May 262022
 
 May 26, 2022  Posted by  Breaches, Non-U.S.

Background information

Date of final decision: 3 May 2022
National case:  2020051610
Controller:  HEI ehf. (HEI – Medical Travel)
Legal Reference: lawfulness of processing (Article 6), right of access (Article 15)
Decision: infringement of the GDPR, fine 1.5 million ISK (approx. 10.700 Euros).
Key words: lawfulness of processing, access request, e-mail list, erasure of personal data.

Summary of the Decision

Origin of the case

A complaint was made to the Icelandic SA about the use of the complainant’s e-mail address at HEI ehf., a medical travel agency in Iceland, as well as the company’s handling of the complainant’s request for access.

Key Findings

In its decision, the Icelandic SA notes that an employee at HEI ehf. had obtained the complainant´s, and several other doctors´, e-mail addresses, by logging into the internal website of the Icelandic Medical Association, with the access of a doctor who was a family member of the employee. HEI used the mailing list to send a targeted e-mail to doctors, including the complainant. In determining the fine, the Icelandic DPA considered that even though HEI had considered itself authorized to use the list, there was nothing in the case that proved that the company had ascertained the lawfulness of processing.

Furthermore, the complainant’s request for access had not been processed in accordance with the law. After the complainant had requested access of his data, the company erased his data. The company could therefore not answer the Icelandic SA´s questions on how many doctors were on the mailing list.

Decision

When deciding the fine, the Icelandic SA took into account, among other things, how the mailing list was collected and then used as well as the erasure of the complainant’s data. HEI ehf. was fined 1.5 million ISK (approx. 10.700 Euros).

For further information: decision in national language Vinnsla á persónuupplýsingum og afgreiðsla aðgangsbeiðni hjá HEI – Medical Travel – sektarákvörðun.

 

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.

Source: EDPB

Sorry, the comment form is closed at this time.