Icelandic SA: the municipality of Kópavogur fined EUR 19.907 for the use of Google Workspace for Education

26 April 2024

Background information

  • Date of final decision: 28/11/2023
  • National case
  • Controller: the municipality of Kópavogur
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), Article 28 (Processor), Article 35 (Data protection impact assessment), Article 44 (General principle for transfers), Article 46 (Transfers by way of appropriate safeguards)
  • Decision: Compliance order, Administrative fine
  • Key words: accountability, purpose limitation, data minimisation, storage limitations, data processing agreement, data protection impact assessment, transfer to third countries, children, education, cloud-based services

 

Summary of the Decision


Origin of the case  

In October 2021, the EDPB selected “the use of cloud in the public sector” for its 2022 Coordinated Enforcement Action. The Icelandic SA decided to investigate the use of cloud services in elementary schools as part of this coordinated action. The investigation was limited to the use of Google Workspace for Education, Google’s educational system, in the five largest municipalities in Iceland, in addition to the use of Seesaw in the municipality of Kópavogur. This case only concerns the use of Google’s educational system in the municipality of Kópavogur.


Key Findings 

The Icelandic SA’s investigation revealed that students’ personal data were processed not only on the instructions of the municipality of Kópavogur, but also for Google’s own purposes. The municipality failed to demonstrate how further processing by Google was compatible with the purpose for which students’ personal data were initially collected, i.e. to provide education in accordance with the national compulsory school act.

The Icelandic SA concluded that the municipality of Kópavogur infringed multiple Articles of the GDPR through its use of Google’s educational system, namely:

  • Failure to ensure and to be able to demonstrate that processing is performed in accordance with the Regulation (Articles 5, 24(1) & 28(1) GDPR)
  • Data processing agreement did not meet the minimum requirements (Article 28(3)(a) GDPR)
  • Failure to demonstrate a specified, explicit, and legitimate purpose for all processing operations (Article 5(1)(b) GDPR)
  • Failure to ensure that data is not further processed in a manner that is incompatible with the initial purpose (Articles 5(1)(b) & 6(4) GDPR)
  • Failure to ensure data minimisation (Articles 5(1)(c) & 25 GDPR)
  • Failure to ensure a proportionate storage period (Article 5(1)(e) GDPR)
  • Failure to carry out a data protection impact assessment (Articles 35(1) & 35(11) GDPR)
  • Data transferred to the United States without appropriate safeguards (Articles 44 & 46 GDPR)


Decision 

The Icelandic SA ordered the municipality of Kópavogur to bring the processing operations in Google’s educational system into compliance with the Regulation. Furthermore, the Icelandic SA imposed a fine of approximately EUR 19.907 (ISK 3,000,000) on the municipality of Kópavogur.

 


The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.