Data protection fines over ‘travel gift’ app

25.11.2021 - 13:26
Mynd með færslu
 Mynd: RÚV
Persónuvernd, the data protection authority, has issued a fine to the Ministry of Industries and Innovation and to the company Yay for breaching basic data protection rules. The ministry and the company violated the ‘educational obligation’, and transparency and security of personal information requirements when they released the app people used to access the government’s Ferðagjöf, or ‘travel gift’.

Persónuvernd has fined the ministry 7.5 million krónur, as it was responsible for the implementation of the Ferðagjöf scheme, and Yay, which designed the app, four million krónur. 

The ministry did not ensure permission for the processing of personal information, and also did not ensure fairness and transparency as the project was implemented. One illustration of this was in the fact that users were only asked to accept the general conditions of Yay, the app developer, and not any special permission for processing personal data when logging into the app. As well as this, Yay also demanded more access permissions of its users than the app really needed.  

The app required calendar access that it did not actually need. Representatives of Yay have admitted this was an accident and that it was indeed unnecessary. Yay also did not fulfil Persónuvernd rules on in-built and automatic data protections in the set-up of the app. Neither the company nor the ministry engaged appropriate technical and planning measures to ensure secure processing of personal data, including in the adjustment and shaping of app settings. There was also no working contract signed between the two, which was also against the law. 

Persónuvernd Points out that remedial action was taken late, despite requests from the Authority, which resulted in users needing to approve inappropriate user terms until the project ended. 

Click to follow RÚV English on Facebook.