Privacy Blog
SWEDISH DPA IMPOSES ADMINISTRATIVE FINE ON UNIVERSITY FOR VIOLATION GDPR
16.12.2020
The Swedish Data Protection Authority has imposed fine of SEK 550,000 on Umea University for failure to sufficiently protect sensitive personal data.
In the present case, a research group at the University had requested from the police investigation reports concerning cases of male rape containing information on, among other things, suspicion of crime, name, personal identity number and contact details, as well as sensitive data about sexual life and health. These reports were stored in an American cloud service despite the University having informed via its intranet that special categories of data should not be stored in the cloud service in question.
Besides, the research group sent an e-mail to the police requesting further information by attaching one of the scanned reports as a reference.
In this context, the DPA states that the University has not taken necessary measures to ensure a level of security appropriate in relation to the risk.
You can reach the full text of the press release here.
Should you have any queries and/or remarks, please do not hesitate to contact us.
Kind regards,
Zumbul Attorneys-at-Law