Persónuvernd (Iceland) - 2020092288

From GDPRhub
Persónuvernd (Iceland) - 2020092288
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 7 GDPR
Article 12 GDPR
Article 13 GDPR
Article 24 GDPR
Article 25 GDPR
Article 28(3) GDPR
Article 32 GDPR
Article 32 GDPR
Articles 8, 9, 11, 25 and 27 Act no. 90/2018 on personal data protection
Type: Investigation
Outcome: Violation Found
Started:
Decided: 23.11.2021
Published: 25.11.2021
Fine: 11500000 ISK
Parties: Ministry of Industries and Innovation
YAY ehf.
National Case Number/Name: 2020092288
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Icelandic
Original Source: Persónuvernd (in IS)
Initial Contributor: Tetyana Porokhonko

The Icelandic DPA found that the Ministry of Industries and Innovation and the company YAY contravened the GDPR by collecting personal data without a legal basis and processing it without consent, violated the principle of data minimisation, and failed to comply with its information obligations by processing the personal data of the users of a gift card application, and imposed administrative fines of approximately €50,800 (7,500,000 ISK) and €27,100 (4,000,000 ISK) respectively.

English Summary

Facts

In September 2020, the Icelandic DPA initiated an investigation on a digital gift card application provided by the Ministry of Industries and Innovation (the Ministry), and developed by the company YAY ehf (YAY). The aim of the application was to issue a digital gift certificate to all Icelanders over 18 years old in order to stimulate domestic tourism in the summer 2020 during the COVID-19 pandemic.

After the app was published on 18 June 2020, the DPA became aware that, in order to be able to use the digital gift card, the users of the application had to submit their personal data, such as, email address, phone number, age and gender. Moreover, the users were also required in some cases to give an access to their phones´ camera, microphone, GPS location, calendar, contact information as well as data on USB storage.

The DPA decided to open an investigation to assess whether the collection of users´ data and the acquisition of access rights to their mobile devices by the digital gift card application were in compliance with the GDPR and the Icelandic Act no. 90/2018 on data protection and the processing of personal data. In the context of this investigation, the Icelandic DPA found that the Ministry was the controller of the personal data and that YAY was a processor of the personal data.

Holding

In its decision from 23 November 2021, the Icelandic DPA came to conclusion that the Ministry had breached several principles of the data protection legislation. More specifically, the Icelandic DPA found that the Ministry had (1) collected a large amount of users´ personal data without having a lawful basis; (2) failed to obtain a valid consent for processing of users´ data, (3) required extensive access rights to users´ mobile devices, in violation of the principle of data minimisation and (4) failed to provide the users with adequate information on the use of their data.

Furthermore, the Icelandic DPA stated that both the Ministry and YAY had failed to implement appropriate technical and organizational security measures to ensure the protection of the users´ personal data.

The Icelandic DPA imposed an administrative fine of 7,5 million ISK (approx. €50.800) on the Ministry, and a fine of 4 million ISK (approx. €27.100) on YAY ehf. for violation of Articles 5, 6, 7, 12, 13, 24, 25, 28(3) and 32 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.


                    Individuals FAQ complete FAQ electronic monitoring general privacy right to be forgotten right to information about their genotype What is processing? A new privacy legislation 2018Almennt the new legislation other interesting stuff educational booklet: Privacy children's booklet: Private youth booklet: public companies and administration asked and answered all the questions and answers electronic monitoring general privacy access right controllers, processors and vinnslusamningarÁbyrgðarskyldaVinnsluskrárNý Privacy legislation 2018FræðsluefniLög and reglurLög privacy rules and regulations other sacrificed rules and guidelines operating international and European law Solutions Solutions Reviews Licensing Various letters Privacy function Privacy News Mega political process personal data my campaign? How to process personal data in election campaigns? Staff and management for media requests for promotional events policy and gi ldiAnnual Reports201620152014201320122011201020092008200720062005200420032002200120001999Other ContentPrivacy PolicyLegal DisclaimerAccessibilityService DeskTwitterEnglishDecisions in EnglishContactLearningTo reportTopic
             
                
    
    Enter keywords
    
    
      
    
    
  
  
                    SolutionsReviewsLicensingMiscellaneous letters
             
                
                
                                
            Search for solutions
            
        
                
            
                Year from:
                
            
            
                Year to:
                
            
        
                
            Search
        
    
    



    


    


    
      Decision on fines for government travel
      Case no. 2020092288
    

    

     
      
      
        11/25/2021
        
      
      
      
     

    

  

  

  
      Privacy
has imposed administrative fines, on the one hand in the amount of ISK 7,500,000
the Ministry of Industry and Innovation and on the other hand in the amount of ISK 4,000,000. á
the company YAY ehf., for the processing of personal information in connection with government travel.
More specifically, the fines were imposed for violations of fundamental principles
privacy legislation, for example on education obligations, transparency and security
personal information in the Travel applet. Beginning
of the case can be traced to the issuance of a travel gift by the government, which was supposed to encourage Icelanders
for domestic travel in the summer of 2020. This is a digital gift certificate that
was distributed to individuals with a script of the company YAY ehf. Privacy
received a number of suggestions that when using the travel gift was required
extensive personal information and extensive access to users' telephones and was
therefore initiated an investigation. Conclusion
Privacy was that the Ministry of Industry and Innovation, which
responsible for the processing, violated many basic principles
the privacy legislation as well as the processing was extensive. Can be there
mention that there was a lack of authorization for the processing of personal information, e.g. by law, and
that the requirements for approval for processing were not met.
Fairness and transparency were not maintained in the processing, as there were only users
made to accept the general terms of use of the company YAY, instead of
specifically agree to the processing of personal information upon registration in the application. Education
was also unsatisfactory about the processing of personal information that took place in
practice. Finally, neither the Ministry of Industry and Innovation nor YAY ehf.
appropriate technical and organizational measures to ensure processing safety
personal information, such as adjusting and modifying the app settings, as well
of what was not
concluded a processing agreement between the parties as provided by law, but the conclusion of such
of the contract is considered to be an important organizational measure for processing
personal information. In spite of
The Data Protection Authority's suggestions for inadequate education were rectified late
and until the end of the project, users were forced to accept errors
Terms of use when logging in to the script. Then, by mistake of YAY ehf., extensive and
unnecessary access rights in the telephones of the app users, among other things
sensitive personal information, such as confidential calendar information. However
however, the investigation of the case revealed that the personal information of users did not have
have been retrieved on the basis of the aforementioned access rights. The company acknowledged that the processing had taken place before
mistakes and be unnecessary. In addition, the Data Protection Authority came to that conclusion
that the company had not complied with the requirements of the Data Protection Act on built-in and
default privacy when installing the script. There was no data available
which showed that evaluations or tests had been carried out to assess the effectiveness and
program settings, including what
personal information would in fact be requested when logging in to the script and theirs
access rights that would be acquired automatically. The conduct of YAY ehf. therefore not counted
comply with privacy laws in this regard.

    

    
    Decision
On November 23, 2021, the board of the Data Protection Authority made the following decision in a case
no. 2020092288: ContentsI. ProcedureExpansion of the caseReview of communication and due process
processing of the case by the Data Protection AuthorityLase of eventsPoints of view ANRSlocks YAY
ehf.Access
the network security company Syndis ehf.6.1. Restrictions and
disclaimer on the investigation of Syndir ehf.6.2. Athugun Syndis ehf.Athugun
Privacy in the ANR Minutes applet
due to the possible imposition of a government fine
ehf. due to the possible imposition of a government fine II. Reasons for decision Scope Scope Responsible party and processor2.1.
Processing responsibility2.2.
Processing contractLegality of processing3.1. Authorization for processing personal information 3.1.1.
Processing under responsibility ANR 3.1.2. Conditions of approval 3.1.3. Education3.2. Processing under YAY responsibility
ehf.3.3.
Security of personal information3.4. Principles of processing
personal information III. Application of sanctions and conclusion1. Perspectives on the application of sanctions for
brota ANR a.
Nature, scope and purpose of processing b.
Whether the violation was committed intentionally or negligently c.
Measures to reduce the loss of registered persons d.
Responsibility of the guarantor or processor with regard to technical and
organizational measures e.
Previous violation f.
Extent of cooperation with the Data Protection Authority g.
Categories of personal information h.
How was the supervisory authority notified of the violation i.
Compliance with remedial instructions j.
Other burdensome or mitigating factors2. Perspectives on the application of sanctions for
brota YAY ehf. a.
Nature, scope and purpose of processing b.
Whether the violation was committed intentionally or negligently c.
Measures to reduce the loss of registered persons d.
Responsibility of the guarantor or processor with regard to technical and
organizational measures e.
Previous violation f.
Extent of cooperation with the Data Protection Authority g.
Categories of personal information h.
How was the supervisory authority notified of the violation i.
Compliance with remedial instructions j.
Other burdensome or mitigating factors3. Conclusion about
administrative fine 3.1. Conclusion on penalties for violations ANR 3.2. Conclusion on penalties for violations
news coverage that the use of government travel was required
extensive personal information and extensive access to users' telephones decided
Privacy to begin an examination of whether such processing complies with Act no.
90/2018 on personal data protection and processing and regulation (EU)
2016/679. 2. Summary of communication and processing procedures
of the case with the Data Protection AuthorityWith a letter dated September 15, 2020,
announced the Data Protection Authority
Ministry of Innovation (ANR), Finance
and the Ministry of Economic Affairs and the information technology company YAY ehf. on the Agency's own initiative study in
following the dissemination of government travel grants through a script that the company had
developed. The Data Protection Authority requested information on the involvement of each
parties involved in decision-making in connection with the publication of the script, among other things about
purpose and methods of processing personal information about its users. There was also
requested information on whether and what instructions the ministries had given YAY ehf.
on the processing of personal information of the users of the script and whether the processing agreement
had been made. The deadline for reply was 30 September 2020. That
At ANR's request, a further deadline for responding to the Data Protection Authority's request was granted
October 14 Answer ANR was received at 16 p.m. The letter was accompanied by the undersigned
agreement of the Ministry, dated. 15 May this year, with YAY ehf. on the development of a solution
due to government travel. No responses were received
YAY ehf. within the deadline and the Data Protection Authority therefore reiterated its request by letter dated.
November 2, 2020. Answer from YAY ehf. received by letter dated. 9 p.m., along
the aforementioned development agreement of the company with ANR. Considers Privacy is still needed
on the notes of YAY ehf. due to specified items and requested them by letter to
of the company, dated 24. s.m. Privacy did not receive a response to the request and had
Privacy therefore contacted by telephone, on December 28, 2020, and reiterated the request.
Answer YAY ehf. received Privacy by email the same day. February 12, 2021
was YAY ehf. sent a letter of objection regarding a possible decision on
application of sanctions and received a Privacy Response
of the company 24. s.m. along with six accompanying documents. Based on data and answers
YAY ehf. The Data Protection Authority considered that further information was needed regarding the case from ANR and
sent a letter to that effect to the Ministry, dated. April 13, 2021. Three times ANR
after a long period of time to respond to the request of the Data Protection Authority. The deadline was extended
granted in all cases, until 21 May 2021. The Ministry's replies were received
the deadline passed by two e-mails on the 25th s.m. By e-mail
enclose the Ministry's reply letter and the Document of Processing Agreement and annexes thereto
agreement between ANR and YAY from 15 May 2020 together with accompanying documents marked in items from
one to four. In a letter from ANR, dated May 25, 2021, is repeatedly referenced
updated production contract, dated s.d., as attachment 5. Also in
the same letter is either referred to a telephone statement or an e-mail of the day. 2.
October as attachment 6. No document marked attachment 5
or Attachment 6 had, however, been received by letter from ANR. On that occasion sent
Privacy ANR inquiry by email s.d. and requested a copy of the original production contract
on which the updated agreement was based. The agency then requested that it be received
accompanying documents referred to. Answer ANR was received s.d. where it was confirmed that
a reference to a previous production contract would in fact be a reference to a development contract
party, dated May 15, 2020, which had already been sent to the Data Protection Authority. Then came
stated that ANR could not grant the Agency access to Attachment 6. The other 2.
June 2021, the Data Protection Authority sent ANR a letter regarding a possible decision on
application of the agency's sanctions and provided the Ministry with an opportunity to object.
On June 9, s.á. ANR requested a meeting with the Data Protection Authority, with reference to
of the above-mentioned letter from the Agency, to discuss its contents, without further explanation.
The Data Protection Authority rejected ANR's request for a meeting by e-mail, e.g. due to
the investigation of the case is still ongoing. In order to agree to such a meeting at the same time
investigation of the case, special reasons would need to be present, e.g. to be introduced
items that would not be explained or substantiated in writing. Then the Data Protection Authority referred to
its response to the written procedure of the Agency. The same day arrived
Privacy another email from ANR stating, among other things
the ministry considered it important to bring the matter to a successful conclusion and that ANR considers
that its treatment had reached some dilemmas. It would be significantly misaligned and
it would be necessary to obtain further explanations as to why the matter had developed
this way and why not discuss other options for completion
the case but with the imposition of a fine, e.g. with suggestions or recommendations for improvement, and
ANR reiterated its request for a meeting with the Agency. Given that ANR considered the case
misplaced, the ministry responded by email at 10 p.m. where it was crossed
the handling of the case and its position with the institution. There were also issues of the case
reaffirmed and reviewed the main points of Act no. 90/2018 and Regulation (EU)
2016/679 who is experienced in the case. It was also emphasized that the Data Protection Authority is looking into the matter
serious eyes as it specifically tested whether it had been done
important principles of the Privacy Act and the Regulation. Then
The Agency's assessment of the seriousness of the case was based in particular on their number
listed individuals who were covered by the travel donation and who could have been affected
affected by the extensive access permissions that the application initially requested. That
finally, the Agency's request for objections and / or explanations from the Ministry was due
possible application of sanctions repeatedly. Privacy received objections
of the Ministry by letter dated June 21, 2021. That letter states serious
comments on the Data Protection Authority's procedure, among other things due to delays which
the Ministry were granted to object and to provide the Agency further
explanations of the case, reasoning and application to legal provisions, initial assessment of
the seriousness of the matter and the rejection of the Ministry's request for a meeting. Because of
of the above, the Ministry did not consider it to have a real option
secure their rights and interests and that its right to object would in fact be curtailed
the extensive and serious comments of the Ministry and with regard to
its comments that it does not normally work in related matters
privacy agreed to Privacy, despite the fact that the agency believed that
the procedure was in accordance with the Administrative Procedure Act no. 37/1993, to provide the Ministry
increased instructions. The Data Protection Authority therefore sent ANR a letter, dated. July 2, 2021, there
which included procedures, the Agency's initial assessment and
the seriousness of the case, in addition to which justification was provided for repatriation
facts of the case under legal provisions, as well as general instructions were provided
on the interpretation of privacy legislation. ANR was given a deadline of 20 July
2021 to file its opposition to the case. The 6 p.m. requested the Ministry,
by e-mail, after further deadlines until 12 August, so as to submit objections and
that deadline was granted. At 12 p.m. received answers ANR. On June 10, 2021
sent the Data Protection Authority YAY ehf. notice that in view of the technical issues
which was foreseeable to be attempted in the own-initiative study, the Agency had decided
to request the assistance of Syndis ehf., an independent specialist company
in the field of network security and information technology, when conducting the study. With
The announcement was accompanied by a project description of Syndir ehf. along with a budget. Var YAY ehf. given the opportunity to comment on the agency's choice of specialist company due
of the study and its cost estimate. Answer YAY ehf. received the same day where neither
was commented on the examination nor the cost estimate of Syndis ehf. Furthermore
followed the answer of YAY ehf. audit of Syndis ehf. on the security of the company's script,
day. November 7, 2019. On June 22, 2021, the representatives of Syndis ehf. and
Privacy meeting with representatives of YAY ehf. in the premises of the latter, to
to review the data and sources that Syndis ehf. requested to perform
requested audit. YAY ehf. provided access to the required data and
answered questions from Syndis ehf. On August 9, 2021, the Data Protection Authority sent YAY ehf. and ANR
letter together with a report on the audit of Syndir ehf., dated July 6, 2021, and provided an option
to submit comments or further explanations on the content of the report. Was
deadline granted until 19 August s.á. At 12 p.m. received a reply letter from ANR and the other 18.
s.m. received an email from YAY ehf. where it was confirmed that neither ANR nor YAY
ehf. commented on the report of Syndis ehf. It was not clear from the answers of YAY ehf. each position
of the company was to ANR's assertion that the company had made a mistake
collected personal information about the age and gender of users. By email on August 20, 2021
The Data Protection Authority therefore requested the position of YAY ehf. to this point. Answer YAY ehf.
received by two emails on 23 p.m. together with two accompanying documents. Views and explanations of ANR and YAY ehf., as they are
appear in the above data, will be torn down as the occasion arises here
after.3.Case FactsLooking
that on 15 May 2020, ANR signed an agreement with YAY ehf. on solution development
due to government travel grant (hereinafter
development agreement). Objectives of the solution
was issuing digital gift certificates to individuals, eighteen years of age and older, with
Icelandic ID number, which you were supposed to
encourage domestic travel in the summer of 2020. This was a collaborative project
which was based on the government's proposals for measures to strengthen Icelandic
economy following the coronavirus pandemic (Covid-19). In view of the circumstances
great emphasis has been placed on bringing the solution to fruition as soon as possible
power. The government's decision was based on Althingi Act no. 54/2020 on travel gifts which
entered into force on 23 June 2020. The travel gift was made accessible
to the public on 18 June 2020 in the form of a script. Immediately upon use
Privacy notices requesting users' personal information, but
also extensive access to their telephones. The issue was covered in the media
but the Data Protection Authority did not receive any notification or request for comment or advice from ANR
or YAY ehf. about the case.To take advantage
the travel gift, the user had to log in to the script, provide information about
their email address and telephone number as well as agreeing to certain terms. In the first three days after the release of the script, a user was also prompted
to provide information on age and gender at check-in. User could also give
his travel gift to another person and sent with it a greeting with a photo or
video. To give the gift to others, the user had to register an email address
recipient and to use the application's optional extension services and send electronically
greetings with the gift, he was able to agree to give the app access to the camera,
microphone, contacts file and USB storage area in their phone.Days 18.-23. June 2020 downloaded the script, in
in some cases without the knowledge of their owners, very extensive access rights
in users' phones. This included access to a camera to
take photos and videos, as well as a microphone to record audio and
change the speaker settings of your phone. Furthermore, information was requested
the owner of the phone and its location, as well as information about the exact GPS location
of the device. It was also requested to be able to read information about events in
calendar, incl. á m. confidential information, added events and edited and sent
email without the knowledge of the phone owner. Then it was requested to be able to read
contact information and information and data in the phone's USB storage area
as well as editing data there and deleting. Finally, information on wireless was requested
Internet connections and, after being able to manage archiving, receive information
from the Internet, see Internet connections and Internet access server information, run applications
start a device, move small programs, control phone vibrations, prevent
for it to fall asleep, change system settings, set up shortcuts and read
Google Service Configuration (e. Service)
configuration) .4. The views of ANRANR refer to
with Act no. 54/2020, on travel donations, the Althingi has decided to donate
individuals 18 years and older travel gift. Agreements have been reached with YAY
ehf. where the company was considered to be able to provide a technically feasible solution
with speed and without high development costs. Digital Iceland has taken out
security measures YAY ehf. and concluded that the company could
ensure appropriate security. Syndis ehf. also carried out an audit of
the security measures of the company which have revealed adequate security measures
were available.To be able to use
the travel gift was necessary to work with specified
personal information, ie. name and phone number. It was also planned
for in the law that an individual could give his own travel gift and for that
it was necessary to process information about the recipient's e-mail address. Because
if the Ministry considers that the processing was necessary to fulfill the legal obligation
which rests with the responsible party and for work that has been done for the benefit
public interest.The first three days
after the publication of the script, the processor (YAY ehf.) also worked with it
information on the age and gender of users, but has given up and deleted the data accordingly
instructions of ANR, as the Ministry's position was that their acquisition
information was not necessary in order to fulfill obligations
processing parties according to the parties' development agreement, dated May 15, 2020, or later
instructions of ANR. In the notes ANR comes
also stated that on June 18, 2020, immediately after the first release of the script
has been made available to the public, extensive access has been requested
to users' telephones. The Ministry's position was that such
access rights were not necessary to fulfill obligations
processor according to a development agreement or subsequent instructions of ANR. Then the ministry believes
nor have they been necessary to fulfill a legal obligation in connection
in the provision of travel gifts and regrets that the mistake in question took place
processor. When the error was discovered, an updated version was released
of the script on the 22nd. ANR emphasizes that although the script has
requested this extensive access, during the period in question, if the information
never been downloaded or worked with. A distinction needs to be made between the possibilities for
work with personal information and its actual processing.The Ministry protests
because the processing of personal data has violated Article 5. Regulation (EU)
2016/679 and considers that the information was processed in a lawful, fair and
in a transparent manner towards registered persons. ANR therefore refuses to provide information
had been obtained for illegal purposes and that personal information had been processed
for purposes other than the original purpose, which is incompatible with the use of travel expenses
according to Act no. 54/2020. The aim was to obtain personal information
limited to the necessary purpose of the processing. ANR also refers to provisions in
a new production contract, dated May 25, 2021, as a basis for processing,
storage and deletion of personal information due to travel donations. ANR's notes
further stated that when individuals choose to give their travel gift to others and
send greetings in the form of a video with the gift barley processing of the requested
personal information with the consent of the user. In the privacy policy of travel gifts that
appears to users in the smart application states that in connection with such a gift may
the application to request access to additional information from users, such as
camera, microphone, photo and contacts, only and only in cases where
the user himself requests and agrees specifically. In general, there is access to
such data is not necessary for the use of the travel gift
ANR's explanations that it is the Ministry's position that with the development agreement
and processor, dated. May 15, 2020, and instructions issued
e-mail on 11 June, referring to a privacy policy
travel gifts and the Government's privacy policy, are to some extent provided for
applies to the formalities that must be stated in a production contract in accordance with a regulation
(ESB) 2016/679. However, the Ministry agrees with the views of the Data Protection Authority and
acknowledges that the parties' development agreement and subsequent instructions do not apply
holistically, sufficient consideration is given to the formal and material requirements according to para.
Article 28 of the Regulation and therefore the parties have entered into a production agreement, dated
May 25, 2021.ANR has prepared a privacy policy
for the processing that takes place using the script that has been updated
28 May 2021. The privacy policy is accessible on the website Ísland.is and in
the script. It clearly states what personal information is processed, in what
purpose and on what basis. The policy clarifies who is responsible and
each processor. Reference is also made to the privacy policy of the Government of Iceland
where further information can be found on the retention period, the rights of the data subjects
and contact information. In addition, ANR emphasizes that a distinction must be made
on the privacy policy applicable to the travel gift and its use
the script for that purpose on the one hand and an independent privacy policy
processor that applies to other general uses of the unrelated script
utilization of travel donation, however. When information has been received that education about
processing of personal data, which was carried out by a privacy officer
Cabinet, had not appeared in the script the first few days after its publication
its shortcomings have been addressed immediately. Then ANR refers to the updated
privacy policy from May 28, 2021 stating that the script may
request the specified additional personal information if the user requests it himself
by utilizing the additional services of the application and approving it separately
Finally, ANR's explanations also state that it was clear that the project was to
such a scope as this would have required a longer lead-up and
preparation time. In light of the circumstances and the emergency situation that has arisen
society, on the other hand, has focused on faster construction. They make mistakes
which took place at the beginning of the project could be traced to it.5.The views of YAY ehf. Notes by YAY ehf. are that much
to the same extent as the above explanations of ANR and will therefore only be discussed
items in the objections of YAY ehf. which can shed further light on the events of the case. In the explanations of YAY ehf. appears
that the Travel applet has already been based on another applet of the company
has been in use. The existing script has been adapted and prepared
with changed settings and activity in a hurry so that it has happened
the Travel applet. In the first version of the new program, certain features were lost
settings in which have requested various information and access in telephones
users. This was done by mistake but the data, i.e. about age and
the gender of the users that has been collected has already been deleted. When logging in to the script
record user information about themselves, including name, phone number and email address. In the development agreement
party from 15 May 2020, YAY ehf. specified owner of the recorded data
in the solution. Personal information registered in the script is stored in
database owned by YAY ehf. Due to technical reasons, it was decided to YAY
ehf. would be considered the owner of that information by name. By agreement of the parties
it will thus be difficult to decide who is considered the owner and thus the person responsible for that personal information
which were created using the script. On the other hand, YAY ehf. look at that
that ANR had the power of authority and decision-making power over the data in question. Despite the ambiguity
wording in the agreement in question, YAY ehf. that his parties were completely
agree on the role of each of them, ie. that ANR was responsible for the processing and
YAY ehf. processor. YAY ehf. does not consider itself to be their responsible party
data stored in the company's database or the remaining data
may be at the end of the contract period. In the notes of YAY ehf. comes
also stated that no written processing agreement had been made and knew it
to be considered a violation of the Privacy Act for which both parties are responsible. Su
however, this fact does not automatically lead to YAY ehf. is considered a responsible party
of processing. ANR has entrusted YAY ehf. specified processing with a development contract
a party where clear instructions have been given as to the functionality of the script
should have. The parties also worked according to the arrangement that ANR was
responsible for the processing and that it was very clear to users.
Even though ANR's instructions to YAY ehf. has not been documented in
production agreement, the parties agree on what the instructions were and
they are reflected both in the parties' development agreement, ANR's privacy policy and in
party communications (including e-mail communications). In cases where
the processor violates the instructions of the responsible party may come to the processor
is considered responsible for that processing. Have the extensive access permissions,
specified in the first version of the applet in the Android operating system,
have been utilized and YAY ehf. processed personal information that had been collected
in that way it would be examined whether YAY ehf. would be defined as
responsible for such processing. Did not come to that processing and from them
due to the fact that there is little to define the role of the parties in this connection. It is also stated that in an e-mail, on 16 June 2020, ANR requested
that the applet provided information about the gender of users. In other emails the same
Today, the company has received a new instruction from ANR to accept the script's request
gender information at check-out. Then the company received the same
instructions on the collection of information on the age of users, but there is no written one
data on them. If the company replied to ANR on the same day and informed that the request in question
had entered the process and that it would be followed up. However, have been asked
by updating the script until all changes to it have been made and therefore the update has been posted on June 18, 2020.
an update has been made available to users with the Android operating system already the same
evening but users of the iOS operating system not earlier than 20 p.m. due to the traditional
Apple's review process for published widgets that are generally delayed
48 hours. Information on the age and gender of users
iOS operating systems have therefore been collected from 18.-20. June 2020. The purpose of acquisition
of that information has been to process statistical information and analyze which
groups would have taken advantage of the travel gift. Then
is stated in the notes of YAY ehf. to Sin
ehf. has on November 7, 2019, at the request of YAY ehf., carried out a security audit of
the app and view security in the company's Amazon (AWS) cloud environment.
The tests were based on approved OWASP test methods, ie. Mobile Top
10 "," Mobile Security Testing Guide "and" Top 10 ", among others. The audit has
shown that the data that the script worked with was hosted in Ireland. Conclusion
of the audit was that there were neither medium nor large
weaknesses. 6.Involvement of the network security company Syndis ehf. In light of the technicalities
items that were foreseeable to be tried during the investigation of the case counted
Privacy need the help of a self-employed specialist company in the field
network security and information technology where the company's report would be part of an investigation
of the case. On June 7, 2021, the agency therefore applied to the company Syndis ehf. With the involvement of the company
emphasis was placed on researching the access rights requested by the Travel application applet
after and to examine its processing of users' personal information about age and gender.
The aim of this part of the study was to seek an answer to whether
The travel gift had been updated to prevent a request being made
according to access rights that were not related to the purpose of the Travel Gift and whether
the script would have attempted to exploit the above permissions. As stated in section
I.5., Above, YAY ehf. received Syndis ehf. to perform an audit
on a script on November 7, 2019. According to the case file, construction began
of the app Travel Travel not until first in May 2020. It is therefore clear
that the security audit of Syndis ehf., from 7 November 2019, concerned another small program,
i.e. the general script YAY ehf. (Gift certificate from YAY ehf.) And security
the company's data storage in the Amazon cloud solution (AWS). The audit in question did not take place
to the access permissions under review here. Given the study
In this case, privacy concerns another small program and its other components
the institution's assessment that the previous audit of Syndis ehf. does not stand in the way
a professional and impartial study of the security aspects of the Ferðagjafar applet.6.1.Restrictions and reservations on the study of Syndis ehf. Syndis ehf. makes a reservation in its report, dated July 6, 2021
that certain restrictions have been present in the examination of the company which
has created some uncertainty for the study. The report states
that Travel Gift is a small program developed in the framework of React Native, which can be used
to format small programs regardless of platform. YAY ehf. has since used
sees the services of the Expo software platform for publishing
of the app for both Android and iOS operating systems. Among those specified
restrictions on the investigation of Syndis ehf. have been Expo action files that do
enable software developers to release updates directly to mobile devices (e.
mobile devices) that bypass their home updates. However, it is pointed out that they
updates that result in a change in access rights must be made
through the home update system of mobile devices and therefore it is not possible to use
Expo to avoid access control systems for such devices. Syndis also believes
ehf. it limits its research to the fact that the Expo software platform contains shepherds
(e. assembler code) only for 30 days and Syndis ehf. therefore could not be confirmed
what changes were behind the versions in Expo. In addition, there is no reliable
a way to confirm that the shepherd, issued by Expo or
mobile device transfer systems reflect source code
of the script in the data repository that Syndis ehf. was delivered, where used
have been using a multi-platform in the development of the script. Research
Syndis ehf. therefore assumed that the data repository reflected the published
shepherds. During the investigation, nothing was revealed
which challenged those assumptions. Furthermore, it was not possible to test fully
functionality of the Travel applet due to no travel app appearing in
the script during project time. On the other hand, it was stated at a meeting of YAY ehf.,
Syndis ehf. and the Data Protection Authority on 22 June 2021 that the applet Ferðagjöfin has
is based on the same foundation as the YAY script and therefore has also been used for
to examine a specific activity. 6.2Athugun Syndis ehf.Athugun Syndis ehf. revealed that the first version
of the script (version 1.0.2.) was made available to the public on 12 June
2020, but the Travel Gift was not announced until 18 p.m. Then there were
changes made to the script and version 1.0.3 released on the same day, i.e. 18.
June 2020. Subsequently, version 1.0.4 was released by the script, on the 19th,
exclusively for Android operating system, and finally version 1.1 has been released
on the 22nd s.m. It is also stated that there was also a version between version 1.0.4 and 1.1
made updates to the script using Expo.Rannsókn Syndis ehf. demonstrated that the original versions
of the script, i.e. versions 1.0.2, 1.0.3 and 1.0.4, required, among other things, permissions
for access to the phones of users of Android operating systems, ie.
location information, network status, wireless status, camera, editor, network,
document management, audio settings, calendar (read and write access, e.g.
confidential information), contact list, internal and external storage areas (read and
write access), phone status, phone reboot information, microphone to
audio recording, shortcut setup, and motion mode reading. Also
the script required permission to request installation of other packages, permission
to run in the foreground even if other widgets were started, permission to display
a specific type of alert window that appears on top of other scripts, permissions
to use bio-teaching functionality for identification, permission to use fingerprints, possibilities
vibrate and allow the processor and monitor to move
on sleep mode. Syndis ehf. confirmed that version 1.1. and subsequent editions
did not request as extensive access rights as previous versions of the script and
mentioned above. According to Syndis ehf. points
the company's examination of the script of the script to everything from
in its original version, it only used four types of access rights:
access to a camera (optional to send greetings when forwarding travel)
but also to take a picture for the user's ID card), access to a file system
(optional to send a picture with a greeting already on the user's mobile device),
access to audio recording (optional to send greetings when traveling)
another person) and access to a contact book (used when gift certificates are available
sent to contacts). It was stated in the investigation of Syndis ehf. that despite earlier to the original
the version of the script would have required extensive access permissions had not been found
no indication that the script had used sources other than the aforementioned four
access rights. Syndis ehf. until the overwhelming majority
Mobile devices currently in use require users to install widgets
permission to use certain access rights at the time they are
new Year. Such access rights include, for example, access to sensitive data
functionality such as mobile device camera and user personal data. On the other hand
are in use telephones with older operating systems that do not have such control over
permissions of small programs and their number amounted to approximately 5.1% of all
mobile devices in Iceland at the time the script was released. Another matter
about users of Apple mobile devices, because the use of the travel gift was required
version 11 of the iOS operating system that has built-in user control for access rights and
users would then have become aware of any misuse of access rights and could
stopped her.Athugun Syndis ehf. on the prototype of the script also revealed that
version 1.0.2 of the script requested information about the gender and age of users
at registration and that this functionality had been removed in version 1.0.3. Then takes
Syndis ehf. provided that version 1.0.2 has been made available to the public
both operating systems on June 12, 2020 but that the public was not
announced the existence of the Government Travel Gift until 18 p.m. The updated one
version 1.0.3 of the Android operating system has been made available
to the public in the evening of 18 p.m. but not until the second half of the day 20. s.m. for the iOS operating system
in the Apple App Library. When updates are sent to the Google Play applet library
(for Android operating systems) they will be available shortly. When upgrading
in turn sent to the App Store applet (for iOS operating system) will be
it will not be accessible to users until it has passed an audit at Apple.
That process usually takes 48 hours. 7. The Data Protection Authority's observation of the script in September 2020, after
Privacy received comments about the script, the agency noted
its functionality and reviewed the training provided in the processing program
personal information. At check-in was
users are required to accept the general terms and conditions of YAY ehf. which generally apply to purchases
on a product or service through a company script. Privacy reviewed content
the general terms and conditions according to which, among other things, it is assumed that
is a transaction between the user of the script as the buyer and the seller of gift certificates
and that the user provides his credit card number and its period of validity and pays for it
the product. Nowhere is there a discussion of government travel. Other terms
which related to government travel were not accessible. After
login with a phone number, the user got access to the app Travel. Í
therefore, there is a menu with a link to the specific terms of the travel gift
entitled "Travel Terms". Their content
terms, however, were not all visible on the phone and could not be
scroll to read the beginning or end of each line text. Was not
it is therefore possible to read the terms in question on the telephone. There was no requirement to
the user agreed to the specific terms of the travel gift, as specified
in the answers of YAY ehf. In the same menu as before, another link was included
entitled "Personal Information". It was the same text that could be found in it
privacy policy on the company's website but was not specifically addressed
government travel gift in that text. Of observation
The Data Protection Authority could decide that users of government travel gifts would have to
accept the general terms of use of the company YAY ehf. to be able to take advantage of
the gift but the specific terms for it were not
accessible to users.Check
The Data Protection Authority also revealed that in the privacy policy of YAY ehf. was
discusses the handling and storage of personal information and rights by the company
of the registered. The types of personal information collected were not discussed
was about the user or the purpose of the processing due to the use of a travel application script
government. In the privacy policy of YAY ehf., Which contains a reference to
the terms of the company regarding its handling of personal information, came e.g. forward
that when creating access to solutions and using them, the user would need to register
information about their phone number, authentication code and possible credit card number
long. It was also stated that the company used the personal information in question for this purpose
to provide their customers with services under contract with them, such as
user access to the relevant solution, but also to keep track of usage history,
ensure safety and provide the right user with information on the status of the delivery of goods
and implementation of services, as well as ensuring the quality and functionality of the solution. In addition, it was stated
that the company used the information to contact the user in
for commercial purposes, as well as that YAY ehf. stored its customers' data there
to the company would no longer need them to fulfill the goal with
their collection. The rights of the data subject regarding collection and
preservation of personal information.Privacy carried out
same observation again March 2, 2021 and examined whether changes
had been made on the presentation of instruction and approval in the program. Was not wrong
see that changes have been made. Users were still required to agree
the general terms and conditions of YAY ehf. and the terms of the Travel Gift applet still proved
inaccessible to users.Then the Data Protection Authority re-examined August 26, 2021 and
last 9 November s.á. and had then been made
changes to the specific terms of the Travel Gift so that they were legible
telephones, but users were still required to accept the general terms and conditions of YAY ehf. sem
a precondition for the utilization of the government's travel grant. 8. ANR objection process due to possible
imposition of administrative fines
letters from the Data Protection Authority to ANR, dated June 2, 2021 and July 2, 20, were gone
over individual items of Article 47 Act no. 90/2018, which discusses views that
should be taken into account when deciding whether to impose a government fine and what amount
her shall be. ANR was given the opportunity to present its views
in that respect. ANR
replied by letters dated. 21 June 2021 and 12 August s.á. In the notes
The Ministry states that this is its position on the processing of personal data
which has taken place in connection with the utilization of the travel gift has taken over
met the requirements of the Act on Personal Data Protection and Processing of Personal Data. On the other hand
The Ministry reiterates that a project of this magnitude in question would have been necessary
longer lead time and preparation time. Due to circumstances, however, it was
emphasis on speeding up implementation and having preparation and implementation
of the project taken into account to some extent. Had the parties been given more time
could, among other things, have prepared a clearer production contract at the beginning of the project and
ensure better access for users to the privacy policy in the smart application. Then count
the Ministry in question does not justify the application of administrative fines. Regarding the nature of the violation, how serious and how
chronic it was and the number of registered individuals who suffered from it, as well
how serious the damage was, is stated in ANR's notes to the processing
personal information for government travel was necessary to
fulfill a legal obligation that rested on the responsible party, cf. Act no. no. 54/2020 um
travel, but also for a project in the public interest. To individuals
could use the travel gift if it was necessary to work with certain
personal information, ie. the name and phone number of the app user. Then be in
the above law provides that an individual can give his own travel gift
and therefore it was necessary to process information about the recipient's e-mail address
of the gift. The purpose of the processing of the personal information in question was to
verify the utilization of the travel gift.Also
states in the Ministry's notes that when the first version of the script has
made available to the public on 18 June 2020, has been requested
extensive access to users' telephones. It is the position of the Ministry to such
access rights were not necessary to fulfill obligations
processor and has gone far beyond the ministry's instructions and intentions
party. When the error was discovered, an updated version was run
of the script. That edition was published on the 22nd. Then the ministry proposes
emphasizes that even though the script has requested this extensive
access during the four-day period in question was never retrieved
on the basis of the access rights or worked with them. Still
rather it is stated that in the first three days after the release of the script has
been processed with information about the age and gender of users. Attitude
of the Ministry is that the collection of that information by the processor has not
be necessary in order to fulfill the obligations of the processor under the development agreement
party and subsequent instructions of ANR and the processor has deleted the information
the three days in question
the position of the Ministry as to whether the violation was committed intentionally or
negligence states in the aforementioned letter from ANR that the ministry never had any intention
for other than meeting the requirements of the Privacy Act.Regarding
actions taken by the controller or processor in order to
reduce the loss of registered individuals, ANR says that the processor has to immediately
three days later received an order from ANR to stop collecting information
users by age and gender and to delete the data immediately. Then it has been improved
access settings so that users of the app can do better
explain what access the applet actually used. It is also stated that ANR
agree with the views of the Data Protection Authority that the development agreement between the parties and the latter
instructions have not sufficiently taken into account the formal requirements made for such
contracts. This has been remedied by the conclusion of an updated production contract, dated.
25 May 2021, which takes into account formal and material requirements according to para. Article 28
Regulation (EU) 2016/679. The privacy policy was updated on 28 May
2021 with regard to the educational obligation. On the Ministry's position on responsibility
guarantors and processors with regard to technical and organizational
measures that they have implemented, cf. Articles 25 and 32
of the Regulation, states in ANR's explanations that before the Ministry has taken office
agreements with processors, Digital Iceland has taken out the company's security measures
and concluded that the processor could ensure appropriate safety.
Syndis ehf. also carried out an audit of the processor's security measures
which showed that adequate security measures were in place.ANR
states that no previous violations by the Ministry are pending
the scope of cooperation with the Data Protection Authority in order to remedy violations and reduce them
its potential adverse effects are stated in ANR's notes that as can be seen
communication with the Data Protection Authority, the Ministry has tried to respond
information requests from the Data Protection Authority effectively and within that time limit
which has been set by the Ministry. There has never been a will to do anything but show
full cooperation. However, the Ministry must be taken into account
do not normally work in matters related to privacy. It was necessary to
obtain information from other parties to respond to letters from the Data Protection Authority and
the ministry has made every effort to keep the agency informed of developments
and requested an additional deadline when the occasion arose. Requested the Ministry
as well as further instructions from the Data Protection Authority on ways to improve
that the matter could be resolved successfully.Regarding
which categories of personal information have been processed, ANR states in the notes
that sensitive personal information has not been processed in the script
compliance with the instructions of the Data Protection Authority on corrective measures according to Article 42.
of the Act states that the Ministry has not received such instructions. Not so
It is fully clear whether the Data Protection Authority considers the Ministry's improvements to be satisfactory or
not or what further remedial action the ministry would need to take to ensure that
the processing of the case is in a lawful state
states that no applicable rules of conduct have been adopted
here. However, it may be beneficial to work out rules of conduct that apply to processing
personal information when publishing scripts. Will the ministry address it
special inspection.End
rather, the ministry states in its letter that the alleged violations were not hidden
see a profit nor have they been conducive to protecting the Ministry from losses
The Ministry points out its views on the possible amount of administrative fines in its letter
that it is run entirely by the Treasury on the basis of contributions according to
budget and does not earn any special income nor does it have any bank accounts.
The Ministry's financial authority is in the hands of Althingi and is exercised on that basis
financial framework determined by the state budget. Fine decision of one authority
towards another government authority, which is fully run on the basis of contributions from the state treasury,
can therefore not affect its financial framework or projects in other respects there
which the government must continue to carry out the tasks entrusted to it
by law. An administrative fine of one authority over another entails only
a transfer in the accounts that does not affect the financial framework in question and of them
therefore, ANR does not consider it necessary to discuss issues related to it in particular
the amount of the administrative fine in this case.9.The objection process of YAY ehf. because of
possible imposition of administrative finesWith
letter, dated. February 12, 2021, YAY ehf. given the opportunity to object to
possible imposition of a government fine on the company due to the case. In a letter
The Data Protection Authority reviewed the points of view that are attempted in deciding such
sekta.Svar
received by letter dated. February 24, 2021. In the notes of YAY ehf. is emphasized
that the obligations to be considered in connection with the application of administrative fines
is the responsibility of the processor. YAY ehf. had, however, not been involved
processing as a guarantor. It also states that the company considers that
the processing for the travel gift has completely met the requirements of the privacy legislation.
It is not disputed that if the parties had been given more time, there could have been more problems
better to work. Thus, the parties should have completed the written
processing agreement between themselves, ensure would have had better access for users
ANR's privacy policy in the script and configure should have been more detailed
permissions in the Android version of the app from the beginning so that users
it could be clear that access to that information was not in fact being used
which were specified there. However, in the opinion of YAY ehf.
application of administrative fines
nature of the offense, how serious and how long-lasting it was and the number of registered
the persons who suffered it, as well as the severity of the damage they suffered,
is stated in the notes of YAY ehf. that at no point did the broad
access rights during the four-day period (from 18-22 June 2020) in
The Android version of the app has been used or worked with
personal information. It also states that in the first three days after publication
of the script has been processed with information about the gender and age of users who
was later dismissed on the basis of instructions from ANR. Total has 6000
users downloaded the app during this period but have this information immediately
been deleted. It is also stated that this is the assessment of YAY ehf. that no user has
suffered damage in connection with the processing of the material under consideration here. Um
position of YAY ehf. on whether the offense was committed intentionally or negligently
says in the notes of YAY ehf. that there is no violation of privacy law
been committed intentionally by the company. For mistakes have extensive
access permissions were selected for the first version of the app on Android devices
but that was not the intention of the parties. The same applies to the publication of
privacy policy in the script, it was not the intention of the party to the policy
would not be published there in its entirety.Regarding
actions taken by the controller or processor in order to
reduce the loss of registered individuals, says YAY ehf. in their explanations to let
has been from collecting information on age and gender after three days and them
information already deleted. Then the access settings have been changed within
four days from release, so users could better understand
what access the script was actually using
position of YAY ehf. to the responsibility of the guarantor or processor with respect to
the technical and organizational measures which they have implemented,
sbr. Articles 25 and 32 of the Regulation, states in the company's notes that YAY
ehf. shall be fully responsible for the security measures taken
in connection with the use of the script in accordance with the obligations of the company
rest on the basis of privacy legislation. YAY ehf. in this relationship
also for audit by Stafræn Íslands and Syndis ehf. on security measures
of the company, previously reported.YAY
ehf. states that no previous violations of the company are for going
the scope of cooperation with the Data Protection Authority in order to remedy violations and reduce them
its possible harmful effects stated in the notes of YAY ehf. that the company has
emphasized the need to provide the Data Protection Authority with information on all the items requested
has been left. Regarding
which categories of personal information have been processed, YAY ehf. until
their explanations that no sensitive work had been done
personal information. Regarding
compliance with the Data Protection Authority's instructions on corrective measures is stated in YAY
ehf. has not received any such instructions.Then
states that no applicable rules of conduct have been adopted
here. However, it may be beneficial to work out rules of conduct that apply to processing
personal information when publishing scripts. That
Finally, it is stated in the notes of YAY ehf. that no profit was made
in connection with the alleged violations nor has a loss been avoided.II.Reasons for decision 1. Scope Scope
Act no. 90/2018, on personal protection and processing of personal information, and regulations
(ESB) 2016/679, sbr. Paragraph 1 Article 4 of the Act, and thus the jurisdiction
Privacy, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal information
which is automated in part or in full and processed by methods other than
automate personal information that is or should be part of a file
personal information is considered information about the person identified or
personally identifiable individual and an individual is considered personally identifiable if
it can be identified, directly or indirectly, by reference to its identifier
or one or more factors that are characteristic of him, cf. 2. tölul. Article 3
of the Act and point 1. Article 4 of the Regulation.With
processing refers to an action or series of actions in which personal information is processed,
whether the processing is automatic or not, cf. Number 4 Article 3 of the Act
and point 2. Article 4 of the Regulation. The provision also contains a list
as an example of what kind of actions can fall under the definition and says
including that the concept of processing may include methods of making
information available. Then it is considered processing when taken one step in a row
actions required to make personal information available or accessible. This action, to obtain access rights, is considered a step
in a series of actions to make personal information available or accessible and is considered
therefore for processing, cf. Number 4 Article 3
of the Act and point 2. Article 4 of the Regulation, although information will not be available
processed further, cf. the above provisions. This case concerns, on the one hand, acquisition
personal information about users of government travel grants and, on the other hand, the acquisition of access rights
in the telephones of the same users that could lead to further processing of personal information,
including sensitive personal information. In that respect
and having regard to the above provisions, the matter concerns this processing
personal information that falls within the competence of the Data Protection Authority. 2. Responsible party and processorSá
who is responsible for ensuring that the processing of personal information complies with Act no. 90/2018 is
named guarantor. According to point 6. Article 3 of the Act refers to that
an individual, legal entity, governmental authority or other party that decides alone or in
cooperation with other purposes and methods of processing personal information, cf. 7.
tölul. Article 4 Regulation (EU) 2016/679. In the European guidelines
of the Privacy Council no. 7/2020, from 2 September 2020, applies to a decision on
who is considered the responsible party for processing and who is not considered the processing party
only look at the available data, for example
processing contract, but also how the arrangement actually was
manner, i.e. who has in fact decided on the purpose and methods of
processing of personal information. Processor
is an individual, legal entity, government authority or other entity that works with
personal information on behalf of the responsible party, cf. 7. tölul. Article 3 of the Act and 8.
tölul. Article 4 Regulation (EU) 2016 679. As stated in para. Article 28
of the Regulation, a processor who violates the Regulation when
he determines the purpose and methods of processing, are considered to be responsible for
with regard to that processing.2.1.Responsibility of processingIn
In view of the above, it is necessary, before discussing its legitimacy
the processing of personal data discussed here, to determine the liability of each
parties, as the obligations of the responsible party and the processing party differ
their roles according to Act no. 90/2018 and Regulation (EU) 2016 / 679.For
is that in order to take advantage of the travel gift, users had to log in
the script and provide information about its name, phone number and email address. ANR and YAY
ehf. are unanimous in their explanations that for the collection of the personal information
has been instructed by ANR. The Ministry is therefore considered to be the party that decided the purpose
and methods for processing the above personal information and is the responsible party
of that processing.Also
users of the app could give their travel gift to another person, but to
it was necessary to work with the email address of the recipient of the gift. Then they could
users sent greetings with the gift they chose as well as to use such
additional services, they had to agree to access to a microphone, camera,
storage area and contact list in their phones. It is clear from the case file that
ANR requested that such additional services be offered and is therefore considered
responsible for that processing.First
three days after the initial release of the script, i.e. from 18.-20. June 2020, was still
rather request information about the age and gender of users. Available
that ANR gave YAY ehf. instructed to collect this information but then withdrew it
back. Therefore, no decision can be made other than to decide on the purpose and method of
the collection of the above personal information has been taken by ANR. In consultation with
ANR has YAY ehf. then update the script according to the instructions after that
had been made available to the public. Given that both parties to the case
state in their objections that they were fully consulted regarding the timing
the version of the script updates must be considered responsible for ANR
the processing of personal data that took place on the basis of version 1.0.2 of the script,
þ. á m. on information on the age and sex of users, taking into account delays in
publishing process. YAY ehf. is, however, considered a party to that processing. It is also clear that in the first days after the initial publication
of the app (from 18-22 June 2020 for Android operating system and from 18-23.
June 2020 for the iOS operating system), YAY ehf. according to his own words, by mistake, after
very extensive access to information in the telephones of the app users. Af
on the part of the ministry has stated that the acquisition of the extensive access rights
has not been in accordance with its instructions and that the processor has complied
with their mistakes. On behalf of YAY ehf. has been observed to evolve
The travel gift was based on the company's existing script where
such access rights are requested, but the settings in question are mistaken
not been removed when creating the new application. It can therefore only be seen
that YAY ehf. is responsible for those mistakes and the company is therefore considered responsible
the acquisition of the access rights in question and the action involved in the first step
in a series of actions to make user information available. Regarding other processing
personal information, as described above, is considered YAY ehf. processor, cf. 7.
tölul. Article 3 Act no. 90/2018, Coll. also point 8. Article 4 Regulation (EU)
2016 / 679.2.2.VinnslusamningurÍ
Paragraph 3 Article 28 of Regulation (EU) 2016/679, cf. Paragraph 3 Article 25 Act no.
90/2018, states that processing by the processor shall be covered by a contract
or other legal act under EU law or the law of a binding Member State
processor vis-à-vis the responsible party and where the subject is specified and
duration of processing, nature and purpose, type of personal information and
categories of registered persons and the obligations and rights of the responsible party. Then there is
eight paragraphs deal with the elements to be laid down in particular in the contract
between parties for the processing of processors on behalf of the responsible party. It is clear that on
between ANR and YAY ehf. a development agreement was made. Then, on the one hand, took place
e-mail communication in which the Ministry proposed a text of instruction
the applet and, on the other hand, subsequent e-mail communications which covered which
personal information should be collected and who should not. Privacy has been reviewed
the content of the agreement and the communications that took place. The agreement in question
deals in a very limited way with the conditions set out in para. Article 28
of the Regulation concludes production contracts. As for the email communication
which are available in the case, it will not be seen that they satisfy the above
conditions. Regulation (EU) 2016/679 and Act no. 90/2018 assume that always
there shall be a documented instruction from the responsible party for processing
personal data processor. Privacy considers that the requirement for clarity of such
the guarantor's instructions are even richer in terms of their nature and scope
the personal information in question and the personal information that was possible
to apply, i.e. general personal information of all Icelanders who have reached the age of 18
age with an Icelandic ID number but also sensitive personal information of some
users of the Android operating system, e.g. á m. confidential information in a calendar that may
to store sensitive personal information about them or others. The Data Protection Authority also believes that prices must be made rich
requirements for compliance with the law in the performance of senior executives' duties
of the executive branch, in this case the ministry responsible
the scope of innovation, as further specified in the Presidential Decree on
division of political affairs between ministries in the Government of Iceland, no. 119 / 2018.No
is in the above data ANR prescribes the processing of personal data for
of the script in a satisfactory manner and the conclusion of the Data Protection Authority is that
the data in question cannot be equivalent to a production contract within the meaning of the third paragraph. Article 25 fix
no. 90/2018, or the third paragraph. Article 28 Regulation (EU) 2016/679. Does
Privacy serious remarks that the ministry did not go here
make sure that everything was complied with in accordance with Act no.
90/2018 on personal data protection and the processing of personal data and Regulation (EU) 2016/679. 3. Legality of processing All processing of personal information must be stopped
under one of the authorization provisions of Article 9. Act no. 90/2018, Coll. Article 6
Regulation (EU) 2016/679. It is worth mentioning that personal information can be processed
the data subject has given his consent for the processing of his personal data in
for the benefit of one or more specific objectives, cf. Paragraph 1 Article 9 of the Act and point a
Paragraph 1 Article 6 of Regulation (EU) 2016/679, also if the processing is necessary
to fulfill a legal obligation that rests with the responsible party, cf. Paragraph 3 Article 9 Act no.
90/2018 and point c of the first paragraph. Article 6 of the Regulation, or if the processing is necessary
for work carried out in the public interest or in the exercise of official authority
which the responsible party handles, cf. 5. tölul. Article 9 of the Act and item e of the first paragraph. 6.
gr. of the Regulation. In addition, the processing of sensitive personal information will be involved
comply with any of the additional conditions of paragraph 1. Article 11 of the Act, cf. Paragraph 2
Article 9 of the Regulation. In point 3. Article 3 Act no. 90/2018 lists which
information is sensitive, but it is information about race,
ethnic origin, religion (point a); health information, ie.
personal information concerning a person's physical or mental health,
incl. health care he has received, and information on pharmacological,
alcohol and drug use (point b); information about sex and sexual orientation
(point c); and genetic information, biometric information, such as
portraits or fingerprint data, provided that information is processed for that purpose
to identify individuals in a unique way (point d). In assessing whether a permit for processing
personal information is available, it is necessary to check whether the appropriate processing authorization
has been for the processing and the processing is based on the consent of the data subject
check whether the conditions of approval have been met. It also needs to be examined whether
have provided adequate training, whether safety
personal information has been secured, e.g. á m. whether appropriate action has been taken
measures to ensure built-in and default privacy, and whether
principles for the processing of personal data have been complied with.3.1.Authorization for processing
personal information 3.1.1. Processing
under the responsibility of ANRWith Act no. 54/2020, on travel donations, spoke
Althingi stipulates that the government should give to individuals aged 18 and older
travel gift, cf. Paragraph 1 Article 1 of the Act. To verify utilization
of the travel agent, it was necessary to process the specified personal information,
i.e. name, phone number and email address. The Travel Act also provides for this
for an individual to give his own travel gift, cf. Paragraph 3 Article 1
of the Act. In order to be able to give a travel gift, it is necessary to work with
information about the recipient's email address. The aforementioned processing can therefore be based on 3.
tölul. Article 9 Act no. 90/2018 on personal protection and processing of personal information
other conditions of the law are met. It is clear that the original versions of the script were
made available in the Google Play and App Store app libraries on June 12, 2020.
Given that the app was not notified to the public until 18.
s.m. will be based on the fact that the processing of personal information has already begun on that day
the public could first access the script. Act no. 54/2020 on travel donations did not enter into force
until 23 June 2020. The processing in question could therefore not be based on point 3. Article 9
Act no. 90/2018 and point c of the first paragraph. Article 9 of the Regulation, that processing is
necessary for the legal obligation of the guarantor,
until after the entry into force of the law. Then it will not be seen that the processing has, until
that time, may be considered necessary for a work done for the benefit
public interest, cf. 5. tölul. Article 9 Act no. 90/2018 and item e of the first paragraph. 6.
gr. of the Regulation. This authorization requires that such processing be supported
legal authority but already for the reason that the law did not enter into force until 23 June
2020, will not be based on that authority. It has been argued by ANR that in
In light of the state of emergency in the community, emphasis has been placed on faster construction.
The ANR does not substantiate why the emergency in question was justified
the provisions of Act no. 90/2018 and Regulation (EU) 2016/679. Privacy
points out that privacy legislation
applies
regardless of the situation in society at any given time. Privacy considers that though
certain actions, such as pandemic prevention measures, justice
certain processing of personal information, it is not possible to accept that it is possible to
respect Act no. 90/2018 and Regulation (EU) 2016/679, in whole or in part, in
in connection with the provision of travel gifts. The Data Protection Authority does not consider that there was an emergency law perspective
here nor that the processing was in the public interest. Is that a conclusion
of the Agency that the processing of personal data that took place between 18 and 23.
June 2020 did not rely on a satisfactory authorization according to Art. Article 9 Act no.
90/2018 and Article 6. Regulation (EU) 2016/679. In addition, the Data Protection Authority considers it
It is reprehensible that ANR has not ensured that the processing of personal data does not begin
until after the entry into force of the aforementioned law. However, the Data Protection Authority considers that from
entry into force of Act no. 54/2020 on travel donation, on 23 June 2020, must be regarded as such
that the above processing of personal information may be based on point 3. Article 9
Act no. 90/2018 provided that other conditions of the Act are met, e.g. on processing transparency
and education for the registered, cf. discussed in Section 3.1.3 below.Then
It is clear that information was provided on the age and gender of users
of the script. During the preparation of the release of the script, a decision was made in this regard
however, withdrawn by the Ministry, at least regarding
information on the gender of users, as the processing was not considered necessary or in accordance
to Act no. 54/2020 on travel donation. This has been described in the explanations provided
that there has been full consultation between the parties as to when updated version 1.0.3, there
if a request for age and gender had been removed, would be placed in the script libraries.
The collection of personal information about the age and gender of users lasted from 18-20. June
2020. There was no authorization for the processing according to Article 9 Act no. 90/2018 and was
it is therefore contrary to the provisions of the law. In the third paragraph. Article 1 Act no. 54/2020 states to an individual
is allowed to give his own travel gift. On behalf of the Ministry and YAY ehf. has
stated that the user could take advantage of the optional additional services if he
agreed to give the app access to a camera, microphone, contacts file and
USB storage file. It is then examined whether such processing complies with point 1. 9.
gr. Act no. 90/2018 that the processing of personal information is permitted by the data subject
give their consent for the processing of their personal data for the benefit of one or
more specific goals. According to a statement with the bill that became
Act no. 90/2018 states, among other things, about the first paragraph. Article 9 of the Act to the government
can rarely be based on consent, except in exceptional cases when consent
has no influence on the provision of services or human rights. As such
is the opinion of the Data Protection Authority, that the provision of such additional services by ARN, which neither
is necessary to take advantage of the travel gift or the conditions for giving it, can
fall under it. Then test whether the conditions for approval are considered to be
fulfilled, i.e. how it is obtained and whether the guarantor has provided
adequate training before consent was given.3.1.2.Conditions for approvalTo assess whether authorization was in place at
processing of personal information for additional services, according to Act no. 90/2018 and
Regulation (EU) 2016/679, it is necessary to consider whether the conditions
approval according to point 1. Article 9 of the Act, cf. Article 6 (a) of the Regulation,
is considered fulfilled. In point 8. Article 3 Act no. 90/2018, approval is defined
as an unforced, specific, enlightened and unequivocal declaration of intent by the data subject that he
consent, by declaration or unequivocal confirmation, processing of personal information
in itself.In Article 10. Act no. 90/2018, Coll. Article 7 Regulation (EU)
2016/679, the conditions for approval are discussed in more detail. There comes, among other things
stated that when processing is based on consent shall
the guarantor
can show that the registered person has approved the processing
their personal information in accordance with the further conditions of Article 7. of the Regulation. In 2.
mgr. Article 10 of the Act states that if the data subject gives his consent in writing
a statement, which also covers other matters, the request for approval shall be made
presented in such a way that it is distinguishable from the other issues, in an understandable and
accessible form and clear and simple language. In the 4th paragraph. of the provision states that
when assessing whether consent is given voluntarily and voluntarily
the utmost consideration as to whether it is a condition for the performance of the contract that
consent is given for the processing of personal data that is not necessary due to
of the agreement. This is stated in a memorandum with a bill that became law
no. 90/2018 that the regulation sets out more detailed rules and stricter requirements
how approval is obtained, in addition to which companies are obliged according to it
to make the terms of approval transparent and accessible
and have them in an understandable language. Processing based on approval will be included
otherwise, as is always the case when processing personal information, that
comply with high-quality processing methods, take place in
stated, clear and objective purpose and must not go beyond what is necessary
requires. When the Data Protection Authority assesses whether the requirements for consent are met
it takes into account both the processing method used and their nature
information processed. Consent is required
free and independent and is not considered to be when an individual has to consent
specific processing in order to receive services. In point 42 of the foreword
of the Regulation reaffirms the obligation of the guarantor to
can demonstrate that consent has been given and state that it needs to
ensure that the data subject is aware of it and to what extent. It is emphasized that consent should not be considered
granted voluntarily if the data subject has not had a real or
free choice or unable to refuse or withdraw consent without becoming
for damage. The premise of the individual
be able to make an informed decision to give its consent for processing
personal information about themselves and protect their interests, as well as its conditions
consent is complied with, is that he is informed of the processing that takes place and in
what it entails. Prerequisites for knowledge and information on processing
personal information is transparency and education to the data subject about the processing. 3.1.3. EducationOne of the principles of privacy law
on the processing of personal information is that care must be taken to ensure that it is processed
in a lawful, fair and transparent manner towards the data subject, cf. 1.
tölul. Paragraph 1 Article 8 Act no. 90/2018, Coll. also point a of the first paragraph. Article 5
Regulation (EU) 2016/679. To assess whether the condition of transparency was met
the provisions on compulsory education must therefore be complied with. Compulsory education
responsible party, ie. the obligation to provide processing information
the personal data of the data subject, applies regardless of the legal basis of the processing
based on, i.e. whether in the case of consent or due to legal obligation. Then it should
provide the information in question in connection with the processing of personal information about him
the time when the information is obtained from the data subject, cf. Item 61
preamble to Regulation (EU) 2016/679. On the educational obligation, transparency and the data subject's right to
information is discussed in Article 17. Act no. 90/2018 and 12-14. gr. of the Regulation
(ESB) 2016/679. In the first paragraph. Article 17 of the Act states that the responsible party shall do
appropriate measures to ensure the transparency of information and notifications to
a registered person according to the instructions of Article 12. of the Regulation so that he
can exercise its right to information and the right of access. In the second paragraph. same articles,
sbr. also Articles 12 and 13. of the Regulation, states that the data subject has the right
for information on processing, whether personal information is obtained from him
himself or not, as well as the right to access personal information about himself according to
instructions 13.-15. gr. of the Regulation with the exceptions specified in
Paragraph 3 of the provision.In Article 13. of the Regulation deals with the information provided by
shall be provided when collecting personal information from a registered person. In the first paragraph.
of the provision states that when personal information about the data subject is obtained from him
the responsible party shall, when collecting the personal information, report it to him
including the purpose of the proposed processing of the personal information and who
its legal basis is (point c). In the opinion of the Article 29 Working Group, [1] no. WP260 rev. 01, states that it is
the principle of transparency in all forms of education in the form of information on processing
the personal data of the data subject shall be accessible, easy to understand and clear
and a simple matter. As mentioned earlier, the user is logged in to the Travel applet
made to accept the general terms of the company YAY ehf. applicable to general use
the company's scripts and not related to the Travel Gift. The information contained therein
is therefore not applicable to the use of the travel gift. By users
accepted the general terms and conditions, they could access the terms of the travel gift with
by clicking on the link marked "Travel Terms". The text that appears
users there, however, was not readable as only a fraction of it appeared
on the screen. In the above terms were not found the items that
Article 17 Act no. 90/2018 and Article 13. Regulation (EU) 2016/679 require.
Users were also, a.m.k. in the iOS version of the app, impossible to get acquainted with
the above terms in a satisfactory manner. In view of the above
the training provided when the collection of personal information took place is not counted
comply with Article 17 of the Act and Article 13. of the Regulation. In assessing whether
the data subjects were educated when the information was first obtained
does not mean that users could later access a privacy policy
YAY ehf. within the script. In addition, it is the opinion of the Data Protection Authority that the privacy policy
YAY ehf., Which was accessible after the user logged in, did not comply
the requirements made in the Act and the Regulation for the education of YAY ehf.,
on behalf of the guarantor, as this policy does not apply to the Travel Gift applet.
terms that did not apply to the processing that took place due to the travel gift and
therefore did not receive correct information about the processing of personal information about those who
took place in practice. At that time, users could not familiarize themselves with the specific terms of the Travel Gift
as they were inaccessible, a.m.k. at
iOS operating system users. In view of the above, it can not be seen that ANR has acted appropriately
measures to make information accessible, easy to understand and simple
and clear language or provide users with sufficient and correct government travel
information about the processing and their rights due to it so that they could take
informed decision on the planned processing of personal information about them, upon registration
in the program. ANR has therefore not fulfilled its educational obligation as a responsible party,
sbr. conditions of Article 17 Act no. 90/2018 and Article 13. Regulation (EU) 2016/679. As has been stated, users
made to accept the general terms and conditions of YAY ehf. when logging in to the Travel applet
as a basis for all processing of personal information in that script. In them
terms contained information that did not apply to its use. Provide
users are therefore authorized to process personal information about themselves on incorrect grounds.
Furthermore, the general terms and conditions of YAY ehf. nor the terms pertaining to it
The travel gift is considered to meet the requirements for that education
which must be provided to the data subject when personal information is processed about them, cf.
Article 17 of the Act and Article 13. of the Regulation. Where education was not adequate will not be based on
legal authority according to point 3. Article 9 Act no. 90/2018, Coll. also point c 1.
mgr. Article 6 Regulation (EU) 2016/679. For the same reason will not be considered a condition
approval has been fulfilled, with regard to additional services in the script, cf.
1. tölul. Article 9 of the above Act, cf. also point a of the first paragraph. Article 6
of the Regulation and Art. of the Act, cf. Article 7 of the Regulation. 3.2.
Processing
under the responsibility of YAY ehf. According to them
The information available in the case was in versions 1.0.2, 1.0.3 and 1.0.4 of the script
programmed extensive access rights to users' telephones, ie.
location information, network status, wireless status, camera, editor,
network, document management, audio settings, calendar (read and write access, e.g.
confidential information), contact list, internal and external storage areas (read and
write access), phone status, phone reboot information, microphone to
audio recording, shortcut setup, and motion mode reading. Also
the script required permission to request installation of other packages,
permission to run in the foreground even if other widgets were started, permission to
show a specific type of alert window that appears on top of other widgets,
license to use bio-teaching activity for identification, license to use
fingerprints, the possibility of setting on vibration and permission to prevent
CPU and monitor would go to sleep mode. YAY ehf. has acknowledged that
the above action was the result of a mistake. There was no authorization for that
basic processing according to Article 9. Act no. 90/2018 and was therefore the opposite
the provisions of the Act.3.3.Security of personal information According to Art. Act no. 90/2018, Coll. also Article 24.
of Regulation (EU) 2016/679, the responsible party shall make appropriate technical and
organizational measures that take into account the nature, scope, context and purpose
processing and risk for the rights and freedoms of registered persons to ensure
and demonstrate that the processing of personal data meets the requirements of the Regulation. With
the above measures shall ensure that privacy is built in and
default, cf. Article 24 of the Act and Article 25. of the Regulation. Such
measures may, inter alia, be designed to enforce the principles of
privacy, such as data minimization. The above rules of Act no. 90/2018 and Regulation (EU)
2016/679 are reaffirmed in the first paragraph. Article 27 of the Act, cf. also the first paragraph. Article 32
of the Regulation, which states that the responsible party and the processing party shall do
appropriate technical and organizational measures to ensure adequate
security of personal information in the light of the latest technology, implementation costs,
nature, scope, context and purpose of the processing and risk, less likely and
more serious, for the rights and freedoms of individuals according to further instructions
Article 32 of the Regulation, but that article will be considered its main provision
information security. Among the things that the guarantor and processor must do
according to the instructions in question is to introduce a process to test and evaluate regularly
the effectiveness of technical and organizational measures to ensure safety
of processing, cf. paragraph 1 (d) of the provision.In view of the above, here is a special test of whether security
personal information about users of government travel gifts has been sufficient
ensure the adjustment and shaping of the script settings and whether only has
have been processed with the personal information that was necessary for
purpose of processing. Then test whether there was a process to test
and regularly evaluate the effectiveness of technical and organizational measures, such as
tests of the internal functionality of the script and what personal information it obtained
automatically or both of its users upon login or due
additional services. The explanations of both parties to the case state that Digital
Iceland has carried out an audit of the company YAY ehf. with
with regard to the security measures of the company and came to the conclusion that
the processor could ensure appropriate security. Syndis ehf. also
carried out an audit of the safety measures of the processor which has revealed that
adequate safety measures were in place. ANR's notes state that
was the assessment of Stafræns Íslands that YAY ehf. provided sufficient assurance for that
that appropriate technical and organizational measures be taken to:
processing met the requirements of Act no. 90/2018 and Regulation (EU) 2016/679. Have
privacy policy of YAY ehf. have been examined separately but in the terms of YAY ehf.,
state how the company collects, uses, shares and protects personal information
their customers. The purpose of the terms is to ensure that the handling of YAY ehf. á
personal information is in accordance with the basic principles and rules of
privacy and privacy contained in Regulation (EU) 2016/679 ,.
The project team therefore considered it guaranteed that YAY ehf. took care of extreme safety in
processing of personal information. No further data or confirmation was received
Privacy from ANR due to the aforementioned audit of Digital Iceland.
It can also be deduced from the case file that the audit of Syndir ehf. has primarily concerned
aggression and stress testing. In the second paragraph. Article 24 Act no.
90/2018, Coll. also the second paragraph. Article 25 Regulation (EU) 2016/679, states that
the responsible party shall take appropriate technical and organizational measures
to ensure that by default only the personal information is processed as
are necessary for the purpose of the processing at any given time. This obligation applies
about how much personal information is collected, to what extent it is processed
them, how long they are kept and access to them. Do not appear as above
measures have been taken, neither by the responsible party nor the processing party. Then do not lie
for data showing that the audit covered the above items or that
special tests have been performed to evaluate the efficiency and configuration of the application,
m.a. with regard to what personal information would actually be requested
login to the script and the access rights that would be obtained automatically.
It is therefore not the case that the responsible and processing party has done the appropriate technical work
and organizational measures to ensure processing safety
personal information.Then was not done
processing agreement between the parties, as previously discussed, but he
is considered to be an important organizational measure for the processing of personal data
which provides for the fundamentals of processing and contributes to their increased safety
personal information covered by the processing. 3.4. Principles for the processing of personal information As before, processing will be traced
personal information must always meet all the basic requirements of the first paragraph. Article 8 Act no.
90/2018, Coll. Article 5 Regulation (EU) 2016/679. In light of the above try here
in particular whether the processing of personal data in question has taken place
in a lawful, fair and transparent manner towards the data subject (item a)
of the regulatory provision); whether information has been obtained in clear
specified, legitimate and objective purposes and not further processed in other and
incompatible purpose (point (b)); whether the information obtained has
be adequate, appropriate and not in excess of what was necessary
purpose of processing (point (c)); and whether they have been processed in such a way that
the appropriate security of the personal information has been ensured (item f). As has been stated, the Ministry did not
education adequately and therefore did not take appropriate measures to
ensure transparency about the processing of users' personal information
of the script and the processing can therefore not be considered to have been carried out in a reasonable manner
and in a transparent manner towards the data subject, cf. point a of the first paragraph. Article 5
of the Regulation. It is also clear that there was no processing permit
for the processing of personal information about users from 18-22. June 2020 or until the law
no. 54/2020 entered into force at 23 p.m. In addition, there was no time for authorization
processing of information on the age and gender of users. There was also no authorization to procure
extensive access rights to the telephones of the users of the affected script
processor error. It will therefore not be seen that information has been obtained
clearly stated, legitimate and objective purposes and it ensured that they would not be
processed further for other and incompatible purposes, cf. paragraph 1 (b) Article 5
of the Regulation. It is also the opinion of the Data Protection Authority that the acquisition of YAY ehf.
on extensive access rights in users' telephones, cf. further explanation in section I.3.
and I.6.2., and information on age and sex was insufficient and
appropriate and far in excess of what was necessary for the purpose
of processing, cf. paragraph 1 (c) Article 5 of the Regulation. The parties did not enter into a production agreement in
in accordance with para. Article 25 Act no. 90/2018 and the third paragraph. Article 28 of the Regulation
(EU) 2016/679 and it can therefore not be seen that YAY ehf. and ANR has made appropriate
technical and organizational measures to ensure that the default is
only the personal information that was necessary for the purpose was processed
of processing. Furthermore, YAY ehf. not appropriate
technical and organizational measures to ensure safety
personal information when the company used programming from another unrelated script
the Travel applet, without verifying the effectiveness of the measures provided
had been taken to ensure that no wider access was requested
users 'telephones than was needed as well as what users' personal information is
of the script would be made available, cf. 6. tölul. Paragraph 1 Article 8 of the Act and
paragraph 1 (f) Article 5 of the Regulation. Then it will be considered that to perform the first
steps in a series of actions to make the personal information of the users of the app
available, which were neither relevant nor necessary for the purpose
processing, has not complied with the principle of minimizing the processing of personal data or
the principle of proportionality, point 3. Paragraph 1 Article 8 Act no. 90/2018 and point c of the first paragraph. 5.
gr. Regulation (EU) 2016/679. ANR is also responsible for processing
personal information always meets the requirements of the principles of processing
personal information and should be able to demonstrate that this is the case, cf. Paragraph 2 Article 8 fix
no. 90/2018 and the second paragraph. Article 5 Regulation (EU) 2016/679. It is clear that we
preparation for the issuance of the travel gift was significantly lacking in compliance
in writing the instructions of the responsible party, the effectiveness of security measures,
tests and other documentation that is necessary to use when publishing a script. In view of the above, it is therefore an assessment
Privacy that the processing has not complied with the principles of processing personal information,
sbr. Points 1, 2, 3 and 6 Paragraph 1 and the second paragraph. Article 8 Act no. 90/2018, Coll.
also points a, b, c and f of the first paragraph. and the second paragraph. Article 5 Regulation (EU)
2016 / 679.III.Beiting
sanctions 1. Perspectives on the application of sanctions for violations
ANRAð the above-mentioned prestige therefore comes into consideration
whether ANR shall impose administrative fines for the above-mentioned conduct, cf.
Article 46 Act no. 90/2018, Coll. also Article 83. Regulation (EU) 2016/679. We
a decision to that effect and on the amount of the fine, the first paragraph shall be taken into account. Article 47
Act no. 90/2018, Coll. Paragraph 2 Article 83 of the Regulation. Are listed there
issues that may either be of interest to the benefit or to the detriment of him.
The following issues are considered in this case.a.
Nature, scope and purpose of processingAccording to point 1. Paragraph 1 Article 47 Act no. 90/2018,
sbr. point a of the second paragraph. Article 83 of Regulation (EU) 2016/679, this should be taken into account
of any kind, how serious and how long-lasting the breach was, with respect to
nature, scope and purpose of processing, as well as the number of registered individuals as before
what happened and how serious the damage was. In this case, the processing of personal information took place
stated for the purpose of enforcing the government's decision, it took to the general public
personal information, a large number of individuals but the processing lasted for a short time
time. There is no evidence in this case to suggest that individuals
has suffered damage as a result of the processing. According to information from the tourism dashboard [2] published
are
for
with the help of the Icelandic Tourist Board, it is stated that the number of travel gifts applied for in 2020
was 226,158, which was the number of individuals who received unsatisfactory
education for the use of Government Travel. Privacy considers it reprehensible that ANR, which
Ministry of Innovation,
shall have begun the processing of personal information about
number of persons before the law on which the processing was based came into force, that
the training was unsatisfactory and that no processing agreement had been made.
The Data Protection Authority believes that ANR has thereby violated in various ways
basic principles of Act no. 90/2018 on personal protection and processing of personal information
and Regulation (EU) 2016 / 679.b.
Whether the violation was committed intentionally or negligentlyAccording to point 2. Paragraph 1 Article 47 Act no.
90/2018, Coll. paragraph 2 (b) Article 83 of Regulation (EU) 2016/679, should be taken into account
whether the offense was committed intentionally or negligently. Ministry, like
other people who process personal information, take great responsibility for that activity
of them complies with established laws and regulations at any given time. Privacy counts though
that the submitted evidence in the case does not indicate that it was present
ANR's intention to violate the provisions of the Privacy Act either
the time constraint mentioned by the Ministry in its explanations contributed most to the fact that the processing took place with
in the manner described here. Privacy does anyway
serious remarks on the working methods used in the preparation of
issue of the travel gift. c.
Measures to reduce the loss of registered personsAccording to point 3. Paragraph 1 Article 47 Act no.
90/2018, Coll. paragraph 2 (c) Article 83 Regulation (EU)
2016/679, should take into account the measures that have been taken in it
in order to reduce the loss of registered persons. As stated earlier is not available
that individuals have suffered special damage as a result of the illegal processing.
However, it should be noted in this connection that ANR contacted YAY ehf. for
the first edition of Ferðagjafarinn, on 16 June 2020, and requested a procurement
personal information about age and gender would be discontinued and that information deleted. However
however, the parties agreed not to update the script until 6 p.m. sem
did not become available to iOS users until 48 hours later. later. Also that already clear
was that the applet gained extensive access rights in users' telephones was
reissued an updated version of the application. It is clear that ANR has intervened
to take appropriate organizational measures to prevent similar
incident repeats itself. However, it will be considered burdensome
factor that despite the fact that ANR has received information that
the terms of the travel gift appeared unsatisfactory in the script
a few days after it was made available to the public, with them
consequences that users were unable to familiarize themselves with them, the same terms were still
inaccessible to users of the iOS operating system almost a year later or on March 2, 2021.d.
Responsibility of the guarantor or processor with regard to technical and
organizational measuresAccording to point 4. Paragraph 1 Article 47 Act no.
90/2018, Coll. paragraph 2 (d) Article 83 Regulation (EU)
2016/679, should be taken into account how much responsibility the guarantor or
the processor shall, with regard to technical and organizational measures which
they have been implemented. An employment contract is considered, according to 3.
mgr. Article 28 Regulation (EU) 2016/679 and para. Article 25 Act no. 90/2018,
be part of the organizational measures that the responsible party must take to
ensure the security of personal information, cf. Paragraph 1 Article 32 of the Regulation and 1.
mgr. Article 27 of the Act. ANR is therefore responsible for safety
the personal information processed for government travel was not
safe. In the case under consideration here is clear
that the Ministry is responsible for the lack of organizational measures, incl. type
processing agreement and to ensure measures of default privacy in
the script. In the light of the processing in question, it should have been here
there are organizational measures in place that would have prevented the processing from going ahead
presented in the manner previously described. In this connection, it is important to
safety audit of Syndis ehf. took only a limited part of the information security,
i.e. attack and stress resistance. The security audits that were carried out were therefore not relevant
built-in and default privacy that should have ensured that collection and
the processing of personal data would not exceed what the processing authorizations and
the principles of the law and the regulation stipulate. ANR is therefore responsible for that
the security of the personal data processed for government travel was
not guaranteed and that the production contract has not been made satisfactorily
hátt.e.
Previous violationsAccording to point 5. Paragraph 1 Article 47
Act no. 90/2018, Coll. point e of the second paragraph. Article 83 of Regulation (EU) 2016/679, shall
look to previous offenses of the guarantor or processor that matter, if any
are. It is not known that ANR has previously been convicted of a violation
Privacy Act. f.
Scope of co-operation with the Data Protection AuthorityAccording to point 6. Paragraph 1 Article 47 fix
no. 90/2018, Coll. point f 2.
mgr. Article 83 Regulation (EU) 2016/679, the scope of co-operation with
Privacy to correct violations and reduce their harmful effects. For
lies that ANR responded to the Data Protection Authority's requests for further information as a result
that the agency's initiative study began, but was repeated
requested extended deadlines that affected the speed of processing the case
at the Data Protection Authority.g.
Categories of personal informationAccording to item 7. Paragraph 1 Article 47 Act no.
90/2018, Coll. point g of the second paragraph. Article 83 Regulation (EU)
2016/679, the categories of personal data breaches must be considered
influence. The processing of personal information in practice only covered general personal information. h.
How was the supervisory authority notified of the infringement? Paragraph 1 Article 47 Act no.
90/2018, Coll. point h of the second paragraph. Article 83 Regulation (EU)
2016/679, it must be considered how the supervisory authority was
made aware of violations. It is known that the Data Protection Authority received suggestions
to the public shortly after the first release of the script. The matter was then discussed
the media. Neither the responsible party nor the processing party drew the attention of the Data Protection Authority
málinu.i.
Compliance with remedial instructionsAccording to point 9. Paragraph 1
Article 47 Act no. 90/2018, Coll. paragraph 2 (i) Article 83 Regulation (EU)
2016/679, should be looked at
to comply with the Data Protection Authority's instructions on remedial measures on the basis
Article 42 of the Act. No instructions were given in connection with the handling of the case and
therefore, this aspect does not come up for further consideration.j.
Other burdensome or mitigating factorsAccording to point 11. Paragraph 1 Article 47 Act no.
90/2018, Coll. point k of the second paragraph. Article 83 Regulation (EU)
2016/679, burdensome or mitigating factors other than theirs should be considered
listed earlier in the provision, such as gains or losses incurred
directly or indirectly due to a violation. In this connection, it is to be considered that ANR has
put in some work, in collaboration with the processor, in order to update
procedures, conclude a production agreement between the parties in a documented manner and rectify deficiencies
on the publication of educational material, in connection with the processing of personal information due
government travel gifts. The ministry went into that work after an initiative study
Privacy started. It is also considered a mitigating factor
a party who does not work for financial purposes but works in the public interest. However, it is considered a burdensome factor that 2.
March 2021, just over eight months after the release of the script, were
The terms of the Travel Gift still make it inaccessible to iOS users and that 9.
November 2021, users have still been forced to accept the wrong terms when logging in
in the script.2. Perspectives on the application of sanctions for violations
YAY ehf.a.
Nature, scope and purpose of processingAccording to point 1. Paragraph 1 Article 47 Act no. 90/2018,
sbr. point a of the second paragraph. Article 83 of Regulation (EU) 2016/679, this should be taken into account
of any kind, how serious and how long-lasting the breach was, with respect to
nature, scope and purpose of processing, as well as the number of registered individuals as before
what happened and how serious the damage was. It is clear that
mistake of YAY ehf. to quickly adapt existing scripts to a new version
for the dissemination of travel gifts to Icelanders, has failed to adjust programming
access rights. With the publication of Ferðagjaf together with the aforementioned access rights
was taken the first step in a series of actions for the purpose of doing
personal information available and thus accessible. Such an action is considered
processing of personal information within the meaning of point 4. Article 3 Act no. 90/2018 and 2.
tölul. Article 4 Regulation (EU) 2016/679. This is extensive
access rights in the telephones of the users of the travel gift who made general and
sensitive personal information available. It will be evaluated for mitigating factors
the request for the extensive access rights lasted for a short time and that they were
not used for the collection of personal information and therefore went further processing
personal information on the basis of which is not provided. However, not only
look at the listed individuals who were actually affected
but also those who could have been affected by the acquisition of the said
sources. According to information from the tourism dashboard, 226,158 individuals attended
the travel gift in 2020. In terms of number of users
The Android operating system, which would not have been aware of the acquisition in question
access rights, it can be assumed that there is a significant number of people or
over 11,500 individuals. b.
Whether the violation was committed intentionally or negligentlyAccording to point 2. Paragraph 1 Article 47 Act no.
90/2018, Coll. paragraph 2 (b) Article 83 of Regulation (EU) 2016/679, should be taken into account
whether the offense was committed intentionally or negligently. The processing as here
is under review appears to have occurred due to human error and has nothing
stated in the case which indicates that there is a breach of intent. However
on the other hand, the Data Protection Authority makes serious remarks to a company that specializes
in the publication of small programs, which by their nature often work with extensive personal information, have
did not use good workmanship in preparing the release of the program. c.
Measures to reduce the loss of registered personsAccording to point 3. Paragraph 1 Article 47 Act no.
90/2018, Coll. paragraph 2 (c) Article 83 of Regulation (EU) 2016/679, should be taken into account
the measures that have been taken in order to reduce the losses of registered persons
individuals. In this connection, it is important that when it was clear that the request was made
after the aforementioned extensive access rights in users' telephones were violated
with the updated version of the script where settings were adjusted.d.
Responsibility of the guarantor or processor with regard to technical and
organizational measuresAccording to point 4. Paragraph 1 Article 47 Act no.
90/2018, Coll. paragraph 2 (d) Article 83 of Regulation (EU) 2016/679, should be taken into account
how much responsibility the guarantor or processor has with regard to
technical and organizational measures. As previously stated, YAY ehf.
responsible for the mistakes that led to the very widespread
access rights were obtained in the telephones of the users of the travel gift. YAY ehf. counts
responsible for the processing involved and as such is responsible for that
take appropriate technical and organizational measures, such as with
appropriate tests, to ensure that by default only those
personal information is made available or processed as necessary
of the processing at any given time. A production contract is also considered, cf.
Paragraph 3 Article 28 Regulation (EU) 2016/679 and para. Article 25 Act no. 90/2018
be part of the organizational measures that the processor must take to
ensure the security of personal information, cf. Paragraph 1 Article 32 of the Regulation and 1.
mgr. Article 27 of the Act. YAY ehf. is therefore responsible for the safety
the personal information processed for government travel was not
safe. e.
Previous violationsAccording to point 5. Paragraph 1 Article 47
Act no. 90/2018, Coll. point e of the second paragraph. Article 83 of Regulation (EU) 2016/679, shall
look to previous offenses of the guarantor or processor that matter, if any
are. It is not clear that YAY ehf. has previously been fined for violating Act no.
90/2018 on personal data protection and processing and regulation (EU)
2016 / 679.f.
Scope of co-operation with the Data Protection AuthorityAccording to point 6. Paragraph 1 Article 47 Act no.
90/2018, Coll. paragraph 2 (f) Article 83 of Regulation (EU) 2016/679, should be taken into account
extensive cooperation with the Data Protection Authority in order to remedy violations and reduce them
its harmful effects. Initially, it was slow to gather information
representatives of YAY ehf. which led to repeated and repeated requests from
Privacy. YAY ehf. provided, however, the Data Protection Authority and representatives of Syndir ehf. easy
access to the data and information requested for the purpose of
perform a study of the script and its publishing history, e.g.
Categories of personal informationAccording to item 7. Paragraph 1 Article 47 Act no.
90/2018, Coll. point g of the second paragraph. Article 83 of Regulation (EU) 2016/679, should be taken into account
the categories of personal data breaches affected. These are sources
to make general and sensitive personal information available. h.
How was the supervisory authority notified of the infringement? Paragraph 1 Article 47 Act no.
90/2018, Coll. point h of the second paragraph. Article 83 of Regulation (EU) 2016/679, should be taken into account
the manner in which the supervisory authority was made aware of the breach. For
It is clear that the Data Protection Authority received suggestions from the public shortly after the first
version of the script. The issue was also covered in the media. Neither
the responsible party or the processing party drew the attention of the Data Protection Authority to the case.i.
Compliance with remedial instructionsAccording to point 9. Paragraph 1 Article 47 Act no.
90/2018, Coll. paragraph 2 (i) Article 83 of Regulation (EU) 2016/679, should be taken into account
compliance with the Data Protection Authority's instructions on remedial measures on the basis of 42.
gr. of the Act. No instructions were given in connection with the handling of the case and therefore
this aspect will not be examined further.j.
Other burdensome or mitigating factorsAccording to point 11. Paragraph 1 Article 47 Act no.
90/2018, Coll. point k of the second paragraph. Article 83 of Regulation (EU) 2016/679, should be taken into account
other burdensome or mitigating factors than those listed earlier
the provision, such as gains or losses avoided directly or indirectly
stopped due to a violation. In this connection, it is to be considered that YAY ehf. has put in
some work, in collaboration with the responsible party, in order to update procedures, come
on a production contract between him and him in a documented manner and to fix deficiencies
publication of educational material in connection with the processing of personal information due to
government travel gifts. YAY ehf. went into that work after an initiative study
Privacy began. It is then considered a mitigating factor that YAY ehf. showed
good will to co-operate with the Data Protection Authority due to Syndir's audit and reporting
ehf. at the request of the Privacy on the script and has paid for the incident
cost of that work.3.Conclusion of
administrative fine A decision on whether to impose an administrative fine on ANR and or YAY ehf. í
This case depends on a comprehensive assessment of the factors discussed here
in front. ANR did not fulfill the obligations of Act no. 90/2018 and Regulation (EU)
2016/679 which led to the processing of personal information about a lot
number of individuals without legitimate processing licenses. Also lacking in validity
consent was obtained for the processing of personal data when users used it
the app's additional services to give your own travel gift to another person.
In addition, the training was inadequate so that users could not familiarize themselves with the terms
of the travel gift which were a prerequisite for the processing of personal information about them. Then the mistakes of YAY ehf. to without processing authorization or knowledge
users were asked for extensive access rights to their phones. Then ANR and YAY ehf. not appropriate technical and organizational
measures to ensure the security of the personal data processed for the project,
such as with built-in and default privacy and with the conclusion of a processing contract.3.1. Conclusion on penalties
for violations of ANREinn and traced above in Section II.2. um
the legitimacy of the processing, it is clear that the processing of ANR violated points 1, 2, 3 and 6.
Paragraph 1 and the second paragraph. Article 8, paragraphs 1 and 3 Article 9, Article 10, Article 17, Article 24 and
Paragraph 3 Article 25 and the first paragraph. Article 27 Act no. 90/2018, Coll. a-, b-, c- and f-points
Paragraph 1 and the second paragraph. Article 5, points a and c of the first paragraph. Article 6, Article 7, Article 12, 13
Article 24, Article 24, Article 25, Article 3 Article 28 and Article 32. Regulation (EU) 2016/679.
It is stated in Article 46. Act no. 90/2018, Coll. Article 83 of the Regulation, that violation
against. Articles 5, 6, 7, 13, 25, 28 and 32 of the Regulation may concern
administrative fines.With
taking into account the views set out above on the determination of sanctions
the administrative fine is deemed to be appropriately determined at ISK 7,500,000. 3.2. Conclusion
on penalties for violations YAY ehf.Eins
and is outlined above in Section II.2. on the legitimacy of processing is known to process YAY
ehf. violated points 1, 2, 3 and 6. Paragraph 1 Article 8, Article 9, Article 11 and 3.
mgr. Article 25 and the first paragraph. Article 27 Act no. 90/2018, Coll. also a-, b-, c- and
paragraph 1 (f) Article 5, Article 6, Article 9, paragraph 3 Article 28 and Article 32. of the Regulation
(EU) 2016 679. It is stated in Article 46. Act no. 90/2018, Coll. Article 83
of the Regulation, that violations of Articles 5, 6, 28 and 32 of the Regulation can
subject to administrative fines
views set out above on the determination of sanctions and for their implementation
are strict requirements for clarity of sanctions and sanctions. Provisions
Number 4 Article 3 Act no. 90/2018, Coll. also point 2. Article 4 of the Regulation
(EU) 2016/679, will not be considered sufficiently clear, in this sense, that it
take action or the first step in a series of actions to make personal information
available and possibly accessible, ie. without real accessibility
been established. It is therefore the opinion of the Data Protection Authority that there is no reason to do so
to fine YAY ehf. due to the processing involved in the programming of the extensive
access permissions contained in the app The Travel Gift. However, the Data Protection Authority considers this lack of
security, cf. Paragraph 3 Article 25 and the first paragraph. Article 27 Act no. 90/2018, Coll. Paragraph 3
Article 28 and Article 32. of Regulation (EU) 2016/679 reprehensible, especially in light of
that YAY ehf. specializes in making scripts and has it burdensome
influence on the determination of the amount of the fine. With
taking into account the views set out above on the determination of sanctions
a government fine is deemed to be appropriately set at ISK 4,000,000, but as a deduction
the fine is the payment of costs due to the audit of Syndir ehf. and reporting to
the amount of ISK 800,000.




Note: Processing
of the Ministry of Industry and Innovation on personal information about users for travel donations
the government violated points 1, 2, 3 and 6. Paragraph 1 and the second paragraph. Article 8, 1st and
Paragraph 3 Article 9, Article 10, Article 17, Article 24, paragraph 3 Article 25 and the first paragraph. Article 27
Act no. 90/2018, Coll. points a, b, c and f of the first paragraph. and the second paragraph. Article 5, points a and c
Paragraph 1 Article 6, Article 7, Article 12, Article 13, Article 24, Article 25 and the third paragraph. Article 28
and Article 32. Regulation (EU) 2016/679. A government fine of ISK 7,500,000 has been imposed
at the Ministry of Industry and Innovation. The fine shall be paid to the Treasury within
two months from the date of the decision. Processing
YAY ehf. on personal information about users due to government travel donation broke
against points 1, 2, 3 and 6. Paragraph 1 Article 8, Article 9, Article 11, paragraph 3 Article 25 and
Paragraph 1 Article 27 Act no. 90/2018, Coll. also points a, b, c and f of the first paragraph. 5.
Article 6, Article 6, Article 9, Article 3 Article 28 and Article 32. Regulation (EU) 2016 679. Is 4,000,000
ISK administrative fine imposed on YAY ehf. The fine shall be paid to the Treasury within
two months from the date of the decision. In view of the fact that deficiencies have been rectified during processing
of the case, the Data Protection Authority does not consider it necessary to issue instructions for improvements, that
for now, about other than to lay
is for the Ministry of Industry and Innovation and YAY ehf. to handle the script
so that before users sign up for the program, they will receive instruction accordingly
Article 17 Act no. 90/2018 and Article 13. Regulation (EU) 2016/679. Privacy,
November 23, 2021Olafur
Garðarsson ChairmanBjörn Geirsson Sindri M. StephensenVilhelmína Haraldsdóttir Þorvarður Kári Ólafsson



[1] On the basis of Art. of the Directive
95/46 / EC created a working group (Article 29 working group), composed of representatives
data protection authorities in Member States, which served e.g. the role of
promote a coherent interpretation of key concepts. European Privacy Council (EDPB)
later replaced the working group and has agreed to the guidelines in question
of the group, cf. the Council's statement on support for the older guidelines of the Article 29 Working Group
no. 1/2018.



[2] https://www.maelabordferdathjonustunnar.is/is/hagstaerdir/ferdagjof


    





















  
                    Privacy PolicyLegal DisclaimerAccessibilityService DeskTwitter