Persónuvernd - 2020031243: Difference between revisions

From GDPRhub
 
(2 intermediate revisions by the same user not shown)
Line 11: Line 11:


|Original_Source_Name_1=Personuvernd
|Original_Source_Name_1=Personuvernd
|Original_Source_Link_1=https://www.personuvernd.is/urlausnir/vinnsla-creditinfo-lanstrausts-hf.-i-tengslum-vid-gerd-skyrslna-um-lanshaefi-1
|Original_Source_Link_1=https://www.personuvernd.is/urlausnir/midlun-grunnskola-a-personuupplysingum-nemanda-til-radgjafarfyrirtaekis
|Original_Source_Language_1=Icelandic
|Original_Source_Language_1=Icelandic
|Original_Source_Language__Code_1=IS
|Original_Source_Language__Code_1=IS
Line 80: Line 80:
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.


      Creditinfo processing
<pre>
Lánstraust hf. in connection with the preparation of credit reports
  The Data Protection Authority has ruled in a case where it was complained that the primary school had passed sensitive personal information about the complainant's child to a counseling company after the decision was made that the company would no longer be involved in the case of the child being treated at the school. The ruling concludes that the school was not allowed to continue disseminating personal information about the student to a self-employed consulting company after the decision was made that the company would no longer be involved in the student's case. Did not change that, even though the recipient of the e-mail had already been informed of the case and therefore it was not new information except to a limited extent.  
      Case no.
2020010708
     
        27.4.2021
     
      Privacy has ruled that
Creditinfo has been authorized to use information on previous registrations on
defaults in the preparation of credit ratings for individuals with reference to previous precedents
on the same subject. Furthermore, the Data Protection Authority ruled that Creditinfo did not
required by law to consider the income and assets of individuals in making
reports on the credit rating of individual data Privacy can not be met
the complainant's request that the processing of information about him by Creditinfo be stopped and
registration of the company's default register would be terminated unless he authorized it.


    Ruling
Ruling
On March 18, 2021, the Data Protection Authority issued a ruling in case no.
On April 7, 2021, the Data Protection Authority issued a ruling in case no. 2020031243:
2020010708 (former case no. 2019122373): I. Proceedings 1. Abstract
 
case On December 18, 2019, the Data Protection Authority received a complaint from [A] (hereinafter)
I.
complainant) over the processing of personal information about him by Creditinfo Lánstraust
Procedure
hf. (Creditinfo) in connection with the preparation of reports on his credit rating. By e-mail, dated April 14, 2020, the Data Protection Authority requested further information
 
information from the complainant. The complainant's reply was received by e-mail the same day. With
1.
letter, dated. June 23, 2020, the Data Protection Authority requested further information from
Outline of case
complainant. The complainant's reply was received by two emails on 7 July 2020 and 3.
On March 21, 2020, the Data Protection Authority received a complaint from [A] and [B] (hereinafter referred to as the complainants) that [primary school X] had sent an e-mail containing sensitive information about their child to a counseling company after the school's partnership with the company ended.
October s.á. By letter dated November 2, 2020, Creditinfo was notified of the above
 
complaint and given the opportunity to comment on it. Creditinfo's reply was received
By e-mail from the Data Protection Authority to the complainants on 29 September 2020, the subject of the complaint was further defined and a reply was received from the complainants by e-mail on 5 October. By letter dated On 5 October 2020, [compulsory school X] was invited to submit explanations regarding the complaint. The answer was by letter dated. November 6, 2020.
Privacy 23 November s.á. All of the above have been taken into account in resolving the case
 
data, although not all of them are specifically described in the following
All the above documents have been taken into account in resolving the case, although not all of them are specifically described in the following ruling.
ruling. The handling of this case has been delayed due to heavy work at the Data Protection Authority. 2. Perspectives
 
complainantComplains about it
2.
that Creditinfo stores and uses information about the complainant's previous defaults
Complainants' views
to Arion Bank when preparing credit rating reports for four years
On behalf of the complainants, it has been stated that the company KVAN has been hired to work on the bullying case of the complainant's child who attends [primary school X]. In [...] a joint decision was made by the education department of [municipality Y, [primary school X] and the complainants that the school's bullying team would take over the case from KVAN and that the company would not be further involved in the case. Three weeks after that decision [...], a KVAN employee sent an e-mail to an employee [primary school X] asking about the status of the complainant's child. On the same day, an employee of the school replied to the e-mail and provided information on the status of the case, without the complainants' consent. The e-mail contained the child's name and sensitive personal information about it.
registration, even though they have long been settled. Creditinfo does not accept
 
based on solvency and solvency, incl. the complainant's equity position at that time
The complainants only became aware of this after requesting access to all data about themselves and their child at [primary school X].
as credit rating reports are retrieved from Creditinfo's system
 
financial institutions and other parties. The complainant states that he has requested
3.
correction of the assessment, but Creditinfo aims to preserve these
Perspectives [primary school X]
information, through Arion Bank. The complainant considers that
[Primary school X] has stated that the consulting company KVAN has been contacted in connection with the bullying case of the complainant's child at the school. KVAN's consultant has been working on the case [for several months] or until it has been decided that KVAN will not be further involved in the case and that the bullying team [primary school X] will take over. Three weeks later, a KVAN employee sent an e-mail to an employee [elementary school X] asking about the situation. An employee of the school had replied to the e-mail, but the employee had not been aware that the collaboration with KVAN had been terminated and he had therefore been in good faith in his communication with KVAN. The e-mail did not contain any new personal information that the KVAN employee in question was not already aware of. Despite this, the municipality has apologized to the complainants.
information about his previous defaults is unreliable and misleading. He refers to
 
that can not be considered normal to defaults, which were not due
II.
bankrupt or advertised in Lögbirtingarblaði, live for years after they have
Assumptions and conclusion
have been settled with a financial institution or other parties. Requires its complainant
 
that the processing will be stopped and registration in Creditinfo's default register will be stopped unless
1.
the person registered is her home. Wishes complaining
Scope - Responsible
also after receiving information on the method used for calculations
Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automated and the processing by other methods than automatic of personal data that are or are to become part of a file.
on his credit rating. It will not be seen what quality control is going on already
 
credit rating calculations are performed. Then it is reprehensible to use information about
This case concerns the dissemination of personal information about the complainant's child by [compulsory school X] and therefore falls within the competence of the Data Protection Authority.
defaults that have long since been settled in this way against interests
 
of the individual. The complainant was in no way able to influence
The dissemination of personal information took place on behalf of [compulsory school X] and [compulsory school X] will therefore be considered responsible for the processing in question, cf. 6. tölul. Article 3 Act no. 90/2018, Coll. 7. tölul. Article 4 of the Regulation.
calculations or receive information in a transparent way about how it was calculated
 
was that he had the credit rating that Creditinfo had sold to a third party
2.
party. 3. Perspectives
Conclusion
Creditinfo Lánstraust hf. Creditinfo refers to
All processing of personal data must be subject to one of the authorization provisions of Article 9. Act no. 90/2018, Coll. Article 6 Regulation (EU) 2016/679. It may be mentioned that personal information may be processed if it is necessary to fulfill a legal obligation that rests with the responsible party, cf. 3. tölul. Article 9 of the Act (cf. item c of the first paragraph of Article 6 of the Regulation), or in the exercise of public authority, cf. 5. tölul. of the legal provision (cf. item e of the regulatory provision). In addition, the processing of sensitive personal data, such as personal data concerning the physical or mental health of an individual, must comply with any of the additional conditions of paragraph 1. Article 11 of the Act, cf. Article 9 of the Regulation.
that according to Act no. 33/2013 on consumer loans, great emphasis is placed on doing so
 
is a reliable credit rating in the run-up to the consumer loan agreement and reports
In assessing whether the processing is authorized, the provisions of other applicable laws must also be considered. Act no. 91/2008 on compulsory schools and rules set according to them, for example Regulation on the responsibilities and obligations of members of the school community in compulsory schools no. 1040/2011.
Creditinfo is intended to be useful in preparing such an assessment. Privacy has
 
consider that it does not constitute an unauthorized disclosure of information
Although it can be accepted that compulsory schools have an obligation to respond to and process bullying cases in accordance with the above, it cannot be seen that the school is allowed to continue disseminating personal information about students to a self-employed counseling company after a decision has been made that the company no longer exists. to the case. The Data Protection Authority considers it reprehensible in light of the nature of the documents in question that [compulsory school X] did not ensure that all employees who were involved in the complainant's child's case were informed that the collaboration with KVAN had ended. Does not change the fact that the recipient of the e-mail has already been informed of the case and therefore it is not new information except to a limited extent.
default claims that have been submitted, that they affect the outcome
 
credit rating reports, within the time limits provided by Creditinfo's operating license, provisions
According to the above, it will not be considered that there was an authorization for [primary school X] to pass on personal information about the complainant's child to the consulting company KVAN after the collaboration with it ended. For that reason alone, the Data Protection Authority considers that the processing [of primary school X] of personal information about the complainant's child has not been in accordance with Act no. 90/2018, on personal protection and processing of personal information, cf. Regulation (EU) 2016/679.
Act on Personal Data Protection and Processing of Personal Data no. 90/2018 and provisions
 
of Regulation no. 246/2001 set, provided that the information itself is available
 
does not reach the recipients of the assessment. It is referred to that in para. Articles 2.7. í
Ú r s k u r ð a r o r ð:
the current operating license of Creditinfo from 29 December 2017 (case no. 2017/1541), which
The dissemination of [primary school X] of personal information about child [A and B] by e-mail to KVAN [...] was not in accordance with Act no. 90/2018, on personal data protection and processing, and Regulation (EU) 2016/679.
was renewed on 28 June 2019 (case no. 2019/1202), is discussed
 
deletion of information. It states, among other things, that information on
 
individual debts are known to have been repaid. Then it should be deleted
Privacy, April 7, 2021
information from the register when they are four years old. In the article replaced
 
also stated that the company may store information for an additional three years and may
 
use the information to comply with requests from registered individuals
Helga Þórisdóttir Helga Sigríður Þórhallsdóttir
knowledge of the processing of personal information about themselves and to resolve disputes about
</pre>
the validity of the registration. A maximum of four years have elapsed since registration
information on the default register may also be used for preparation
credit rating at the request of the data subject, provided that no information is provided
the requirements themselves only hold statistical results, cf. Paragraph 2
Articles 2.7. The previous registrations which had affected the complainant's credit rating,
at the time the complaint was filed, was dated 27 June 2017
and June 14, 2018 and therefore be less than four years old. Credit rating
Creditinfo assesses the probability of default and registration in the default register for the next twelve
months. The statistical prediction of future events must be based on historical
information such as the return and payment history. No default information
and the history of payment in the past does not affect the credit rating is the basis
pulled away from the usefulness of the assessment. Such an assessment would not satisfy the provisions of Article 5.
Act no. 33/2013 on consumer loans and would run counter to comments on Article 10. í
a bill that became that law, which states that a credit rating can
among other things, based on punctuation and payment history. It has proven to be historic
information on returns, defaults and payment history has great predictive value
probability of default in the future. II.Conditions
and conclusion1. Scope
Guarantor Scope of Act no.
90/2018, on the protection of personal data and the processing of personal data, and Regulation (EU)
2016/679, Coll. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf.
Paragraph 1 Article 39 of the Act, covers the processing of personal information that is automatic
part or whole and processing by methods other than automatic on
personal information that is or should be part of a file. For personal information
information about an identified or personally identifiable individual and
an individual is considered personally identifiable if it is possible to personally identify him / her directly
or indirectly, by reference to his identity or one or more elements which
are characteristic of him, cf. 2. tölul. Article 3 of the Act and point 1. Article 4
of the Regulation.With processing means
in an action or sequence of actions in which personal information is processed, either
which the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2.
Article 4 of the Regulation.This case relates to
processing of the complainant's personal data when preparing his credit rating
Creditinfo. In that respect
and having regard to the above provisions, this case concerns processing
personal information that falls within the competence of the Data Protection Authority. There is also a complaint
request information on the method used to calculate credit ratings
complainant. In that regard, it is worth looking at
The tasks of the Data Protection Authority are described in more detail in Article 39. Act no. 90/2018 and according to
therefore, the agency monitors that processing complies with Act no. 90/2018 and
Regulation (EU) 2016/679, special provisions in laws concerning the processing of personal data
and other rules on the subject. With reference to this, cf. also justification in
ruling of the Data Protection Authority, dated 11 September 2020, in case no.
2020010592, will not be seen for inspection
The Data Protection Authority will review the mathematical calculation formula and
Creditinfo's probability assessment in connection with the calculation of individuals' credit ratings.
That part of the complaint must therefore be considered to fall outside the scope
of the Data Protection Act and thus the authority of the Data Protection Authority. However, it does fall into place
the role of the Data Protection Authority is to assess the proposed criteria
basis for making credit ratings for individuals, such as whether Creditinfo is
may use information on previous registrations in the default register. The person responsible
that the processing of personal information complies with Act no. 90/2018 is mentioned
responsible party. According to point 6. Article 3 of the Act refers to an individual,
a legal entity, government authority or other party that decides alone or in cooperation with others
purpose and methods of processing personal information, cf. 7. tölul. Article 4 of the Regulation.
Creditinfo has over
to employ information systems on financial matters and creditworthiness and work with
information in them in order to communicate them to subscribers. That processing is on
Creditinfo's responsibility and the company is therefore considered to be responsible for that processing
which consisted of the use of the complainant's information recorded there
made the company's reports on the assessment of the complainant's credit rating. 2. Operating license
Creditinfo Lánstraust hf. Operation of a financial information office and processing of relevant information
financial issues and creditworthiness of individuals and legal entities, incl. default registration
and the preparation of credit ratings, in order to communicate them to others, shall be subject to authorization
Privacy, cf. Paragraph 1 Article 15 Act no. 90/2018. Creditinfo's activities
is largely covered by this provision and has been granted by the Data Protection Authority
the company has an operating license in accordance with it, cf. now in terms of individuals
Creditinfo's operating license for the processing of financial information and
credit, dated. 29 December 2017 (case no. 2017/1541 with the Data Protection Authority).
The Data Protection Authority has also granted the company an operating license for processing
information on legal entities, dated 23 December 2016 (case no. 2016/1822 at
Privacy), and temporary operating licenses for the processing of personal information in
in favor of a credit rating, dated 23 August 2018 (case no. 2018/1229 at
Privacy). 3. Legality of processing All processing of personal information must be covered
any of the authorization provisions of Article 9. Act no. 90/2018, Coll. Article 6 of the Regulation
(ESB) 2016/679. These include point 6. of the provision, cf. point e of the first paragraph. Article 6
of the Regulation, which states that the processing of personal data is permitted if
it is necessary for legitimate interests as a guarantor or third party
may except the interests or fundamental rights and freedoms of the data subject which require
protection of personal data is more important. The Data Protection Authority considers this provision to be applicable
on the processing of personal information that takes place in Creditinfo's information systems in
in connection with the preparation of reports on the complainant's credit rating. In addition to the authorization according to the above, there will be processing
personal data to comply with the principles of the first paragraph. Article 8 Act no. 90/2018. Er
among other things, it stipulates that personal information must be processed legally,
fair and transparent to the data subject (point 1); that they should
obtained for clearly stated, legitimate and objective purposes and not processed
rather for other and incompatible purposes (paragraph 2); that they should be
adequate, appropriate and not in excess of what is necessary for the purpose
of processing (point 3); and that they should be reliable and updated accordingly
needs (point 4) In the light of the above, it should be borne in mind that
Privacy has several times before taken the position that Creditinfo has
may use information on previous entries in the default register
preparation of credit ratings for individuals. Please refer to it for a ruling
Privacy, dated 11 September 2020, in case no. 2020010592, where
the agency came to the conclusion that Creditinfo was allowed to use
information on entry in the company's default register when preparing credit rating reports
the complainant, for a maximum of four years from the registration of that information, cf. provisions
in Creditinfo's operating license thereon. Regarding the rationale of the Data Protection Authority
In this regard, reference is made to the above-mentioned ruling of the institution, which the Data Protection Authority considers
the same views apply in the case at hand. The complaint also comments that it has not
if the complainant's asset position is taken into account when making a credit rating with Creditinfo.
In this connection, it is to be considered that the Data Protection Authority has previously taken that position
that Creditinfo was not obliged by law to look at income and assets
individuals when preparing reports on the creditworthiness of individuals. Refer to it
ruling of the Data Protection Authority, dated 22 June 2020, in case no. 2020010678 and
ruling, dated 11 September 2020, in case no. 2020010592. Regarding
the reasoning of the Data Protection Authority in this regard refers to the above rulings
of the institution, but the Data Protection Authority considers the same views to apply in this case. Regarding the complainant's requirements for the processing of information on
he at Creditinfo will be suspended and registration on the company's default register
will be stopped unless he authorizes it to be considered by the Data Protection Authority
previously ruled that such a claim cannot be met. Refer to it and
justification for the ruling of the Data Protection Authority, dated January 25, 2016, in case
no. 2015/1457, but the Agency considers the same views to apply in this case. In view of the above, the conclusion of the Data Protection Authority is that
Creditinfo's processing of information on the complainant's previous entries in the default register
in making a credit rating of him has complied with Act no. 90/2018, on privacy
and processing of personal information. Ú r s k u r
ð a r o r ð: Creditinfo processing
Lánstraust hf. on personal information about [A] for the purpose of reporting on
his credit rating complied with Act no. 90/2018, on personal data protection and processing
personal data, and Regulation (EU) 2016/679. In Privacy, March 18, 2021Helga
Þórisdóttir Helga Sigríður Þórhallsdóttir

Latest revision as of 10:03, 6 May 2021

Persónuvernd - 2020031243
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 8 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 07.04.2021
Published: 15.04.2021
Fine: None
Parties: n/a
National Case Number/Name: 2020031243
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Personuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA held that a primary school was not permitted to disclose information about a child to a consulting company after termination of collaboration.

English Summary

Facts

On March 21, 2020, the DPA received a complaint that a primary school had sent an e-mail containing sensitive information about a child to a counseling company after the school's partnership with the company ended.

According to the complainant, the company KVAN was hired by a school to work on the bullying case of the complainants’ child. The municipality’s education department and the complainant decided that the school's bullying team would take over the case from KVAN and that the company would not be further involved in the case.

Three weeks after that decision, a KVAN employee sent an e-mail to a school employee asking about the status of the complainant's child. On the same day, an employee of the school replied to the e-mail and provided information on the status of the case, without the complainants' consent. The e-mail contained the child's name and sensitive personal information about it. The complainants only became aware of this after requesting access to all data about themselves and their child at the school.

According to the school, the employee that had replied to KVAN’s e-mail had not been aware that the collaboration with the company had been terminated and he had therefore been in good faith in his communication. The e-mail did not contain any new personal information that the KVAN employee in question was not already aware of. Despite this, the municipality has apologized to the complainants.


Dispute

Holding

The DPA found school’s behavior reprehensible in light of the nature of the documents in question that the school did not ensure that all employees who were involved in the complainant's child's case were informed that the termination of collaboration with KVAN. The fact that the recipient of the e-mail had already been informed of the case and therefore it was not new information except to a limited extend did not matter.

The DPA considered that there was no authorization for the school to pass on personal information about the complainant's child to the consulting company KVAN after the collaboration with it ended. For that reason alone, the DPA held that the processing of personal information about the complainant's child was not in accordance with Act no. 90/2018 on personal protection and processing of personal information and GDPR.


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

  The Data Protection Authority has ruled in a case where it was complained that the primary school had passed sensitive personal information about the complainant's child to a counseling company after the decision was made that the company would no longer be involved in the case of the child being treated at the school. The ruling concludes that the school was not allowed to continue disseminating personal information about the student to a self-employed consulting company after the decision was made that the company would no longer be involved in the student's case. Did not change that, even though the recipient of the e-mail had already been informed of the case and therefore it was not new information except to a limited extent. 

Ruling
On April 7, 2021, the Data Protection Authority issued a ruling in case no. 2020031243:

I.
Procedure

1.
Outline of case
On March 21, 2020, the Data Protection Authority received a complaint from [A] and [B] (hereinafter referred to as the complainants) that [primary school X] had sent an e-mail containing sensitive information about their child to a counseling company after the school's partnership with the company ended.

By e-mail from the Data Protection Authority to the complainants on 29 September 2020, the subject of the complaint was further defined and a reply was received from the complainants by e-mail on 5 October. By letter dated On 5 October 2020, [compulsory school X] was invited to submit explanations regarding the complaint. The answer was by letter dated. November 6, 2020.

All the above documents have been taken into account in resolving the case, although not all of them are specifically described in the following ruling.

2.
Complainants' views
On behalf of the complainants, it has been stated that the company KVAN has been hired to work on the bullying case of the complainant's child who attends [primary school X]. In [...] a joint decision was made by the education department of [municipality Y, [primary school X] and the complainants that the school's bullying team would take over the case from KVAN and that the company would not be further involved in the case. Three weeks after that decision [...], a KVAN employee sent an e-mail to an employee [primary school X] asking about the status of the complainant's child. On the same day, an employee of the school replied to the e-mail and provided information on the status of the case, without the complainants' consent. The e-mail contained the child's name and sensitive personal information about it.

The complainants only became aware of this after requesting access to all data about themselves and their child at [primary school X].

3.
Perspectives [primary school X]
[Primary school X] has stated that the consulting company KVAN has been contacted in connection with the bullying case of the complainant's child at the school. KVAN's consultant has been working on the case [for several months] or until it has been decided that KVAN will not be further involved in the case and that the bullying team [primary school X] will take over. Three weeks later, a KVAN employee sent an e-mail to an employee [elementary school X] asking about the situation. An employee of the school had replied to the e-mail, but the employee had not been aware that the collaboration with KVAN had been terminated and he had therefore been in good faith in his communication with KVAN. The e-mail did not contain any new personal information that the KVAN employee in question was not already aware of. Despite this, the municipality has apologized to the complainants.

II.
Assumptions and conclusion

1.
Scope - Responsible
Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automated and the processing by other methods than automatic of personal data that are or are to become part of a file.

This case concerns the dissemination of personal information about the complainant's child by [compulsory school X] and therefore falls within the competence of the Data Protection Authority.

The dissemination of personal information took place on behalf of [compulsory school X] and [compulsory school X] will therefore be considered responsible for the processing in question, cf. 6. tölul. Article 3 Act no. 90/2018, Coll. 7. tölul. Article 4 of the Regulation.

2.
Conclusion
All processing of personal data must be subject to one of the authorization provisions of Article 9. Act no. 90/2018, Coll. Article 6 Regulation (EU) 2016/679. It may be mentioned that personal information may be processed if it is necessary to fulfill a legal obligation that rests with the responsible party, cf. 3. tölul. Article 9 of the Act (cf. item c of the first paragraph of Article 6 of the Regulation), or in the exercise of public authority, cf. 5. tölul. of the legal provision (cf. item e of the regulatory provision). In addition, the processing of sensitive personal data, such as personal data concerning the physical or mental health of an individual, must comply with any of the additional conditions of paragraph 1. Article 11 of the Act, cf. Article 9 of the Regulation.

In assessing whether the processing is authorized, the provisions of other applicable laws must also be considered. Act no. 91/2008 on compulsory schools and rules set according to them, for example Regulation on the responsibilities and obligations of members of the school community in compulsory schools no. 1040/2011.

Although it can be accepted that compulsory schools have an obligation to respond to and process bullying cases in accordance with the above, it cannot be seen that the school is allowed to continue disseminating personal information about students to a self-employed counseling company after a decision has been made that the company no longer exists. to the case. The Data Protection Authority considers it reprehensible in light of the nature of the documents in question that [compulsory school X] did not ensure that all employees who were involved in the complainant's child's case were informed that the collaboration with KVAN had ended. Does not change the fact that the recipient of the e-mail has already been informed of the case and therefore it is not new information except to a limited extent.

According to the above, it will not be considered that there was an authorization for [primary school X] to pass on personal information about the complainant's child to the consulting company KVAN after the collaboration with it ended. For that reason alone, the Data Protection Authority considers that the processing [of primary school X] of personal information about the complainant's child has not been in accordance with Act no. 90/2018, on personal protection and processing of personal information, cf. Regulation (EU) 2016/679.


Ú r s k u r ð a r o r ð:
The dissemination of [primary school X] of personal information about child [A and B] by e-mail to KVAN [...] was not in accordance with Act no. 90/2018, on personal data protection and processing, and Regulation (EU) 2016/679.


Privacy, April 7, 2021


Helga Þórisdóttir Helga Sigríður Þórhallsdóttir