Östergötland Region – €243,800 Fine (Sweden, 2020)

€243,800Integritetsskyddsmyndigheten3 December 2020Sweden
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Swedish DPA fined Östergötland Region for not securing patient information properly. Employees had access to more data than they needed, which could lead to privacy breaches. This case shows the importance of limiting access to sensitive data to protect patient privacy.

What happened

Östergötland Region did not implement proper security measures, allowing excessive access to patient data.

Who was affected

Patients whose data was stored in the hospital information system Cosmic.

What the authority found

The Swedish DPA determined that Östergötland Region violated GDPR by not ensuring data security and failing to restrict access to necessary personnel.

Why this matters

This decision highlights the critical need for organizations to conduct thorough risk assessments and enforce strict access controls on sensitive data. It serves as a reminder that inadequate data protection can result in substantial penalties.

GDPR Articles Cited

AI-verified

Art. 5(1)(f) GDPR
Art. 5(2) GDPR
Art. 32(1) GDPR
View original scraped data
Art. 5(1)(f) GDPR
Art. 5(2) GDPR
Art. 32(1) GDPR
Art. 32(2) GDPR

Original data from scraper before AI verification against source document.

Source verified 6 March 2026
articles corrected
Sweden enforcementIntegritetsskyddsmyndigheten actionsAll Östergötland Region actions
Full Legal Summary
Detailed

The Swedish DPA (Integritetsskyddsmyndigheten) fined Östergötland Region SEK 2,500,000 (EUR 243,800) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information system Cosmic were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes.

Related Enforcement Actions (0)

No other enforcement actions found for Östergötland Region in SE

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

3 December 2020

Authority

Integritetsskyddsmyndigheten

Fine Amount

€243,800

Enforcement Tracker ID

ETid-469

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Östergötland Region - Sweden (2020). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: