On April 26, 2023, the Authority for Privacy Protection ordered one of Sweden's regions to pay a penalty fee of SEK 200,000 due to a violation of the Data Protection Regulation. Below is a description of the current decision and general information about obligations under the Data Protection Regulation.
Following a reported personal data incident and complaints from data subjects, the Authority for Privacy Protection initiated supervision of one of Sweden's regions. An employee of the region had lost an unencrypted USB drive containing personal data about approximately 2,000 individuals.
The Authority for Privacy Protection assessed that the region had not taken sufficient measures to ensure an appropriate level of security in relation to the risk of the processing.
The failure to meet the security requirements of the Data Protection Regulation was considered serious, as the specific type of personal data on the USB drive required strong protection. The data was subject to confidentiality and linked health information to a large number of patients. According to the Authority for Privacy Protection, this posed a high risk to the rights and freedoms of the individuals concerned.
The USB drive had not been recovered during the supervision and it was also unclear how the personal data had been disseminated. This was considered by the Authority for Privacy Protection to be an aggravating circumstance.
The Authority for Privacy Protection decided to impose an administrative penalty fee of SEK 200,000 on the region.
The Data Protection Regulation and other data protection provisions place high demands on the handling of personal data. In its decision of April 26, 2023, the Authority for Privacy Protection further emphasized the importance of measures to achieve an appropriate level of security in relation to the risk of the personal data processing.
Despite several years having passed since the Data Protection Regulation and other provisions came into force, the rules on handling personal data remain difficult to manage in practice, especially for employers who regularly process various types of personal data, including sensitive personal data.