IMY (Sweden) - IMY-2023-1647
| IMY - IMY-2023-1647 | |
|---|---|
 | |
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 35(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | 300,000 SEK |
| Parties: | n/a |
| National Case Number/Name: | IMY-2023-1647 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Swedish |
| Original Source: | IMY-2023-1647 (in SV) |
| Initial Contributor: | sh |
The Swedish DPA fined Östersund's Childrens and Education Board 300,000 SEK (around €26,524) for breaching Article 35(1) GDPR. The Board failed to conduct a data protection impact assesment prior to using Google Workspace in schools.
English Summary
Facts
Östersund has twenty-four schools that use Google Workspace since 2020. It is employed for communicating, teaching, and assigning and turning in homework. Google Workspace processes the personal data of 1,303 employees and 5,945 students, including names, email addresses, and class and group memberships.
In 2014 a different entity in Östersund (the regional Council of Jämtland County) conducted an impact assesment on the use of google applications in education and determined that they could be used.
In 2020, The Childrens and Education Board of the muncipality of Östersund (the controller) decided to integrate Google Workspace into their own systems and schools but did not conduct an impact assesment, believing that the 2014 assesment was sufficient. It was only after such an integration that the controller initated an impact assesment. This process has been ongoing for three years and was still not completed by the time of the DPA's investigation.
The Swedish DPA started an investigation concerning the controller.
The controller wrote to the DPA and explained that parts of the ongoing impact assesment had been reported and acted upon. For example, policy documents have been established, training courses developed and storage restrictions implemented. They also noted that the impact assessment has so far revealed the same concerns as the 2014 report. The only question that remained was whether using Google Workspace required the transfer of personal data to a third country (a nation outside the EU/EEA).
Holding
The question for the DPA was whether there was an obligation on the controller to carry out an impact assesment before the controller started processing personal data in 2020.
First, the DPA's investigation confirmed that the controller did not carry out an impact assesment before Google Workspace was used in 2020 and that the work to carry out an impact assesment has not yet been completed.
Second, it should have been clear to the controller that the processing was high risk and required an impact assesment. The DPA cited Recital 75 and 76 GDPR which, in combination, state that when data processing involves children and a large number of data subjects, it is considered high risk processing. Article 35(1) GDPR outlines that impact assesments are necessary when processing is likely to result in high risk. It was also clear that the controller needed to conduct an impact assesment under Article 35(4) GDPR. This provision requires DPAs to publish a list of the types of processing operations that require impact assesements. Critera 5 and 7 of the Swedish DPA's list were met as the processing was carried out on children and for a large number of data subjects.
Third, the Swedish DPA did not believe that the controller's actions after 2020 provided mitigating circumstances that would reduce the size of a potential fine. This was due to the fact that the controller should have established and implemented these measures prior to the use of the service, not after. Not to mention that the impact assesment had not yet been concluded after three years which demonstrated a high level of sustained negligence. The DPA also considered it to be highly likely that the processing of personal data in a US cloud company would result in the transfer of personal data to third countries but did not elaborate on this point in their decision.
Against this background, the DPA found the controller to have breached its obligation under Article 35(1) GDPR and fined it 300,000 SEK (around €26,524) .
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
