Styrelsen för Karolinska Universitetssjukhuset – €352,000 Fine (Sweden, 2020)

Fine amount: €352,000
Authority: DPA Datainspektionen
Date: 2 December 2020
Country: Sweden
Status: final
Type: Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Karolinska University Hospital in Sweden was fined for not properly restricting access to patient records. They allowed healthcare staff to see almost all medical records, regardless of their job needs. This matters because it highlights the importance of limiting access to sensitive data to protect patient privacy.

What happened

Karolinska University Hospital allowed healthcare staff to access nearly all patient records without restricting access based on job necessity.

Who was affected

Patients whose medical records were accessible to healthcare staff without necessary job-related reasons.

What the authority found

The Swedish DPA found that the hospital failed to limit access to personal data and did not ensure proper security measures, violating GDPR rules.

Why this matters

This case emphasizes the need for hospitals and similar institutions to implement strict access controls to protect patient information. It serves as a reminder that organizations must ensure only necessary personnel can access sensitive data.

GDPR Articles Cited

AI-verified

Art. 5(1)(f) GDPR
Art. 5(2) GDPR
Art. 32(1) GDPR
Art. 32(2) GDPR

National Law Articles

AI-identified

Chapter 4, Section 2 Patient Data Act (2008:355)
Chapter 6, Section 7 Patient Data Act (2008:355)
Chapter 4, Section 2 HSLF-FS 2016:40
Source verified 6 March 2026
Full Legal Summary

Karolinska University Hospital gave healthcare personnel different levels of access to patient journals (medical records) depending on whether they were doctors or nurses, but this role-based scheme still allowed access to almost all medical care records regardless of whether the access was necessary. The question before the DPA was whether the hospital had taken organisational measures to limit access to personal data in the medical record system, as required by Article 32 GDPR. The DPA held that the hospital had not restricted access to patient journals based on what each member of the healthcare personnel needed in order to perform their work. The hospital had therefore not taken appropriate organisational measures under Articles 5(1) and 32 GDPR to limit access to personal data, and had consequently also failed to ensure appropriate security for personal data under Article 5(2) GDPR.

Related Enforcement Actions (0)

No other enforcement actions found for Styrelsen för Karolinska Universitetssjukhuset in SE

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

2 December 2020

Authority

DPA Datainspektionen

Fine Amount

€352,000

4,000,000 SEK

GDPRhub ID

gdprhub-2981

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Styrelsen för Karolinska Universitetssjukhuset - Sweden (2020). Retrieved from cookiefines.eu
