
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

Filtering by source: Data Protection Authority of Sweden (12 items)

Avanza Bank AB: Insufficient technical and organisational measures to ensure information security

€1,300,000 fine - Data Protection Authority of Sweden

The Swedish DPA has imposed a fine of EUR 1.3 million on Avanza Bank AB. The controller had used so-called Meta pixels on its website and app, which caused personal data such as securities holdings and account numbers to be transmitted to Meta. These transfers took place from November 15, 2019 to June 2, 2021 due to incorrect settings. After becoming aware of this, Avanza deactivated the pixels and confirmed that Meta had deleted the data. Avanza has also improved its internal data security proc

Östersund Municipality's Department for Children and Education: Insufficient technical and organisational measures to ensure information security

€26,500 fine - Data Protection Authority of Sweden

The Swedish DPA has imposed a fine of EUR 26,500 on the Östersund Municipality's Department for Children and Education. The authority had failed to carry out a data protection impact assessment before introducing the digital school platform Google Workspace in 24 schools in the municipality.

Indecap AB: Insufficient technical and organisational measures to ensure information security

€43,000 fine - Data Protection Authority of Sweden

The Swedish DPA has imposed a fine of EUR 43,000 on Indecap AB. The controller had accidentally sent an email to a large number of its customers containing an Excel document including a report with personal data of other customers. The document contained information on social security numbers, e-mail addresses, information on selected funds, etc. of more than 52,000 individuals. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizat

H&M Hennes & Mauritz GBC AB: Insufficient fulfilment of data subjects' rights

€30,000 fine - Data Protection Authority of Sweden

The Swedish DPA has imposed a fine of EUR 30,000 on H&M for sending out marketing messages, despite the fact that data subjects had exercised their right to object. Six data subjects had filed a complaint against the controller with the DPA. The DPA found that the controller did not have sufficient systems and procedures in place to facilitate data subjects exercising their right to object to direct marketing.

Trygg-Hansa: Non-compliance with general data processing principles

€3,000,000 fine - Data Protection Authority of Sweden

The Swedish DPA has fined Trygg-Hansa EUR 3 million for serious data security breaches. The security breach was discovered when a recipient of an email from Trygg-Hansa realized that by changing a web link, they could access other customers' documents without authentication. Due to these security breaches, it was possible to access sensitive data of about 650,000 customers, including health, financial and contact information, over a span of more than two years, from October 2018 to February 2021

CDON AB: Insufficient technical and organisational measures to ensure information security

€25,000 fine - Data Protection Authority of Sweden

The Swedish DPA has imposed a fine of EUR 25,000 on CDON AB. The Austrian organization None of your Business (NOYB) had filed a complaint against the company in light of the Schrems II judgment, stating that the company was unlawfully transferring personal data to the US. The company had used Google Analytics for visitor statistics and based the data processing by the statistics tool on the EU standard contractual clauses in the absence of an EU Commission adequacy decision for the USA. In the c

Tele2 Sverige Aktiebolag: Insufficient technical and organisational measures to ensure information security

€1,000,000 fine - Data Protection Authority of Sweden

The Swedish DPA has imposed a fine of EUR 1 million on Tele2 Sverige Aktiebolag. The Austrian organization None of your Business (NOYB) had filed a complaint against the company in light of the Schrems II judgment, stating that the company was unlawfully transferring personal data to the US. The company had used Google Analytics for visitor statistics and based the data processing by the statistics tool on the EU standard contractual clauses, as no adequacy decision had been issued by the EU Com

Bonnier News AB: Insufficient legal basis for data processing

€1,100,000 fine - Data Protection Authority of Sweden

The Swedish DPA has imposed a fine of EUR 1.1 million on Bonnier News AB. During its investigation, the DPA found that Bonnier News collects customer data, for example, through their surfing behavior or through purchases from different subsidiaries. However, the DPA also found that Bonnier News had collected and processed this data without the consent of the data subjects. Bonnier News relied on a predominant interest as a legal basis, but the DPA noted that customers could not expect their dat

Spotify: Insufficient fulfilment of data subjects' rights

€4,900,000 fine - Data Protection Authority of Sweden

The Swedish Data Protection Authority (DPA) has imposed a fine of EUR 4.9 million on the music streaming provider Spotify. The DPA had launched an investigation after receiving a number of complaints and following a lawsuit filed against Spotify by the Austrian organization 'None of your Business'. In its investigation, the DPA found that Spotify had not sufficiently complied with data subject rights. Spotify failed, for example, to provide data subjects with sufficient information about the ori

Skåne region: Insufficient technical and organisational measures to ensure information security

€17,600 fine - Data Protection Authority of Sweden

The Swedish DPA has fined Skåne region EUR 17,600. An employee of the region had lost an unencrypted USB stick containing the social security numbers and sensitive personal data of nearly 2,000 people. The DPA found that the region had failed to implement adequate technical and organizational measures to protect personal data.

Klarna Bank AB: Insufficient fulfilment of information obligations

€720,000 fine - Data Protection Authority of Sweden

The Swedish DPA has imposed a fine of EUR 720,000 on Klarna Bank AB. Klarna is a financial company that processes a large amount of personal data in various ways. As part of its investigation, the DPA found that Klarna had not properly complied with its information obligations. For example, Klarna did not provide sufficient information on its website about the purpose and legal basis for the processing of personal data. In addition, with regard to the transfer of data to Swedish and foreign cred

School in Skellefteå: Insufficient legal basis for data processing

€18,630 fine - Data Protection Authority of Sweden

A school in Skellefteå ran a trial of facial recognition technology. The fine was imposed on the school, which had used facial recognition technology to monitor the attendance of students. Although data processing for the purpose of monitoring attendance is possible in general, doing so with facial recognition is disproportionate to the goal of monitoring attendance. The supervisory authority is of the opinion that biometric data of students was processed which is why Art. 9 GDPR is app