Persónuvernd (Iceland) - 2020010611

From GDPRhub
Revision as of 15:24, 30 March 2022 by Cms (talk | contribs)
Persónuvernd (Iceland) - 2020010611
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6 GDPR
Type: Complaint
Outcome: Upheld
Started: 19.04.2019
Decided: 08.03.2022
Published: 14.03.2022
Fine: 1,000,000 ISK
Parties: Harpa Music and Conference Center
National Case Number/Name: 2020010611
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Persónuvernd (in IS)
Initial Contributor: Cesar Manso-Sayao

The Icelandic DPA issued a fine of approximately €7000 against a music and conference center for requiring customers to provide their ID number when purchasing tickets in violation of Article 5(1) GDPR, Article 5(2) GDPR and Article 6 GDPR.

English Summary

Facts

A data subject issued a complaint with the Icelandic DPA due to the fact that they were required to provide their ID number when purchasing tickets for a musical event in a Harpa Music and Conference Center (the controller) through the ticket sales system Tix Miðasala (processor). When they were not able to purchase the tickets without providing the ID number, the data subject contacted the processor.

The processor informed the data subject that they were not required to fill in their full ID number, and that it was enough to provide the first six digits, which correspond to their date of birth in Icelandic ID numbers. The data subject considered that their ID number or date of birth were unnecessary data requirements for the purchase of a ticket.

The controller claimed that the processor collected the ID number in order to verify the identity of the person collecting the tickets purchased online, and that this is a common practice among event organizers in Iceland.

Holding

The Icelandic DPA launched its investigation, and found that the field for the ID number was marked as a necessary requirement when purchasing a ticket with the processor’s online platform. The DPA noted that the controller and the processor’s privacy policies stated that the customer’s ID number was collected in order to verify their identity, and that there was no indication in these policies, or during the purchase process, that this was an optional requirement which could be fulfilled with just the first six digits corresponding to the date of birth.

The DPA also noted that this field was required before the data subject chose the ticket delivery method. In cases where the ticket is delivered to a physical address or an email, it would not be necessary to provide the ID number, as this requirement is only relevant when collecting the tickets personally at the venue’s booth.

Furthermore, the DPA held that requiring a data subject’s ID number, or their date of birth, was not necessary data in order to purchase an event ticket, and that verification of the ticket buyer could be carried out through other means, such as a confirmation of payment, address, email or telephone number. According to the DPA, under national law, the requirement of an ID number is subject to an objective purpose, and only when necessary to ensure secure identification. In this case, the DPA held that this threshold had not been met, and that an ID number, which also includes the date of birth, was an excessive requirement for the purpose of collecting a purchased event ticket.

Based on these considerations, the DPA held that the processing of this data was unlawful under Article 6 GDPR, and violated the principle of lawfulness, fairness and transparency, as well as the principle data minimisation, pursuant to Article 5(1)(a) GDPR and Article 5(1)(c) GDPR respectively. Based on these breaches, the DPA issued a fine of approximately €7000 (ISK 1,000,000) against controller, as the responsible party for this data collection. It also ordered both the controller and processor to delete the ID numbers it had previously collected before the start of the COVID19 pandemic, when the ID requirement was introduced in order to carry out contact tracing based on public health regulations.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Solutions

Collection of personal information for the purchase of tickets for an event in Harpa - fine decision

3/14/2022

The Data Protection Authority ruled in a case where a complaint was made about the collection of information on the ID number and date of birth of an individual by Harpa Music and Conference Center ohf. in connection with his electronic purchase of tickets. This was a complaint about processing that took place before Covid-19 arrived in Iceland and thus before rules were set that required the registration of personal information in connection with event attendance.

The Data Protection Authority came to the conclusion that it would not have been necessary to collect information on the complainant's ID numbers and date of birth for the purpose of handing him a ticket, as it would have been possible to fulfill the contract for the purchase without it. The processing would thus not have taken place on the basis of a processing authorization and would not have complied with the principles of data protection legislation on legality, fairness, transparency and minimization of data. The processing had also violated the special provisions of the law that the use of an ID number is subject to its objective purpose and is necessary to ensure secure identification.

Harpa Music and Conference Center Ltd. was submitted. to stop collecting information on ID numbers and dates of birth in connection with individuals' purchase of tickets for events organized by the company, and to delete available information on ID numbers and dates of birth of individuals that had been collected for the purpose of identifying them upon delivery of sold tickets.

An administrative fine in the amount of ISK 1,000,000 was imposed on Harpa Music and Conference Center ohf. In deciding on the amount of the fine, it had e.g. effect for reduction to Harpa Music and Conference Center ohf. it was not possible to change the implementation after the establishment of rules for infection control, which required the registration of personal information in connection with event attendance. All that could be seen was that the information had been collected in good faith that the processing was lawful.



Ruling

At a meeting of the Board of the Data Protection Authority on 8 March 2022, the following ruling was issued in case no. 2020010611 (formerly 2019040834):

I.
Procedure
1.
Outline of case

On April 9, 2019, the Data Protection Authority received complaint [A] (hereinafter the complainant). The complaint concerned a request for registration of an ID number or information on the date of birth when purchasing tickets for entertainment on behalf of Harpa Music and Conference Center ohf. (hereafter Harpa) through the electronic ticket sales system Tix Miðasala ehf. These incidents occurred before Covid-19 arrived in Iceland and thus before rules were set that required the registration of personal information in connection with event attendance, cf. first paragraph 7. Article 5 of Regulation no. 957/2020 on the restriction of meetings due to epidemics, which entered into force on 5 October 2020.



By letter dated April 23, 2019, Harpa and Tix Miðasala ehf. notified of the complaint received and invited to comment on it. The answer was provided by Tix Miðasala ehf. by e-mail on 9 May s.á. and by Harpa by letter dated 23. s.m. By letter dated On 1 October this year, repeatedly on 17 December this year, the Data Protection Authority requested further information from the companies. Harpa responded by letter dated. January 27, 2020. By letter dated 16 April this year, the Data Protection Authority informed Tix Miðasala ehf. on Harpa's responses and the institution's primary position to be responsible for the processing of personal data that was complained about. Was Tix Miðasala ehf. offered to provide comments or explanations on that occasion but no response was received from the company. By letter dated July 22, repeatedly, by letter dated 3 September this year, telephone and e-mail on 28 October this year, as well as a letter dated January 13, 2021, the Data Protection Authority requested further information from Harpa. The company responded by letter dated. February 2, s.á. By letter dated On 12 April this year, Harpa's Data Protection Authority announced that the Agency considered that there might be grounds for applying Article 46. Act no. 90/2018, on personal data protection and the processing of personal data, where the institution is authorized to impose administrative fines in accordance with Article 83. Regulation (EU) 2016/679. Harpa responded by letter dated. May 4 s.á. By letter dated 15 December, the Data Protection Authority requested further explanations from Harpa regarding the institution's examination of the company's website, cf. discussed in Section I.4. Harpa responded by letter dated. February 1, 2022.

In resolving the case, all documents and their accompanying documents have been taken into account, although not all of them are described in this ruling.

The handling of the case has been delayed due to delays in responses from Harpa and due to work by the Data Protection Authority.

2.
The complainant's views

It is stated in the complaint that the complainant was not able to buy tickets for an event on behalf of Harpa through the ticket sales system of Tix Miðasala ehf. without registering their ID number. Later, Tix Miðasala ehf. however, he informed that it was enough to register the first six digits of the ID number, i.e. date of birth, when purchasing tickets. Copies of those emails followed the complaint.



The complainant does not consider it necessary to have an ID number or information on the date of birth in order to ensure a secure identification when handing in tickets.

3.
Harpa's views

On behalf of Harpa, it is based on the collection of the ID number of those who buy tickets for events organized by the company through the ticket sales system of Tix Miðasala ehf. is necessary in order to ensure a secure identification when tickets are later picked up at the company's ticket booth. When handing in tickets at Harpa's ticket sales, individuals are asked for their name and ID number, in addition to presenting identification, in order to identify the person in question as ticket buyers.



The processing is necessary to fulfill a contract with registered individuals and is based on points 1 and 2. Paragraph 1 Article 9 Act no. 90/2018 on personal protection and processing of personal information. Reference is made in this connection that registration is optional. This is not a cash transaction where tickets are not delivered in parallel with ticket purchases, but the purchase can take place many months before delivery and changes to tickets, at the request of customers, require the use of the ticket buyer's ID number.

Harpa also considers that the processing fulfills the conditions of Article 13. Act no. 90/2018. By using an ID number, Harpa can ensure that ticket buyers do not lose their right to enjoy an event despite the loss of tickets. Given how long it can take from purchase to delivery, it is common for other information about ticket buyers, such as email addresses or phone numbers, to change. The ID number, on the other hand, is a fixed and unique means of identification.

Harpa's responses also state that ticket buyers can choose from three delivery methods of tickets. In this way, buyers can have tickets sent by e-mail, letter to the specified place of purchase or pick them up at Harpa's ticket booth.

On behalf of Harpa, it is based on the fact that the company is considered responsible for the processing to which the complaint relates, but that Tix Miðasala ehf. is considered a processor. In this connection, reference is made, among other things, to the fact that a processing agreement has been made between the companies, which stipulates, among other things, the processing of information on key figures.

Harpa objects to the fact that there is reason to impose a government fine on the company for the processing of personal information that is being discussed in this case.

Harpa points out in this connection that the company's delay in responding to the Data Protection Authority was not due to indifference or lack of cooperation, but that a new employee took on responsibility for privacy issues within the company and that challenges due to Covid-19 delayed the response.

In addition, new rules for disease control prevented the company from making the registration of the ID number technically optional when purchasing tickets, while the case was being processed, and that the provision of information to those registered in this regard would be updated. The company hopes that this can be changed by removing the infection control restrictions.

Finally, Harpa is based on the fact that there is a long tradition among event organizers in Iceland of registering ID numbers when buying tickets, as this is considered the safest way to identify ticket buyers.

4.
The views of Tix Miðasala ehf.

On behalf of Tix Miðasala ehf. It has been stated that buyers can limit the provision of information in the ticket sales process to the date of birth. The company deems this information necessary to ensure secure identification when collecting tickets, for refunds due to cancellation of a show or for changes in events, such as due to a new date or location.

5.
Privacy Policy

On 15 February 2021, the Data Protection Authority carried out an inspection on the website of Harpa and Tix Miðasala ehf. due to the processing discussed here. This inspection revealed that it was possible to buy tickets on behalf of Harpa on the company's website, which directed the buyer to the ticket sales system of Tix Miðasala ehf. It was also possible to buy tickets for the same event directly through the website of Tix Miðasala ehf. It was possible to buy tickets by logging in to the buyer's special website, but it was also possible to buy tickets without logging in.



When purchasing tickets, there was a star-marked column where the registration of the buyer's ID number was assumed. Information that registration of an ID number was optional did not appear in the ticket sales system itself or in the privacy policies of Harpa and Tix Miðasala ehf. which were accessible on their websites. On the contrary, Harpa's privacy policy stated that the company collected information on individuals' ID numbers when purchasing tickets to ensure the delivery of tickets to the rightful owners. ID number information was obtained before the ticket delivery method was chosen.

In a letter from Harpa, dated February 1, 2022, it was confirmed that the arrangement of the ticket sales system was the same in the spring of 2019, i.e. at the time of the processing of the case in question.

II.
Assumptions and conclusion
1.
Delimitation of case - Scope - Responsible party

This case concerns the collection of information about an individual in connection with his purchase of tickets for an event in Harpa through the electronic ticket sales system of Tix Miðasala ehf. It is known that information was requested on the complainant's ID number with a star-marked box. The Data Protection Authority considers that this must be the basis for collecting his ID number, regardless of what has been stated that the registration of information about his date of birth was a technical minimum requirement, as no information in this regard was found on the websites of Harpa or Tix Miðasala ehf. . It is therefore not possible to consider that this was an optional registration of an ID number. However, it is clear that by collecting the complainant's ID number, information on his date of birth was also collected. In view of the above, this case concerns the processing of personal information which falls within the scope of Act no. 90/2018 and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, point 2. Article 3 of the Act and point 1. Article 4 of the Regulation, as well as point 4. Article 3 of the Act and point 2. of the Regulation. It follows that the processing of personal information in question falls within the competence of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act.



On the other hand, the Data Protection Authority points out that the events of this case took place before the Covid-19 pandemic reached Iceland. This ruling therefore does not consider the collection of personal information that took place on the basis of the Epidemiological Control Act no. 19/1997 or other legal sources that have been established on the basis of them.

The person responsible for the processing of personal information complies with Act no. 90/2018 is named the responsible party. According to point 6. Article 3 of the Act refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with another purpose and methods of processing personal information, cf. 7. tölul. Article 4 of the Regulation. As such, Harpa is considered to be responsible for the processing in question.

According to point 7. Article 3 Act no. 90/2018, the individual or legal entity, government authority or other party that processes personal information on behalf of the responsible party is considered to be a processing party, cf. 8. tölul. Article 4 of the Regulation. Based on the relevant documents in the case, it is considered necessary to assume that Tix Miðasala ehf. is considered to have processed the complainant's personal information which is being discussed here on behalf of Harpa. Tix Miðasala ehf. therefore a processor in the above sense.

2.
Legality of processing

According to Art. Act no. 90/2018, Coll. Article 6 of Regulation (EU) 2016/679, the processing of personal data is only permitted if any of the factors described in the provision are present. It may be mentioned that personal information may be processed if it is necessary to fulfill an agreement to which the data subject is a party or to take measures at the request of the data subject before an agreement is made, cf. 2. tölul. Article 9 of the Act and Article 6 (b). of the Regulation. It will not be seen that other processing authorizations can be considered. In this connection, it is specifically pointed out that the registration was required, as previously stated. The processing could therefore not be based on consent, cf. 1. tölul. Article 9 of the Act and Article 6 (a). of the Regulation, provided that the arrangement of the registration did not meet the conditions of point 8. Article 3 of the Act in this regard.



At the same time, the principles of the first paragraph must be observed when processing personal information. Article 8 Act no. 90/2018, Coll. Article 5 Regulation (EU) 2016/679. Among other things, it stipulates that personal information shall be processed in a lawful, fair and transparent manner towards the data subject (point 1 of the legal provision) and that it shall be sufficient, relevant and not in excess of what is necessary for the purpose of the processing (3. point of the legal provision). According to para. Article 8 of the Act, the responsible party is responsible for ensuring that the processing of personal data always complies with the provisions of the first paragraph. and shall be able to demonstrate it.

In addition to the above, the use of an ID number is subject to its objective purpose and is necessary to ensure a secure identification and the Data Protection Authority may prohibit the use of an ID number, cf. Article 13 Act no. 90/2018.

The legitimacy of the collection of ID numbers in cash transactions has been tested in the ruling practice of the Data Protection Authority. In the Agency's ruling of 22 June 2011 in case no. 2011/198 tried to explain the provision of point 2. Paragraph 1 Article 8 the then applicable Act no. 77/2000, on personal protection and handling of personal information, which was analogous to the aforementioned provision of point 2. Article 9 Act no. 90/2018. The ruling stated, among other things, that the provision covered the processing of personal information about the data subject that was necessary to fulfill a contract with him, such as to know who should deliver the ordered product. It is in the nature of things that this is a cash transaction, this condition would not apply unless it is specifically stated and it is clear that for some reason such transactions would not be carried out unless an ID number was registered. The Data Protection Authority considers that the same views apply to the explanation of the aforementioned provision of point 2. Article 9 Act no. 90/2018 when tickets are delivered electronically, as the payments of the parties are then made simultaneously.

Then it is to be considered that in other cases, ie. when tickets are purchased online and delivered to the buyer at a ticket booth or by post, the data subject has made his payment, even though the person in question is not allowed to deliver the tickets at the same time. In this respect, the transaction is the same for Harpa as if it were a cash payment transaction, given that the company receives its payment as soon as the purchase is made, even though tickets will be delivered later. Therefore, essentially the same views apply to these delivery methods as were stated in the aforementioned ruling.

Harpa has stated that a name and ID number are required, as well as the presentation of identification, when tickets that have been purchased electronically are picked up at the company's ticket booth. However, it is clear that the company also offers other methods of delivery for such purchases, more specifically electronic delivery by e-mail and mailing of tickets to the address provided by the buyer when purchasing the tickets, but it is clear that the ID number is not used to ensure identification. upon delivery. However, in view of the provisions of Chapter I.5, that information on the ID number of ticket buyers is obtained before the delivery method is chosen, it will be assumed that the information is collected regardless of the delivery method chosen by the buyer.

It has also been stated by Harpa and the company's processors that no unambiguous requirement has been made for the registration of an ID number when purchasing tickets, as it was technically sufficient to register information on the date of birth.

In the opinion of the Data Protection Authority, in light of the above, it is clear that a secure identification could have been ensured when delivering tickets sold by other means than using the ID number or information on the complainant's date of birth, such as presenting a confirmation of payment or using address, email or telephone number. was applicable, regardless of which delivery method the complainant chose. Accordingly, it is not possible to consider that the collection of an ID number or information on the complainant's date of birth was necessary for Harpa, within the meaning of the above provisions, in order to provide the complainant with tickets he had purchased, as the agreement could be fulfilled using other identifying information. It cannot be seen that the purchase was so special in other respects that it justified the collection of the complainant's ID number.

Is it therefore the conclusion of the Data Protection Authority that the collection of information on the ID number and date of birth of the complainant did not comply with point 2. Article 9 Act no. 90/2018 and item b of Article 6. of Regulation (EU) 2016/679 nor the principle of point 3. Paragraph 1 Article 8 of the Act and point c of the first paragraph. Article 5 of the Regulation where information on the ID number was in excess of what was necessary to ensure a secure identification in connection with the delivery of tickets to the complainant. Furthermore, it is the conclusion of the Data Protection Authority that the collection of the complainant's ID number did not comply with Article 13. of the Act in view of the fact that the processing was not necessary.

The Data Protection Authority also considers that since the complainant had not been informed that it was optional to register information on the ID number, but that it had been made to appear that such registration was required, Harpa had not complied with the principle of point 1. Paragraph 1 Article 8 of the Act and item a of the first paragraph. Article 5 of the Regulation that the processing be carried out in a lawful, fair and transparent manner towards him.

3.
Conclusion and instructions

With reference to what is described in Section II.2. is the conclusion of the Data Protection Authority that by collecting information on the ID number and date of birth of the complainant in favor of handing him a ticket, which he bought in an electronic ticket sales system, Harpa has violated the provisions of Article 9. Act no. 90/2018 and Article 6. Regulation (EU) 2016/679 on processing authorizations, principle of point 3. Paragraph 1 Article 8 of the Act and point c of the first paragraph. Article 5 of the Regulation on Data Minimization, and the principle of point 1. Paragraph 1 Article 8 of the Act and item a of the first paragraph. Article 5 of the Regulation on Legality, Fairness and Transparency. In addition, the collection of information on the complainant's ID number violated the provisions of Article 13. of the Act.



In accordance with the above conclusion, and with reference to Article 13. and points 4 and 6. Article 42 Act no. 90/2018, Harpa is asked to stop collecting information on ID numbers and birthdays of individuals for the purpose of delivering tickets to events organized by the company, while other laws or rules do not require such information collection. Furthermore, the company shall delete all available information on ID numbers and dates of birth of individuals that has been collected for the purpose of identifying them upon delivery of sold tickets, to the extent that other laws or regulations do not prescribe that such information be stored. No later than April 8, 2022, Harpa shall send the Data Protection Authority confirmation that these instructions have been complied with.

III.
Application of sanctions
1.
Perspectives on the application of sanctions

Next, it will be examined whether Harpa should be fined by the government for the above-mentioned violations, cf. Article 46 Act no. 90/2018, Coll. also Article 83. Regulation (EU) 2016/679. In deciding in this regard and on the amount of the fine, the first paragraph shall be taken into account. Article 47 Act no. 90/2018, Coll. Paragraph 2 Article 83 of the Regulation. It lists issues that can either be of interest to the benefit of the party or to his disadvantage. The following points are considered in this case.





a. Of what nature, how serious and how long-lasting the violation is

According to point 1. Paragraph 1 Article 47 Act no. 90/2018, Coll. point a of the second paragraph. Article 83 of Regulation (EU) 2016/679, the nature, severity and duration of the violation must be taken into account, in terms of the nature, scope and purpose of the processing, as well as the number of registered individuals who suffered it and how serious the damage was.



In applying these provisions, the Data Protection Authority has in its implementation taken into account the number of individuals who are in the same situation, ie. who have suffered similar offenses, and not only those offenses that directly concern the person filing the complaint. In this connection, reference is made to Chapter II.3.a in the Agency's ruling of 15 June 2021 in case no. 2020010545.

In the present case, information was collected on the complainant's ID number. This is the processing of general personal information which is, however, subject to special conditions, cf. Article 13 Act no. 90/2018. Accordingly, this case only concerns personal information about the complainant. Despite this, it is clear from Harpa's answers that information on the ID numbers of many individuals has for a long time been collected in connection with their purchase of tickets for events organized by the company for the benefit of their delivery, ie. at least from the date of complaint on 9 April 2019 until the entry into force of Regulation no. 957/2020 on 5 October 2020, which required the collection of personal information in connection with event attendance. This should be taken into account when deciding on the imposition and amount of administrative fines.

On the other hand, in the opinion of the Data Protection Authority, it is clear that Harpa could not change this practice after rules were set for infection control, which required the registration of personal information in connection with event attendance. The collection of ID numbers on the basis of those rules therefore does not affect the assessment of how long the violation was.

There is also no evidence that the complainant or other individuals have suffered damage as a result of the processing.



b. Whether the offense was committed intentionally or through negligence

According to point 2. Paragraph 1 Article 47 Act no. 90/2018, Coll. paragraph 2 (b) Article 83 of Regulation (EU) 2016/679, it must be considered whether the violation was committed intentionally or negligently.



In the opinion of the Data Protection Authority, it can only be seen that Harpa collected the information in question in good faith that the processing was lawful. In addition, the company has relied on the fact that the processing has been in accordance with the accepted practice of companies in this country that carry out similar operations. Accordingly, it will be assumed that the offense was committed through negligence.



c. Responsibility of the guarantor or processor with regard to technical and organizational measures

According to point 4. Paragraph 1 Article 47 Act no. 90/2018, Coll. paragraph 2 (d) Article 83 of Regulation (EU) 2016/679, the amount of responsibility of the responsible party or processor must be taken into account with regard to the technical and organizational measures that they have implemented.
In the case in question and taking into account the available data, e.g. á m. Harpa's production agreement with Tix Miðasala ehf., it can only be seen that Harpa bears full responsibility for the production in question.





d. Previous offenses of the guarantor that matter, if any

According to point 5. Paragraph 1 Article 47 Act no. 90/2018, Coll. point e of the second paragraph. Article 83 of Regulation (EU) 2016/679, should be considered for previous offenses of the responsible party or processor that are relevant, if any.



No information is available on such violations that could be considered in this case.



e. Extent of cooperation with the Data Protection Authority

According to point 6. Paragraph 1 Article 47 Act no. 90/2018, Coll. paragraph 2 (f) Article 83 of Regulation (EU) 2016/679, the scope of co-operation with the Data Protection Authority must be considered in order to remedy a breach and reduce its harmful effects.



It is known that the Data Protection Authority had difficulty obtaining information on the matter from Harpa. In this connection, it is especially pointed out that Harpa's answers regarding the case were received by the Data Protection Authority in some cases after the deadline for responses had passed and following repeated requests, cf. further discussion in Chapter I.1. Harpa has claimed that the delay in responding was due, among other things, to changes in the company's staffing and the Covid-19 pandemic. In the opinion of the Data Protection Authority, this does not explain all the delays that have occurred in the company's responses. In this connection, it should be pointed out that the Agency granted the company additional time limits for these reasons during the operation of the case, which have not been respected in all cases. It will therefore be assumed that there is a lack of co-operation with the Agency in this respect, within the meaning of the cited provision.

On the other hand, it seems that Harpa has informed the Data Protection Authority about the planned changes to the ticket sales system aimed at making the registration of the ID number optional, as well as about training for customers in this regard, which could not be undertaken due to the company's obligation to register Visitor Information, in accordance with Covid-19 Pandemic Legislation and Regulations. Harpa has also requested instructions from the Data Protection Authority on the correct implementation regarding the processing in question. The Data Protection Authority considers that this may be Harpa's efforts to make the necessary improvements.

Following a comprehensive assessment of the above points of view, it is appropriate to respect Harpa's lack of co-operation to some extent.

2.
Result on the levy and the amount of the fine

According to the first paragraph. Article 46 Act no. 90/2018, Coll. Article 83 of Regulation (EU) 2016/679, the Data Protection Authority may impose administrative fines on each responsible party or processor pursuant to Art. Paragraph 4 of the provision that violates any of the provisions of the Regulation and the Act listed in the second and third paragraphs. of the provision.



In point 1. Paragraph 3 Article 46 Act no. 90/2018, Coll. paragraph 5 (a) Article 83 of Regulation (EU) 2016/679, states that violations of the basic rules on processing according to Articles 5, 6, 7 and 9 of the Regulation may be subject to administrative fines. However, a violation of Article 13 of the Act not administrative fines.

As stated earlier, Harpa violated the provisions of Article 9. Act no. 90/2018 and Article 6. Regulation (EU) 2016/679 on processing authorizations, principle of point 3. Paragraph 1 Article 8 of the Act and point c of the first paragraph. Article 5 of the Regulation on Data Minimization, and the principle of point 1. Paragraph 1 Article 8 of the Act and item a of the first paragraph. Article 5 of the Regulation on Legality, Fairness and Transparency.

In view of all the above, it is the conclusion of the Data Protection Authority that an administrative fine should be imposed on Harpa.

According to the above, the amount of administrative fines for violations of the aforementioned provisions is subject to the third paragraph. Article 46 Act no. 90/2018, Coll. Paragraph 5 Article 83 Regulation (EU) 2016/679. Administrative fines according to para. of the provision can amount to ISK 100,000. to ISK 2.4 billion. or in the case of a company up to 4% of the company's total annual turnover worldwide in the preceding financial year, whichever is higher, and a fine has been determined accordingly.

In view of the views outlined above on the determination of sanctions, the administrative fine is deemed to be appropriately set at ISK 1,000,000.

U r s k u r ð a r o r ð:

Harpa music and conference center ohf. violated Article 9. Act no. 90/2018 and Article 6. Regulation (EU) 2016/679 on processing authorizations, principle of point 3. Paragraph 1 Article 8 of the Act and point c of the first paragraph. Article 5 of the Regulation on Data Minimization and the principle of point 1. Paragraph 1 Article 8 of the Act and item a of the first paragraph. Article 5 of the Regulation on Legality, Fairness and Transparency by collecting information on ID number and date of birth [A] due to his purchase of a ticket for an event organized by the company. Then Harpa broke the music and conference center ohf. against the provisions of Article 13. of the Act by collecting information on ID number [A].



It is proposed to Harpa Music and Conference Center ohf. to stop collecting information on ID numbers and dates of birth in connection with individuals' purchase of tickets for events organized by the company, while other laws or regulations do not require such information collection. Furthermore, the company shall delete all available information on ID numbers and dates of birth of individuals that has been collected for the purpose of identifying them upon delivery of sold tickets, to the extent that other laws or regulations do not prescribe that such information be stored. No later than April 8, 2022, Harpa shall send the Data Protection Authority confirmation that these instructions have been complied with.

A fine of ISK 1,000,000 is imposed on Harpa Music and Conference Center Ltd. The fine shall be paid to the Treasury within one month from the date of this ruling, cf. Paragraph 6 Article 46 Act no. 90/2018.

Privacy, March 8, 2022

Ólafur Garðarsson

chairman



Björn Geirsson Sindri M. Stephensen



Vilhelmína Haraldsdóttir Þorvarður Kári Ólafsson