Decision of the Authority for Privacy Protection

On April 26, 2023, the Authority for Privacy Protection ordered one of Sweden's regions to pay a penalty fee of SEK 200,000 for a violation of the Data Protection Regulation. Below is a description of the decision in question and general information about obligations under the Data Protection Regulation.

As a result of a reported personal data incident and complaints from registered individuals, the Authority for Privacy Protection initiated supervision against one of Sweden's regions. An employee of the region had lost an unencrypted USB drive containing personal data about approximately 2,000 individuals.

The Authority for Privacy Protection assessed that the region had not taken sufficient measures to ensure an appropriate level of security in relation to the risk of the processing.

The failure to meet the security requirements of the Data Protection Regulation was considered serious, as the specific type of personal data on the USB drive required strong protection. The data was subject to confidentiality and linked health information to a large number of patients. According to the Authority for Privacy Protection, this posed a high risk to the rights and freedoms of the individuals concerned.

The USB drive had not been recovered during the supervision and it was also unclear how the personal data had been disseminated. This was considered by the Authority for Privacy Protection to be an aggravating circumstance.

The Authority for Privacy Protection decided to impose an administrative penalty fee of SEK 200,000 on the region.

In summary

The Data Protection Regulation and other data protection provisions impose high requirements on the handling of personal data. In its decision of April 26, 2023, the Authority for Privacy Protection further emphasized the importance of measures that achieve a level of security appropriate to the risk of the personal data processing.

Several years after the Data Protection Regulation and other provisions came into force, the rules on the handling of personal data remain difficult to apply in practice. This is especially true for employers who regularly process various types of personal data, including sensitive personal data.

  • Understand the process: An employment contract establishes the working relationship between the employer and the employee, and it is important to understand how and when this contract is entered into.
  • Ensure that personal data is handled securely to avoid data breaches and loss.
  • Adhere to strict requirements under the Data Protection Regulation and other relevant data protection provisions.
  • Establish clear procedures and policies for the processing of personal data and ensure that all employees are aware of them.
  • Provide regular training and updates to keep staff informed about data protection provisions and best practices.
  • Have a plan for handling and reporting any personal data incidents and comply with applicable legal requirements to notify the appropriate authorities and affected parties.
