Umeå University – €48,400 Fine (Sweden, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Umeå University was fined for sending sensitive police investigation reports via unencrypted email. This breach of security measures under GDPR highlights the importance of protecting personal data, especially when it involves sensitive information. The university's failure to secure these communications resulted in a fine from the Swedish Data Protection Authority.
What happened
Researchers at Umeå University sent sensitive police investigation reports via unencrypted email.
Who was affected
Individuals involved in the police investigation reports, including victims and suspects, were affected.
What the authority found
The Swedish DPA found that Umeå University failed to implement adequate security measures to protect sensitive personal data, violating GDPR requirements.
Why this matters
This case underscores the need for universities and research institutions to ensure robust data protection practices, especially when handling sensitive information. It serves as a reminder that even accidental breaches can lead to significant penalties under GDPR.
Two researchers from Umeå University in Sweden acquired from the police copies of all preliminary investigation reports in Sweden for 2014 on cases of rape of male victims. In July 2016, the Swedish Police Authority sent paper copies of the investigation reports to the researchers by mail carrier.
In November 2017, the researchers contacted the Swedish Police Authority and asked for additional information about one of the cases. The researchers attached a scanned copy of one of the investigations to an email sent unencrypted. When the Swedish Police Authority pointed out the inappropriateness of sending sensitive material via unencrypted emails, the researchers claimed it was an unintentional act and blamed the human factor.
In February 2019, the research team wanted more information on the same rape case and sent the same investigation report again in an unencrypted email to the Swedish Police Authority. The researchers also claimed the second email to be an accident. After this incident, the Swedish Police Authority wrote an official letter dated April 3, 2019, which was sent to the Swedish DPA (Datainspektionen). The DPA launched an investigation to determine whether Umeå University had breached the GDPR.
The preliminary investigation reports contain special categories of personal data, such as data about health and sex life, and information about suspected offences. They also contain names, contact details and personal numbers of victims and suspects. The research team changed their routines after the first unencrypted email, but could not explain why they then sent the same report a second time in an unencrypted email.
In September 2019, Umeå University analyzed the data breach and found that it did not pose a high risk to the rights and freedoms of data subjects. As the email was addressed to a staff member at the Swedish Police Authority who provided the researchers with the reports, the university concluded that there was no evidence of actual harm or unauthorized disc
Details
Fine Date
10 December 2020
Authority
DPA Datainspektionen
Fine Amount
€48,400
550,000 SEK
GDPRhub ID
gdprhub-3011
Cite as: Cookie Fines. Umeå University - Sweden (2020). Retrieved from cookiefines.eu