Decisions in English
A ruling on the processing of personal data related to Danish research projects
The Icelandic DPA has issued a ruling in a case regarding a complaint about the processing of personal data related to Danish research projects by the genetic research company deCODE Genetics. The processing has taken place with reference to data processing agreements which the Danish Capital Area has made with the company, and the complainant considered that the company had exceeded its role as a processor and thus itself become a controller of unlawful processing. The DPA did not consider the case file to support this and the conclusion was therefore that the processing had been in accordance with the law.
Opinion on political parties' use of social media before parliamentary elections – Guidance and proposals
In March 2020, the Icelandic DPA approved an opinion which was the conclusion of the DPA's investigation of how political parties used social media platforms in the run-up to the parliamentary elections in 2016 and 2017, for the purpose of defining target groups and directing marketing at them. The focus was on (a) how personal data of members of political parties, collected by the parties, were processed in this regard as well as (b) the data of the general electorate. The DPA concluded with observations and guidelines for the future.
The investigation revealed that two of the eight parties that currently have representatives in Parliament used their members' data, i.e. e-mails and phone numbers, to direct messages to them on Facebook. The conclusion of the DPA was that this processing of personal data entailed processing of sensitive personal data which could be lawful on the basis of Article 9(2)(d) of Regulation (EU) 2016/679 if it was part of traditional processing by political parties. Processing of sensitive personal data beyond that would have to be based on Article 9(2)(1) of the Regulation. The DPA observed that, in this case, party members had not been sufficiently informed regarding this particular use of their data. The DPA concluded i.a. that political parties must provide their members with sufficient information regarding processing of their data, which is a requirement both regarding explicit consent as a legal basis and transparency of processing. Political parties should also provide a real option for data subjects to object to the processing.
The investigation also revealed that all of the political parties that currently have representatives in Parliament used personal data to reach voters on social media in this period. All used Facebook to create target groups to reach so-called core audiences, and some also used their own custom audiences and/or lookalike audiences. Most of the parties also used Instagram and YouTube. The variables that they used varied in sophistication, and some of the parties used advertising agencies and/or data handlers for target group analysis and/or targeting marketing at unspecified groups, which were then determined by the company in question. The DPA concluded that, in this regard, political parties must provide sufficient information to data subjects to ensure transparency. Messages from political parties, directed at target groups on social media platforms, should for example include a link directing users to their websites where there should be accessible and clear information about what personal data are used, how and for what purposes. Furthermore, when directing messages to target groups, data subjects must be given the opportunity to object to the processing of personal data that this entails.
In addition, political parties must consider the obligation to make processing contracts when applicable.