National Center of Addiction Medicine fined ISK 3 million

On 5 March 2020, the National Center of Addiction Medicine received a privacy fine of ISK 3,000,000. The enforcement authority (Icelandic Data Protection Authority) cited these legal provisions in imposing the fine: Article 32 GDPR and Article 5 GDPR.


Date of enforcement action:
Jurisdiction: Iceland
Fine imposed: ISK 3,000,000 (US$21,000)
Defendant company or entity: National Center of Addiction Medicine
Industry segment: Medical / Non-profit

Case summary

On 5 March 2020, the Icelandic Supervisory Authority (SA) took the decision to impose an administrative fine of ISK 3,000,000 (EUR 20.643) on the National Center of Addiction Medicine in a case relating to a personal data breach.

The National Center of Addiction Medicine is an NGO that operates a detoxification clinic and four inpatient and outpatient rehabilitation centers, as well as a center for family services and a social center in Iceland. Its services are delivered by a staff of medical doctors, psychologists, registered nurses, nurse practitioners and licensed counselors.

The breach occurred when a former employee of the National Center of Addiction Medicine received boxes containing what were supposed to be personal belongings that he had left there. However, it turned out that the boxes contained patient data as well, including health records of 252 former patients and records containing the names of approximately 3,000 people who had attended rehabilitation for alcohol and substance abuse.

After investigating the data breach, the SA concluded that it resulted from the controller's failure to implement appropriate data protection policies and appropriate technical and organisational measures to protect the data. The lack of appropriate measures to protect the personal data therefore constituted violations of, inter alia, Art. 5(1)(f) and Art. 32 of the GDPR.

When determining the fine, the Icelandic Data Protection Authority referred to the nature of the personal data involved in the breach, which were data concerning health, and the large scope of the processing. The SA also cited the nature of the National Center of Addiction Medicine as a non-profit health care provider and the fact that the Center had made considerable efforts to improve handling of personal data, beginning before the breach came to light.



A number of factors were remarked on as possible mitigation for the amount of the fine:

No evidence of intentional disregard – “There is nothing other than the fact that human error has occurred here and nothing has been stated in the case which indicates that this is a deliberate violation.”

Prompt action to remedy, and prompt reporting to the authority – “In this context, it is important to [us that the respondent company] immediately contacted the aforementioned former employee of the organization when informed of the security breach, and requested that the data be returned. The security breach was also reported to the Data Protection Authority.”

Measures were being developed at the time of the breach to deal with this precise scenario – “shortly before the respondent company became aware of the security breach, the organization had established working rules on the treatment of workers in dealing with work documents. Namely, an employee should be given the opportunity to review work space and compile their private documents and other belongings before leaving his place of business. [As part of this policy it is] totally not allowed to bring work documents with him. [The policy] states that a supervisor may be present when an employee completes his or her private documents upon retirement.”

While the respondent company had two other data breaches on its record, its response to these was “satisfactory” – Prior breaches were therefore not of great weight in determining a fine.

Cooperation – The respondent company had “complied with the requirements and instructions of the Data Protection Authority as a result of being informed of the security breach, as well as offering good access to the premises and staff during the processing of the case.”

The company reported the breach in good time and promptly – “Furthermore, the organization has responded well to the Privacy Policy’s requests for clarification and information within the time limits provided.”

Measures taken on own initiative to remedy data processing shortcomings – The company “on its own initiative submitted data on modified and well-established procedures for the processing of personal data.” In addition, the company had “undertaken extensive work within the association, in collaboration with privacy experts, with a view to updating procedures, in a documented manner, in connection with the processing of personal information within the organization. This work was started before the security breach occurred.”

Given the non-profit nature of the respondent, the services provided, and the mitigating circumstances demonstrated, it is likely that the Icelandic Data Protection Authority issued a fine at the lower end of the range for this data breach.

Applicable legal provisions

Enforcement information

Enforcement authority: Icelandic Data Protection Authority
Type of enforcement action: Penalty notice
Subject to appeal? Not known

File or case number


Cite this fine in your work

Data Privacy Fines Index. (2020-03-05 04:57) National Center of Addiction Medicine fined ISK 3 million. Retrieved from

Entry last updated: 2020-04-15 05:26 GMT.