If Skadeförsäkring AB – Complaint Upheld (Sweden, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
If Skadeförsäkring AB sent sensitive health information via email without proper encryption. The Swedish DPA found this practice insecure and upheld the complaint. This case underscores the importance of using strong security measures when handling sensitive data.
What happened
If Skadeförsäkring AB sent sensitive personal data in an email without end-to-end encryption.
Who was affected
Customers who received emails containing sensitive health information from If Skadeförsäkring AB.
What the authority found
The Swedish DPA determined that If Skadeförsäkring AB did not use adequate security measures to protect sensitive personal data during email transmission.
Why this matters
This decision stresses the need for businesses to implement robust security measures, like end-to-end encryption, when transmitting sensitive data. Companies should regularly review and update their security practices to comply with GDPR and protect customer information.
GDPR Articles Cited
Following a complaint, the Swedish DPA investigated whether an insurance company, If Skadeförsäkring AB (the controller), had ensured an appropriate level of security pursuant to Article 32 GDPR when sending an email containing sensitive personal data. The email in question contained the controller's decision on a claims settlement and the medical assessment on which that decision was based. The data subject complained that they had received from the controller, in an email that was not end-to-end encrypted, a message containing personal data on their health.

The controller stated that the email had been encrypted with so-called enforced Transport Layer Security (enforced TLS), which it argued meant the message was encrypted from the controller's servers to the recipient's email server. In the course of the investigation, the controller informed the DPA that it had since increased its security by, among other things, developing and launching a new communication solution for emails sent to its customers. With the new solution, the customer is notified by email or text message that a message from the controller is available to read on a specific site, "My pages". To log in to "My pages", the customer must authenticate with the Swedish e-identification BankID.

The DPA established that the controller is responsible for the security of the processing pursuant to Article 32 GDPR. The controller must therefore assess the risks associated with the processing and take appropriate technical and organisational measures to address the risks identified. In this particular case, the DPA identified the issue as the transfer of sensitive personal data over an open network (the internet). The technical and organisational measures to be taken by the controller are subject to enhanced requirements when processing sensitive personal data pursu
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for If Skadeförsäkring AB in SE
This is the only recorded action for this entity in this jurisdiction.
About this data
Cite as: Cookie Fines. If Skadeförsäkring AB - Sweden (2023). Retrieved from cookiefines.eu