The Icelandic Data Protection Authority published two administrative fine decisions earlier this week. These are the first decisions of the Authority where administrative fines are imposed.

Both decisions concerned data breaches and the lack of appropriate security measures.

The first fine was imposed on the National Center of Addiction Medicine (“S.Á.Á”), in the amount of EUR 20.643. The case concerned a data breach at S.Á.Á. which occurred when a former employee, which had left his job a year before the breach was detected and reported, received boxes that were supposed to only contain his personal belongings, contained as well significant amount of patient data. This included records containing the names of approximately 3.000 people who had attended rehabilitation for alcohol and substance abuse and detailed health records of 252 former patients. The documents included detailed data such as therapist notes from interviews with patients, which included information related to health and criminal conduct. The Data Protection Authority considered the processing to be a processing of sensitive personal data over a long period of time which affected a significant number of patients, as well as their families.

The second fine was imposed on an upper secondary school in Reykjavík, the amount of EUR 8.945. The case concerned a data breach which occurred when a teacher at the school sent an e-mail to his students and their parents/guardians, 57 people in total. Attached to the e-mail was a document that the teacher believed to contain information on consultation appointments. By mistake, the attachment however included information about interviews that had previously been taken with other students, 18 in total. The document therefore included sensitive personal data about the teacher’s students from the previous year, including information about the well-being of the students, their study performance and social conditions. In limited cases the data included information on intervention by child protection services and student's physical as well as mental illness.

Both data breaches were adequately reported to the Icelandic Data Protection Authority, but the Authority concluded that the breaches were a result of a lack of implementation of appropriate data protection policies and appropriate technical and organisational measures to protect the data by the controllers. Neither controller had taken sufficient measures to ensure that the personal data of their clients and students would not become available to unauthorised persons.

It may not come as a surprise that the first fines in Iceland concern lack of appropriate security measures. Since the GDPR entered into force in May 2018, European data protection authorities have issued 123 administrative fines. Of those, 51 decision relate to a lack of appropriate security measures and the highest fines also concern such infringements.

The Icelandic market has been waiting to see how the Icelandic Authority will handle its powers to impose administrative fines, as the Authority did not have such power before the implementation of the GDPR. It is only now, nearly two years after the GDPR has been implemented, that the Authority has used these powers. It will thus be interesting to see whether the troll is finally awake and whether we can expect more decisions like these in the coming months.