessibility; that the data protection impact assessment did not meet the minimum requirements; that the municipality did not demonstrate that it had ensured appropriate security of the personal data in question; and that the data was being transferred to the United States without appropriate safeguards.
The Icelandic SA furthermore concluded that all processing in the Seesaw educational system should be ceased and students’ data deleted after being retrieved, if applicable, to be stored within each school.
Key findings of the latter decision were that, in view of all the above, a 5.000.000 ISK administrative fine was imposed on the municipality of Reykjavík. The SA took into consideration, i.a., that the infringements concerned the personal data of children and that it was considered likely that special categories of data and other sensitive information were being processed, but also that no damage appeared to have been caused by the violations, that there was no indication that Seesaw’s general information security was not adequate and that the municipality co-operated with the SA in a clear and concise manner.
Administrative fine: approx. 35.768 EUR.
For further information: decisions in national language, decision of May 3, 2022: Notkun Seesaw-nemendakerfisins í grunnskólum Reykjavíkur - sektarákvörðun; decision of December 20, 2021: Ákvörðun um notkun Seesaw-nemendakerfisins í grunnskólum Reykjavíkur.
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.