Initial review on the processing of personal data by commercial banks and Reiknistofa bankanna
3rd April 2025
The Data Protection Authority has just completed initial reviews of the processing of personal data in the information systems that Arion banki hf., Íslandsbanki hf., Kvika banki hf., Landsbankinn hf. and Reiknistofa bankanna hf. use to process the personal data of individuals.

The decision to initiate the reviews was based on the Data Protection Authority's audit policy for 2024, under which the processing of personal data in app solutions and/or the software systems of financial institutions was a priority for the year.
After an initial examination of the information and data provided by the parties named above, the Data Protection Authority decided to close its examination of Íslandsbanki hf., Landsbankinn hf. and Reiknistofa bankanna hf. without initiating an audit or an own-initiative investigation. The Data Protection Authority also decided to close its examination of Kvika banki hf., but considered it necessary to send the bank guidance on the rules that apply to the recording of security breaches under the Data Protection Act, as the security breaches Kvika banki hf. had reported to the Data Protection Authority did not fully match the bank's own register of security breaches.
Following the initial review, however, the Data Protection Authority decided to audit the processing of personal data in Arion banki's online bank. In deciding to open an audit of Arion banki, it was taken into account, among other things, that the bank had reported a number of security breaches concerning the processing of personal data in the online bank. The purpose of the audit was to examine whether information security in Arion banki's online bank was ensured in accordance with data protection legislation, with regard to unauthorised access to personal data in its systems. More specifically, the audit examined whether measures were in place to ensure that personal data about one customer, which had been visible in another customer's online bank on the basis of an authorisation such as a power of attorney or legal guardianship, did not remain accessible after the authorisation on which that access rested had been revoked.
The Data Protection Authority's investigation revealed that Arion banki hf. now has in place technical and organisational security measures, in accordance with the provisions of the Data Protection Act, addressing the security risks under examination. On that basis, the Data Protection Authority cancelled the audit and closed the case.
