THE SWEDISH DATA PROTECTION AUTHORITY FINES THE NATIONAL GOVERNMENT SERVICE CENTRE

30 April 2020

The European Data Protection Board (“EDPB”) announced on 30.04.2020 that the Swedish Data Protection Authority (“DPA”) fined the National Government Service Centre (“NGSC”) 200,000 Swedish kronor (approximately 18,700 euro) for failing to notify concerned parties and the DPA about a personal data breach in due time.

The NGSC coordinates the management of government agencies by providing administrative support services to other government agencies. It offers basic services in the areas of salary management, financial management, and e-commerce.

The DPA launched an investigation against the NGSC after receiving a series of personal data breach notifications about a bug in the IT system for salary administration. The error required the possibility of unauthorized access to the personal data of the personnel of the authorities using the system and NGSC personnel.

The DPA stated after the investigation that the NGSC had failed to notify interested parties and the DPA about the error and the personal data breach promptly. It took almost five months for the NGSC to notify interested parties, and about three months for DPA to receive a data breach notification. Whereas the NGSC has to inform the interested parties and the DPA as soon as the data breach is detected, and take further action to reduce the associated risks. The NGSC was unable to act on time.

As a result, the DPA ordered the NGSC to provide internal routines for documenting personal data breaches and verify that these routines have been followed. With this order, the DPA has imposed an administrative fine of 200,000 Swedish kroner to the NGSC.

You can find the text of the EDPB statement here.

Should you have any queries and/or remarks, please do not hesitate to contact us. 

Kind regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr