Details:
| Summary | The Icelandic DPA has imposed a fine of EUR 16,600 on the municipality of Garðabær. The municipality had used the Google Education system without sufficiently complying with data protection regulations. In particular, the municipality did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the municipality did not ensure that the student data was not processed for purposes other than those specified by the municipality. Furthermore, the retention period was not considered appropriate but rather too extensive. In imposing the fine, particular consideration was given to the protection of sensitive children’s data. Although no demonstrable damage had occurred, it was criticized that Garðabær had not sufficiently ensured the secure transfer of data to the US in the past. However, the municipality cooperated transparently with the data protection authority and revised its data protection practices. |
| Link: | link |
| Related articles: | Art. 5 (1) GDPR, Art. 24 (1) GDPR, Art. 28 GDPR |
| Type: | Non-compliance with general data processing principles |
| Fine: | EUR 16,600 |
| Sector | Public Sector and Education |
All data is based on The CMS’s Law GDPR Enforcement Tracker Source: https://www.enforcementtracker.com/