Umeå University – €54,000 Fine (Sweden, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Umeå University was fined EUR 54,000 for not properly protecting sensitive data in a research project. They stored police reports about male rape incidents on a U.S. cloud service without enough security measures. This matters because it highlights the importance of securing sensitive data, especially when using third-party services.
What happened
Umeå University stored sensitive police reports in a U.S. cloud service without adequate security measures.
Who was affected
Individuals named in police reports about male rape incidents, whose personal and sensitive data were exposed.
What the authority found
The Swedish DPA found that Umeå University failed to protect sensitive data, violating GDPR's requirements for data security.
Why this matters
This case underscores the need for organizations to ensure robust data protection, especially when handling sensitive information in research projects. It serves as a reminder to evaluate the security of third-party cloud services.
GDPR Articles Cited
The Swedish DPA (Integritetsskyddsmyndigheten) fined Umeå University SEK 550,000 (EUR 54,000) as a result of its failure to apply appropriate technical and organizational measures to protect data. As part of a research project on male rape, the university had stored several police reports on such related incidents in the cloud of a U.S. service provider. The reports contained the names, ID numbers and contact details of the data subjects, as well as information about their health and sex lives, alongside information about the suspected crime. The DPA notes that the storage in that cloud does not adequately protect such particularly sensitive data. In addition, one of the investigation reports was sent unencrypted to the Swedish police via email. However, the controller had neither documented the incident nor reported it to the DPA.
Related Enforcement Actions (1)
Other enforcement actions involving Umeå University in SE
Details
Fine Date
11 December 2020
Authority
Integritetsskyddsmyndigheten
Fine Amount
€54,000
Enforcement Tracker ID
ETid-482
About this data
Cite as: Cookie Fines. Umeå University - Sweden (2020). Retrieved from cookiefines.eu
Last updated: