IMY (Sweden) - IMY-2023-1647

From GDPRhub
Revision as of 14:51, 5 December 2023 by Sh (talk | contribs)
IMY - IMY-2023-1647
LogoSE.png
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 35(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published:
Fine: 300,000 SEK
Parties: n/a
National Case Number/Name: IMY-2023-1647
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Swedish
Original Source: IMY-2023-1647 (in SV)
Initial Contributor: sh

The Swedish DPA fined Östersund's Childrens and Education Board 300,000 SEK (around €26,524) for breaching Article 35(1) GDPR. The Board failed to conduct a data protection impact assesment prior to using Google Workspace for Education in schools.

English Summary

Facts

Östersund has twenty-four schools that use Google Workspace since 2020. It is employed for communicating, teaching, and assigning and turning in homework. Google Workspace processes the personal data of 1,303 employees and 5,945 students, including names, email addresses, and class and group memberships. The Childrens and Education Board of the muncipality of Östersund holds itself out as the data controller for the processing of personal data when the schools use Google Workspace.

In 2014 a different entity in Östersund (the regional Council of Jämtland County) conducted an impact assesment on google apps in education and determined that it could be used. In 2020, The Childrens and Education Board of the muncipality of Östersund decided to integrate Google Workspace into their own systems and schools but did not conduct an impact assesment, believing that the 2014 assesment was sufficient.

It was only after the integration of Google Workspace into both their own systems and schools in 2020 that the Board initated an impact assesment. This process has been ongoing for three years and was still not completed by the time of the DPA's investigation. The Board wrote to the DPA and explained that parts of the ongoing impact assesment had been reported and acted upon. For example, policy documents have been established, training courses developed and storage restrictions implemented. They also noted that the impact assessment has so far revealed the same concerns as the 2014 report. The only question that remained was whether using Google Workspace required the transfer of personal data to a third country (a nation outside the EU/EEA).

Holding

The question for the DPA was whether there was an obligation on the Board to carry out an impact assesment before the Board started processing personal data in 2020.

First, the DPA's investigation confirmed that the Board did not carry out an impact assesment before Google Workspace was used in 2020 and that the work to carry out an impact assesment has not yet been completed.

Second, the DPA cited Recital 75 and 76 GDPR which, in combination, state that when data processing involves children and a large number of data subjects it is considered high risk processing. Article 35(1) GDPR states that impact assesments are necessary when processing is likely to result in high risk. Moreover, Article 35(4) GDPR requires DPA's to draw up and publish a list of the types of processing operations subject to the requirements of impact assesements. Critera 5 and 7 of the Swedish DPA's list were met as the processing was carried out on children and for a large number of data subjects.

Third, the Swedish DPA did not believe that the Board's actions after 2020 provided mitigating circumstances that would reduce the size of a potential fine. This was due to the fact that the Board should have established and implemented these measures prior to the use of the service, not after.

Against this background, the DPA found the Board to have breached its obligation under Article 35(1) GDPR and fined it 300,000 SEK (around €26,524) .

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.