The Personal Data Protection Authority has pronounced itself in a case in which it has been reported that medical records of the complainant and his son were sent to the legal address of the minor and not to the complainant by the hospital of Akureyri (SAK).
According to the hospital, it has recognized that there were not taken into account the difference with the addresses and data, so they were sent to the legal address of the child. Anyway, data was sent with registered mail and given back to SAK in a sealed envelope so personal data was not read by unauthorized persons.
Since then, documents were sent by registered mail to the complainant.
The Data Protection Authority considered that, in view of the sensitive nature of the data concerned, it was highly reprehensible that SAK did not ensure that the data were sent to the correct address. The fact that the data were sent by registered mail and returned in an intact packaging has not changed. The processing has not been deemed in compliance with Law no. 90/2018, in the matter of personal protection and processing of personal data.