Aleris Sjukvård AB – €1,320,000 Fine (Sweden, 2020)

€1,320,000 · DPA Datainspektionen · 2 December 2020 · Sweden
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Sweden's Datainspektionen fined Aleris Sjukvård AB for not properly limiting access to patient records. They found that the healthcare provider allowed too many employees to access sensitive information without proper checks. This case highlights the importance of securing patient data and conducting risk assessments.

What happened

Aleris Sjukvård AB allowed broad access to patient journals without conducting necessary risk assessments.

Who was affected

Patients whose medical records were stored in Aleris's 'TakeCare' system.

What the authority found

The Swedish DPA found that Aleris failed to implement adequate security measures for patient data, violating GDPR's requirements for data protection.

Why this matters

This fine underscores the need for healthcare providers to strictly control access to sensitive data and perform thorough risk analyses. It serves as a warning to other organizations handling personal health information.

GDPR Articles Cited

AI-verified

Art. 5(1)(f) GDPR
Art. 5(2) GDPR
Art. 32(1) GDPR
Art. 32(2) GDPR

National Law Articles

AI-identified

Patientdatalagen (2008:355)
Source verified 5 March 2026
articles corrected
national law identified
amount discrepancy
Full Legal Summary
Detailed

The Swedish DPA initiated its audit of Aleris Sjukvård AB in May 2019. Aleris is a healthcare provider and uses a system named "TakeCare" as its main journal-keeping system, where it stores and maintains patients' journals. According to the Patient Data Act, a caregiver must conduct a needs and risk analysis before allocating access rights to patients' journals. The DPA found that Aleris Sjukvård AB did not carry out these assessments and had granted access to patients' journals to all employees apart from the technicians. By doing so, Aleris Sjukvård AB breached the obligation, imposed on controllers by Article 32 GDPR, to apply appropriate technical and organisational measures to ensure the security of personal data. The DPA imposed a fine of 15 million SEK (approximately €1,466,000).

Related Enforcement Actions (0)

No other enforcement actions found for Aleris Sjukvård AB in SE

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

2 December 2020

Authority

DPA Datainspektionen

Fine Amount

€1,320,000

15,000,000 SEK

GDPRhub ID

gdprhub-2984

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Aleris Sjukvård AB - Sweden (2020). Retrieved from cookiefines.eu
