Data protection fines over ‘travel gift’ app
Persónuvernd has fined the ministry 7.5 million krónur, as it was responsible for the implementation of the Ferðagjöf scheme, and Yay, which designed the app, four million krónur.
The ministry did not ensure permission for the processing of personal information, and also did not ensure fairness and transparency as the project was implemented. One illustration of this was in the fact that users were only asked to accept the general conditions of Yay, the app developer, and not any special permission for processing personal data when logging into the app. As well as this, Yay also demanded more access permissions of its users than the app really needed.
The app required calendar access that it did not actually need. Representatives of Yay have admitted this was an accident and that it was indeed unnecessary. Yay also did not fulfil Persónuvernd rules on in-built and automatic data protections in the set-up of the app. Neither the company nor the ministry engaged appropriate technical and planning measures to ensure secure processing of personal data, including in the adjustment and shaping of app settings. There was also no working contract signed between the two, which was also against the law.
Persónuvernd Points out that remedial action was taken late, despite requests from the Authority, which resulted in users needing to approve inappropriate user terms until the project ended.