Persónuvernd (Iceland) - Case no. 2021101924
Persónuvernd - Case no. 2021101924 | |
---|---|
Authority: | Persónuvernd (Iceland) |
Jurisdiction: | Iceland |
Relevant Law: | Article 6(1)(a) GDPR Article 6(1)(f) GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | 29.11.2022 |
Published: | 23.12.2022 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | Case no. 2021101924 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Icelandic |
Original Source: | Icelandic DPA (in IS) |
Initial Contributor: | n/a |
The Icelandic DPA held that a provider of a digital signature and verification service violated Articles 5(1) and 6(1) GDPR by processing a data subject's email address and social security number, respectively, without valid consent and contrary to the principle of data minimisation.
English Summary
Facts
Signet, the controller, is a web portal which allows its users to digitally sign and verify documents. At the time of the processing of the data subject's personal data, which is the complainant in this case, the controller used, among other things, the sharing of its users' email addresses and social security number to verify that the service connects parties securely and to ensure that documents are transferred between the correct recipients. Every user of the service gained access to this personal data. Crucially, the social security number is not stored on Signet but on the national register of Iceland. Signet, however, is an access provider to the national register. The concrete mechanisms of how the security was achieved through public access to the email addresses and social security numbers was not explained in detail, neither in the case nor on the service's website.
The concerned data subject had used Signet to sign a document. For that purpose, the data subject had shared her social security number and email address with the controller. The controller published the personal data and made it available to all Signet users.
Subsequently, the data subject sent a complaint to the Icelandic DPA concerning the processing of her data, argued that the controller had processed her personal data without a legal basis. Moreover, the data subject maintained that the processing was unlawful, unfair, not appropriate and far beyond what is necessary (see the GDPR principles in Articles 5(1)(a) and (5)(1)(b) GDPR). Additionally, the controller had not complied with its information duties pursuant to Article 13 and 14 GDPR. No information about the processing of personal data appear in the terms of use and the privacy policy was not referred to when the data subject logged into the system.
The controller responded that they had processed the personal data based on the data subject's consent. When first accessing the service, the data subject had agreed to the terms of use. The terms and conditions describe the publication of email addresses and that other Signet users would gain access to them. The sharing of email addresses is one of the core mechanisms through which Signet connects parties securely and ensures that documents are transferred between the correct recipients. In regards to the social security number, the controller pointed out that Signet users gain access to social security numbers through the national register once they have identified themselves in the Signet system. The social security number is thus not saved on the Signet service.
Holding
The DPA structured its holding in three parts. First, it assessed whether the processing of the email address and social security number could have been done on the basis of consent. The DPA answered the first question in the negative, therefore, it assessed, secondly, whether the processing instead could have taken place based on legitimate consent. Lastly, the DPA discussed whether the controller had infringed its duties to provide data subjects with information.
Firstly, on the question of consent, the DPA pointed out that any given consent has to meet the conditions of Article 7 GDPR. Consent must be presented in such a way that it is easily distinguishable from the other issues, in an understandable and accessible form and in clear and simple language. When assessing whether consent is given "freely", utmost consideration should be given to whether it is conditional for the execution of the contract. Moreover, the data subject must be aware that consent has been provided and to what extent. Consent should not be deemed to have been given freely if the data subject does not have a real or free choice or cannot refuse or withdraw consent without detrimental consequences. Consent is thus not considered to be given voluntarily if it is not possible to give separate consent for separate actions in the processing of personal data.
Considering the above, the DPA held that the consent to disclose the data personal data could not have met the conditions of being "unforced, defined, informed, and unequivocal" as the consent was a condition for the provision of the Signet service. The given consent was not specifically distinguished from other conditions of the terms of use.
Secondly, the DPA considered, separately, whether the processing of the data subject's email or social security number could have been based on legitimate interest.
Regarding the email address, the DPA failed to see how the controller's legitimate interest could weigh stronger than the data subject's interests, as it can be assumed that the security of recipients of documents through Signet can be ensured by other means, for example, through the national register (see the analysis below) and in such a way that personal information is only displayed to subscribers of the service who need it to verify the legitimacy of a certain document, its signature, or sender and recipient. The purpose of the social security number is, among other things, to secure personal authentication. Information about individuals' email addresses, however, is not public information, but information that each person chooses to provide. It does not play the same role as social security numbers in secure personal authentication. Consequently, the DPA held that the controller's interests in disclosing the complainant's email address will not be considered to outweigh the complainant's interests in the non-disclosure of the email address
Regarding the social security number, the DPA held that subscribers to Signet may have a legitimate interest in accessing other users' social security number through the national register, i.e. in order to ensure secure identification of recipients. The DPA did not consider that this, by its nature, suitable to substantially threaten the basic rights and freedom of the data subject. The DPA, therefore, held that the processing in question could be compatible with Article 6(1)(f) GDPR.
Nevertheless, the DPA decided that in the particular circumstances of the case, it was unclear whether the controller had upheld the Article 5(1)(c) GDPR data minimisation principle as all of Signet's users were granted access to the data subject's social security number in the national register. Considering the purpose for which Signet's services are provided, i.e. to electronically sign of documents, the DPA stated that only paid subscribers to the service, and not all its users, who need to ensure secure identification of prospective recipients of documents, and therefore would have an interest in the social security numbers. Unforgivably, neither the case nor Signal's website further elaborate on the difference between users and subscribers.
Lastly, regarding the informational duties of the controller, the DPA pointed out that, according to Article 5(1)(a) GDPR, a controller is required to process personal data in a legal, fair and transparent manner. In order to assess whether the conditions for transparency have been met, it is necessary, as here, to check whether the information obligation has been carried out by the controller. According to Articles 13 and 14 GDPR, data subjects have, among other things, the right to be informed about the processing of their data. However, pursuant to Article 14(5)(b) GDPR, the controller's information obligation does not apply if and to the extent that it costs excessive effort to provide the information. In this regard, the number of registered persons must be taken into account (Recital 62 GDPR). Taking into account the interests of the data subject and with regard to the number of registered persons, i.e. of all the persons who appear in the national register, the DPA held that the exemption of Article 14(5)(b) GDPR applies to the processing of personal data by the controller as they provided Signet subscribers with access to the data subject's social security number in the national register. Consequently, the processing was considered to be fair and transparent towards the data subject.
Considering all the above, the DPA ordered the controller to bring its processing in line with the GDPR. Since it had come to the attention of the DPA that the controller had already adjusted in services in such a way that the national register was only available to subscribers of the Signal service, the DPA did not deem it necessary to give it necessary to give the controller additional instructions in the matter. In regards to the email addresses, however, the controller was ordered to immediately stop their publication, until their processing is brought in line with the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.
Solutions Processing of personal information by Advania Ísland ehf. Case no. 2021101924 29.11.2022 Companies and organizations can base their processing on legitimate interests, but the principles of the Personal Protection Act must always be considered, including proportionality, reliability and security of information. However, if the interests of the data subject that the processing does not take place outweigh the legitimate interests of the processing, the processing should not be carried out. In this case, the individual's interests outweighed Advania's legitimate interests in disclosing his email address. ---- Personal protection ruled in a case where there was a complaint about the processing of Advania Ísland ehf. on personal information in connection with the provision of Signet's services, www.signet.is. More specifically, the complaint was based on the fact that information about the complainant's social security number and email address was published and accessible to all users and subscribers of Signet for an indefinite period of time. The Data Protection Authority's conclusion was that Advania's interests in being able to disclose information about the complainant's email address to all users of the Signet service could not outweigh the complainant's interests in the fact that such disclosure does not take place. The Personal Protection Agency therefore proposed to Advania to stop the publication of the email addresses of users of the Signet service and to send a confirmation of this to the Personal Protection Authority no later than January 3, 2023. With regard to the publication of the complainant's social security number, the Personal Protection Authority believed that Advania could have a legitimate interest in the fact that information on social security numbers accessible through the national register, in order to ensure safe personal identification of the recipients, but that proportionality had not been taken care of during the processing. Ruling about a complaint about the processing of personal data by Advania Ísland ehf. in case no. 2021101924: i Procedure On October 4, 2021, Personal Data Protection received a complaint from [B]'s lawyer on behalf of [A] (hereinafter the complainant) about the processing of personal information about her by Advania Ísland ehf. (hereinafter Advania) in connection with the provision of Signet's services, www.signet.is. More specifically, the complaint was based on the fact that information about the complainant's social security number and email address was published and accessible to all users and subscribers of Signet for an indefinite period of time. Personal protection invited Advania to comment on the complaint by letter, dated 30 August 2022, and the company's answers were received on 19 September s.á. Personal protection requested more information from Advania by letter dated 26 a.m., and the company's answers were received on 14 October s.á. The complainant was then given the opportunity to provide comments on Advania's answers by letter dated 19. p.m., and they were received by e-mail from the complainant's lawyer on 9 November s.á. When resolving the case, all the above-mentioned documents have been taken into account, although not all of them are separately explained in the following ruling. ___________________ There is a dispute about Advania's authorization to publish information about the complainant's social security number and email address in connection with the provision of Signet's electronic signature service. The complaint states that the complainant used Signet's web portal to sign documents she received from her clients who use the service. For that purpose, the complainant's contacts communicated information to Advania, i.a. about the complainant's social security number and email address. Subsequently, this information became available to all Signet subscribers. They can thus look up the complainant's name and get information about her social security number and email address, along with information that she was a Signet user. The complainant believes that Advania has no authorization for the processing of personal information, which consists in publishing her social security number and email address to all users and subscribers of Signet. The complainant also relies on the fact that the processing is not in accordance with the principles of the Personal Protection Act, as the processing is neither lawful nor fair, not appropriate and far beyond what is necessary. The complainant also believes that the long retention period of the information is not in accordance with the principles of the Personal Protection Act, but it is stated in Advania's personal protection policy that information about social security number and email address is not deleted unless specifically requested. In addition to the above, the complainant relies on the fact that Advania has not fulfilled its educational obligation according to paragraph 2. Article 17 Act no. 90/2018, on personal protection and processing of personal information, cf. Articles 13 and 14 regulation (EU) 2016/679, and it refers to the fact that no information about the processing of personal data appears in Signet's terms of use. Also, Signet's privacy policy was not referred to when the complainant logged into the system and there is no reference to such a policy in the user terms of the service. In the comments of the complainant's lawyer to Advania's answers, it was pointed out that the complainant's acceptance of the terms of use could not include consent within the meaning of the Privacy Act for the processing or sharing of personal information to third parties, i.e. other users of the system. It was also pointed out that Advania's interests in being able to publish information about the complainant, incl. her email address, which could not be looked up in the national register, could not outweigh the complainant's right to privacy. Advania is based on the fact that the complainant has consented to the processing of personal information about himself, the complaint relates to, by ticking the acceptance of the terms of use of the service when first logging in to www.signet.is. It is pointed out that the terms and conditions deal with the publication of an email address and that it states that the email address is visible to other users of the service. Advania also refers to the fact that the publication of email addresses in Signet is part of connecting parties securely, i.e. in order to ensure that a document is sent to the right recipient, and that the processing is thus legal and fair and in full compliance with the principles of the Privacy Act. Advania further points out that the company's privacy policy contains information that users can change or delete information about email addresses and phone numbers in Signet, but this does not affect users' ability to use the service. Regarding the use of social security numbers, Advania points out that Signet subscribers have access to the national register once they have identified themselves in the system. Information about social security number is thus not saved in Signet and not made available to subscribers for an indefinite period of time. It is based on the fact that by using information about the identity number of expected recipients of documents through Signet, the probability of a document being sent to the wrong recipient is reduced. In this way, the interests of registered persons are taken care of and the security of the electronic signature process is increased. In Advania's opinion, the processing is therefore permitted on the basis of item 6. Article 9 Act no. 90/2018, on personal protection and processing of personal information. At the same time, the use of a social security number should therefore have a practical purpose and is a necessary element in the electronic signing process to ensure secure personal identification, cf. Article 13 of the law. II. Conclusion 1. Lawfulness of processing 1.1. Legal environment This case concerns the processing of personal information about the complainant, which involved the publication of information about her social security number and email address on Signet, an electronic signature service operated by Advania. It concerns the processing of personal information that falls under the authority of Personal Protection. Advania Ísland ehf. is considered to be the party responsible for said processing according to Act no. 90/2018, on personal protection and processing of personal data, and Regulation (EU) 2016/679. All processing of personal data must be covered by one of the authorized provisions of Article 9. Act no. 90/2018, cf. Article 6 of regulation (EU) 2016/679. One can mention that personal data can be processed if the data subject has given his consent to their processing for the benefit of one or more specific goals, cf. Number 1. Article 9 of the legal provision and point a of the 1st paragraph Article 6 of the regulation clause, or if the processing is necessary for the legitimate interests of the responsible party or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data outweigh, cf. Number 6. Article 9 of the legal provision and point f of paragraph 1. Article 6 of the regulatory provision. As is the case here, in the opinion of the Data Protection Authority, it cannot be seen that other processing authorizations according to the aforementioned provision can be considered. In addition to authorization according to Article 9 Act no. 90/2018, the processing of personal information must be compatible with all the principles of paragraph 1. Article 8 of the law, cf. Article 5 of regulation (EU) 2016/679. The principles stipulate, among other things, that personal data must be processed in a lawful, fair and transparent manner towards the data subject, cf. Number 1. of the legal provision and point a of the regulatory provision, and that they must be sufficient, appropriate and not beyond what is necessary based on the purpose of the processing, cf. Number 3. of the legal provision and point c of the regulatory provision. In addition to the above, the use of a social security number depends on the fact that it has a specific purpose and is necessary to ensure secure identification, cf. Article 13 Act no. 90/2018. When evaluating authorization for processing, provisions in other laws that are applicable in each case must also be taken into account. In paragraph 2 Article 3 Act no. 140/2019, on the registration of individuals, states that the National Register of Iceland manages the national register and related registers, handles the operation and development of the national register's databases and information systems, and handles the registration of individuals in the register. The delivery of information from the national register is also discussed in Article 12. of the same law, but according to paragraph 1 of the provision, all communication from the national register is subject to permission. It also states that the sharing and delivery of national register information to customers is carried out on the basis of agreements and terms set by the organization and the rules of the Act on Personal Protection and Processing of Personal Information apply to the sharing and use of social security numbers and other personally identifiable information. According to number 8. Article 3 Act no. 90/2018 and No. 11 Paragraph 1 Article 4 of Regulation (EU) 2016/679, consent is considered to be an unforced, specific, informed and unequivocal declaration of intent by the data subject that he consents, through a statement or unequivocal confirmation, to the processing of personal data about him. When processing is based on consent, the responsible party must be able to demonstrate that the registered person has consented to the processing of their personal data according to the conditions of paragraph 1. Article 10 Act no. 90/2018, cf. Article 7 of regulation (EU) 2016/679. If the registered person gives his consent in a written statement, which also concerns other issues, the request for consent must be presented in such a way that it is easily distinguishable from the other issues, in an understandable and accessible form and in clear and simple language, cf. Paragraph 2 of the same provision as paragraph 2. Article 7 of regulation (EU) 2016/679. When assessing whether consent is given voluntarily, utmost consideration should be given to whether it is a condition for the execution of the contract, i.e. on m. provision of services, that consent is given for the processing of personal data that is not necessary for the purpose of the contract, cf. Paragraph 4 of the same provision as paragraph 4. Article 7 of regulation (EU) 2016/679. Sections 42 and 43 of the preamble to Regulation (EU) 2016/679 further state that when processing is based on the consent of the data subject, it should be ensured, in particular in connection with a written statement on another issue, that the data subject is aware that consent has been provided and to what extent. Consent should not be deemed to have been given voluntarily if the data subject does not have a real or free choice or cannot refuse or withdraw consent without suffering harm. Consent is thus not considered to be given voluntarily if it is not possible to give separate consent for separate actions in the processing of personal data or if the execution of an agreement, i.a. the provision of services is covered by the consent, even if the consent is not necessary for the execution of the contract. 1.2. Disclosure of information about email addresses On Advania's part, it is based on the fact that the complainant has agreed to the processing of personal information, which consists in the disclosure of his email address to other Signet users, by accepting Signet's terms of use with a check mark when logging in for the first time at www.signet.is. In the opinion of the Data Protection Authority, it will not be considered that such acceptance of the terms of use of the service can include consent to the processing of personal information that meets the above conditions of being unforced, defined, informed and unequivocal declaration of intent by the data subject that he consents to the processing of personal information about him. It is clear that Signet's terms of use are a prerequisite for using the service, and the consent cannot therefore be considered unforced. If the consent is not specifically distinguished from other conditions of the terms of use. The processing could therefore not rely on number 1. Article 9 Act no. 90/2018, cf. point a, paragraph 1 Article 6 of regulation (EU) 2016/679. As is the case here, item 6 comes into consideration in particular. Article 9 of the law, cf. point f, paragraph 1 Article 6 of the regulation, to the effect that personal data may be processed if it is necessary to protect legitimate interests, unless the fundamental rights and freedoms of the data subject outweigh it. With regard to the publication of the complainant's email address in Signet, which is accessible to all users of the service, it has been stated that Advania considered that the processing of personal information about the complainant was based on his consent. It will therefore not be considered that the company has specifically assessed the legitimate interests that the company protects, whether the processing is necessary in the interest of those interests, or whether its legitimate interests in said processing have outweighed the interests of the data subject. As is the case here, in the opinion of the Data Protection Authority, it cannot be seen that Advania's interests in being able to disclose information about the complainant's email address to all users of the Signet service outweigh the complainant's interests in the fact that such disclosure does not take place. It can be assumed that the security of recipients of documents through Signet can be ensured by other means, for example through the national register, cf. below, and in such a way that personal information is only displayed to subscribers of the service who need to send documents to individuals for signature. The purpose of the social security number is, among other things, secure personal identification and as discussed above is in law no. 140/2019, on the registration of individuals, stipulates the authorizations of the National Register of Iceland to share information from the National Register and to authorize others to share such information. Information about individuals' email addresses, however, is not public information, but information that each person chooses to provide, and does not play the same role as social security numbers in secure personal identification. With reference to the above, Advania's interests in disclosing the complainant's email address will not be considered to outweigh the complainant's interests in the non-disclosure of such disclosure. That processing could therefore not be supported by an authorization according to item 6. Article 9 Act no. 90/2018, cf. point f, paragraph 1 Article 6 of regulation (EU) 2016/679. 1.3. Processing of information about social security numbers Regarding the publication of the complainant's social security number through Signet, it has been stated by Advania that Signet's registered subscribers have access to the national register, but Advania is among the brokers of the national register. In Advania's response letter to Personal Protection, dated On October 14, 2022, it was noted that Signet's service had been changed in such a way that access to national registers was now only available to users with a subscription to Signet and not to other users of the service, as was the case before. In Advania's answers, it was also stated that by searching for a person's name in the system, information from the National Registry about the person's name, social security number, address and zip code appears, but the information is not saved in Signet. On Advania's part, it was also based on the fact that with Signet subscribers' access to information from the national register about the identity number of expected recipients of documents through Signet, the chances of a document being sent to the wrong person would be reduced. In this way, the interests of subscribers and registered persons would be taken care of, and the security of the electronic signature process would be increased. In Article 13 Act no. 90/2018 defines when it is permissible to use a social security number and when it is not. It states that the use is permitted if it has an objective purpose and is necessary to ensure secure personal identification. The provisions of Article 13 is the provision of Article 9 for filling. The guarantor must thus both fulfill one of the authorization provisions of paragraph 1. Article 9 and conduct the processing of social security numbers in accordance with Article 13. of the law, in addition to which the processing must be compatible with all the principles of paragraph 1. Article 8 of the law, cf. Article 5 of regulation (EU) 2016/679. In the opinion of the Data Protection Authority, subscribers to Signet may have a legitimate interest in the fact that information about the recipient's social security number is accessible through the national register and that the processing is necessary in the interest of their interests, i.e. in order to ensure secure identification of recipients. It will not be seen that the processing of personal data carried out by the use of Signet subscribers in the national register is by its nature suitable to threaten the basic rights and freedom of the complainant in such a way that the stated interests of the responsible parties are considered to be more important. Is it therefore the opinion of the Personal Protection Authority that the processing in question can be compatible with section 6. Article 9 Act no. 90/2018. At the same time, the Data Protection Authority believes that the access of Signet subscribers to the national register and the use of the identity number of expected recipients of documents can serve a practical purpose and be a necessary element in the electronic signing process to ensure secure personal identification, cf. Article 13 Act no. 90/2018. From the available case documents, however, it is clear that when the processing of the complainant's personal information to which the complaint relates took place, all users of the Signet service had access to the complainant's identification number in the national register. Considering the purpose for which Signet's services are provided, i.e. to pay for the electronic signing of documents, in the opinion of the Data Protection Authority, it must not be seen that people other than subscribers to the service, who need to ensure secure identification of prospective recipients of documents, have an interest in being able to look up recipients' identification numbers in the national register. As is the case here, in the opinion of the Personal Protection Authority, it cannot be seen that proportionality was observed during the processing when all users of the service were granted access to the national register. It was therefore a condition of number 3. Paragraph 1 Article 8 Act no. 90/2018, cf. c-point 1. paragraph Article 5 of Regulation (EU) 2016/679, not fulfilled as the processing was before, but as stated above, the processing of personal data must satisfy all the basic requirements of paragraph 1. Article 8 of the law, cf. Article 5 of the regulation. In number 1 Paragraph 1 Article 8 of the law, cf. point a, paragraph 1 Article 5 of the regulation, it is also required that personal data is processed in a legal, fair and transparent manner towards the data subject. In order to assess whether the conditions for transparency have been met, it is necessary, as here, to check whether the educational obligation has been carried out by the responsible party. According to paragraph 2 Article 17 Act no. 90/2018, the registered person has, among other things, the right to information about processing, whether personal information is obtained from him or not, according to instructions 13.-14. art. of regulation (EU) 2016/679. However, the responsible party's training obligation does not apply if and to the extent that it costs excessive effort to provide the training, cf. point b of paragraph 5 Article 14 of the regulation. In that regard, i.a. to take into account the number of registered persons, cf. Section 62 of the preamble of the regulation. Taking into account the interests of the complainant that the processing concerns and with regard to the number of registered persons, i.e. of all the persons who appear in the national register, in the opinion of the Personal Protection Authority, the exemption clause of paragraph 5. Article 14 of the regulation applies to the processing of personal data by Advania to provide Signet subscribers with access to the complainant's identification number in the national register. With reference to the above, the said processing of personal information must be considered fair and transparent towards the data subject. 2. Instructions It has been stated that Signet's service has been changed in such a way that the lookup system of the National Register of Iceland is now only accessible to Signet subscribers. In view of the above-mentioned changes that have been made, the Personal Protection Agency does not consider it necessary to direct instructions to Advania regarding improvements regarding the publication of social security numbers. With reference to items 4 and 6. Article 42 Act no. 90/2018, however, it is proposed to Advania to stop publishing the email addresses of users of the Signet service. Confirmation that the publication has been stopped must be received by Personal Protection no later than January 3, 2022. However, Advania may be permitted to publish users' email addresses again if the processing is brought in accordance with the provisions of Act no. 90/2018 and Regulation (EU) 2016/679. The company must then send the Data Protection Authority a description of it, before the processing begins, how it will be secured and on the basis of which authority in Article 9. Act no. 90/2018 and paragraph 1 Article 6 regulation (EU) 2016/679 the processing takes place. In this regard, Advania is instructed that if the processing is to be carried out on the basis of the data subject's consent, cf. Number 1. Paragraph 1 Article 9 Act no. 90/2018, the data subject must be informed about the processing in question, the consent must be free, distinguished from other processing operations and granted with a special operation. Ruling: Publication of Advania Iceland ehf. at email address [A] did not comply with the provisions of Act no. 90/2018, on personal protection and processing of personal information, cf. regulation (EU) 2016/679, on authorization for processing. Publication of Advania Iceland ehf. on social security number [A] did not comply with the provisions of Act no. 90/2018, on personal protection and processing of personal information, cf. regulation (EU) 2016/679. Advania Iceland ehf. must stop the publication of the email addresses of users of the Signet service and send confirmation that this has been done to Personal Protection no later than January 3, 2023. Advania Ísland ehf. however, it may be permitted to publish users' email addresses again if the processing is brought in accordance with the provisions of Act no. 90/2018 and Regulation (EU) 2016/679. The company must then send the Data Protection Authority a description of it, before the processing begins, how it will be secured and on the basis of which authority in Article 9. Act no. 90/2018 and paragraph 1 Article 6 regulation (EU) 2016/679 the processing takes place. Privacy, November 29, 2022 Ólafur Garðarsson chairman Björn Geirsson Sindri M. Stephensen Vilhelmína Haraldsdóttir Þorvarður Kári Ólafsson