Iceland Iceland

Sjúkratyringur Íslands

13,400 €

GDPR enforcement action by Icelandic data protection authority ('Persónuvernd') on 2023-06-28.

Rank · Sector
#121
of 270 in Health Care
Rank · Iceland
#16
of 22
Rank · All fines
#1,242
of 3,051

Case details

Authority
Icelandic data protection authority ('Persónuvernd')
Date
2023-06-28
Controller / Processor
Sjúkratyringur Íslands
Sector
Health Care
Quoted Articles
Art. 5 (1) f) GDPR, Art. 25 GDPR, Art. 32 GDPR
Type of violation
Insufficient technical and organisational measures to ensure information security

Summary

The Icelandic DPA has imposed a fine of EUR 13,400 on Sjúkratyringur Íslands. During its investigation, the DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data.
This included the lack of multi-factor authentication for access to health information and the controller's use of real data in the development of a system.

In assessing the fine, it was considered aggravating that a large number of individuals were affected by the security deficiencies. A mitigating factor was the fact that the controller cooperated fully with the investigation and implemented the measures ordered.

Open original source Links to the regulator's original publication or another source.

Related fines

Iceland
Iceland
2023-06-27
257,000 €
ETid-1952
Creditinfo Lánstraust hf.
Finance, Insurance and Consulting
Iceland
Iceland
2023-07-03
81,000 €
ETid-1940
Heilsuveru
Health Care
Iceland
Iceland
2021-11-23
51,000 €
ETid-916
Icelandic Ministry of Industry and Innovation
Public Sector and Education
Iceland
Iceland
2023-06-27
51,000 €
ETid-1948
eCommerce 2020 ApS
Finance, Insurance and Consulting
Iceland
Iceland
2022-05-03
36,000 €
ETid-1154
City of Reykjavík
Public Sector and Education
Iceland
Iceland
2025-02-17
34,300 €
ETid-2602
Primary Health Care in the Capital Area
Health Care
Back to all fines