Persónuvernd - 2020010382
|Relevant Law:||Article 5(1)(f) GDPR, Article 32 GDPR, Article 83(2)(c) GDPR|
|Parties:||Breiðholt Multicultural School|
|National Case Number/Name:||2020010382|
|European Case Law Identifier:||n/a|
|Original Source:||Persónuvernd (in IS)|
Persónuvernd imposed a fine of 1 300 000 ISK (approx. 9000 euro) on Breiðholt Multicultural School for lacking technical and organisational measures and being in breach of Article 5(1)(f) and Article 32 GDPR. The security breach took place when a teacher mistakenly attached a document, which included special categories of data from earlier interviews, in an email to new students at the school.
English Summary
Facts
Persónuvernd received a notification of a personal data breach from Breiðholt Multicultural School. According to the notification, a teacher mistakenly sent new students an email with an attachment containing sensitive information about earlier students. The attachment included information about interviews that had been conducted the previous semester. The document contained special categories of data concerning the former students. The comments included information about the students’ well-being, learning outcomes and social conditions. The information was to a large extent about qualities that the students lacked. In one case it related to the involvement of the child protection authorities. In another case there was information about mental health, and in another, physical health.
Holding
Persónuvernd highlighted that personal data must be processed in accordance with the principles found in Article 5 GDPR, in this case Article 5(1)(f) GDPR. In addition, Persónuvernd highlighted Article 32 GDPR as operationalising the requirement to implement adequate technical and organisational measures to ensure the secure processing of personal data.
In light of the requirements for controllers to provide adequate security of personal data, Persónuvernd found that the dissemination of special categories of data was not in line with the requirements of the GDPR.
With reference to Article 83(2)(c), the Supervisory Authority took into account the mitigating actions taken by the school when assessing the fine.
English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.