Sweden
Uppsala regional board
GDPR enforcement action by Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) on 2022-01-26.
Case details
- Authority
- Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)
- Date
- 2022-01-26
- Controller / Processor
- Uppsala regional board
- Sector
- Health Care
- Quoted Articles
- Art. 32 (1) GDPR
- Type of violation
- Insufficient technical and organisational measures to ensure information security
Summary
The Swedish DPA has imposed a fine of EUR 28,500 on the Uppsala regional board.
The fine is the result of an investigation of the Uppsala region (the regional board and the hospital board). The DPA had received two reports of incidents involving personal data from the Uppsala region. The incidents involved sensitive personal health data that had been transferred unencrypted to recipients inside and outside Sweden.
The regional board had transmitted sensitive personal data and personal identity numbers via email. The actual transmission of the emails was encrypted, but the information in the emails was not. The emails in question contained patient data that was automatically sent to the appropriate health administrators in the region, as well as patient data that was manually sent to researchers and physicians in the region.
For this reason, the DPA found that the regional board had not taken adequate technical and organizational measures to protect the data from unauthorized access, for example.
Related fines