Uppsala regional board – €28,500 Fine (Sweden, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Swedish data protection authority fined Uppsala regional board EUR 28,500 for not adequately protecting sensitive patient data. The board sent emails with personal health information unencrypted, risking unauthorized access. This highlights the importance of securing sensitive information, especially in healthcare settings.
What happened
Uppsala regional board transmitted sensitive patient data via email without proper encryption, leading to a data protection violation.
Who was affected
Patients whose sensitive health data was sent unencrypted by Uppsala regional board.
What the authority found
The Swedish DPA determined that the regional board did not take sufficient security measures to protect sensitive data, breaching GDPR requirements.
Why this matters
This case serves as a reminder for organizations, particularly in healthcare, to ensure robust data protection measures are in place. It emphasizes the importance of encryption to safeguard sensitive information from unauthorized access.
GDPR Articles Cited
The Swedish DPA has imposed a fine of EUR 28,500 on the Uppsala regional board. The fine is the result of an investigation of the Uppsala region (the regional board and the hospital board). The DPA had received two reports of incidents involving personal data from the Uppsala region. The incidents involved sensitive personal health data that had been transferred unencrypted to recipients inside and outside Sweden. The regional board had transmitted sensitive personal data and personal identity numbers via email. The actual transmission of the emails was encrypted, but the information in the emails was not. The emails in question contained patient data that was automatically sent to the appropriate health administrators in the region, as well as patient data that was manually sent to researchers and physicians in the region. For this reason, the DPA found that the regional board had not taken adequate technical and organizational measures to protect the data from unauthorized access, for example.
Related Enforcement Actions (0)
No other enforcement actions found for Uppsala regional board in SE
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
26 January 2022
Authority
Integritetsskyddsmyndigheten
Fine Amount
€28,500
Enforcement Tracker ID
ETid-1013
About this data
Cite as: Cookie Fines. Uppsala regional board - Sweden (2022). Retrieved from cookiefines.eu
Last updated: