Persónuvernd - 2020031243: Difference between revisions

Latest revision as of 10:03, 6 May 2021

Persónuvernd - 2020031243

Authority:	Persónuvernd (Iceland)
Jurisdiction:	Iceland
Relevant Law:	Article 8 GDPR
Type:	Complaint
Outcome:	Upheld
Started:
Decided:	07.04.2021
Published:	15.04.2021
Fine:	None
Parties:	n/a
National Case Number/Name:	2020031243
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Icelandic
Original Source:	Personuvernd (in IS)
Initial Contributor:	n/a

The Icelandic DPA held that a primary school was not permitted to disclose information about a child to a consulting company after termination of collaboration.

English Summary

Facts

On March 21, 2020, the DPA received a complaint that a primary school had sent an e-mail containing sensitive information about a child to a counseling company after the school's partnership with the company ended.

According to the complainant, the company KVAN was hired by a school to work on the bullying case of the complainants’ child. The municipality’s education department and the complainant decided that the school's bullying team would take over the case from KVAN and that the company would not be further involved in the case.

Three weeks after that decision, a KVAN employee sent an e-mail to a school employee asking about the status of the complainant's child. On the same day, an employee of the school replied to the e-mail and provided information on the status of the case, without the complainants' consent. The e-mail contained the child's name and sensitive personal information about it. The complainants only became aware of this after requesting access to all data about themselves and their child at the school.

According to the school, the employee that had replied to KVAN’s e-mail had not been aware that the collaboration with the company had been terminated and he had therefore been in good faith in his communication. The e-mail did not contain any new personal information that the KVAN employee in question was not already aware of. Despite this, the municipality has apologized to the complainants.

Dispute

Holding

The DPA found school’s behavior reprehensible in light of the nature of the documents in question that the school did not ensure that all employees who were involved in the complainant's child's case were informed that the termination of collaboration with KVAN. The fact that the recipient of the e-mail had already been informed of the case and therefore it was not new information except to a limited extend did not matter.

The DPA considered that there was no authorization for the school to pass on personal information about the complainant's child to the consulting company KVAN after the collaboration with it ended. For that reason alone, the DPA held that the processing of personal information about the complainant's child was not in accordance with Act no. 90/2018 on personal protection and processing of personal information and GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

The Data Protection Authority has ruled in a case where it was complained that the primary school had passed sensitive personal information about the complainant's child to a counseling company after the decision was made that the company would no longer be involved in the case of the child being treated at the school. The ruling concludes that the school was not allowed to continue disseminating personal information about the student to a self-employed consulting company after the decision was made that the company would no longer be involved in the student's case. Did not change that, even though the recipient of the e-mail had already been informed of the case and therefore it was not new information except to a limited extent.

Ruling
On April 7, 2021, the Data Protection Authority issued a ruling in case no. 2020031243:

I.
Procedure

1.
Outline of case
On March 21, 2020, the Data Protection Authority received a complaint from [A] and [B] (hereinafter referred to as the complainants) that [primary school X] had sent an e-mail containing sensitive information about their child to a counseling company after the school's partnership with the company ended.

By e-mail from the Data Protection Authority to the complainants on 29 September 2020, the subject of the complaint was further defined and a reply was received from the complainants by e-mail on 5 October. By letter dated On 5 October 2020, [compulsory school X] was invited to submit explanations regarding the complaint. The answer was by letter dated. November 6, 2020.

All the above documents have been taken into account in resolving the case, although not all of them are specifically described in the following ruling.

2.
Complainants' views
On behalf of the complainants, it has been stated that the company KVAN has been hired to work on the bullying case of the complainant's child who attends [primary school X]. In [...] a joint decision was made by the education department of [municipality Y, [primary school X] and the complainants that the school's bullying team would take over the case from KVAN and that the company would not be further involved in the case. Three weeks after that decision [...], a KVAN employee sent an e-mail to an employee [primary school X] asking about the status of the complainant's child. On the same day, an employee of the school replied to the e-mail and provided information on the status of the case, without the complainants' consent. The e-mail contained the child's name and sensitive personal information about it.

The complainants only became aware of this after requesting access to all data about themselves and their child at [primary school X].

3.
Perspectives [primary school X]
[Primary school X] has stated that the consulting company KVAN has been contacted in connection with the bullying case of the complainant's child at the school. KVAN's consultant has been working on the case [for several months] or until it has been decided that KVAN will not be further involved in the case and that the bullying team [primary school X] will take over. Three weeks later, a KVAN employee sent an e-mail to an employee [elementary school X] asking about the situation. An employee of the school had replied to the e-mail, but the employee had not been aware that the collaboration with KVAN had been terminated and he had therefore been in good faith in his communication with KVAN. The e-mail did not contain any new personal information that the KVAN employee in question was not already aware of. Despite this, the municipality has apologized to the complainants.

II.
Assumptions and conclusion

1.
Scope - Responsible
Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automated and the processing by other methods than automatic of personal data that are or are to become part of a file.

This case concerns the dissemination of personal information about the complainant's child by [compulsory school X] and therefore falls within the competence of the Data Protection Authority.

The dissemination of personal information took place on behalf of [compulsory school X] and [compulsory school X] will therefore be considered responsible for the processing in question, cf. 6. tölul. Article 3 Act no. 90/2018, Coll. 7. tölul. Article 4 of the Regulation.

2.
Conclusion
All processing of personal data must be subject to one of the authorization provisions of Article 9. Act no. 90/2018, Coll. Article 6 Regulation (EU) 2016/679. It may be mentioned that personal information may be processed if it is necessary to fulfill a legal obligation that rests with the responsible party, cf. 3. tölul. Article 9 of the Act (cf. item c of the first paragraph of Article 6 of the Regulation), or in the exercise of public authority, cf. 5. tölul. of the legal provision (cf. item e of the regulatory provision). In addition, the processing of sensitive personal data, such as personal data concerning the physical or mental health of an individual, must comply with any of the additional conditions of paragraph 1. Article 11 of the Act, cf. Article 9 of the Regulation.

In assessing whether the processing is authorized, the provisions of other applicable laws must also be considered. Act no. 91/2008 on compulsory schools and rules set according to them, for example Regulation on the responsibilities and obligations of members of the school community in compulsory schools no. 1040/2011.

Although it can be accepted that compulsory schools have an obligation to respond to and process bullying cases in accordance with the above, it cannot be seen that the school is allowed to continue disseminating personal information about students to a self-employed counseling company after a decision has been made that the company no longer exists. to the case. The Data Protection Authority considers it reprehensible in light of the nature of the documents in question that [compulsory school X] did not ensure that all employees who were involved in the complainant's child's case were informed that the collaboration with KVAN had ended. Does not change the fact that the recipient of the e-mail has already been informed of the case and therefore it is not new information except to a limited extent.

According to the above, it will not be considered that there was an authorization for [primary school X] to pass on personal information about the complainant's child to the consulting company KVAN after the collaboration with it ended. For that reason alone, the Data Protection Authority considers that the processing [of primary school X] of personal information about the complainant's child has not been in accordance with Act no. 90/2018, on personal protection and processing of personal information, cf. Regulation (EU) 2016/679.

Ú r s k u r ð a r o r ð:
The dissemination of [primary school X] of personal information about child [A and B] by e-mail to KVAN [...] was not in accordance with Act no. 90/2018, on personal data protection and processing, and Regulation (EU) 2016/679.

Privacy, April 7, 2021

Helga Þórisdóttir Helga Sigríður Þórhallsdóttir

@@ Line 81: / Line 81: @@
 <pre>
-      Creditinfo processing
+  The Data Protection Authority has ruled in a case where it was complained that the primary school had passed sensitive personal information about the complainant's child to a counseling company after the decision was made that the company would no longer be involved in the case of the child being treated at the school. The ruling concludes that the school was not allowed to continue disseminating personal information about the student to a self-employed consulting company after the decision was made that the company would no longer be involved in the student's case. Did not change that, even though the recipient of the e-mail had already been informed of the case and therefore it was not new information except to a limited extent.
-Lánstraust hf. in connection with the preparation of credit reports
-      Case no.
-2020010708
-.4.2021
-      Privacy has ruled that
-Creditinfo has been authorized to use information on previous registrations on
-defaults in the preparation of credit ratings for individuals with reference to previous precedents
-on the same subject. Furthermore, the Data Protection Authority ruled that Creditinfo did not
-required by law to consider the income and assets of individuals in making
-reports on the credit rating of individual data Privacy can not be met
-the complainant's request that the processing of information about him by Creditinfo be stopped and
-registration of the company's default register would be terminated unless he authorized it.
-    Ruling
+Ruling
-On March 18, 2021, the Data Protection Authority issued a ruling in case no.
+On April 7, 2021, the Data Protection Authority issued a ruling in case no. 2020031243:
-2020010708 (former case no. 2019122373): I. Proceedings 1. Abstract
-case On December 18, 2019, the Data Protection Authority received a complaint from [A] (hereinafter)
-complainant) over the processing of personal information about him by Creditinfo Lánstraust
-hf. (Creditinfo) in connection with the preparation of reports on his credit rating. By e-mail, dated April 14, 2020, the Data Protection Authority requested further information
-information from the complainant. The complainant's reply was received by e-mail the same day. With
-letter, dated. June 23, 2020, the Data Protection Authority requested further information from
-complainant. The complainant's reply was received by two emails on 7 July 2020 and 3.
-October s.á. By letter dated November 2, 2020, Creditinfo was notified of the above
-complaint and given the opportunity to comment on it. Creditinfo's reply was received
-Privacy 23 November s.á. All of the above have been taken into account in resolving the case
-data, although not all of them are specifically described in the following
-ruling. The handling of this case has been delayed due to heavy work at the Data Protection Authority. 2. Perspectives
-complainantComplains about it
-that Creditinfo stores and uses information about the complainant's previous defaults
-to Arion Bank when preparing credit rating reports for four years
-registration, even though they have long been settled. Creditinfo does not accept
-based on solvency and solvency, incl. the complainant's equity position at that time
-as credit rating reports are retrieved from Creditinfo's system
-financial institutions and other parties. The complainant states that he has requested
-correction of the assessment, but Creditinfo aims to preserve these
-information, through Arion Bank. The complainant considers that
-information about his previous defaults is unreliable and misleading. He refers to
-that can not be considered normal to defaults, which were not due
-bankrupt or advertised in Lögbirtingarblaði, live for years after they have
-have been settled with a financial institution or other parties. Requires its complainant
-that the processing will be stopped and registration in Creditinfo's default register will be stopped unless
-the person registered is her home. Wishes complaining
-also after receiving information on the method used for calculations
-on his credit rating. It will not be seen what quality control is going on already
-credit rating calculations are performed. Then it is reprehensible to use information about
-defaults that have long since been settled in this way against interests
-of the individual. The complainant was in no way able to influence
-calculations or receive information in a transparent way about how it was calculated
-was that he had the credit rating that Creditinfo had sold to a third party
-party. 3. Perspectives
-Creditinfo Lánstraust hf. Creditinfo refers to
-that according to Act no. 33/2013 on consumer loans, great emphasis is placed on doing so
-is a reliable credit rating in the run-up to the consumer loan agreement and reports
-Creditinfo is intended to be useful in preparing such an assessment. Privacy has
-consider that it does not constitute an unauthorized disclosure of information
-default claims that have been submitted, that they affect the outcome
-credit rating reports, within the time limits provided by Creditinfo's operating license, provisions
-Act on Personal Data Protection and Processing of Personal Data no. 90/2018 and provisions
-of Regulation no. 246/2001 set, provided that the information itself is available
-does not reach the recipients of the assessment. It is referred to that in para. Articles 2.7. í
-the current operating license of Creditinfo from 29 December 2017 (case no. 2017/1541), which
-was renewed on 28 June 2019 (case no. 2019/1202), is discussed
-deletion of information. It states, among other things, that information on
-individual debts are known to have been repaid. Then it should be deleted
-information from the register when they are four years old. In the article replaced
-also stated that the company may store information for an additional three years and may
-use the information to comply with requests from registered individuals
-knowledge of the processing of personal information about themselves and to resolve disputes about
-the validity of the registration. A maximum of four years have elapsed since registration
-information on the default register may also be used for preparation
-credit rating at the request of the data subject, provided that no information is provided
-the requirements themselves only hold statistical results, cf. Paragraph 2
-Articles 2.7. The previous registrations which had affected the complainant's credit rating,
-at the time the complaint was filed, was dated 27 June 2017
-and June 14, 2018 and therefore be less than four years old. Credit rating
-Creditinfo assesses the probability of default and registration in the default register for the next twelve
-months. The statistical prediction of future events must be based on historical
-information such as the return and payment history. No default information
-and the history of payment in the past does not affect the credit rating is the basis
-pulled away from the usefulness of the assessment. Such an assessment would not satisfy the provisions of Article 5.
-Act no. 33/2013 on consumer loans and would run counter to comments on Article 10. í
-a bill that became that law, which states that a credit rating can
-among other things, based on punctuation and payment history. It has proven to be historic
-information on returns, defaults and payment history has great predictive value
-probability of default in the future. II.Conditions
-and conclusion1. Scope
-Guarantor Scope of Act no.
-/2018, on the protection of personal data and the processing of personal data, and Regulation (EU)
-/679, Coll. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf.
-Paragraph 1 Article 39 of the Act, covers the processing of personal information that is automatic
-part or whole and processing by methods other than automatic on
-personal information that is or should be part of a file. For personal information
-information about an identified or personally identifiable individual and
-an individual is considered personally identifiable if it is possible to personally identify him / her directly
-or indirectly, by reference to his identity or one or more elements which
-are characteristic of him, cf. 2. tölul. Article 3 of the Act and point 1. Article 4
-of the Regulation.With processing means
-in an action or sequence of actions in which personal information is processed, either
-which the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2.
-Article 4 of the Regulation.This case relates to
-processing of the complainant's personal data when preparing his credit rating
-Creditinfo. In that respect
-and having regard to the above provisions, this case concerns processing
-personal information that falls within the competence of the Data Protection Authority. There is also a complaint
-request information on the method used to calculate credit ratings
-complainant. In that regard, it is worth looking at
-The tasks of the Data Protection Authority are described in more detail in Article 39. Act no. 90/2018 and according to
-therefore, the agency monitors that processing complies with Act no. 90/2018 and
-Regulation (EU) 2016/679, special provisions in laws concerning the processing of personal data
-and other rules on the subject. With reference to this, cf. also justification in
-ruling of the Data Protection Authority, dated 11 September 2020, in case no.
-2020010592, will not be seen for inspection
-The Data Protection Authority will review the mathematical calculation formula and
-Creditinfo's probability assessment in connection with the calculation of individuals' credit ratings.
-That part of the complaint must therefore be considered to fall outside the scope
-of the Data Protection Act and thus the authority of the Data Protection Authority. However, it does fall into place
-the role of the Data Protection Authority is to assess the proposed criteria
-basis for making credit ratings for individuals, such as whether Creditinfo is
-may use information on previous registrations in the default register. The person responsible
-that the processing of personal information complies with Act no. 90/2018 is mentioned
-responsible party. According to point 6. Article 3 of the Act refers to an individual,
-a legal entity, government authority or other party that decides alone or in cooperation with others
-purpose and methods of processing personal information, cf. 7. tölul. Article 4 of the Regulation.
-Creditinfo has over
-to employ information systems on financial matters and creditworthiness and work with
-information in them in order to communicate them to subscribers. That processing is on
-Creditinfo's responsibility and the company is therefore considered to be responsible for that processing
-which consisted of the use of the complainant's information recorded there
-made the company's reports on the assessment of the complainant's credit rating. 2. Operating license
-Creditinfo Lánstraust hf. Operation of a financial information office and processing of relevant information
-financial issues and creditworthiness of individuals and legal entities, incl. default registration
-and the preparation of credit ratings, in order to communicate them to others, shall be subject to authorization
-Privacy, cf. Paragraph 1 Article 15 Act no. 90/2018. Creditinfo's activities
-is largely covered by this provision and has been granted by the Data Protection Authority
-the company has an operating license in accordance with it, cf. now in terms of individuals
-Creditinfo's operating license for the processing of financial information and
-credit, dated. 29 December 2017 (case no. 2017/1541 with the Data Protection Authority).
-The Data Protection Authority has also granted the company an operating license for processing
-information on legal entities, dated 23 December 2016 (case no. 2016/1822 at
-Privacy), and temporary operating licenses for the processing of personal information in
-in favor of a credit rating, dated 23 August 2018 (case no. 2018/1229 at
-Privacy). 3. Legality of processing All processing of personal information must be covered
-any of the authorization provisions of Article 9. Act no. 90/2018, Coll. Article 6 of the Regulation
-(ESB) 2016/679. These include point 6. of the provision, cf. point e of the first paragraph. Article 6
-of the Regulation, which states that the processing of personal data is permitted if
-it is necessary for legitimate interests as a guarantor or third party
-may except the interests or fundamental rights and freedoms of the data subject which require
-protection of personal data is more important. The Data Protection Authority considers this provision to be applicable
-on the processing of personal information that takes place in Creditinfo's information systems in
-in connection with the preparation of reports on the complainant's credit rating. In addition to the authorization according to the above, there will be processing
-personal data to comply with the principles of the first paragraph. Article 8 Act no. 90/2018. Er
-among other things, it stipulates that personal information must be processed legally,
-fair and transparent to the data subject (point 1); that they should
-obtained for clearly stated, legitimate and objective purposes and not processed
-rather for other and incompatible purposes (paragraph 2); that they should be
-adequate, appropriate and not in excess of what is necessary for the purpose
-of processing (point 3); and that they should be reliable and updated accordingly
-needs (point 4) In the light of the above, it should be borne in mind that
-Privacy has several times before taken the position that Creditinfo has
-may use information on previous entries in the default register
-preparation of credit ratings for individuals. Please refer to it for a ruling
-Privacy, dated 11 September 2020, in case no. 2020010592, where
-the agency came to the conclusion that Creditinfo was allowed to use
-information on entry in the company's default register when preparing credit rating reports
-the complainant, for a maximum of four years from the registration of that information, cf. provisions
-in Creditinfo's operating license thereon. Regarding the rationale of the Data Protection Authority
-In this regard, reference is made to the above-mentioned ruling of the institution, which the Data Protection Authority considers
-the same views apply in the case at hand. The complaint also comments that it has not
-if the complainant's asset position is taken into account when making a credit rating with Creditinfo.
-In this connection, it is to be considered that the Data Protection Authority has previously taken that position
-that Creditinfo was not obliged by law to look at income and assets
-individuals when preparing reports on the creditworthiness of individuals. Refer to it
-ruling of the Data Protection Authority, dated 22 June 2020, in case no. 2020010678 and
-ruling, dated 11 September 2020, in case no. 2020010592. Regarding
-the reasoning of the Data Protection Authority in this regard refers to the above rulings
-of the institution, but the Data Protection Authority considers the same views to apply in this case. Regarding the complainant's requirements for the processing of information on
-he at Creditinfo will be suspended and registration on the company's default register
-will be stopped unless he authorizes it to be considered by the Data Protection Authority
-previously ruled that such a claim cannot be met. Refer to it and
-justification for the ruling of the Data Protection Authority, dated January 25, 2016, in case
-no. 2015/1457, but the Agency considers the same views to apply in this case. In view of the above, the conclusion of the Data Protection Authority is that
-Creditinfo's processing of information on the complainant's previous entries in the default register
-in making a credit rating of him has complied with Act no. 90/2018, on privacy
-and processing of personal information. Ú r s k u r
-ð a r o r ð: Creditinfo processing
-Lánstraust hf. on personal information about [A] for the purpose of reporting on
-his credit rating complied with Act no. 90/2018, on personal data protection and processing
-personal data, and Regulation (EU) 2016/679. In Privacy, March 18, 2021Helga
-Þórisdóttir Helga Sigríður Þórhallsdóttir
+I.
+Procedure
+.
+Outline of case
+On March 21, 2020, the Data Protection Authority received a complaint from [A] and [B] (hereinafter referred to as the complainants) that [primary school X] had sent an e-mail containing sensitive information about their child to a counseling company after the school's partnership with the company ended.
+By e-mail from the Data Protection Authority to the complainants on 29 September 2020, the subject of the complaint was further defined and a reply was received from the complainants by e-mail on 5 October. By letter dated On 5 October 2020, [compulsory school X] was invited to submit explanations regarding the complaint. The answer was by letter dated. November 6, 2020.
+All the above documents have been taken into account in resolving the case, although not all of them are specifically described in the following ruling.
+.
+Complainants' views
+On behalf of the complainants, it has been stated that the company KVAN has been hired to work on the bullying case of the complainant's child who attends [primary school X]. In [...] a joint decision was made by the education department of [municipality Y, [primary school X] and the complainants that the school's bullying team would take over the case from KVAN and that the company would not be further involved in the case. Three weeks after that decision [...], a KVAN employee sent an e-mail to an employee [primary school X] asking about the status of the complainant's child. On the same day, an employee of the school replied to the e-mail and provided information on the status of the case, without the complainants' consent. The e-mail contained the child's name and sensitive personal information about it.
+The complainants only became aware of this after requesting access to all data about themselves and their child at [primary school X].
+.
+Perspectives [primary school X]
+[Primary school X] has stated that the consulting company KVAN has been contacted in connection with the bullying case of the complainant's child at the school. KVAN's consultant has been working on the case [for several months] or until it has been decided that KVAN will not be further involved in the case and that the bullying team [primary school X] will take over. Three weeks later, a KVAN employee sent an e-mail to an employee [elementary school X] asking about the situation. An employee of the school had replied to the e-mail, but the employee had not been aware that the collaboration with KVAN had been terminated and he had therefore been in good faith in his communication with KVAN. The e-mail did not contain any new personal information that the KVAN employee in question was not already aware of. Despite this, the municipality has apologized to the complainants.
+II.
+Assumptions and conclusion
+.
+Scope - Responsible
+Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automated and the processing by other methods than automatic of personal data that are or are to become part of a file.
+This case concerns the dissemination of personal information about the complainant's child by [compulsory school X] and therefore falls within the competence of the Data Protection Authority.
+The dissemination of personal information took place on behalf of [compulsory school X] and [compulsory school X] will therefore be considered responsible for the processing in question, cf. 6. tölul. Article 3 Act no. 90/2018, Coll. 7. tölul. Article 4 of the Regulation.
+.
+Conclusion
+All processing of personal data must be subject to one of the authorization provisions of Article 9. Act no. 90/2018, Coll. Article 6 Regulation (EU) 2016/679. It may be mentioned that personal information may be processed if it is necessary to fulfill a legal obligation that rests with the responsible party, cf. 3. tölul. Article 9 of the Act (cf. item c of the first paragraph of Article 6 of the Regulation), or in the exercise of public authority, cf. 5. tölul. of the legal provision (cf. item e of the regulatory provision). In addition, the processing of sensitive personal data, such as personal data concerning the physical or mental health of an individual, must comply with any of the additional conditions of paragraph 1. Article 11 of the Act, cf. Article 9 of the Regulation.
+In assessing whether the processing is authorized, the provisions of other applicable laws must also be considered. Act no. 91/2008 on compulsory schools and rules set according to them, for example Regulation on the responsibilities and obligations of members of the school community in compulsory schools no. 1040/2011.
+Although it can be accepted that compulsory schools have an obligation to respond to and process bullying cases in accordance with the above, it cannot be seen that the school is allowed to continue disseminating personal information about students to a self-employed counseling company after a decision has been made that the company no longer exists. to the case. The Data Protection Authority considers it reprehensible in light of the nature of the documents in question that [compulsory school X] did not ensure that all employees who were involved in the complainant's child's case were informed that the collaboration with KVAN had ended. Does not change the fact that the recipient of the e-mail has already been informed of the case and therefore it is not new information except to a limited extent.
+According to the above, it will not be considered that there was an authorization for [primary school X] to pass on personal information about the complainant's child to the consulting company KVAN after the collaboration with it ended. For that reason alone, the Data Protection Authority considers that the processing [of primary school X] of personal information about the complainant's child has not been in accordance with Act no. 90/2018, on personal protection and processing of personal information, cf. Regulation (EU) 2016/679.
+Ú r s k u r ð a r o r ð:
+The dissemination of [primary school X] of personal information about child [A and B] by e-mail to KVAN [...] was not in accordance with Act no. 90/2018, on personal data protection and processing, and Regulation (EU) 2016/679.
+Privacy, April 7, 2021
+Helga Þórisdóttir Helga Sigríður Þórhallsdóttir
 </pre>