Sweden
Umeå University
GDPR enforcement action by Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) on 2020-12-11.
Case details
- Authority
- Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)
- Date
- 2020-12-11
- Controller / Processor
- Umeå University
- Sector
- Public Sector and Education
- Quoted Articles
- Art. 5 (1) f) GDPR, Art. 32 (1), (2) GDPR
- Type of violation
- Insufficient technical and organisational measures to ensure information security
Summary
The Swedish DPA (Integritetsskyddsmyndigheten) fined Umeå University SEK 550,000 (EUR 54,000) as a result of its failure to apply appropriate technical and organizational measures to protect data.
As part of a research project on male rape, the university had stored several police reports on such related incidents in the cloud of a U.S. service provider. The reports contained the names, ID numbers and contact details of the data subjects, as well as information about their health and sex lives, alongside information about the suspected crime. The DPA notes that the storage in that cloud does not adequately protect such particularly sensitive data.
In addition, one of the investigation reports was sent unencrypted to the Swedish police via email. However, the controller had neither documented the incident nor reported it to the DPA.
Related fines