Sjukhusstyrelsen i Region Uppsala – Violation Found (Sweden, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Hospital Board of the Region of Uppsala (the controller) is responsible for providing health care at Uppsala University Hospital and Enköping Hospital. On 29 November 2022 the DPA received a report of a data breach concerning the controller's processing of patient data. According to the report, patients' personal data (including personal identity numbers and health data) had been processed via insecure emails. The DPA opened an ex officio investigation.

The investigation found that the controller had deployed an email encryption tool (on top of standard in-transit encryption) to secure internal emails, and required all staff to use it for any sensitive data sent by internal email. Staff did not always follow this policy: at least 15 emails were sent unencrypted between 2010 and 2022. The DPA noted that this practice could expose personal data in certain situations, for instance if a staff member accidentally forwarded an email to an unintended recipient, who would then be able to read it. The risk of unintended disclosure was especially high because the controller did not monitor traffic to and from its staff's email accounts. The DPA also found that the controller used an automated messaging system relating to identity number merging; these messages were unencrypted and contained patients' personal data.

The DPA held that the controller had failed to implement appropriate security measures, in violation of Article 32(1) GDPR. It issued a warning against the controller but considered a fine unnecessary, since the controller had already taken steps to address the security shortcomings before the decision. In particular, the controller:

* carried out a risk and vulnerability analysis;
* deleted the emails containing unencrypted sensitive data;
* better instructed its staff about its data policy;
* changed its automated messaging system;
* impleme
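The DPA's point that the controller did not monitor mail traffic for unencrypted sensitive data is the gap a practitioner would want a check for. The following Python is an added example and is not part of the decision, the controller's systems, or the encryption tool it used: it scans constructed sample messages for Swedish personal identity numbers (validated with the Luhn check digit and a basic month/day range check) and flags those sent without the encryption tool applied. The `Mail` record, its `encrypted` flag, the sender addresses and the sample messages are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Swedish personal identity number (personnummer): [YY]YYMMDD[-+]NNNC.
# The last digit C is a Luhn check digit over the ten digits YYMMDDNNNC.
PNR_RE = re.compile(r"\b(?:\d{2})?(\d{2})(\d{2})(\d{2})[-+]?(\d{4})\b")


def luhn_ok(ten_digits: str) -> bool:
    """Verify the personnummer check digit over YYMMDDNNNC.

    Digits 1..9 are multiplied by 2,1,2,1,..., the digits of each product
    are summed, and the check digit brings the total to a multiple of 10.
    """
    if len(ten_digits) != 10 or not ten_digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(ten_digits[:9]):
        d = int(ch) * (2 if i % 2 == 0 else 1)
        total += d - 9 if d > 9 else d
    return (10 - total % 10) % 10 == int(ten_digits[9])


def find_pnr(text: str) -> list[str]:
    """Return validated personnummer occurrences found in text.

    Candidates with an impossible month or day are dropped before the Luhn
    check to cut false positives on arbitrary 10-digit numbers. Coordination
    numbers (day + 60) are not handled; that is a simplification here.
    """
    hits = []
    for m in PNR_RE.finditer(text):
        yy, mm, dd, nnnc = m.groups()
        if not (1 <= int(mm) <= 12 and 1 <= int(dd) <= 31):
            continue
        if luhn_ok(yy + mm + dd + nnnc):
            hits.append(m.group(0))
    return hits


@dataclass
class Mail:
    """Minimal mail record (assumed shape); 'encrypted' marks use of the organisation's tool."""
    sender: str
    recipients: list[str]
    encrypted: bool
    body: str


def audit(mails: list[Mail]) -> list[dict]:
    """Flag messages that carry a personnummer without the encryption tool applied."""
    findings = []
    for mail in mails:
        pnrs = find_pnr(mail.body)
        if pnrs and not mail.encrypted:
            findings.append({
                "sender": mail.sender,
                "recipients": mail.recipients,
                "identifiers": pnrs,
            })
    return findings


# Constructed sample traffic, not real messages. 811218-9876 and 900101-1239
# pass the check digit; 900101-1230 does not and must not be flagged.
SAMPLE_MAILS = [
    Mail("doctor@hospital.example", ["nurse@hospital.example"], False,
         "Lab results for patient 811218-9876 attached."),
    Mail("doctor@hospital.example", ["nurse@hospital.example"], True,
         "Encrypted: patient 19900101-1239, see attachment."),
    Mail("merge-bot@hospital.example", ["records@hospital.example"], False,
         "Identity number merge: 900101-1239 merged into 811218-9876."),
    Mail("admin@hospital.example", ["all@hospital.example"], False,
         "Reminder: invoice number 900101-1230 is due; no patient data here."),
]


if __name__ == "__main__":
    for f in audit(SAMPLE_MAILS):
        print(f"{f['sender']} -> {', '.join(f['recipients'])}: {f['identifiers']}")
```

Run as written, the audit flags the first message and the automated merge notification, and ignores the encrypted message and the invoice reminder whose number fails the check digit. In a real deployment this logic would sit on the mail gateway or in a journaling feed rather than in a script over a list, and the Luhn and date filters are what keep such a rule from alerting on every ten-digit number.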
GDPR Articles Cited
Article 32(1) GDPR (security of processing)
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Sjukhusstyrelsen i Region Uppsala in SE
This is the only recorded action for this entity in this jurisdiction.
About this data
Cite as: Cookie Fines. Sjukhusstyrelsen i Region Uppsala - Sweden (2025). Retrieved from cookiefines.eu