Background information
- Date of final decision: 28/11/2023
- National case
- Controller: the municipality of Hafnarfjörður
- Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), Article 28 (Processor), Article 35 (Data protection impact assessment), Article 44 (General principle for transfers), Article 46 (Transfers by way of appropriate safeguards)
- Decision: Compliance order, Administrative fine
- Key words: accountability, purpose limitation, data minimisation, storage limitations, data processing agreement, data protection impact assessment, transfer to third countries, children, education, cloud-based services.
Summary of the Decision
Origin of the case
In October 2021, the EDPB selected “the use of cloud in the public sector” for its 2022 Coordinated Enforcement Action. The Icelandic SA decided to investigate the use of cloud services in elementary schools as part of this coordinated action. The investigation was limited to the use of Google Workspace for Education, Google’s educational system, in the five largest municipalities in Iceland, in addition to the use of Seesaw in the municipality of Kópavogur. This case only concerns the use of Google’s educational system in the municipality of Hafnarfjörður.
Key Findings
The Icelandic SA’s investigation revealed that students’ personal data were not only processed on the instructions of the municipality of Hafnarfjörður, but also for Google’s own purposes. The municipality failed to demonstrate how this further processing by Google was compatible with the purpose for which students’ personal data were initially collected, i.e. to provide education in accordance with the national compulsory school act.
The Icelandic SA concluded that the municipality of Hafnarfjörður infringed multiple Articles of the GDPR through its use of Google’s educational system, namely:
- Failure to ensure and to be able to demonstrate that processing is performed in accordance with the Regulation (Articles 5, 24(1) & 28(1) GDPR)
- Data processing agreement did not meet the minimum requirements (Article 28(3)(a) GDPR)
- Failure to demonstrate a specified, explicit, and legitimate purpose for all processing operations (Article 5(1)(b) GDPR)
- Failure to ensure that data is not further processed in a manner that is incompatible with the initial purpose (Articles 5(1)(b) & 6(4) GDPR)
- Failure to ensure data minimisation (Articles 5(1)(c) & 25 GDPR)
- Failure to ensure a proportionate storage period (Article 5(1)(e) GDPR)
- Failure to carry out a data protection impact assessment in a timely manner (Articles 35(1) & 35(11) GDPR)
- Data protection impact assessment did not meet the minimum requirements (Article 35(7) GDPR)
- Data transferred to the United States without appropriate safeguards (Articles 44 & 46 GDPR)
Decision
The Icelandic SA ordered the municipality of Hafnarfjörður to bring the processing operations in Google’s educational system into compliance with the Regulation. Furthermore, the Icelandic SA imposed a fine of approx. EUR 18.580 (ISK 2,800,000) on the municipality of Hafnarfjörður.
For further information:
- National decision: Úttekt á notkun Hafnarfjarðarbæjar á skýjalausn Google í grunnskólastarfi
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.