Persónuvernd (Iceland) - 2020092288: Difference between revisions
mNo edit summary |
No edit summary |
||
(6 intermediate revisions by 2 users not shown) | |||
Line 68: | Line 68: | ||
}} | }} | ||
The Icelandic DPA | The Icelandic DPA found that the Ministry of Industries and Innovation and the company YAY contravened the GDPR by collecting personal data without a legal basis and processing it without consent, violated the principle of data minimisation, and failed to comply with its information obligations by processing the personal data of the users of a gift card application, and imposed administrative fines of approximately €50,800 (7,500,000 ISK) and €27,100 (4,000,000 ISK) respectively. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
In September 2020, the Icelandic DPA initiated an investigation on a digital gift card application provided by the Ministry of Industries and Innovation (the Ministry), and developed by the company YAY ehf (YAY). The aim of the application was to issue a digital gift certificate to all Icelanders over 18 years old in order to stimulate domestic tourism in the summer 2020 during the COVID-19 pandemic. | |||
After the app was published on 18 June 2020, the DPA became aware that, in order to be able to use the digital gift card, the users of the application had to submit their personal data, such as, email address, phone number, age and gender. Moreover, the users were also required in some cases to give an access to their phones´ camera, microphone, GPS location, calendar, contact information as well as data on USB storage. | |||
The DPA decided to open an investigation to assess whether the collection of users´ data and the acquisition of access rights to their mobile devices by the digital gift card application were in compliance with the GDPR and the Icelandic Act no. 90/2018 on data protection and the processing of personal data. In the context of this investigation, the Icelandic DPA found that the Ministry was the controller of the personal data and that YAY was a processor of the personal data. | |||
=== Holding === | === Holding === | ||
In its decision from 23 November 2021, the DPA came to conclusion that the Ministry | In its decision from 23 November 2021, the Icelandic DPA came to conclusion that the Ministry had breached several principles of the data protection legislation. More specifically, the Icelandic DPA found that the Ministry had (1) collected a large amount of users´ personal data without having a lawful basis; (2) failed to obtain a valid consent for processing of users´ data, (3) required extensive access rights to users´ mobile devices, in violation of the principle of data minimisation and (4) failed to provide the users with adequate information on the use of their data. | ||
Furthermore, the DPA stated that both the | Furthermore, the Icelandic DPA stated that both the Ministry and YAY had failed to implement appropriate technical and organizational security measures to ensure the protection of the users´ personal data. | ||
The Icelandic DPA imposed an administrative fine of 7,5 million ISK (approx. €50.800) on the Ministry, and a fine of 4 million ISK (approx. €27.100) on YAY ehf. for violation of Articles 5, 6, 7, 12, 13, 24, 25, 28(3) and 32 GDPR. | |||
== Comment == | == Comment == |
Latest revision as of 13:06, 22 December 2021
Persónuvernd (Iceland) - 2020092288 | |
---|---|
Authority: | Persónuvernd (Iceland) |
Jurisdiction: | Iceland |
Relevant Law: | Article 5 GDPR Article 6 GDPR Article 7 GDPR Article 12 GDPR Article 13 GDPR Article 24 GDPR Article 25 GDPR Article 28(3) GDPR Article 32 GDPR Article 32 GDPR Articles 8, 9, 11, 25 and 27 Act no. 90/2018 on personal data protection |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 23.11.2021 |
Published: | 25.11.2021 |
Fine: | 11500000 ISK |
Parties: | Ministry of Industries and Innovation YAY ehf. |
National Case Number/Name: | 2020092288 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Icelandic |
Original Source: | Persónuvernd (in IS) |
Initial Contributor: | Tetyana Porokhonko |
The Icelandic DPA found that the Ministry of Industries and Innovation and the company YAY contravened the GDPR by collecting personal data without a legal basis and processing it without consent, violated the principle of data minimisation, and failed to comply with its information obligations by processing the personal data of the users of a gift card application, and imposed administrative fines of approximately €50,800 (7,500,000 ISK) and €27,100 (4,000,000 ISK) respectively.
English Summary
Facts
In September 2020, the Icelandic DPA initiated an investigation on a digital gift card application provided by the Ministry of Industries and Innovation (the Ministry), and developed by the company YAY ehf (YAY). The aim of the application was to issue a digital gift certificate to all Icelanders over 18 years old in order to stimulate domestic tourism in the summer 2020 during the COVID-19 pandemic.
After the app was published on 18 June 2020, the DPA became aware that, in order to be able to use the digital gift card, the users of the application had to submit their personal data, such as, email address, phone number, age and gender. Moreover, the users were also required in some cases to give an access to their phones´ camera, microphone, GPS location, calendar, contact information as well as data on USB storage.
The DPA decided to open an investigation to assess whether the collection of users´ data and the acquisition of access rights to their mobile devices by the digital gift card application were in compliance with the GDPR and the Icelandic Act no. 90/2018 on data protection and the processing of personal data. In the context of this investigation, the Icelandic DPA found that the Ministry was the controller of the personal data and that YAY was a processor of the personal data.
Holding
In its decision from 23 November 2021, the Icelandic DPA came to conclusion that the Ministry had breached several principles of the data protection legislation. More specifically, the Icelandic DPA found that the Ministry had (1) collected a large amount of users´ personal data without having a lawful basis; (2) failed to obtain a valid consent for processing of users´ data, (3) required extensive access rights to users´ mobile devices, in violation of the principle of data minimisation and (4) failed to provide the users with adequate information on the use of their data.
Furthermore, the Icelandic DPA stated that both the Ministry and YAY had failed to implement appropriate technical and organizational security measures to ensure the protection of the users´ personal data.
The Icelandic DPA imposed an administrative fine of 7,5 million ISK (approx. €50.800) on the Ministry, and a fine of 4 million ISK (approx. €27.100) on YAY ehf. for violation of Articles 5, 6, 7, 12, 13, 24, 25, 28(3) and 32 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.
Individuals FAQ complete FAQ electronic monitoring general privacy right to be forgotten right to information about their genotype What is processing? A new privacy legislation 2018Almennt the new legislation other interesting stuff educational booklet: Privacy children's booklet: Private youth booklet: public companies and administration asked and answered all the questions and answers electronic monitoring general privacy access right controllers, processors and vinnslusamningarÁbyrgðarskyldaVinnsluskrárNý Privacy legislation 2018FræðsluefniLög and reglurLög privacy rules and regulations other sacrificed rules and guidelines operating international and European law Solutions Solutions Reviews Licensing Various letters Privacy function Privacy News Mega political process personal data my campaign? How to process personal data in election campaigns? Staff and management for media requests for promotional events policy and gi ldiAnnual Reports201620152014201320122011201020092008200720062005200420032002200120001999Other ContentPrivacy PolicyLegal DisclaimerAccessibilityService DeskTwitterEnglishDecisions in EnglishContactLearningTo reportTopic Enter keywords SolutionsReviewsLicensingMiscellaneous letters Search for solutions Year from: Year to: Search Decision on fines for government travel Case no. 2020092288 11/25/2021 Privacy has imposed administrative fines, on the one hand in the amount of ISK 7,500,000 the Ministry of Industry and Innovation and on the other hand in the amount of ISK 4,000,000. á the company YAY ehf., for the processing of personal information in connection with government travel. More specifically, the fines were imposed for violations of fundamental principles privacy legislation, for example on education obligations, transparency and security personal information in the Travel applet. Beginning of the case can be traced to the issuance of a travel gift by the government, which was supposed to encourage Icelanders for domestic travel in the summer of 2020. This is a digital gift certificate that was distributed to individuals with a script of the company YAY ehf. Privacy received a number of suggestions that when using the travel gift was required extensive personal information and extensive access to users' telephones and was therefore initiated an investigation. Conclusion Privacy was that the Ministry of Industry and Innovation, which responsible for the processing, violated many basic principles the privacy legislation as well as the processing was extensive. Can be there mention that there was a lack of authorization for the processing of personal information, e.g. by law, and that the requirements for approval for processing were not met. Fairness and transparency were not maintained in the processing, as there were only users made to accept the general terms of use of the company YAY, instead of specifically agree to the processing of personal information upon registration in the application. Education was also unsatisfactory about the processing of personal information that took place in practice. Finally, neither the Ministry of Industry and Innovation nor YAY ehf. appropriate technical and organizational measures to ensure processing safety personal information, such as adjusting and modifying the app settings, as well of what was not concluded a processing agreement between the parties as provided by law, but the conclusion of such of the contract is considered to be an important organizational measure for processing personal information. In spite of The Data Protection Authority's suggestions for inadequate education were rectified late and until the end of the project, users were forced to accept errors Terms of use when logging in to the script. Then, by mistake of YAY ehf., extensive and unnecessary access rights in the telephones of the app users, among other things sensitive personal information, such as confidential calendar information. However however, the investigation of the case revealed that the personal information of users did not have have been retrieved on the basis of the aforementioned access rights. The company acknowledged that the processing had taken place before mistakes and be unnecessary. In addition, the Data Protection Authority came to that conclusion that the company had not complied with the requirements of the Data Protection Act on built-in and default privacy when installing the script. There was no data available which showed that evaluations or tests had been carried out to assess the effectiveness and program settings, including what personal information would in fact be requested when logging in to the script and theirs access rights that would be acquired automatically. The conduct of YAY ehf. therefore not counted comply with privacy laws in this regard. Decision On November 23, 2021, the board of the Data Protection Authority made the following decision in a case no. 2020092288: ContentsI. ProcedureExpansion of the caseReview of communication and due process processing of the case by the Data Protection AuthorityLase of eventsPoints of view ANRSlocks YAY ehf.Access the network security company Syndis ehf.6.1. Restrictions and disclaimer on the investigation of Syndir ehf.6.2. Athugun Syndis ehf.Athugun Privacy in the ANR Minutes applet due to the possible imposition of a government fine ehf. due to the possible imposition of a government fine II. Reasons for decision Scope Scope Responsible party and processor2.1. Processing responsibility2.2. Processing contractLegality of processing3.1. Authorization for processing personal information 3.1.1. Processing under responsibility ANR 3.1.2. Conditions of approval 3.1.3. Education3.2. Processing under YAY responsibility ehf.3.3. Security of personal information3.4. Principles of processing personal information III. Application of sanctions and conclusion1. Perspectives on the application of sanctions for brota ANR a. Nature, scope and purpose of processing b. Whether the violation was committed intentionally or negligently c. Measures to reduce the loss of registered persons d. Responsibility of the guarantor or processor with regard to technical and organizational measures e. Previous violation f. Extent of cooperation with the Data Protection Authority g. Categories of personal information h. How was the supervisory authority notified of the violation i. Compliance with remedial instructions j. Other burdensome or mitigating factors2. Perspectives on the application of sanctions for brota YAY ehf. a. Nature, scope and purpose of processing b. Whether the violation was committed intentionally or negligently c. Measures to reduce the loss of registered persons d. Responsibility of the guarantor or processor with regard to technical and organizational measures e. Previous violation f. Extent of cooperation with the Data Protection Authority g. Categories of personal information h. How was the supervisory authority notified of the violation i. Compliance with remedial instructions j. Other burdensome or mitigating factors3. Conclusion about administrative fine 3.1. Conclusion on penalties for violations ANR 3.2. Conclusion on penalties for violations news coverage that the use of government travel was required extensive personal information and extensive access to users' telephones decided Privacy to begin an examination of whether such processing complies with Act no. 90/2018 on personal data protection and processing and regulation (EU) 2016/679. 2. Summary of communication and processing procedures of the case with the Data Protection AuthorityWith a letter dated September 15, 2020, announced the Data Protection Authority Ministry of Innovation (ANR), Finance and the Ministry of Economic Affairs and the information technology company YAY ehf. on the Agency's own initiative study in following the dissemination of government travel grants through a script that the company had developed. The Data Protection Authority requested information on the involvement of each parties involved in decision-making in connection with the publication of the script, among other things about purpose and methods of processing personal information about its users. There was also requested information on whether and what instructions the ministries had given YAY ehf. on the processing of personal information of the users of the script and whether the processing agreement had been made. The deadline for reply was 30 September 2020. That At ANR's request, a further deadline for responding to the Data Protection Authority's request was granted October 14 Answer ANR was received at 16 p.m. The letter was accompanied by the undersigned agreement of the Ministry, dated. 15 May this year, with YAY ehf. on the development of a solution due to government travel. No responses were received YAY ehf. within the deadline and the Data Protection Authority therefore reiterated its request by letter dated. November 2, 2020. Answer from YAY ehf. received by letter dated. 9 p.m., along the aforementioned development agreement of the company with ANR. Considers Privacy is still needed on the notes of YAY ehf. due to specified items and requested them by letter to of the company, dated 24. s.m. Privacy did not receive a response to the request and had Privacy therefore contacted by telephone, on December 28, 2020, and reiterated the request. Answer YAY ehf. received Privacy by email the same day. February 12, 2021 was YAY ehf. sent a letter of objection regarding a possible decision on application of sanctions and received a Privacy Response of the company 24. s.m. along with six accompanying documents. Based on data and answers YAY ehf. The Data Protection Authority considered that further information was needed regarding the case from ANR and sent a letter to that effect to the Ministry, dated. April 13, 2021. Three times ANR after a long period of time to respond to the request of the Data Protection Authority. The deadline was extended granted in all cases, until 21 May 2021. The Ministry's replies were received the deadline passed by two e-mails on the 25th s.m. By e-mail enclose the Ministry's reply letter and the Document of Processing Agreement and annexes thereto agreement between ANR and YAY from 15 May 2020 together with accompanying documents marked in items from one to four. In a letter from ANR, dated May 25, 2021, is repeatedly referenced updated production contract, dated s.d., as attachment 5. Also in the same letter is either referred to a telephone statement or an e-mail of the day. 2. October as attachment 6. No document marked attachment 5 or Attachment 6 had, however, been received by letter from ANR. On that occasion sent Privacy ANR inquiry by email s.d. and requested a copy of the original production contract on which the updated agreement was based. The agency then requested that it be received accompanying documents referred to. Answer ANR was received s.d. where it was confirmed that a reference to a previous production contract would in fact be a reference to a development contract party, dated May 15, 2020, which had already been sent to the Data Protection Authority. Then came stated that ANR could not grant the Agency access to Attachment 6. The other 2. June 2021, the Data Protection Authority sent ANR a letter regarding a possible decision on application of the agency's sanctions and provided the Ministry with an opportunity to object. On June 9, s.á. ANR requested a meeting with the Data Protection Authority, with reference to of the above-mentioned letter from the Agency, to discuss its contents, without further explanation. The Data Protection Authority rejected ANR's request for a meeting by e-mail, e.g. due to the investigation of the case is still ongoing. In order to agree to such a meeting at the same time investigation of the case, special reasons would need to be present, e.g. to be introduced items that would not be explained or substantiated in writing. Then the Data Protection Authority referred to its response to the written procedure of the Agency. The same day arrived Privacy another email from ANR stating, among other things the ministry considered it important to bring the matter to a successful conclusion and that ANR considers that its treatment had reached some dilemmas. It would be significantly misaligned and it would be necessary to obtain further explanations as to why the matter had developed this way and why not discuss other options for completion the case but with the imposition of a fine, e.g. with suggestions or recommendations for improvement, and ANR reiterated its request for a meeting with the Agency. Given that ANR considered the case misplaced, the ministry responded by email at 10 p.m. where it was crossed the handling of the case and its position with the institution. There were also issues of the case reaffirmed and reviewed the main points of Act no. 90/2018 and Regulation (EU) 2016/679 who is experienced in the case. It was also emphasized that the Data Protection Authority is looking into the matter serious eyes as it specifically tested whether it had been done important principles of the Privacy Act and the Regulation. Then The Agency's assessment of the seriousness of the case was based in particular on their number listed individuals who were covered by the travel donation and who could have been affected affected by the extensive access permissions that the application initially requested. That finally, the Agency's request for objections and / or explanations from the Ministry was due possible application of sanctions repeatedly. Privacy received objections of the Ministry by letter dated June 21, 2021. That letter states serious comments on the Data Protection Authority's procedure, among other things due to delays which the Ministry were granted to object and to provide the Agency further explanations of the case, reasoning and application to legal provisions, initial assessment of the seriousness of the matter and the rejection of the Ministry's request for a meeting. Because of of the above, the Ministry did not consider it to have a real option secure their rights and interests and that its right to object would in fact be curtailed the extensive and serious comments of the Ministry and with regard to its comments that it does not normally work in related matters privacy agreed to Privacy, despite the fact that the agency believed that the procedure was in accordance with the Administrative Procedure Act no. 37/1993, to provide the Ministry increased instructions. The Data Protection Authority therefore sent ANR a letter, dated. July 2, 2021, there which included procedures, the Agency's initial assessment and the seriousness of the case, in addition to which justification was provided for repatriation facts of the case under legal provisions, as well as general instructions were provided on the interpretation of privacy legislation. ANR was given a deadline of 20 July 2021 to file its opposition to the case. The 6 p.m. requested the Ministry, by e-mail, after further deadlines until 12 August, so as to submit objections and that deadline was granted. At 12 p.m. received answers ANR. On June 10, 2021 sent the Data Protection Authority YAY ehf. notice that in view of the technical issues which was foreseeable to be attempted in the own-initiative study, the Agency had decided to request the assistance of Syndis ehf., an independent specialist company in the field of network security and information technology, when conducting the study. With The announcement was accompanied by a project description of Syndir ehf. along with a budget. Var YAY ehf. given the opportunity to comment on the agency's choice of specialist company due of the study and its cost estimate. Answer YAY ehf. received the same day where neither was commented on the examination nor the cost estimate of Syndis ehf. Furthermore followed the answer of YAY ehf. audit of Syndis ehf. on the security of the company's script, day. November 7, 2019. On June 22, 2021, the representatives of Syndis ehf. and Privacy meeting with representatives of YAY ehf. in the premises of the latter, to to review the data and sources that Syndis ehf. requested to perform requested audit. YAY ehf. provided access to the required data and answered questions from Syndis ehf. On August 9, 2021, the Data Protection Authority sent YAY ehf. and ANR letter together with a report on the audit of Syndir ehf., dated July 6, 2021, and provided an option to submit comments or further explanations on the content of the report. Was deadline granted until 19 August s.á. At 12 p.m. received a reply letter from ANR and the other 18. s.m. received an email from YAY ehf. where it was confirmed that neither ANR nor YAY ehf. commented on the report of Syndis ehf. It was not clear from the answers of YAY ehf. each position of the company was to ANR's assertion that the company had made a mistake collected personal information about the age and gender of users. By email on August 20, 2021 The Data Protection Authority therefore requested the position of YAY ehf. to this point. Answer YAY ehf. received by two emails on 23 p.m. together with two accompanying documents. Views and explanations of ANR and YAY ehf., as they are appear in the above data, will be torn down as the occasion arises here after.3.Case FactsLooking that on 15 May 2020, ANR signed an agreement with YAY ehf. on solution development due to government travel grant (hereinafter development agreement). Objectives of the solution was issuing digital gift certificates to individuals, eighteen years of age and older, with Icelandic ID number, which you were supposed to encourage domestic travel in the summer of 2020. This was a collaborative project which was based on the government's proposals for measures to strengthen Icelandic economy following the coronavirus pandemic (Covid-19). In view of the circumstances great emphasis has been placed on bringing the solution to fruition as soon as possible power. The government's decision was based on Althingi Act no. 54/2020 on travel gifts which entered into force on 23 June 2020. The travel gift was made accessible to the public on 18 June 2020 in the form of a script. Immediately upon use Privacy notices requesting users' personal information, but also extensive access to their telephones. The issue was covered in the media but the Data Protection Authority did not receive any notification or request for comment or advice from ANR or YAY ehf. about the case.To take advantage the travel gift, the user had to log in to the script, provide information about their email address and telephone number as well as agreeing to certain terms. In the first three days after the release of the script, a user was also prompted to provide information on age and gender at check-in. User could also give his travel gift to another person and sent with it a greeting with a photo or video. To give the gift to others, the user had to register an email address recipient and to use the application's optional extension services and send electronically greetings with the gift, he was able to agree to give the app access to the camera, microphone, contacts file and USB storage area in their phone.Days 18.-23. June 2020 downloaded the script, in in some cases without the knowledge of their owners, very extensive access rights in users' phones. This included access to a camera to take photos and videos, as well as a microphone to record audio and change the speaker settings of your phone. Furthermore, information was requested the owner of the phone and its location, as well as information about the exact GPS location of the device. It was also requested to be able to read information about events in calendar, incl. á m. confidential information, added events and edited and sent email without the knowledge of the phone owner. Then it was requested to be able to read contact information and information and data in the phone's USB storage area as well as editing data there and deleting. Finally, information on wireless was requested Internet connections and, after being able to manage archiving, receive information from the Internet, see Internet connections and Internet access server information, run applications start a device, move small programs, control phone vibrations, prevent for it to fall asleep, change system settings, set up shortcuts and read Google Service Configuration (e. Service) configuration) .4. The views of ANRANR refer to with Act no. 54/2020, on travel donations, the Althingi has decided to donate individuals 18 years and older travel gift. Agreements have been reached with YAY ehf. where the company was considered to be able to provide a technically feasible solution with speed and without high development costs. Digital Iceland has taken out security measures YAY ehf. and concluded that the company could ensure appropriate security. Syndis ehf. also carried out an audit of the security measures of the company which have revealed adequate security measures were available.To be able to use the travel gift was necessary to work with specified personal information, ie. name and phone number. It was also planned for in the law that an individual could give his own travel gift and for that it was necessary to process information about the recipient's e-mail address. Because if the Ministry considers that the processing was necessary to fulfill the legal obligation which rests with the responsible party and for work that has been done for the benefit public interest.The first three days after the publication of the script, the processor (YAY ehf.) also worked with it information on the age and gender of users, but has given up and deleted the data accordingly instructions of ANR, as the Ministry's position was that their acquisition information was not necessary in order to fulfill obligations processing parties according to the parties' development agreement, dated May 15, 2020, or later instructions of ANR. In the notes ANR comes also stated that on June 18, 2020, immediately after the first release of the script has been made available to the public, extensive access has been requested to users' telephones. The Ministry's position was that such access rights were not necessary to fulfill obligations processor according to a development agreement or subsequent instructions of ANR. Then the ministry believes nor have they been necessary to fulfill a legal obligation in connection in the provision of travel gifts and regrets that the mistake in question took place processor. When the error was discovered, an updated version was released of the script on the 22nd. ANR emphasizes that although the script has requested this extensive access, during the period in question, if the information never been downloaded or worked with. A distinction needs to be made between the possibilities for work with personal information and its actual processing.The Ministry protests because the processing of personal data has violated Article 5. Regulation (EU) 2016/679 and considers that the information was processed in a lawful, fair and in a transparent manner towards registered persons. ANR therefore refuses to provide information had been obtained for illegal purposes and that personal information had been processed for purposes other than the original purpose, which is incompatible with the use of travel expenses according to Act no. 54/2020. The aim was to obtain personal information limited to the necessary purpose of the processing. ANR also refers to provisions in a new production contract, dated May 25, 2021, as a basis for processing, storage and deletion of personal information due to travel donations. ANR's notes further stated that when individuals choose to give their travel gift to others and send greetings in the form of a video with the gift barley processing of the requested personal information with the consent of the user. In the privacy policy of travel gifts that appears to users in the smart application states that in connection with such a gift may the application to request access to additional information from users, such as camera, microphone, photo and contacts, only and only in cases where the user himself requests and agrees specifically. In general, there is access to such data is not necessary for the use of the travel gift ANR's explanations that it is the Ministry's position that with the development agreement and processor, dated. May 15, 2020, and instructions issued e-mail on 11 June, referring to a privacy policy travel gifts and the Government's privacy policy, are to some extent provided for applies to the formalities that must be stated in a production contract in accordance with a regulation (ESB) 2016/679. However, the Ministry agrees with the views of the Data Protection Authority and acknowledges that the parties' development agreement and subsequent instructions do not apply holistically, sufficient consideration is given to the formal and material requirements according to para. Article 28 of the Regulation and therefore the parties have entered into a production agreement, dated May 25, 2021.ANR has prepared a privacy policy for the processing that takes place using the script that has been updated 28 May 2021. The privacy policy is accessible on the website Ísland.is and in the script. It clearly states what personal information is processed, in what purpose and on what basis. The policy clarifies who is responsible and each processor. Reference is also made to the privacy policy of the Government of Iceland where further information can be found on the retention period, the rights of the data subjects and contact information. In addition, ANR emphasizes that a distinction must be made on the privacy policy applicable to the travel gift and its use the script for that purpose on the one hand and an independent privacy policy processor that applies to other general uses of the unrelated script utilization of travel donation, however. When information has been received that education about processing of personal data, which was carried out by a privacy officer Cabinet, had not appeared in the script the first few days after its publication its shortcomings have been addressed immediately. Then ANR refers to the updated privacy policy from May 28, 2021 stating that the script may request the specified additional personal information if the user requests it himself by utilizing the additional services of the application and approving it separately Finally, ANR's explanations also state that it was clear that the project was to such a scope as this would have required a longer lead-up and preparation time. In light of the circumstances and the emergency situation that has arisen society, on the other hand, has focused on faster construction. They make mistakes which took place at the beginning of the project could be traced to it.5.The views of YAY ehf. Notes by YAY ehf. are that much to the same extent as the above explanations of ANR and will therefore only be discussed items in the objections of YAY ehf. which can shed further light on the events of the case. In the explanations of YAY ehf. appears that the Travel applet has already been based on another applet of the company has been in use. The existing script has been adapted and prepared with changed settings and activity in a hurry so that it has happened the Travel applet. In the first version of the new program, certain features were lost settings in which have requested various information and access in telephones users. This was done by mistake but the data, i.e. about age and the gender of the users that has been collected has already been deleted. When logging in to the script record user information about themselves, including name, phone number and email address. In the development agreement party from 15 May 2020, YAY ehf. specified owner of the recorded data in the solution. Personal information registered in the script is stored in database owned by YAY ehf. Due to technical reasons, it was decided to YAY ehf. would be considered the owner of that information by name. By agreement of the parties it will thus be difficult to decide who is considered the owner and thus the person responsible for that personal information which were created using the script. On the other hand, YAY ehf. look at that that ANR had the power of authority and decision-making power over the data in question. Despite the ambiguity wording in the agreement in question, YAY ehf. that his parties were completely agree on the role of each of them, ie. that ANR was responsible for the processing and YAY ehf. processor. YAY ehf. does not consider itself to be their responsible party data stored in the company's database or the remaining data may be at the end of the contract period. In the notes of YAY ehf. comes also stated that no written processing agreement had been made and knew it to be considered a violation of the Privacy Act for which both parties are responsible. Su however, this fact does not automatically lead to YAY ehf. is considered a responsible party of processing. ANR has entrusted YAY ehf. specified processing with a development contract a party where clear instructions have been given as to the functionality of the script should have. The parties also worked according to the arrangement that ANR was responsible for the processing and that it was very clear to users. Even though ANR's instructions to YAY ehf. has not been documented in production agreement, the parties agree on what the instructions were and they are reflected both in the parties' development agreement, ANR's privacy policy and in party communications (including e-mail communications). In cases where the processor violates the instructions of the responsible party may come to the processor is considered responsible for that processing. Have the extensive access permissions, specified in the first version of the applet in the Android operating system, have been utilized and YAY ehf. processed personal information that had been collected in that way it would be examined whether YAY ehf. would be defined as responsible for such processing. Did not come to that processing and from them due to the fact that there is little to define the role of the parties in this connection. It is also stated that in an e-mail, on 16 June 2020, ANR requested that the applet provided information about the gender of users. In other emails the same Today, the company has received a new instruction from ANR to accept the script's request gender information at check-out. Then the company received the same instructions on the collection of information on the age of users, but there is no written one data on them. If the company replied to ANR on the same day and informed that the request in question had entered the process and that it would be followed up. However, have been asked by updating the script until all changes to it have been made and therefore the update has been posted on June 18, 2020. an update has been made available to users with the Android operating system already the same evening but users of the iOS operating system not earlier than 20 p.m. due to the traditional Apple's review process for published widgets that are generally delayed 48 hours. Information on the age and gender of users iOS operating systems have therefore been collected from 18.-20. June 2020. The purpose of acquisition of that information has been to process statistical information and analyze which groups would have taken advantage of the travel gift. Then is stated in the notes of YAY ehf. to Sin ehf. has on November 7, 2019, at the request of YAY ehf., carried out a security audit of the app and view security in the company's Amazon (AWS) cloud environment. The tests were based on approved OWASP test methods, ie. Mobile Top 10 "," Mobile Security Testing Guide "and" Top 10 ", among others. The audit has shown that the data that the script worked with was hosted in Ireland. Conclusion of the audit was that there were neither medium nor large weaknesses. 6.Involvement of the network security company Syndis ehf. In light of the technicalities items that were foreseeable to be tried during the investigation of the case counted Privacy need the help of a self-employed specialist company in the field network security and information technology where the company's report would be part of an investigation of the case. On June 7, 2021, the agency therefore applied to the company Syndis ehf. With the involvement of the company emphasis was placed on researching the access rights requested by the Travel application applet after and to examine its processing of users' personal information about age and gender. The aim of this part of the study was to seek an answer to whether The travel gift had been updated to prevent a request being made according to access rights that were not related to the purpose of the Travel Gift and whether the script would have attempted to exploit the above permissions. As stated in section I.5., Above, YAY ehf. received Syndis ehf. to perform an audit on a script on November 7, 2019. According to the case file, construction began of the app Travel Travel not until first in May 2020. It is therefore clear that the security audit of Syndis ehf., from 7 November 2019, concerned another small program, i.e. the general script YAY ehf. (Gift certificate from YAY ehf.) And security the company's data storage in the Amazon cloud solution (AWS). The audit in question did not take place to the access permissions under review here. Given the study In this case, privacy concerns another small program and its other components the institution's assessment that the previous audit of Syndis ehf. does not stand in the way a professional and impartial study of the security aspects of the Ferðagjafar applet.6.1.Restrictions and reservations on the study of Syndis ehf. Syndis ehf. makes a reservation in its report, dated July 6, 2021 that certain restrictions have been present in the examination of the company which has created some uncertainty for the study. The report states that Travel Gift is a small program developed in the framework of React Native, which can be used to format small programs regardless of platform. YAY ehf. has since used sees the services of the Expo software platform for publishing of the app for both Android and iOS operating systems. Among those specified restrictions on the investigation of Syndis ehf. have been Expo action files that do enable software developers to release updates directly to mobile devices (e. mobile devices) that bypass their home updates. However, it is pointed out that they updates that result in a change in access rights must be made through the home update system of mobile devices and therefore it is not possible to use Expo to avoid access control systems for such devices. Syndis also believes ehf. it limits its research to the fact that the Expo software platform contains shepherds (e. assembler code) only for 30 days and Syndis ehf. therefore could not be confirmed what changes were behind the versions in Expo. In addition, there is no reliable a way to confirm that the shepherd, issued by Expo or mobile device transfer systems reflect source code of the script in the data repository that Syndis ehf. was delivered, where used have been using a multi-platform in the development of the script. Research Syndis ehf. therefore assumed that the data repository reflected the published shepherds. During the investigation, nothing was revealed which challenged those assumptions. Furthermore, it was not possible to test fully functionality of the Travel applet due to no travel app appearing in the script during project time. On the other hand, it was stated at a meeting of YAY ehf., Syndis ehf. and the Data Protection Authority on 22 June 2021 that the applet Ferðagjöfin has is based on the same foundation as the YAY script and therefore has also been used for to examine a specific activity. 6.2Athugun Syndis ehf.Athugun Syndis ehf. revealed that the first version of the script (version 1.0.2.) was made available to the public on 12 June 2020, but the Travel Gift was not announced until 18 p.m. Then there were changes made to the script and version 1.0.3 released on the same day, i.e. 18. June 2020. Subsequently, version 1.0.4 was released by the script, on the 19th, exclusively for Android operating system, and finally version 1.1 has been released on the 22nd s.m. It is also stated that there was also a version between version 1.0.4 and 1.1 made updates to the script using Expo.Rannsókn Syndis ehf. demonstrated that the original versions of the script, i.e. versions 1.0.2, 1.0.3 and 1.0.4, required, among other things, permissions for access to the phones of users of Android operating systems, ie. location information, network status, wireless status, camera, editor, network, document management, audio settings, calendar (read and write access, e.g. confidential information), contact list, internal and external storage areas (read and write access), phone status, phone reboot information, microphone to audio recording, shortcut setup, and motion mode reading. Also the script required permission to request installation of other packages, permission to run in the foreground even if other widgets were started, permission to display a specific type of alert window that appears on top of other scripts, permissions to use bio-teaching functionality for identification, permission to use fingerprints, possibilities vibrate and allow the processor and monitor to move on sleep mode. Syndis ehf. confirmed that version 1.1. and subsequent editions did not request as extensive access rights as previous versions of the script and mentioned above. According to Syndis ehf. points the company's examination of the script of the script to everything from in its original version, it only used four types of access rights: access to a camera (optional to send greetings when forwarding travel) but also to take a picture for the user's ID card), access to a file system (optional to send a picture with a greeting already on the user's mobile device), access to audio recording (optional to send greetings when traveling) another person) and access to a contact book (used when gift certificates are available sent to contacts). It was stated in the investigation of Syndis ehf. that despite earlier to the original the version of the script would have required extensive access permissions had not been found no indication that the script had used sources other than the aforementioned four access rights. Syndis ehf. until the overwhelming majority Mobile devices currently in use require users to install widgets permission to use certain access rights at the time they are new Year. Such access rights include, for example, access to sensitive data functionality such as mobile device camera and user personal data. On the other hand are in use telephones with older operating systems that do not have such control over permissions of small programs and their number amounted to approximately 5.1% of all mobile devices in Iceland at the time the script was released. Another matter about users of Apple mobile devices, because the use of the travel gift was required version 11 of the iOS operating system that has built-in user control for access rights and users would then have become aware of any misuse of access rights and could stopped her.Athugun Syndis ehf. on the prototype of the script also revealed that version 1.0.2 of the script requested information about the gender and age of users at registration and that this functionality had been removed in version 1.0.3. Then takes Syndis ehf. provided that version 1.0.2 has been made available to the public both operating systems on June 12, 2020 but that the public was not announced the existence of the Government Travel Gift until 18 p.m. The updated one version 1.0.3 of the Android operating system has been made available to the public in the evening of 18 p.m. but not until the second half of the day 20. s.m. for the iOS operating system in the Apple App Library. When updates are sent to the Google Play applet library (for Android operating systems) they will be available shortly. When upgrading in turn sent to the App Store applet (for iOS operating system) will be it will not be accessible to users until it has passed an audit at Apple. That process usually takes 48 hours. 7. The Data Protection Authority's observation of the script in September 2020, after Privacy received comments about the script, the agency noted its functionality and reviewed the training provided in the processing program personal information. At check-in was users are required to accept the general terms and conditions of YAY ehf. which generally apply to purchases on a product or service through a company script. Privacy reviewed content the general terms and conditions according to which, among other things, it is assumed that is a transaction between the user of the script as the buyer and the seller of gift certificates and that the user provides his credit card number and its period of validity and pays for it the product. Nowhere is there a discussion of government travel. Other terms which related to government travel were not accessible. After login with a phone number, the user got access to the app Travel. Í therefore, there is a menu with a link to the specific terms of the travel gift entitled "Travel Terms". Their content terms, however, were not all visible on the phone and could not be scroll to read the beginning or end of each line text. Was not it is therefore possible to read the terms in question on the telephone. There was no requirement to the user agreed to the specific terms of the travel gift, as specified in the answers of YAY ehf. In the same menu as before, another link was included entitled "Personal Information". It was the same text that could be found in it privacy policy on the company's website but was not specifically addressed government travel gift in that text. Of observation The Data Protection Authority could decide that users of government travel gifts would have to accept the general terms of use of the company YAY ehf. to be able to take advantage of the gift but the specific terms for it were not accessible to users.Check The Data Protection Authority also revealed that in the privacy policy of YAY ehf. was discusses the handling and storage of personal information and rights by the company of the registered. The types of personal information collected were not discussed was about the user or the purpose of the processing due to the use of a travel application script government. In the privacy policy of YAY ehf., Which contains a reference to the terms of the company regarding its handling of personal information, came e.g. forward that when creating access to solutions and using them, the user would need to register information about their phone number, authentication code and possible credit card number long. It was also stated that the company used the personal information in question for this purpose to provide their customers with services under contract with them, such as user access to the relevant solution, but also to keep track of usage history, ensure safety and provide the right user with information on the status of the delivery of goods and implementation of services, as well as ensuring the quality and functionality of the solution. In addition, it was stated that the company used the information to contact the user in for commercial purposes, as well as that YAY ehf. stored its customers' data there to the company would no longer need them to fulfill the goal with their collection. The rights of the data subject regarding collection and preservation of personal information.Privacy carried out same observation again March 2, 2021 and examined whether changes had been made on the presentation of instruction and approval in the program. Was not wrong see that changes have been made. Users were still required to agree the general terms and conditions of YAY ehf. and the terms of the Travel Gift applet still proved inaccessible to users.Then the Data Protection Authority re-examined August 26, 2021 and last 9 November s.á. and had then been made changes to the specific terms of the Travel Gift so that they were legible telephones, but users were still required to accept the general terms and conditions of YAY ehf. sem a precondition for the utilization of the government's travel grant. 8. ANR objection process due to possible imposition of administrative fines letters from the Data Protection Authority to ANR, dated June 2, 2021 and July 2, 20, were gone over individual items of Article 47 Act no. 90/2018, which discusses views that should be taken into account when deciding whether to impose a government fine and what amount her shall be. ANR was given the opportunity to present its views in that respect. ANR replied by letters dated. 21 June 2021 and 12 August s.á. In the notes The Ministry states that this is its position on the processing of personal data which has taken place in connection with the utilization of the travel gift has taken over met the requirements of the Act on Personal Data Protection and Processing of Personal Data. On the other hand The Ministry reiterates that a project of this magnitude in question would have been necessary longer lead time and preparation time. Due to circumstances, however, it was emphasis on speeding up implementation and having preparation and implementation of the project taken into account to some extent. Had the parties been given more time could, among other things, have prepared a clearer production contract at the beginning of the project and ensure better access for users to the privacy policy in the smart application. Then count the Ministry in question does not justify the application of administrative fines. Regarding the nature of the violation, how serious and how chronic it was and the number of registered individuals who suffered from it, as well how serious the damage was, is stated in ANR's notes to the processing personal information for government travel was necessary to fulfill a legal obligation that rested on the responsible party, cf. Act no. no. 54/2020 um travel, but also for a project in the public interest. To individuals could use the travel gift if it was necessary to work with certain personal information, ie. the name and phone number of the app user. Then be in the above law provides that an individual can give his own travel gift and therefore it was necessary to process information about the recipient's e-mail address of the gift. The purpose of the processing of the personal information in question was to verify the utilization of the travel gift.Also states in the Ministry's notes that when the first version of the script has made available to the public on 18 June 2020, has been requested extensive access to users' telephones. It is the position of the Ministry to such access rights were not necessary to fulfill obligations processor and has gone far beyond the ministry's instructions and intentions party. When the error was discovered, an updated version was run of the script. That edition was published on the 22nd. Then the ministry proposes emphasizes that even though the script has requested this extensive access during the four-day period in question was never retrieved on the basis of the access rights or worked with them. Still rather it is stated that in the first three days after the release of the script has been processed with information about the age and gender of users. Attitude of the Ministry is that the collection of that information by the processor has not be necessary in order to fulfill the obligations of the processor under the development agreement party and subsequent instructions of ANR and the processor has deleted the information the three days in question the position of the Ministry as to whether the violation was committed intentionally or negligence states in the aforementioned letter from ANR that the ministry never had any intention for other than meeting the requirements of the Privacy Act.Regarding actions taken by the controller or processor in order to reduce the loss of registered individuals, ANR says that the processor has to immediately three days later received an order from ANR to stop collecting information users by age and gender and to delete the data immediately. Then it has been improved access settings so that users of the app can do better explain what access the applet actually used. It is also stated that ANR agree with the views of the Data Protection Authority that the development agreement between the parties and the latter instructions have not sufficiently taken into account the formal requirements made for such contracts. This has been remedied by the conclusion of an updated production contract, dated. 25 May 2021, which takes into account formal and material requirements according to para. Article 28 Regulation (EU) 2016/679. The privacy policy was updated on 28 May 2021 with regard to the educational obligation. On the Ministry's position on responsibility guarantors and processors with regard to technical and organizational measures that they have implemented, cf. Articles 25 and 32 of the Regulation, states in ANR's explanations that before the Ministry has taken office agreements with processors, Digital Iceland has taken out the company's security measures and concluded that the processor could ensure appropriate safety. Syndis ehf. also carried out an audit of the processor's security measures which showed that adequate security measures were in place.ANR states that no previous violations by the Ministry are pending the scope of cooperation with the Data Protection Authority in order to remedy violations and reduce them its potential adverse effects are stated in ANR's notes that as can be seen communication with the Data Protection Authority, the Ministry has tried to respond information requests from the Data Protection Authority effectively and within that time limit which has been set by the Ministry. There has never been a will to do anything but show full cooperation. However, the Ministry must be taken into account do not normally work in matters related to privacy. It was necessary to obtain information from other parties to respond to letters from the Data Protection Authority and the ministry has made every effort to keep the agency informed of developments and requested an additional deadline when the occasion arose. Requested the Ministry as well as further instructions from the Data Protection Authority on ways to improve that the matter could be resolved successfully.Regarding which categories of personal information have been processed, ANR states in the notes that sensitive personal information has not been processed in the script compliance with the instructions of the Data Protection Authority on corrective measures according to Article 42. of the Act states that the Ministry has not received such instructions. Not so It is fully clear whether the Data Protection Authority considers the Ministry's improvements to be satisfactory or not or what further remedial action the ministry would need to take to ensure that the processing of the case is in a lawful state states that no applicable rules of conduct have been adopted here. However, it may be beneficial to work out rules of conduct that apply to processing personal information when publishing scripts. Will the ministry address it special inspection.End rather, the ministry states in its letter that the alleged violations were not hidden see a profit nor have they been conducive to protecting the Ministry from losses The Ministry points out its views on the possible amount of administrative fines in its letter that it is run entirely by the Treasury on the basis of contributions according to budget and does not earn any special income nor does it have any bank accounts. The Ministry's financial authority is in the hands of Althingi and is exercised on that basis financial framework determined by the state budget. Fine decision of one authority towards another government authority, which is fully run on the basis of contributions from the state treasury, can therefore not affect its financial framework or projects in other respects there which the government must continue to carry out the tasks entrusted to it by law. An administrative fine of one authority over another entails only a transfer in the accounts that does not affect the financial framework in question and of them therefore, ANR does not consider it necessary to discuss issues related to it in particular the amount of the administrative fine in this case.9.The objection process of YAY ehf. because of possible imposition of administrative finesWith letter, dated. February 12, 2021, YAY ehf. given the opportunity to object to possible imposition of a government fine on the company due to the case. In a letter The Data Protection Authority reviewed the points of view that are attempted in deciding such sekta.Svar received by letter dated. February 24, 2021. In the notes of YAY ehf. is emphasized that the obligations to be considered in connection with the application of administrative fines is the responsibility of the processor. YAY ehf. had, however, not been involved processing as a guarantor. It also states that the company considers that the processing for the travel gift has completely met the requirements of the privacy legislation. It is not disputed that if the parties had been given more time, there could have been more problems better to work. Thus, the parties should have completed the written processing agreement between themselves, ensure would have had better access for users ANR's privacy policy in the script and configure should have been more detailed permissions in the Android version of the app from the beginning so that users it could be clear that access to that information was not in fact being used which were specified there. However, in the opinion of YAY ehf. application of administrative fines nature of the offense, how serious and how long-lasting it was and the number of registered the persons who suffered it, as well as the severity of the damage they suffered, is stated in the notes of YAY ehf. that at no point did the broad access rights during the four-day period (from 18-22 June 2020) in The Android version of the app has been used or worked with personal information. It also states that in the first three days after publication of the script has been processed with information about the gender and age of users who was later dismissed on the basis of instructions from ANR. Total has 6000 users downloaded the app during this period but have this information immediately been deleted. It is also stated that this is the assessment of YAY ehf. that no user has suffered damage in connection with the processing of the material under consideration here. Um position of YAY ehf. on whether the offense was committed intentionally or negligently says in the notes of YAY ehf. that there is no violation of privacy law been committed intentionally by the company. For mistakes have extensive access permissions were selected for the first version of the app on Android devices but that was not the intention of the parties. The same applies to the publication of privacy policy in the script, it was not the intention of the party to the policy would not be published there in its entirety.Regarding actions taken by the controller or processor in order to reduce the loss of registered individuals, says YAY ehf. in their explanations to let has been from collecting information on age and gender after three days and them information already deleted. Then the access settings have been changed within four days from release, so users could better understand what access the script was actually using position of YAY ehf. to the responsibility of the guarantor or processor with respect to the technical and organizational measures which they have implemented, sbr. Articles 25 and 32 of the Regulation, states in the company's notes that YAY ehf. shall be fully responsible for the security measures taken in connection with the use of the script in accordance with the obligations of the company rest on the basis of privacy legislation. YAY ehf. in this relationship also for audit by Stafræn Íslands and Syndis ehf. on security measures of the company, previously reported.YAY ehf. states that no previous violations of the company are for going the scope of cooperation with the Data Protection Authority in order to remedy violations and reduce them its possible harmful effects stated in the notes of YAY ehf. that the company has emphasized the need to provide the Data Protection Authority with information on all the items requested has been left. Regarding which categories of personal information have been processed, YAY ehf. until their explanations that no sensitive work had been done personal information. Regarding compliance with the Data Protection Authority's instructions on corrective measures is stated in YAY ehf. has not received any such instructions.Then states that no applicable rules of conduct have been adopted here. However, it may be beneficial to work out rules of conduct that apply to processing personal information when publishing scripts. That Finally, it is stated in the notes of YAY ehf. that no profit was made in connection with the alleged violations nor has a loss been avoided.II.Reasons for decision 1. Scope Scope Act no. 90/2018, on personal protection and processing of personal information, and regulations (ESB) 2016/679, sbr. Paragraph 1 Article 4 of the Act, and thus the jurisdiction Privacy, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal information which is automated in part or in full and processed by methods other than automate personal information that is or should be part of a file personal information is considered information about the person identified or personally identifiable individual and an individual is considered personally identifiable if it can be identified, directly or indirectly, by reference to its identifier or one or more factors that are characteristic of him, cf. 2. tölul. Article 3 of the Act and point 1. Article 4 of the Regulation.With processing refers to an action or series of actions in which personal information is processed, whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 of the Regulation. The provision also contains a list as an example of what kind of actions can fall under the definition and says including that the concept of processing may include methods of making information available. Then it is considered processing when taken one step in a row actions required to make personal information available or accessible. This action, to obtain access rights, is considered a step in a series of actions to make personal information available or accessible and is considered therefore for processing, cf. Number 4 Article 3 of the Act and point 2. Article 4 of the Regulation, although information will not be available processed further, cf. the above provisions. This case concerns, on the one hand, acquisition personal information about users of government travel grants and, on the other hand, the acquisition of access rights in the telephones of the same users that could lead to further processing of personal information, including sensitive personal information. In that respect and having regard to the above provisions, the matter concerns this processing personal information that falls within the competence of the Data Protection Authority. 2. Responsible party and processorSá who is responsible for ensuring that the processing of personal information complies with Act no. 90/2018 is named guarantor. According to point 6. Article 3 of the Act refers to that an individual, legal entity, governmental authority or other party that decides alone or in cooperation with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 Regulation (EU) 2016/679. In the European guidelines of the Privacy Council no. 7/2020, from 2 September 2020, applies to a decision on who is considered the responsible party for processing and who is not considered the processing party only look at the available data, for example processing contract, but also how the arrangement actually was manner, i.e. who has in fact decided on the purpose and methods of processing of personal information. Processor is an individual, legal entity, government authority or other entity that works with personal information on behalf of the responsible party, cf. 7. tölul. Article 3 of the Act and 8. tölul. Article 4 Regulation (EU) 2016 679. As stated in para. Article 28 of the Regulation, a processor who violates the Regulation when he determines the purpose and methods of processing, are considered to be responsible for with regard to that processing.2.1.Responsibility of processingIn In view of the above, it is necessary, before discussing its legitimacy the processing of personal data discussed here, to determine the liability of each parties, as the obligations of the responsible party and the processing party differ their roles according to Act no. 90/2018 and Regulation (EU) 2016 / 679.For is that in order to take advantage of the travel gift, users had to log in the script and provide information about its name, phone number and email address. ANR and YAY ehf. are unanimous in their explanations that for the collection of the personal information has been instructed by ANR. The Ministry is therefore considered to be the party that decided the purpose and methods for processing the above personal information and is the responsible party of that processing.Also users of the app could give their travel gift to another person, but to it was necessary to work with the email address of the recipient of the gift. Then they could users sent greetings with the gift they chose as well as to use such additional services, they had to agree to access to a microphone, camera, storage area and contact list in their phones. It is clear from the case file that ANR requested that such additional services be offered and is therefore considered responsible for that processing.First three days after the initial release of the script, i.e. from 18.-20. June 2020, was still rather request information about the age and gender of users. Available that ANR gave YAY ehf. instructed to collect this information but then withdrew it back. Therefore, no decision can be made other than to decide on the purpose and method of the collection of the above personal information has been taken by ANR. In consultation with ANR has YAY ehf. then update the script according to the instructions after that had been made available to the public. Given that both parties to the case state in their objections that they were fully consulted regarding the timing the version of the script updates must be considered responsible for ANR the processing of personal data that took place on the basis of version 1.0.2 of the script, þ. á m. on information on the age and sex of users, taking into account delays in publishing process. YAY ehf. is, however, considered a party to that processing. It is also clear that in the first days after the initial publication of the app (from 18-22 June 2020 for Android operating system and from 18-23. June 2020 for the iOS operating system), YAY ehf. according to his own words, by mistake, after very extensive access to information in the telephones of the app users. Af on the part of the ministry has stated that the acquisition of the extensive access rights has not been in accordance with its instructions and that the processor has complied with their mistakes. On behalf of YAY ehf. has been observed to evolve The travel gift was based on the company's existing script where such access rights are requested, but the settings in question are mistaken not been removed when creating the new application. It can therefore only be seen that YAY ehf. is responsible for those mistakes and the company is therefore considered responsible the acquisition of the access rights in question and the action involved in the first step in a series of actions to make user information available. Regarding other processing personal information, as described above, is considered YAY ehf. processor, cf. 7. tölul. Article 3 Act no. 90/2018, Coll. also point 8. Article 4 Regulation (EU) 2016 / 679.2.2.VinnslusamningurÍ Paragraph 3 Article 28 of Regulation (EU) 2016/679, cf. Paragraph 3 Article 25 Act no. 90/2018, states that processing by the processor shall be covered by a contract or other legal act under EU law or the law of a binding Member State processor vis-à-vis the responsible party and where the subject is specified and duration of processing, nature and purpose, type of personal information and categories of registered persons and the obligations and rights of the responsible party. Then there is eight paragraphs deal with the elements to be laid down in particular in the contract between parties for the processing of processors on behalf of the responsible party. It is clear that on between ANR and YAY ehf. a development agreement was made. Then, on the one hand, took place e-mail communication in which the Ministry proposed a text of instruction the applet and, on the other hand, subsequent e-mail communications which covered which personal information should be collected and who should not. Privacy has been reviewed the content of the agreement and the communications that took place. The agreement in question deals in a very limited way with the conditions set out in para. Article 28 of the Regulation concludes production contracts. As for the email communication which are available in the case, it will not be seen that they satisfy the above conditions. Regulation (EU) 2016/679 and Act no. 90/2018 assume that always there shall be a documented instruction from the responsible party for processing personal data processor. Privacy considers that the requirement for clarity of such the guarantor's instructions are even richer in terms of their nature and scope the personal information in question and the personal information that was possible to apply, i.e. general personal information of all Icelanders who have reached the age of 18 age with an Icelandic ID number but also sensitive personal information of some users of the Android operating system, e.g. á m. confidential information in a calendar that may to store sensitive personal information about them or others. The Data Protection Authority also believes that prices must be made rich requirements for compliance with the law in the performance of senior executives' duties of the executive branch, in this case the ministry responsible the scope of innovation, as further specified in the Presidential Decree on division of political affairs between ministries in the Government of Iceland, no. 119 / 2018.No is in the above data ANR prescribes the processing of personal data for of the script in a satisfactory manner and the conclusion of the Data Protection Authority is that the data in question cannot be equivalent to a production contract within the meaning of the third paragraph. Article 25 fix no. 90/2018, or the third paragraph. Article 28 Regulation (EU) 2016/679. Does Privacy serious remarks that the ministry did not go here make sure that everything was complied with in accordance with Act no. 90/2018 on personal data protection and the processing of personal data and Regulation (EU) 2016/679. 3. Legality of processing All processing of personal information must be stopped under one of the authorization provisions of Article 9. Act no. 90/2018, Coll. Article 6 Regulation (EU) 2016/679. It is worth mentioning that personal information can be processed the data subject has given his consent for the processing of his personal data in for the benefit of one or more specific objectives, cf. Paragraph 1 Article 9 of the Act and point a Paragraph 1 Article 6 of Regulation (EU) 2016/679, also if the processing is necessary to fulfill a legal obligation that rests with the responsible party, cf. Paragraph 3 Article 9 Act no. 90/2018 and point c of the first paragraph. Article 6 of the Regulation, or if the processing is necessary for work carried out in the public interest or in the exercise of official authority which the responsible party handles, cf. 5. tölul. Article 9 of the Act and item e of the first paragraph. 6. gr. of the Regulation. In addition, the processing of sensitive personal information will be involved comply with any of the additional conditions of paragraph 1. Article 11 of the Act, cf. Paragraph 2 Article 9 of the Regulation. In point 3. Article 3 Act no. 90/2018 lists which information is sensitive, but it is information about race, ethnic origin, religion (point a); health information, ie. personal information concerning a person's physical or mental health, incl. health care he has received, and information on pharmacological, alcohol and drug use (point b); information about sex and sexual orientation (point c); and genetic information, biometric information, such as portraits or fingerprint data, provided that information is processed for that purpose to identify individuals in a unique way (point d). In assessing whether a permit for processing personal information is available, it is necessary to check whether the appropriate processing authorization has been for the processing and the processing is based on the consent of the data subject check whether the conditions of approval have been met. It also needs to be examined whether have provided adequate training, whether safety personal information has been secured, e.g. á m. whether appropriate action has been taken measures to ensure built-in and default privacy, and whether principles for the processing of personal data have been complied with.3.1.Authorization for processing personal information 3.1.1. Processing under the responsibility of ANRWith Act no. 54/2020, on travel donations, spoke Althingi stipulates that the government should give to individuals aged 18 and older travel gift, cf. Paragraph 1 Article 1 of the Act. To verify utilization of the travel agent, it was necessary to process the specified personal information, i.e. name, phone number and email address. The Travel Act also provides for this for an individual to give his own travel gift, cf. Paragraph 3 Article 1 of the Act. In order to be able to give a travel gift, it is necessary to work with information about the recipient's email address. The aforementioned processing can therefore be based on 3. tölul. Article 9 Act no. 90/2018 on personal protection and processing of personal information other conditions of the law are met. It is clear that the original versions of the script were made available in the Google Play and App Store app libraries on June 12, 2020. Given that the app was not notified to the public until 18. s.m. will be based on the fact that the processing of personal information has already begun on that day the public could first access the script. Act no. 54/2020 on travel donations did not enter into force until 23 June 2020. The processing in question could therefore not be based on point 3. Article 9 Act no. 90/2018 and point c of the first paragraph. Article 9 of the Regulation, that processing is necessary for the legal obligation of the guarantor, until after the entry into force of the law. Then it will not be seen that the processing has, until that time, may be considered necessary for a work done for the benefit public interest, cf. 5. tölul. Article 9 Act no. 90/2018 and item e of the first paragraph. 6. gr. of the Regulation. This authorization requires that such processing be supported legal authority but already for the reason that the law did not enter into force until 23 June 2020, will not be based on that authority. It has been argued by ANR that in In light of the state of emergency in the community, emphasis has been placed on faster construction. The ANR does not substantiate why the emergency in question was justified the provisions of Act no. 90/2018 and Regulation (EU) 2016/679. Privacy points out that privacy legislation applies regardless of the situation in society at any given time. Privacy considers that though certain actions, such as pandemic prevention measures, justice certain processing of personal information, it is not possible to accept that it is possible to respect Act no. 90/2018 and Regulation (EU) 2016/679, in whole or in part, in in connection with the provision of travel gifts. The Data Protection Authority does not consider that there was an emergency law perspective here nor that the processing was in the public interest. Is that a conclusion of the Agency that the processing of personal data that took place between 18 and 23. June 2020 did not rely on a satisfactory authorization according to Art. Article 9 Act no. 90/2018 and Article 6. Regulation (EU) 2016/679. In addition, the Data Protection Authority considers it It is reprehensible that ANR has not ensured that the processing of personal data does not begin until after the entry into force of the aforementioned law. However, the Data Protection Authority considers that from entry into force of Act no. 54/2020 on travel donation, on 23 June 2020, must be regarded as such that the above processing of personal information may be based on point 3. Article 9 Act no. 90/2018 provided that other conditions of the Act are met, e.g. on processing transparency and education for the registered, cf. discussed in Section 3.1.3 below.Then It is clear that information was provided on the age and gender of users of the script. During the preparation of the release of the script, a decision was made in this regard however, withdrawn by the Ministry, at least regarding information on the gender of users, as the processing was not considered necessary or in accordance to Act no. 54/2020 on travel donation. This has been described in the explanations provided that there has been full consultation between the parties as to when updated version 1.0.3, there if a request for age and gender had been removed, would be placed in the script libraries. The collection of personal information about the age and gender of users lasted from 18-20. June 2020. There was no authorization for the processing according to Article 9 Act no. 90/2018 and was it is therefore contrary to the provisions of the law. In the third paragraph. Article 1 Act no. 54/2020 states to an individual is allowed to give his own travel gift. On behalf of the Ministry and YAY ehf. has stated that the user could take advantage of the optional additional services if he agreed to give the app access to a camera, microphone, contacts file and USB storage file. It is then examined whether such processing complies with point 1. 9. gr. Act no. 90/2018 that the processing of personal information is permitted by the data subject give their consent for the processing of their personal data for the benefit of one or more specific goals. According to a statement with the bill that became Act no. 90/2018 states, among other things, about the first paragraph. Article 9 of the Act to the government can rarely be based on consent, except in exceptional cases when consent has no influence on the provision of services or human rights. As such is the opinion of the Data Protection Authority, that the provision of such additional services by ARN, which neither is necessary to take advantage of the travel gift or the conditions for giving it, can fall under it. Then test whether the conditions for approval are considered to be fulfilled, i.e. how it is obtained and whether the guarantor has provided adequate training before consent was given.3.1.2.Conditions for approvalTo assess whether authorization was in place at processing of personal information for additional services, according to Act no. 90/2018 and Regulation (EU) 2016/679, it is necessary to consider whether the conditions approval according to point 1. Article 9 of the Act, cf. Article 6 (a) of the Regulation, is considered fulfilled. In point 8. Article 3 Act no. 90/2018, approval is defined as an unforced, specific, enlightened and unequivocal declaration of intent by the data subject that he consent, by declaration or unequivocal confirmation, processing of personal information in itself.In Article 10. Act no. 90/2018, Coll. Article 7 Regulation (EU) 2016/679, the conditions for approval are discussed in more detail. There comes, among other things stated that when processing is based on consent shall the guarantor can show that the registered person has approved the processing their personal information in accordance with the further conditions of Article 7. of the Regulation. In 2. mgr. Article 10 of the Act states that if the data subject gives his consent in writing a statement, which also covers other matters, the request for approval shall be made presented in such a way that it is distinguishable from the other issues, in an understandable and accessible form and clear and simple language. In the 4th paragraph. of the provision states that when assessing whether consent is given voluntarily and voluntarily the utmost consideration as to whether it is a condition for the performance of the contract that consent is given for the processing of personal data that is not necessary due to of the agreement. This is stated in a memorandum with a bill that became law no. 90/2018 that the regulation sets out more detailed rules and stricter requirements how approval is obtained, in addition to which companies are obliged according to it to make the terms of approval transparent and accessible and have them in an understandable language. Processing based on approval will be included otherwise, as is always the case when processing personal information, that comply with high-quality processing methods, take place in stated, clear and objective purpose and must not go beyond what is necessary requires. When the Data Protection Authority assesses whether the requirements for consent are met it takes into account both the processing method used and their nature information processed. Consent is required free and independent and is not considered to be when an individual has to consent specific processing in order to receive services. In point 42 of the foreword of the Regulation reaffirms the obligation of the guarantor to can demonstrate that consent has been given and state that it needs to ensure that the data subject is aware of it and to what extent. It is emphasized that consent should not be considered granted voluntarily if the data subject has not had a real or free choice or unable to refuse or withdraw consent without becoming for damage. The premise of the individual be able to make an informed decision to give its consent for processing personal information about themselves and protect their interests, as well as its conditions consent is complied with, is that he is informed of the processing that takes place and in what it entails. Prerequisites for knowledge and information on processing personal information is transparency and education to the data subject about the processing. 3.1.3. EducationOne of the principles of privacy law on the processing of personal information is that care must be taken to ensure that it is processed in a lawful, fair and transparent manner towards the data subject, cf. 1. tölul. Paragraph 1 Article 8 Act no. 90/2018, Coll. also point a of the first paragraph. Article 5 Regulation (EU) 2016/679. To assess whether the condition of transparency was met the provisions on compulsory education must therefore be complied with. Compulsory education responsible party, ie. the obligation to provide processing information the personal data of the data subject, applies regardless of the legal basis of the processing based on, i.e. whether in the case of consent or due to legal obligation. Then it should provide the information in question in connection with the processing of personal information about him the time when the information is obtained from the data subject, cf. Item 61 preamble to Regulation (EU) 2016/679. On the educational obligation, transparency and the data subject's right to information is discussed in Article 17. Act no. 90/2018 and 12-14. gr. of the Regulation (ESB) 2016/679. In the first paragraph. Article 17 of the Act states that the responsible party shall do appropriate measures to ensure the transparency of information and notifications to a registered person according to the instructions of Article 12. of the Regulation so that he can exercise its right to information and the right of access. In the second paragraph. same articles, sbr. also Articles 12 and 13. of the Regulation, states that the data subject has the right for information on processing, whether personal information is obtained from him himself or not, as well as the right to access personal information about himself according to instructions 13.-15. gr. of the Regulation with the exceptions specified in Paragraph 3 of the provision.In Article 13. of the Regulation deals with the information provided by shall be provided when collecting personal information from a registered person. In the first paragraph. of the provision states that when personal information about the data subject is obtained from him the responsible party shall, when collecting the personal information, report it to him including the purpose of the proposed processing of the personal information and who its legal basis is (point c). In the opinion of the Article 29 Working Group, [1] no. WP260 rev. 01, states that it is the principle of transparency in all forms of education in the form of information on processing the personal data of the data subject shall be accessible, easy to understand and clear and a simple matter. As mentioned earlier, the user is logged in to the Travel applet made to accept the general terms of the company YAY ehf. applicable to general use the company's scripts and not related to the Travel Gift. The information contained therein is therefore not applicable to the use of the travel gift. By users accepted the general terms and conditions, they could access the terms of the travel gift with by clicking on the link marked "Travel Terms". The text that appears users there, however, was not readable as only a fraction of it appeared on the screen. In the above terms were not found the items that Article 17 Act no. 90/2018 and Article 13. Regulation (EU) 2016/679 require. Users were also, a.m.k. in the iOS version of the app, impossible to get acquainted with the above terms in a satisfactory manner. In view of the above the training provided when the collection of personal information took place is not counted comply with Article 17 of the Act and Article 13. of the Regulation. In assessing whether the data subjects were educated when the information was first obtained does not mean that users could later access a privacy policy YAY ehf. within the script. In addition, it is the opinion of the Data Protection Authority that the privacy policy YAY ehf., Which was accessible after the user logged in, did not comply the requirements made in the Act and the Regulation for the education of YAY ehf., on behalf of the guarantor, as this policy does not apply to the Travel Gift applet. terms that did not apply to the processing that took place due to the travel gift and therefore did not receive correct information about the processing of personal information about those who took place in practice. At that time, users could not familiarize themselves with the specific terms of the Travel Gift as they were inaccessible, a.m.k. at iOS operating system users. In view of the above, it can not be seen that ANR has acted appropriately measures to make information accessible, easy to understand and simple and clear language or provide users with sufficient and correct government travel information about the processing and their rights due to it so that they could take informed decision on the planned processing of personal information about them, upon registration in the program. ANR has therefore not fulfilled its educational obligation as a responsible party, sbr. conditions of Article 17 Act no. 90/2018 and Article 13. Regulation (EU) 2016/679. As has been stated, users made to accept the general terms and conditions of YAY ehf. when logging in to the Travel applet as a basis for all processing of personal information in that script. In them terms contained information that did not apply to its use. Provide users are therefore authorized to process personal information about themselves on incorrect grounds. Furthermore, the general terms and conditions of YAY ehf. nor the terms pertaining to it The travel gift is considered to meet the requirements for that education which must be provided to the data subject when personal information is processed about them, cf. Article 17 of the Act and Article 13. of the Regulation. Where education was not adequate will not be based on legal authority according to point 3. Article 9 Act no. 90/2018, Coll. also point c 1. mgr. Article 6 Regulation (EU) 2016/679. For the same reason will not be considered a condition approval has been fulfilled, with regard to additional services in the script, cf. 1. tölul. Article 9 of the above Act, cf. also point a of the first paragraph. Article 6 of the Regulation and Art. of the Act, cf. Article 7 of the Regulation. 3.2. Processing under the responsibility of YAY ehf. According to them The information available in the case was in versions 1.0.2, 1.0.3 and 1.0.4 of the script programmed extensive access rights to users' telephones, ie. location information, network status, wireless status, camera, editor, network, document management, audio settings, calendar (read and write access, e.g. confidential information), contact list, internal and external storage areas (read and write access), phone status, phone reboot information, microphone to audio recording, shortcut setup, and motion mode reading. Also the script required permission to request installation of other packages, permission to run in the foreground even if other widgets were started, permission to show a specific type of alert window that appears on top of other widgets, license to use bio-teaching activity for identification, license to use fingerprints, the possibility of setting on vibration and permission to prevent CPU and monitor would go to sleep mode. YAY ehf. has acknowledged that the above action was the result of a mistake. There was no authorization for that basic processing according to Article 9. Act no. 90/2018 and was therefore the opposite the provisions of the Act.3.3.Security of personal information According to Art. Act no. 90/2018, Coll. also Article 24. of Regulation (EU) 2016/679, the responsible party shall make appropriate technical and organizational measures that take into account the nature, scope, context and purpose processing and risk for the rights and freedoms of registered persons to ensure and demonstrate that the processing of personal data meets the requirements of the Regulation. With the above measures shall ensure that privacy is built in and default, cf. Article 24 of the Act and Article 25. of the Regulation. Such measures may, inter alia, be designed to enforce the principles of privacy, such as data minimization. The above rules of Act no. 90/2018 and Regulation (EU) 2016/679 are reaffirmed in the first paragraph. Article 27 of the Act, cf. also the first paragraph. Article 32 of the Regulation, which states that the responsible party and the processing party shall do appropriate technical and organizational measures to ensure adequate security of personal information in the light of the latest technology, implementation costs, nature, scope, context and purpose of the processing and risk, less likely and more serious, for the rights and freedoms of individuals according to further instructions Article 32 of the Regulation, but that article will be considered its main provision information security. Among the things that the guarantor and processor must do according to the instructions in question is to introduce a process to test and evaluate regularly the effectiveness of technical and organizational measures to ensure safety of processing, cf. paragraph 1 (d) of the provision.In view of the above, here is a special test of whether security personal information about users of government travel gifts has been sufficient ensure the adjustment and shaping of the script settings and whether only has have been processed with the personal information that was necessary for purpose of processing. Then test whether there was a process to test and regularly evaluate the effectiveness of technical and organizational measures, such as tests of the internal functionality of the script and what personal information it obtained automatically or both of its users upon login or due additional services. The explanations of both parties to the case state that Digital Iceland has carried out an audit of the company YAY ehf. with with regard to the security measures of the company and came to the conclusion that the processor could ensure appropriate security. Syndis ehf. also carried out an audit of the safety measures of the processor which has revealed that adequate safety measures were in place. ANR's notes state that was the assessment of Stafræns Íslands that YAY ehf. provided sufficient assurance for that that appropriate technical and organizational measures be taken to: processing met the requirements of Act no. 90/2018 and Regulation (EU) 2016/679. Have privacy policy of YAY ehf. have been examined separately but in the terms of YAY ehf., state how the company collects, uses, shares and protects personal information their customers. The purpose of the terms is to ensure that the handling of YAY ehf. á personal information is in accordance with the basic principles and rules of privacy and privacy contained in Regulation (EU) 2016/679 ,. The project team therefore considered it guaranteed that YAY ehf. took care of extreme safety in processing of personal information. No further data or confirmation was received Privacy from ANR due to the aforementioned audit of Digital Iceland. It can also be deduced from the case file that the audit of Syndir ehf. has primarily concerned aggression and stress testing. In the second paragraph. Article 24 Act no. 90/2018, Coll. also the second paragraph. Article 25 Regulation (EU) 2016/679, states that the responsible party shall take appropriate technical and organizational measures to ensure that by default only the personal information is processed as are necessary for the purpose of the processing at any given time. This obligation applies about how much personal information is collected, to what extent it is processed them, how long they are kept and access to them. Do not appear as above measures have been taken, neither by the responsible party nor the processing party. Then do not lie for data showing that the audit covered the above items or that special tests have been performed to evaluate the efficiency and configuration of the application, m.a. with regard to what personal information would actually be requested login to the script and the access rights that would be obtained automatically. It is therefore not the case that the responsible and processing party has done the appropriate technical work and organizational measures to ensure processing safety personal information.Then was not done processing agreement between the parties, as previously discussed, but he is considered to be an important organizational measure for the processing of personal data which provides for the fundamentals of processing and contributes to their increased safety personal information covered by the processing. 3.4. Principles for the processing of personal information As before, processing will be traced personal information must always meet all the basic requirements of the first paragraph. Article 8 Act no. 90/2018, Coll. Article 5 Regulation (EU) 2016/679. In light of the above try here in particular whether the processing of personal data in question has taken place in a lawful, fair and transparent manner towards the data subject (item a) of the regulatory provision); whether information has been obtained in clear specified, legitimate and objective purposes and not further processed in other and incompatible purpose (point (b)); whether the information obtained has be adequate, appropriate and not in excess of what was necessary purpose of processing (point (c)); and whether they have been processed in such a way that the appropriate security of the personal information has been ensured (item f). As has been stated, the Ministry did not education adequately and therefore did not take appropriate measures to ensure transparency about the processing of users' personal information of the script and the processing can therefore not be considered to have been carried out in a reasonable manner and in a transparent manner towards the data subject, cf. point a of the first paragraph. Article 5 of the Regulation. It is also clear that there was no processing permit for the processing of personal information about users from 18-22. June 2020 or until the law no. 54/2020 entered into force at 23 p.m. In addition, there was no time for authorization processing of information on the age and gender of users. There was also no authorization to procure extensive access rights to the telephones of the users of the affected script processor error. It will therefore not be seen that information has been obtained clearly stated, legitimate and objective purposes and it ensured that they would not be processed further for other and incompatible purposes, cf. paragraph 1 (b) Article 5 of the Regulation. It is also the opinion of the Data Protection Authority that the acquisition of YAY ehf. on extensive access rights in users' telephones, cf. further explanation in section I.3. and I.6.2., and information on age and sex was insufficient and appropriate and far in excess of what was necessary for the purpose of processing, cf. paragraph 1 (c) Article 5 of the Regulation. The parties did not enter into a production agreement in in accordance with para. Article 25 Act no. 90/2018 and the third paragraph. Article 28 of the Regulation (EU) 2016/679 and it can therefore not be seen that YAY ehf. and ANR has made appropriate technical and organizational measures to ensure that the default is only the personal information that was necessary for the purpose was processed of processing. Furthermore, YAY ehf. not appropriate technical and organizational measures to ensure safety personal information when the company used programming from another unrelated script the Travel applet, without verifying the effectiveness of the measures provided had been taken to ensure that no wider access was requested users 'telephones than was needed as well as what users' personal information is of the script would be made available, cf. 6. tölul. Paragraph 1 Article 8 of the Act and paragraph 1 (f) Article 5 of the Regulation. Then it will be considered that to perform the first steps in a series of actions to make the personal information of the users of the app available, which were neither relevant nor necessary for the purpose processing, has not complied with the principle of minimizing the processing of personal data or the principle of proportionality, point 3. Paragraph 1 Article 8 Act no. 90/2018 and point c of the first paragraph. 5. gr. Regulation (EU) 2016/679. ANR is also responsible for processing personal information always meets the requirements of the principles of processing personal information and should be able to demonstrate that this is the case, cf. Paragraph 2 Article 8 fix no. 90/2018 and the second paragraph. Article 5 Regulation (EU) 2016/679. It is clear that we preparation for the issuance of the travel gift was significantly lacking in compliance in writing the instructions of the responsible party, the effectiveness of security measures, tests and other documentation that is necessary to use when publishing a script. In view of the above, it is therefore an assessment Privacy that the processing has not complied with the principles of processing personal information, sbr. Points 1, 2, 3 and 6 Paragraph 1 and the second paragraph. Article 8 Act no. 90/2018, Coll. also points a, b, c and f of the first paragraph. and the second paragraph. Article 5 Regulation (EU) 2016 / 679.III.Beiting sanctions 1. Perspectives on the application of sanctions for violations ANRAð the above-mentioned prestige therefore comes into consideration whether ANR shall impose administrative fines for the above-mentioned conduct, cf. Article 46 Act no. 90/2018, Coll. also Article 83. Regulation (EU) 2016/679. We a decision to that effect and on the amount of the fine, the first paragraph shall be taken into account. Article 47 Act no. 90/2018, Coll. Paragraph 2 Article 83 of the Regulation. Are listed there issues that may either be of interest to the benefit or to the detriment of him. The following issues are considered in this case.a. Nature, scope and purpose of processingAccording to point 1. Paragraph 1 Article 47 Act no. 90/2018, sbr. point a of the second paragraph. Article 83 of Regulation (EU) 2016/679, this should be taken into account of any kind, how serious and how long-lasting the breach was, with respect to nature, scope and purpose of processing, as well as the number of registered individuals as before what happened and how serious the damage was. In this case, the processing of personal information took place stated for the purpose of enforcing the government's decision, it took to the general public personal information, a large number of individuals but the processing lasted for a short time time. There is no evidence in this case to suggest that individuals has suffered damage as a result of the processing. According to information from the tourism dashboard [2] published are for with the help of the Icelandic Tourist Board, it is stated that the number of travel gifts applied for in 2020 was 226,158, which was the number of individuals who received unsatisfactory education for the use of Government Travel. Privacy considers it reprehensible that ANR, which Ministry of Innovation, shall have begun the processing of personal information about number of persons before the law on which the processing was based came into force, that the training was unsatisfactory and that no processing agreement had been made. The Data Protection Authority believes that ANR has thereby violated in various ways basic principles of Act no. 90/2018 on personal protection and processing of personal information and Regulation (EU) 2016 / 679.b. Whether the violation was committed intentionally or negligentlyAccording to point 2. Paragraph 1 Article 47 Act no. 90/2018, Coll. paragraph 2 (b) Article 83 of Regulation (EU) 2016/679, should be taken into account whether the offense was committed intentionally or negligently. Ministry, like other people who process personal information, take great responsibility for that activity of them complies with established laws and regulations at any given time. Privacy counts though that the submitted evidence in the case does not indicate that it was present ANR's intention to violate the provisions of the Privacy Act either the time constraint mentioned by the Ministry in its explanations contributed most to the fact that the processing took place with in the manner described here. Privacy does anyway serious remarks on the working methods used in the preparation of issue of the travel gift. c. Measures to reduce the loss of registered personsAccording to point 3. Paragraph 1 Article 47 Act no. 90/2018, Coll. paragraph 2 (c) Article 83 Regulation (EU) 2016/679, should take into account the measures that have been taken in it in order to reduce the loss of registered persons. As stated earlier is not available that individuals have suffered special damage as a result of the illegal processing. However, it should be noted in this connection that ANR contacted YAY ehf. for the first edition of Ferðagjafarinn, on 16 June 2020, and requested a procurement personal information about age and gender would be discontinued and that information deleted. However however, the parties agreed not to update the script until 6 p.m. sem did not become available to iOS users until 48 hours later. later. Also that already clear was that the applet gained extensive access rights in users' telephones was reissued an updated version of the application. It is clear that ANR has intervened to take appropriate organizational measures to prevent similar incident repeats itself. However, it will be considered burdensome factor that despite the fact that ANR has received information that the terms of the travel gift appeared unsatisfactory in the script a few days after it was made available to the public, with them consequences that users were unable to familiarize themselves with them, the same terms were still inaccessible to users of the iOS operating system almost a year later or on March 2, 2021.d. Responsibility of the guarantor or processor with regard to technical and organizational measuresAccording to point 4. Paragraph 1 Article 47 Act no. 90/2018, Coll. paragraph 2 (d) Article 83 Regulation (EU) 2016/679, should be taken into account how much responsibility the guarantor or the processor shall, with regard to technical and organizational measures which they have been implemented. An employment contract is considered, according to 3. mgr. Article 28 Regulation (EU) 2016/679 and para. Article 25 Act no. 90/2018, be part of the organizational measures that the responsible party must take to ensure the security of personal information, cf. Paragraph 1 Article 32 of the Regulation and 1. mgr. Article 27 of the Act. ANR is therefore responsible for safety the personal information processed for government travel was not safe. In the case under consideration here is clear that the Ministry is responsible for the lack of organizational measures, incl. type processing agreement and to ensure measures of default privacy in the script. In the light of the processing in question, it should have been here there are organizational measures in place that would have prevented the processing from going ahead presented in the manner previously described. In this connection, it is important to safety audit of Syndis ehf. took only a limited part of the information security, i.e. attack and stress resistance. The security audits that were carried out were therefore not relevant built-in and default privacy that should have ensured that collection and the processing of personal data would not exceed what the processing authorizations and the principles of the law and the regulation stipulate. ANR is therefore responsible for that the security of the personal data processed for government travel was not guaranteed and that the production contract has not been made satisfactorily hátt.e. Previous violationsAccording to point 5. Paragraph 1 Article 47 Act no. 90/2018, Coll. point e of the second paragraph. Article 83 of Regulation (EU) 2016/679, shall look to previous offenses of the guarantor or processor that matter, if any are. It is not known that ANR has previously been convicted of a violation Privacy Act. f. Scope of co-operation with the Data Protection AuthorityAccording to point 6. Paragraph 1 Article 47 fix no. 90/2018, Coll. point f 2. mgr. Article 83 Regulation (EU) 2016/679, the scope of co-operation with Privacy to correct violations and reduce their harmful effects. For lies that ANR responded to the Data Protection Authority's requests for further information as a result that the agency's initiative study began, but was repeated requested extended deadlines that affected the speed of processing the case at the Data Protection Authority.g. Categories of personal informationAccording to item 7. Paragraph 1 Article 47 Act no. 90/2018, Coll. point g of the second paragraph. Article 83 Regulation (EU) 2016/679, the categories of personal data breaches must be considered influence. The processing of personal information in practice only covered general personal information. h. How was the supervisory authority notified of the infringement? Paragraph 1 Article 47 Act no. 90/2018, Coll. point h of the second paragraph. Article 83 Regulation (EU) 2016/679, it must be considered how the supervisory authority was made aware of violations. It is known that the Data Protection Authority received suggestions to the public shortly after the first release of the script. The matter was then discussed the media. Neither the responsible party nor the processing party drew the attention of the Data Protection Authority málinu.i. Compliance with remedial instructionsAccording to point 9. Paragraph 1 Article 47 Act no. 90/2018, Coll. paragraph 2 (i) Article 83 Regulation (EU) 2016/679, should be looked at to comply with the Data Protection Authority's instructions on remedial measures on the basis Article 42 of the Act. No instructions were given in connection with the handling of the case and therefore, this aspect does not come up for further consideration.j. Other burdensome or mitigating factorsAccording to point 11. Paragraph 1 Article 47 Act no. 90/2018, Coll. point k of the second paragraph. Article 83 Regulation (EU) 2016/679, burdensome or mitigating factors other than theirs should be considered listed earlier in the provision, such as gains or losses incurred directly or indirectly due to a violation. In this connection, it is to be considered that ANR has put in some work, in collaboration with the processor, in order to update procedures, conclude a production agreement between the parties in a documented manner and rectify deficiencies on the publication of educational material, in connection with the processing of personal information due government travel gifts. The ministry went into that work after an initiative study Privacy started. It is also considered a mitigating factor a party who does not work for financial purposes but works in the public interest. However, it is considered a burdensome factor that 2. March 2021, just over eight months after the release of the script, were The terms of the Travel Gift still make it inaccessible to iOS users and that 9. November 2021, users have still been forced to accept the wrong terms when logging in in the script.2. Perspectives on the application of sanctions for violations YAY ehf.a. Nature, scope and purpose of processingAccording to point 1. Paragraph 1 Article 47 Act no. 90/2018, sbr. point a of the second paragraph. Article 83 of Regulation (EU) 2016/679, this should be taken into account of any kind, how serious and how long-lasting the breach was, with respect to nature, scope and purpose of processing, as well as the number of registered individuals as before what happened and how serious the damage was. It is clear that mistake of YAY ehf. to quickly adapt existing scripts to a new version for the dissemination of travel gifts to Icelanders, has failed to adjust programming access rights. With the publication of Ferðagjaf together with the aforementioned access rights was taken the first step in a series of actions for the purpose of doing personal information available and thus accessible. Such an action is considered processing of personal information within the meaning of point 4. Article 3 Act no. 90/2018 and 2. tölul. Article 4 Regulation (EU) 2016/679. This is extensive access rights in the telephones of the users of the travel gift who made general and sensitive personal information available. It will be evaluated for mitigating factors the request for the extensive access rights lasted for a short time and that they were not used for the collection of personal information and therefore went further processing personal information on the basis of which is not provided. However, not only look at the listed individuals who were actually affected but also those who could have been affected by the acquisition of the said sources. According to information from the tourism dashboard, 226,158 individuals attended the travel gift in 2020. In terms of number of users The Android operating system, which would not have been aware of the acquisition in question access rights, it can be assumed that there is a significant number of people or over 11,500 individuals. b. Whether the violation was committed intentionally or negligentlyAccording to point 2. Paragraph 1 Article 47 Act no. 90/2018, Coll. paragraph 2 (b) Article 83 of Regulation (EU) 2016/679, should be taken into account whether the offense was committed intentionally or negligently. The processing as here is under review appears to have occurred due to human error and has nothing stated in the case which indicates that there is a breach of intent. However on the other hand, the Data Protection Authority makes serious remarks to a company that specializes in the publication of small programs, which by their nature often work with extensive personal information, have did not use good workmanship in preparing the release of the program. c. Measures to reduce the loss of registered personsAccording to point 3. Paragraph 1 Article 47 Act no. 90/2018, Coll. paragraph 2 (c) Article 83 of Regulation (EU) 2016/679, should be taken into account the measures that have been taken in order to reduce the losses of registered persons individuals. In this connection, it is important that when it was clear that the request was made after the aforementioned extensive access rights in users' telephones were violated with the updated version of the script where settings were adjusted.d. Responsibility of the guarantor or processor with regard to technical and organizational measuresAccording to point 4. Paragraph 1 Article 47 Act no. 90/2018, Coll. paragraph 2 (d) Article 83 of Regulation (EU) 2016/679, should be taken into account how much responsibility the guarantor or processor has with regard to technical and organizational measures. As previously stated, YAY ehf. responsible for the mistakes that led to the very widespread access rights were obtained in the telephones of the users of the travel gift. YAY ehf. counts responsible for the processing involved and as such is responsible for that take appropriate technical and organizational measures, such as with appropriate tests, to ensure that by default only those personal information is made available or processed as necessary of the processing at any given time. A production contract is also considered, cf. Paragraph 3 Article 28 Regulation (EU) 2016/679 and para. Article 25 Act no. 90/2018 be part of the organizational measures that the processor must take to ensure the security of personal information, cf. Paragraph 1 Article 32 of the Regulation and 1. mgr. Article 27 of the Act. YAY ehf. is therefore responsible for the safety the personal information processed for government travel was not safe. e. Previous violationsAccording to point 5. Paragraph 1 Article 47 Act no. 90/2018, Coll. point e of the second paragraph. Article 83 of Regulation (EU) 2016/679, shall look to previous offenses of the guarantor or processor that matter, if any are. It is not clear that YAY ehf. has previously been fined for violating Act no. 90/2018 on personal data protection and processing and regulation (EU) 2016 / 679.f. Scope of co-operation with the Data Protection AuthorityAccording to point 6. Paragraph 1 Article 47 Act no. 90/2018, Coll. paragraph 2 (f) Article 83 of Regulation (EU) 2016/679, should be taken into account extensive cooperation with the Data Protection Authority in order to remedy violations and reduce them its harmful effects. Initially, it was slow to gather information representatives of YAY ehf. which led to repeated and repeated requests from Privacy. YAY ehf. provided, however, the Data Protection Authority and representatives of Syndir ehf. easy access to the data and information requested for the purpose of perform a study of the script and its publishing history, e.g. Categories of personal informationAccording to item 7. Paragraph 1 Article 47 Act no. 90/2018, Coll. point g of the second paragraph. Article 83 of Regulation (EU) 2016/679, should be taken into account the categories of personal data breaches affected. These are sources to make general and sensitive personal information available. h. How was the supervisory authority notified of the infringement? Paragraph 1 Article 47 Act no. 90/2018, Coll. point h of the second paragraph. Article 83 of Regulation (EU) 2016/679, should be taken into account the manner in which the supervisory authority was made aware of the breach. For It is clear that the Data Protection Authority received suggestions from the public shortly after the first version of the script. The issue was also covered in the media. Neither the responsible party or the processing party drew the attention of the Data Protection Authority to the case.i. Compliance with remedial instructionsAccording to point 9. Paragraph 1 Article 47 Act no. 90/2018, Coll. paragraph 2 (i) Article 83 of Regulation (EU) 2016/679, should be taken into account compliance with the Data Protection Authority's instructions on remedial measures on the basis of 42. gr. of the Act. No instructions were given in connection with the handling of the case and therefore this aspect will not be examined further.j. Other burdensome or mitigating factorsAccording to point 11. Paragraph 1 Article 47 Act no. 90/2018, Coll. point k of the second paragraph. Article 83 of Regulation (EU) 2016/679, should be taken into account other burdensome or mitigating factors than those listed earlier the provision, such as gains or losses avoided directly or indirectly stopped due to a violation. In this connection, it is to be considered that YAY ehf. has put in some work, in collaboration with the responsible party, in order to update procedures, come on a production contract between him and him in a documented manner and to fix deficiencies publication of educational material in connection with the processing of personal information due to government travel gifts. YAY ehf. went into that work after an initiative study Privacy began. It is then considered a mitigating factor that YAY ehf. showed good will to co-operate with the Data Protection Authority due to Syndir's audit and reporting ehf. at the request of the Privacy on the script and has paid for the incident cost of that work.3.Conclusion of administrative fine A decision on whether to impose an administrative fine on ANR and or YAY ehf. í This case depends on a comprehensive assessment of the factors discussed here in front. ANR did not fulfill the obligations of Act no. 90/2018 and Regulation (EU) 2016/679 which led to the processing of personal information about a lot number of individuals without legitimate processing licenses. Also lacking in validity consent was obtained for the processing of personal data when users used it the app's additional services to give your own travel gift to another person. In addition, the training was inadequate so that users could not familiarize themselves with the terms of the travel gift which were a prerequisite for the processing of personal information about them. Then the mistakes of YAY ehf. to without processing authorization or knowledge users were asked for extensive access rights to their phones. Then ANR and YAY ehf. not appropriate technical and organizational measures to ensure the security of the personal data processed for the project, such as with built-in and default privacy and with the conclusion of a processing contract.3.1. Conclusion on penalties for violations of ANREinn and traced above in Section II.2. um the legitimacy of the processing, it is clear that the processing of ANR violated points 1, 2, 3 and 6. Paragraph 1 and the second paragraph. Article 8, paragraphs 1 and 3 Article 9, Article 10, Article 17, Article 24 and Paragraph 3 Article 25 and the first paragraph. Article 27 Act no. 90/2018, Coll. a-, b-, c- and f-points Paragraph 1 and the second paragraph. Article 5, points a and c of the first paragraph. Article 6, Article 7, Article 12, 13 Article 24, Article 24, Article 25, Article 3 Article 28 and Article 32. Regulation (EU) 2016/679. It is stated in Article 46. Act no. 90/2018, Coll. Article 83 of the Regulation, that violation against. Articles 5, 6, 7, 13, 25, 28 and 32 of the Regulation may concern administrative fines.With taking into account the views set out above on the determination of sanctions the administrative fine is deemed to be appropriately determined at ISK 7,500,000. 3.2. Conclusion on penalties for violations YAY ehf.Eins and is outlined above in Section II.2. on the legitimacy of processing is known to process YAY ehf. violated points 1, 2, 3 and 6. Paragraph 1 Article 8, Article 9, Article 11 and 3. mgr. Article 25 and the first paragraph. Article 27 Act no. 90/2018, Coll. also a-, b-, c- and paragraph 1 (f) Article 5, Article 6, Article 9, paragraph 3 Article 28 and Article 32. of the Regulation (EU) 2016 679. It is stated in Article 46. Act no. 90/2018, Coll. Article 83 of the Regulation, that violations of Articles 5, 6, 28 and 32 of the Regulation can subject to administrative fines views set out above on the determination of sanctions and for their implementation are strict requirements for clarity of sanctions and sanctions. Provisions Number 4 Article 3 Act no. 90/2018, Coll. also point 2. Article 4 of the Regulation (EU) 2016/679, will not be considered sufficiently clear, in this sense, that it take action or the first step in a series of actions to make personal information available and possibly accessible, ie. without real accessibility been established. It is therefore the opinion of the Data Protection Authority that there is no reason to do so to fine YAY ehf. due to the processing involved in the programming of the extensive access permissions contained in the app The Travel Gift. However, the Data Protection Authority considers this lack of security, cf. Paragraph 3 Article 25 and the first paragraph. Article 27 Act no. 90/2018, Coll. Paragraph 3 Article 28 and Article 32. of Regulation (EU) 2016/679 reprehensible, especially in light of that YAY ehf. specializes in making scripts and has it burdensome influence on the determination of the amount of the fine. With taking into account the views set out above on the determination of sanctions a government fine is deemed to be appropriately set at ISK 4,000,000, but as a deduction the fine is the payment of costs due to the audit of Syndir ehf. and reporting to the amount of ISK 800,000. Note: Processing of the Ministry of Industry and Innovation on personal information about users for travel donations the government violated points 1, 2, 3 and 6. Paragraph 1 and the second paragraph. Article 8, 1st and Paragraph 3 Article 9, Article 10, Article 17, Article 24, paragraph 3 Article 25 and the first paragraph. Article 27 Act no. 90/2018, Coll. points a, b, c and f of the first paragraph. and the second paragraph. Article 5, points a and c Paragraph 1 Article 6, Article 7, Article 12, Article 13, Article 24, Article 25 and the third paragraph. Article 28 and Article 32. Regulation (EU) 2016/679. A government fine of ISK 7,500,000 has been imposed at the Ministry of Industry and Innovation. The fine shall be paid to the Treasury within two months from the date of the decision. Processing YAY ehf. on personal information about users due to government travel donation broke against points 1, 2, 3 and 6. Paragraph 1 Article 8, Article 9, Article 11, paragraph 3 Article 25 and Paragraph 1 Article 27 Act no. 90/2018, Coll. also points a, b, c and f of the first paragraph. 5. Article 6, Article 6, Article 9, Article 3 Article 28 and Article 32. Regulation (EU) 2016 679. Is 4,000,000 ISK administrative fine imposed on YAY ehf. The fine shall be paid to the Treasury within two months from the date of the decision. In view of the fact that deficiencies have been rectified during processing of the case, the Data Protection Authority does not consider it necessary to issue instructions for improvements, that for now, about other than to lay is for the Ministry of Industry and Innovation and YAY ehf. to handle the script so that before users sign up for the program, they will receive instruction accordingly Article 17 Act no. 90/2018 and Article 13. Regulation (EU) 2016/679. Privacy, November 23, 2021Olafur Garðarsson ChairmanBjörn Geirsson Sindri M. StephensenVilhelmína Haraldsdóttir Þorvarður Kári Ólafsson [1] On the basis of Art. of the Directive 95/46 / EC created a working group (Article 29 working group), composed of representatives data protection authorities in Member States, which served e.g. the role of promote a coherent interpretation of key concepts. European Privacy Council (EDPB) later replaced the working group and has agreed to the guidelines in question of the group, cf. the Council's statement on support for the older guidelines of the Article 29 Working Group no. 1/2018. [2] https://www.maelabordferdathjonustunnar.is/is/hagstaerdir/ferdagjof Privacy PolicyLegal DisclaimerAccessibilityService DeskTwitter