Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

Filtering by source: Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) (37 items)

Sportadmin i Skandinavien AB: Insufficient technical and organisational measures to ensure information security

€565,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 565,500 on Sportadmin i Skandinavien AB. The controller suffered a successful cyber attack, resulting in personal and special category data of 2,126,075 individuals, including minors, being published on the darknet. The attack succeeded through an SQL injection on one of the controller's websites, which had not been protected against this kind of attack. This granted the attacker access to the controller's server and allowed him to exfiltrate the data.

AB Storstockholms Lokaltrafik: Insufficient legal basis for data processing

€6,800 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 6,800 on AB Storstockholms Lokaltrafik. The controller, a public transportation company, requires employees operating a ferry to take a breathalyzer test before each departure. The results of the test are stored afterwards. The DPA found that there is no legal basis for this data processing.

Waxholms Ångfartygs AB: Insufficient legal basis for data processing

€6,800 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 6,800 on Waxholms Ångfartygs AB. The controller, a public transportation company, requires employees operating a ferry to take a breathalyzer test before each departure. The results of the test are stored afterwards. The DPA found that there is no legal basis for this data processing.

AB Storstockholms Lokaltrafik: Insufficient legal basis for the processing of data

€6,800 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish data protection authority (DPA) has imposed a fine of EUR 6,800 on AB Storstockholms Lokaltrafik. This company, which operates in public transport, requires employees who operate a ferry to take a breathalyzer test before each departure. The results of this test are then stored. The DPA found that there is no legal basis for this data processing.

Waxholms Ångfartygs AB: Insufficient legal basis for the processing of personal data

€6,800 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish data protection authority has imposed a fine of EUR 6,800 on Waxholms Ångfartygs AB. The controller, a public transport company, requires employees who operate a ferry to take a breathalyzer test before each departure. The results of this test are then stored. The data protection authority found that there is no legal basis for this data processing.

Diskrimineringsombudsmannen: Insufficient technical and organisational measures to ensure information security

€9,200 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 9,200 on the Swedish Discrimination Ombudsman. The controller was unable to implement sufficient data security measures, resulting in the unauthorized disclosure of sensitive data.

Discrimination Ombudsman: Insufficient technical and organisational measures to ensure information security

€9,200 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish data protection authority has imposed a fine of EUR 9,200 on the Swedish Discrimination Ombudsman. The controller was unable to implement sufficient data security measures, which resulted in the unauthorized disclosure of sensitive data.

Granit Bostad Beritsholm AB: Insufficient legal basis for data processing

€18,400 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 18,400 on Granit Bostad Beritsholm AB. The controller, a property management company, installed CCTV cameras in an apartment complex without sufficient legal basis. Additionally, the controller failed to inform data subjects about the video surveillance.

Apohem AB: Insufficient technical and organisational measures to ensure information security

€698,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 698,000 on Apohem AB. The controller had used so-called meta pixels on its website which, due to incorrect settings, caused personal data of customers who had consented to marketing cookies to be transmitted to Meta. The controller had used the tool to improve its marketing on Facebook and Instagram, without intending to transmit the data. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organi

Apoteket AB: Insufficient technical and organisational measures to ensure information security

€3,200,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 3.2 million on Apoteket AB. The controller had used so-called meta pixels on its website which, due to incorrect settings, caused personal data of customers to be transmitted to Meta. The controller had used the tool to improve its marketing on Facebook and Instagram, without intending to transmit the data. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect pers

Stockholm School Board: Non-compliance with general data processing principles

€70,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has fined the Stockholm School Board EUR 70,000 for excessive video surveillance in a school. A school had installed extensive video surveillance due to past problems with incendiary crimes. During its investigation, the DPA found that there were about 50 fixed cameras in the school monitoring hallways, stairwells and corridors in conjunction with doors, toilets and student lockers. Surveillance was taking place 24/7 with image recording. The DPA concluded that video surveillance

Dalarna Region: Insufficient technical and organisational measures to ensure information security

€17,900 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 17,900 on Dalarna Region. The region had sent out invitations for patient visits where the respective healthcare facility, such as a children's hospital, was visible on the envelope window. The DPA found that this visibility allowed unauthorized persons to gain access to patients' personal data. The DPA concluded that the region had failed to implement adequate technical and organizational measures to protect personal data.

Uppsala hospital board: Insufficient technical and organisational measures to ensure information security

€152,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 152,000 on the Uppsala hospital board. The fine is the result of an investigation by the Uppsala Region (the regional board and the hospital board). The DPA had received two reports of incidents involving personal data from the Uppsala region. The incidents involved sensitive personal health data that was transferred unencrypted to recipients inside and outside Sweden. Accordingly, Uppsala University Hospital had sent emails containing patient data to patients a

Uppsala regional board: Insufficient technical and organisational measures to ensure information security

€28,500 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 28,500 on the Uppsala regional board. The fine is the result of an investigation of the Uppsala region (the regional board and the hospital board). The DPA had received two reports of incidents involving personal data from the Uppsala region. The incidents involved sensitive personal health data that had been transferred unencrypted to recipients inside and outside Sweden. The regional board had transmitted sensitive personal data and personal identity n

Storstockholms Lokaltrafik: Insufficient legal basis for data processing

€1,600,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has fined Storstockholms Lokaltrafik (Stockholm Local Transport Company) EUR 1,600,000. The controller had equipped ticket inspectors with body-worn cameras, which were designed to prevent threatening situations, document incidents, and ensure that the right person was fined for traveling on Stockholm's public transportation without a valid ticket. Ticket inspectors were required to keep the camera on for their entire shift and were therefore able to film all passengers who passe

Directorate of the Östra Skaraborg Rescue Service: Non-compliance with general data processing principles

€34,800 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 34,800 on the directorate of the Östra Skaraborg Rescue Service. The DPA had received information that several fire stations in Östra Skaraborg operated surveillance cameras that filmed areas where firefighters were changing during an emergency, whereupon it initiated a review of the camera surveillance. The video surveillance was taking place around the clock, although the controller itself stated that video surveillance was only required in case of eme

MedHelp AB: Non-compliance with general data processing principles

€1,200,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 1,200,000 on MedHelp AB. The fine is related to an investigation against three companies and three Swedish regions. In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network. In 2019, the media reported that recorded calls to the 117

Region Värmland: Insufficient fulfilment of information obligations

€25,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 25,000 on Region Värmland. The fine is related to an investigation against three companies and three Swedish regions. In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network. In 2019, the media reported that recorded calls to the 1

Region Stockholm: Insufficient fulfilment of information obligations

€50,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 50,000 on Region Stockholm. The fine is related to an investigation against three companies and three Swedish regions. In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network. In 2019, the media reported that recorded calls to the

Voice Integrate Nordic AB: Insufficient technical and organisational measures to ensure information security

€64,500 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 64,500 on Voice Integrate Nordic AB. The fine is related to an investigation against three companies and three Swedish regions. In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network. In 2019, the media reported that recorded call

Region Sörmland: Insufficient fulfilment of information obligations

€25,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 25,000 on Region Sörmland. The fine is related to an investigation against three companies and three Swedish regions. In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network. In 2019, the media reported that recorded calls to the 1

Uppsalahem AB: Insufficient legal basis for data processing

€29,500 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA (Integritetsskyddsmyndigheten) fined the housing company Uppsalahem AB SEK 300,000 (EUR 29,500). The housing company had installed surveillance cameras in an apartment building to monitor one floor after disturbances and security incidents occurred. The cameras not only monitored the staircase, but also the front door of a resident. Therefore, when the door was opened, the inside of the apartment was also captured by the video surveillance. While the company may have had a legiti

Umeå University: Insufficient technical and organisational measures to ensure information security

€54,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA (Integritetsskyddsmyndigheten) fined Umeå University SEK 550,000 (EUR 54,000) as a result of its failure to apply appropriate technical and organizational measures to protect data. As part of a research project on male rape, the university had stored several police reports on such related incidents in the cloud of a U.S. service provider. The reports contained the names, ID numbers and contact details of the data subjects, as well as information about their health and sex lives,

Sahlgrenska University Hospital: Insufficient technical and organisational measures to ensure information security

€341,300 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA (Integritetsskyddsmyndigheten) fined Sahlgrenska University Hospital SEK 3,500,000 (EUR 341,300) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information systems Melior and Nationell patientöversikt were not assigned according to the principle of minimum access. This gave users full access to confide

Aleris Sjukvård AB: Insufficient technical and organisational measures to ensure information security

€1,168,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA (Integritetsskyddsmyndigheten) fined Aleris Sjukvård AB SEK 12,000,000 (EUR 1,168,000) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information system Nationell patientöversikt (NPÖ) were not assigned according to the principle of minimum access. This gave users full access to confidential patient da

Capio St. Göran AB: Insufficient technical and organisational measures to ensure information security

€2,900,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA (Integritetsskyddsmyndigheten) fined Capio St. Göran AB SEK 30,000,000 (EUR 2,900,000) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information systems Cosmic, Nationell patientöversikt and TakeCare were not assigned according to the principle of minimum access. This gave users full access to confide

Aleris Sjukvård AB: Insufficient technical and organisational measures to ensure information security

€1,463,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA (Integritetsskyddsmyndigheten) fined Aleris Sjukvård AB SEK 15,000,000 (EUR 1,463,000) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information system TakeCare were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not ne

Östergötland Region: Insufficient technical and organisational measures to ensure information security

€243,800 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA (Integritetsskyddsmyndigheten) fined Östergötland Region SEK 2,500,000 (EUR 243,800) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information system Cosmic were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need f

Västerbotten Region: Insufficient technical and organisational measures to ensure information security

€243,800 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA (Integritetsskyddsmyndigheten) fined Västerbotten Region SEK 2,500,000 (EUR 243,800) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the medical record system NCS Cross were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for

Karolinska University Hospital of Solna: Insufficient technical and organisational measures to ensure information security

€390,100 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA (Integritetsskyddsmyndigheten) fined Karolinska University Hospital of Solna SEK 4,000,000 (EUR 390,100) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information system TakeCare were not assigned according to the principle of minimum access. This gave users full access to confidential patient data th

Gnosjö Municipality: Insufficient legal basis for data processing

€19,500 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA imposed a fine on the municipality of Gnosjö for illegal video surveillance in a care home for persons with certain functional disabilities.

City of Stockholm: Insufficient technical and organisational measures to ensure information security

€394,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA imposed a fine on the City of Stockholm for data breaches on a school education platform. The platform consists of different subsystems, including a system for monitoring school attendance, a student administration system, an interface for parents and an administration interface for teachers. In one of the subsystems, a lack of ability to restrict user access to the data has allowed a significant number of staff to access information about students using a protected identity. In

Housing Association: Non-compliance with general data processing principles

€1,900 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

Unlawful usage of surveillance cameras. In the decision, the data protection authority stressed that sound recordings have additional privacy implications, especially in a residential building, and that in this case there is nothing to justify sound recording. In addition, the decision orders the housing association to stop the cameras recording staircases and entrances, to stop sound recording and to improve the information on camera surveillance.

Health and Medical Board of the Region of Örebro County: Insufficient legal basis for data processing

€11,200 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

Publication of personal data of a patient without sufficient legal basis.

National Government Service Centre (NGSC): Insufficient fulfilment of data breach notification obligations

€18,700 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The DPA's decision shows that it took almost five months for the company to notify the data subjects of a data breach, and almost three months for the DPA to receive a notification of the breach, which concerned a security deficiency in the company's IT systems.

Google LLC: Insufficient fulfilment of data subjects rights

€5,000,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

Original Fine Summary: The Swedish data protection authority has fined Google LLC € 7 million for failing to adequately comply with its obligations regarding the right of data subjects to have search results removed from the results list. Integritetsskyddsmyndigheten had already completed a review in 2017 of the way in which Google deals with the right of individuals to have search results removed from Google's search engine and that Integritetsskyddsmyndigheten had instructed Google to remove a

Nusvar AB: Insufficient legal basis for data processing

€35,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

Nusvar AB, operator of the website Mrkoll.se, which provides information on all Swedes over 16 years of age, had published information on people who are overdue.