Decision of the Authority for Privacy Protection

On April 26, 2023, the Authority for Privacy Protection ordered one of Sweden's regions to pay a penalty fee of SEK 200,000 for a violation of the Data Protection Regulation. Below is a description of the decision and general information about obligations under the Data Protection Regulation.

As a result of a reported personal data incident and complaints from registered individuals, the Authority for Privacy Protection initiated supervision of one of Sweden's regions. An employee of the region had lost an unencrypted USB drive containing personal data about approximately 2,000 individuals.

The Authority for Privacy Protection assessed that the region had not taken sufficient measures to ensure an appropriate level of security in relation to the risk of the processing.

The failure to meet the security requirements of the Data Protection Regulation was considered serious, as the specific type of personal data on the USB drive required strong protection. The data was subject to confidentiality and linked health information to a large number of patients. According to the Authority for Privacy Protection, this posed a high risk to the rights and freedoms of the individuals concerned.

The USB drive had not been recovered during the supervision and it was also unclear how the personal data had been disseminated. This was considered by the Authority for Privacy Protection to be an aggravating circumstance.

The Authority for Privacy Protection decided to impose an administrative penalty fee of SEK 200,000 on the region.

In summary

The Data Protection Regulation and other data protection provisions place high demands on how personal data is managed. In its decision of April 26, 2023, the Authority for Privacy Protection further emphasized the importance of measures to achieve an appropriate level of security in relation to the risk of the personal data processing.

Several years have passed since the Data Protection Regulation and other provisions came into force, yet the rules on handling personal data remain difficult to manage in practice, especially for employers who regularly process various types of personal data, including sensitive personal data.

In summary

  • Understand the process: An employment contract establishes the working relationship between the employer and the employee, and it is important to understand how and when this contract is entered into.
  • Ensure that personal data is handled securely to avoid data breaches and loss.
  • Adhere to strict requirements under the Data Protection Regulation and other relevant data protection provisions.
  • Establish clear procedures and policies for the processing of personal data and ensure that all employees are aware of them.
  • Provide regular training and updates to keep staff informed about data protection provisions and best practices.
  • Have a plan for handling and reporting any personal data incidents and comply with applicable legal requirements to notify the appropriate authorities and affected parties.
