Swedish Authority for Privacy Protection (IMY) fines Region Uppsala for breaches in its security

21 February 2022

Background information

Date of final decision: 2022-01-26
Cross-border case or national case: National case
Controller: The regional board and the hospital board of Region Uppsala (hereinafter called the region)
Legal Reference: Security of processing (Article 32)
Decision: Administrative fine of SEK 1.9 million


Summary of the Decision

Origin of the case

The Swedish Authority for Privacy Protection (IMY) has received two personal data breach notifications from Region Uppsala. The data breaches concern sensitive personal data sent without encryption to recipients in and outside Sweden.

Following the data breach notifications, IMY has initiated investigations of the region (both the regional board and the hospital board). One of the investigations concerns sensitive personal data and social security numbers sent via e-mail. This concerns e-mails with patient data that have been sent automatically to the relevant healthcare administrations within the region, and partly e-mails with patient data that have been sent manually to researchers and doctors within the region. The other investigation concerns how the University Hospital in Uppsala sends e-mails with patient data to patients and referrers in third countries, i.e. countries outside the EU.

Key Findings

FindingsThe Swedish DPA states in its two decisions that the region has not taken sufficient technical and organizational measures to ensure a security level that is appropriate in relation to the risks involved in the personal data processing. The processing of personal data in both cases took place in violation of the region's own guidelines


For the identified shortcomings in these investigations, the Swedish DPA issues an administrative fine of SEK 1.9 million against Region Uppsala.

For further information: https://www.imy.se/globalassets/dokument/beslut/2022/beslut-regionstyrelsen-region-uppsala.pdf


The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.