Controller and processor fined by Icelandic DPA after app collected an unnecessary amount of data without the necessary consent.
At the start of the COVID-19 pandemic the Icelandic government issued gift cards to adult citizens due to the economic strain brought on by the effects of the pandemic. They were issued through an app that was created extremely quickly due to time constraints. As a result, the app settings were inadequately adjusted. This led to several personal data issues, specifically the unnecessary collection of substantial amounts of personal data and the collection of access rights to users’ mobile devices. There were several complaints to the Icelandic DPA when the app was first published, from data subjects concerned about the amount of personal data that the app was using as well as the access rights that the app had to their mobile devices.
An unnecessary amount of data was being processed, without the necessary consent.
Due to the speed of publication of the app, coupled with human error, an unnecessary amount of personal data was processed. This was due to the fact that the app’s settings were not adjusted appropriately. These settings also led to the collection of access rights on users’ mobile devices. The Icelandic DPA then discovered that the necessary consent was also not obtained from data subjects. This was a violation of Article 7 of the GDPR, which outlines the conditions for valid consent. In addition, Article 12 (transparency) and Article 13 (information to be provided where personal data are collected from the data subject) we’re not met, the Icelandic DPA concluded that the information given to data subjects was insufficient.
The controller and processor were both fined €50,800 and €27,100 respectively.
The Icelandic DPA, in coming to a decision on a fine for this, took into account the fact that there were multiple GDPR violations. There were several GDPR violations associated with the use of this app including Principles relating to processing of personal data (Article 5), Lawfulness of processing (Article 6), Conditions for consent (Article 7), Processing of special categories of personal data (Article 9), Transparency (Article 12), Information to be provided where personal data are collected from the data subject (Article 13), Responsibility of the controller (Article 24), Data protection by design and by default (Article 25), and Processing contract (Article 28(3)), Security of processing (Article 32). In addition to this, the Supervisory Authority considered the nature and scope of the processing as well as the number of data subjects possibly affected. Both the Ministry of Industries and Innovation and the company YAY ehf we’re fined €50,800 and €27,100 respectively.