Icelandic DPA issues fine to the Ministry of Industries and Innovation and YAY ehf. for data processing through a digital gift card app

The Icelandic DPA has issued a fine of 7,5 million ISK (approx. 50.800 euros) to the Ministry of Industries and Innovation and of 4 million ISK (approx. 27.100 euros) to YAY ehf. for multiple infringements of the core provisions of the data protection legislation.

Due to economic difficulties in Iceland caused by Covid-19, the Icelandic government decided, in early 2020, to boost the tourism sector and small businesses by issuing a digital gift certificate of 5000 IKR (approx. 34 euros) to individuals domiciled in Iceland, 18 years and older. The Icelandic government contracted a company that issued a digital gift card app based on an already existing app developed by the same company. After the app was first published, the Icelandic DPA received tips from data subjects on the amount of personal data the app was using and the extensive access rights it claimed in the user's mobile device. The Icelandic DPA subsequently decided to examine on its own initiative whether the project complied with the GDPR.

Speed of publication and human error at the root of the unlawful and unnecessary data processing

In its decision, the Icelandic DPA notes that due to the economic situation, a heavy emphasis was placed on the speed of both the programming and the publication of the app, resulting in inadequate adjustment of settings. This led to unlawful and unnecessary collection of considerable amounts of personal data and the collection of access rights to the user's mobile devices.

Data subjects not adequately informed of the processing and their consent for the processing not ensured

Furthermore, requirements for consent for processing were not met and the information the data subjects received when signing into the app was inadequate.

Security of the personal data inadequate

Additionally, the controller and the processor had not ensured the appropriate security of the personal data. A processing agreement, according to Article 28(3), was not made, and the controller and processor failed to implement data protection by design and by default, which should have ensured data minimization, when designing the app.

Multiple infringements and the scope of processing - Number of data subjects potentially affected

When deciding the fine, the Icelandic DPA took into account, among other things, the nature and scope of the processing as well as the multiple infringements of the GDPR. The Ministry of Industries and Innovation was fined 7,5 million ISK (approx. 50.800 Euros) and the company YAY ehf. was fined 4 million ISK (approx. 27.100 Euros).

For further information:
