<p>GDPRhub - IMY (Sweden) - DI-2019-4062 (https://gdprhub.eu/index.php?title=IMY_(Sweden)_-_DI-2019-4062). Page created by Elisavet Dravalou, 2022-04-05.</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Sweden<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoSE.png<br />
|DPA_Abbrevation=IMY (Sweden)<br />
|DPA_With_Country=IMY (Sweden)<br />
<br />
|Case_Number_Name=DI-2019-4062<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=IMY's website<br />
|Original_Source_Link_1=https://www.imy.se/globalassets/dokument/beslut/2022/beslut-tillsyn-klarna.pdf<br />
|Original_Source_Language_1=Swedish<br />
|Original_Source_Language__Code_1=SV<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=27.03.2019<br />
|Date_Decided=28.03.2022<br />
|Date_Published=28.03.2022<br />
|Year=2022<br />
|Fine=7500000<br />
|Currency=SEK<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 5(2) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#2<br />
|GDPR_Article_3=Article 12(1) GDPR<br />
|GDPR_Article_Link_3=Article 12 GDPR#1<br />
|GDPR_Article_4=Article 13(1)(f) GDPR<br />
|GDPR_Article_Link_4=Article 13 GDPR#1f<br />
|GDPR_Article_5=Article 13(1)(c) GDPR<br />
|GDPR_Article_Link_5=Article 13 GDPR#1c<br />
|GDPR_Article_6=Article 13(1)(e) GDPR<br />
|GDPR_Article_Link_6=Article 13 GDPR#1e<br />
|GDPR_Article_7=Article 13(2)(a) GDPR<br />
|GDPR_Article_Link_7=Article 13 GDPR#2a<br />
|GDPR_Article_8=Article 13(2)(b) GDPR<br />
|GDPR_Article_Link_8=Article 13 GDPR#2b<br />
|GDPR_Article_9=Article 13(2)(f) GDPR<br />
|GDPR_Article_Link_9=Article 13 GDPR#2f<br />
|GDPR_Article_10=Article 14(2)(g) GDPR<br />
|GDPR_Article_Link_10=Article 14 GDPR#2g<br />
<br />
<br />
<br />
|Party_Name_1=Klarna Bank AB<br />
|Party_Link_1=https://www.klarna.com/se/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Elisavet Dravalou<br />
|<br />
}}<br />
<br />
The Swedish DPA (IMY) investigated Klarna Bank AB and fined it SEK 7.5 million for not providing concise and clear information to data subjects through its privacy notice.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Following an investigation by the Swedish DPA (IMY), initiated in March 2019, Klarna Bank AB was found not to provide concise and clear information to data subjects through the privacy notice on its website regarding the service offered via the Klarna app called "My economy". IMY fined Klarna SEK 7.5 million (approximately €720,000).<br />
<br />
=== Holding ===<br />
According to IMY, the privacy notice did not meet the following requirements:<br />
1. Description of purposes: after also examining the terms of service, IMY held that the purposes of processing regarding the service "My economy" were not clear.<br />
2. Recipients of personal data: IMY held that the information about recipients of personal data (credit report companies) was misleading, as it was not clear whether it concerned Swedish or foreign recipients.<br />
3. Transfers of personal data: IMY held that a mere statement that personal data will be transferred to third countries, without naming the exact countries of destination, is not adequate information for data subjects.<br />
4. Retention time: IMY held that Klarna neither provided adequate information on how long personal data will be stored nor information about the criteria used to decide such retention times. IMY also considered that the retention policy contained further purposes of processing not named in the relevant section, such as the recording of phone calls for quality and security check purposes.<br />
5. Data subject rights: IMY considered that this section was either not summarised properly (e.g. "Right to access: You can request a copy of your personal data if you want to know which information we hold about you. This information can be sent through a machine readable format (the so-called "data portability")") or did not include the exact circumstances under which an individual can exercise those rights.<br />
6. Automated decision making: IMY held that adequate information regarding the logic behind the automated decision making was not provided to individuals, such as whether Klarna has developed its own scoring system or which types of personal data have a decisive role in the automated decision making process.<br />
<br />
<br />
== Comment ==<br />
Klarna stated that they will appeal the decision. IMY cited the A29WP guidelines on transparency many times in its decision, and if you follow these guidelines to the letter, a data controller that is involved in complex processing activities will end up with a complex, lengthy and non-reader-friendly privacy notice, which is the exact opposite of what the GDPR requires. The question that arises here is where the balance lies between too little and too much information.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.<br />
<br />
<pre><br />
Record number: DI-2019-4062<br />
Date: 2022-03-28<br />
<br />
Decision after supervision according to the Data Protection Regulation - Klarna Bank AB<br />
<br />
Content<br />
<br />
The decision of the Integrity Protection Authority (p. 2)<br />
1 Report on the supervisory matter (p. 3)<br />
2 Motivation for decision (p. 4)<br />
2.1 Applicable provisions (p. 4)<br />
2.2 IMY's assessment of whether Klarna's Data Protection Information meets the requirements in Articles 5(1)(a), 5(2), 12, 13 and 14 of the Data Protection Regulation (p. 7)<br />
2.2.1 IMY's assessment of Klarna's information pursuant to Article 13(1)(c) (p. 7)<br />
2.2.2 IMY's assessment of Klarna's information pursuant to Article 13(1)(e) (p. 9)<br />
2.2.3 IMY's assessment of Klarna's information pursuant to Article 13(1)(f) (p. 11)<br />
2.2.4 IMY's assessment of Klarna's information pursuant to Article 13(2)(a) (p. 12)<br />
2.2.5 IMY's assessment of Klarna's information pursuant to Article 13(2)(b) (p. 14)<br />
2.2.6 IMY's assessment of Klarna's information pursuant to Articles 13(2)(f) and 14(2)(g) (p. 18)<br />
3 Choice of intervention (p. 22)<br />
3.1 Legal regulation (p. 22)<br />
3.2 Penalty fee (p. 23)<br />
How to appeal (p. 25)<br />
<br />
<br />
<br />
<br />
<br />
Postal address:<br />
Box 8114<br />
104 20 Stockholm<br />
<br />
Website:<br />
www.imy.se<br />
E-mail:<br />
imy@imy.se<br />
<br />
Phone:<br />
08-657 61 00<br />
<br />
The decision of the Integrity Protection Authority<br />
<br />
The Privacy Protection Authority (IMY) states that Klarna Bank AB (Klarna), during the period from 17 March 2020 to 26 June 2020, did not provide information on the purposes of, and the legal basis for, the processing of personal data regarding the service "My Finance". Klarna thus processed personal data in violation of Articles 5(1)(a), 5(2), 12(1) and 13(1)(c) of the Data Protection Regulation.<br />
<br />
IMY notes that Klarna, during the period 17 March to 26 June 2020, provided incomplete and misleading information about who the recipients of various categories of personal data were when such data were shared with Swedish and foreign credit reporting companies respectively. Klarna thus processed personal data in violation of Articles 5(1)(a), 5(2), 12(1) and 13(1)(e) of the Data Protection Regulation.<br />
<br />
IMY notes that Klarna, during the period 17 March to 26 June 2020, did not provide information on the countries outside the EU/EEA to which personal data were transferred, nor on where and how the individual could access or obtain documents concerning the safeguards applicable to the transfer to a third country. Klarna thereby processed personal data in breach of Articles 5(1)(a), 5(2), 12(1) and 13(1)(f) of the Data Protection Regulation.<br />
<br />
IMY notes that Klarna, during the period 17 March to 26 June 2020, provided incomplete information about the periods during which personal data would be stored and the criteria used to determine these periods. Klarna thereby processed personal data in breach of Articles 5(1)(a), 5(2), 12(1) and 13(2)(a) of the Data Protection Regulation.<br />
<br />
IMY notes that Klarna, during the period 17 March to 26 June 2020, provided insufficient information regarding the data subjects' rights, as follows:<br />
- the information provided about the right to request from the controller the erasure of personal data in accordance with Article 17 of the Data Protection Regulation did not comply with the requirement of transparency;<br />
- the information provided about the right to request from the controller the restriction of processing under Article 18 of the Data Protection Regulation did not comply with the requirement of transparency;<br />
- the information provided on the right to data portability in accordance with Article 20 of the Data Protection Regulation did not comply with the requirement of transparency;<br />
- the information provided on the right to object to the processing of personal data under Article 21 of the Data Protection Regulation did not comply with the requirement of transparency.<br />
Klarna thus processed personal data in violation of Articles 5(1)(a), 5(2), 12(1) and 13(2)(b) of the Data Protection Regulation.<br />
<br />
Footnote: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).<br />
<br />
IMY states that Klarna's Data Protection Information during the period 17 March to 26 June 2020 lacked meaningful information about the logic involved in, and the significance and foreseeable consequences of, automated decision-making, including profiling, pursuant to Article 22(1) of the Data Protection Regulation. Klarna thus processed personal data in breach of Articles 5(1)(a), 5(2), 12(1), 13(2)(f) and 14(2)(g) of the Data Protection Regulation.<br />
<br />
IMY decides, on the basis of Articles 58(2) and 83 of the Data Protection Regulation, that Klarna Bank AB must pay an administrative fine of SEK 7,500,000 (seven million five hundred thousand kronor).<br />
<br />
<br />
1 Report on the supervisory matter<br />
<br />
Klarna provides services that involve lending, as well as payment services that do not include lending, including payment initiation services and account information services. IMY has read Klarna's Data Protection Information, which is published on the company's Swedish website (https://www.klarna.com/se/). In connection with this, IMY has found that there is uncertainty about, among other things, for which purposes personal data are collected and processed and how the data are subsequently deleted.<br />
<br />
Article 5(1)(a) of the Data Protection Regulation states, inter alia, that personal data shall be processed in a transparent manner in relation to the data subject (the principle of transparency). It further follows from Article 5(2) that the controller shall be responsible for, and be able to demonstrate, compliance with the principles set out in Article 5(1) (the principle of accountability). IMY has initiated supervision of Klarna to investigate the extent to which Klarna's Data Protection Information meets these requirements. Within the framework of the supervision, IMY has examined how Klarna complies with the provisions on transparent information and communication under Article 12(1), the data subject's right to information under Articles 13 and 14, and the right to information on the right to object under Article 21(4). IMY has not taken a position on whether Klarna's processing of personal data otherwise complies with the Data Protection Regulation.<br />
<br />
Supervision has taken place through correspondence. The inspection began on 27 March 2019, when IMY sent a letter to Klarna with questions about the company's processing of personal data. The questions were based on the information Klarna provided about its processing of personal data in the Data Protection Information published on the company's Swedish website at that time. Klarna submitted an opinion on 26 April 2019. An annex was attached to the opinion with a summary of the purposes for which each category of personal data was processed, with an indication of the applicable retention period. Klarna then revised its Data Protection Information as of 19 July 2019. In view of Klarna's opinion and the company's revised Data Protection Information, IMY asked the company supplementary questions in a letter dated 1 August 2019. Klarna subsequently submitted an opinion on 27 September 2019. Klarna then revised its Data Protection Information as of 17 March 2020, and again on 26 June 2020.<br />
<br />
IMY has also obtained the terms of service for the account information service "My Finances", as Klarna in its first statement to IMY stated that the consumer accepts "Special conditions" for this service. IMY's assessment refers to Klarna's Data Protection Information as it was designed from 17 March 2020 to 26 June 2020, Appendix 1, and Klarna's Terms of Use as they were drafted on 2 April 2020, Appendix 2. IMY describes what Klarna has stated in its opinions, in relevant parts, below under the reasons for the decision.<br />
<br />
<br />
2 Grounds for the decision<br />
<br />
2.1 Applicable provisions<br />
<br />
Article 5(1)(a) of the Data Protection Regulation states, inter alia, that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency).<br />
<br />
It further follows from Article 5(2) that the controller shall be responsible for, and be able to demonstrate, compliance with the principles listed in Article 5(1) (accountability).<br />
<br />
It follows from Article 12(1) of the Data Protection Regulation that the controller shall take appropriate measures to provide the data subject with all information referred to in Articles 13 and 14 and all communications under Articles 15 to 22 and 34 relating to processing, in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.<br />
<br />
Article 13 of the Data Protection Regulation stipulates the information to be provided where personal data are collected from the data subject. Article 13(1) states that where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when the personal data are obtained, provide the data subject with the information set out in Article 13(1)(a) to (f). It follows from Article 13(2) that the controller, at the time when personal data are obtained, shall, in addition to the information referred to in paragraph 1, provide the data subject with the further information set out in Article 13(2)(a) to (f) which is necessary to ensure fair and transparent processing. According to Article 13(3), where the controller intends to further process the personal data for a purpose other than that for which they were collected, the controller shall, prior to that further processing, provide the data subject with information on that other purpose and with any relevant further information as referred to in paragraph 2. Article 13(4) states that paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.<br />
<br />
<br />
It follows from recital 39 that any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed, and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing, and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing.<br />
<br />
Recital 60 states that the principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give, in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.<br />
<br />
It follows from recital 61, inter alia, that the information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to that recipient.<br />
<br />
<br />
As regards the concept of profiling, this is defined in Article 4(4) as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.<br />
<br />
Article 22 regulates automated individual decision-making, including profiling. The provision states that the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. Examples of such decisions are given in recital 71, among others the automatic refusal of an online credit application. Exceptions to this prohibition apply if the decision is necessary for entering into, or performance of, a contract between the data subject and the controller, is authorised by Union or Member State law to which the controller is subject and which lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, or is based on the data subject's explicit consent. Where an exception applies in connection with a contract or on the basis of consent, the controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.<br />
<br />
<br />
Finally, the former Article 29 Working Party has developed guidelines on transparency, WP260 rev.01 (WP260), and on automated individual decision-making and profiling, WP251 rev.01 (WP251), which are described in relevant parts under IMY's assessments below. The European Data Protection Board (EDPB) has endorsed these guidelines. Initially, however, the following can be highlighted. The Article 29 Working Party emphasises in WP260 that transparency is an overarching obligation under the Data Protection Regulation which applies to three key areas: (i) how data subjects are informed about fair processing; (ii) how controllers communicate with data subjects in relation to their rights under the Data Protection Regulation; and (iii) how controllers facilitate the exercise by data subjects of their rights. Transparency is also an expression of the principle of fairness in the processing of personal data set out in Article 8 of the EU Charter of Fundamental Rights.<br />
<br />
<br />
Article 12 stipulates the form of the information provided to the data subject, namely a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.<br />
<br />
Article 13 of the Data Protection Regulation sets requirements for what information the controller must provide to the data subject where the personal data are collected from the data subject, and for when the information is to be provided, namely at the time when the personal data are obtained from the data subject.<br />
<br />
However, neither Article 12 nor Article 13 regulates in detail the form or location of the information provided to the data subject. WP260 states that the information should be published in, for example, data protection information made available on the controller's website. Furthermore, every page of the website should have a clearly visible direct link to the data protection information, which should have an appropriate heading (e.g. "Privacy", "Privacy Policy" or "Data protection notice"). The Article 29 Working Party therefore recommends, as best practice, that a link to the data protection information is provided, or that such information is provided on the same page as the personal data are obtained from, when personal data are collected online. Furthermore, the Article 29 Working Party considers that layered data protection information should be used if the controller has a website, so that visitors to the website can navigate to the specific parts of the data protection information that are of greatest interest to them. All the information addressed to the data subjects should, however, also be available to them in one and the same place or in a complete document (in digital or paper format), which data subjects can easily access if they want to read all the information addressed to them.<br />
<br />
<br />
The following also appears from the above-mentioned guideline, pp. 7-9:<br />
<br />
“The requirement that information provided or communicated to the data subjects shall<br />
<br />
being in a "concise, clear and distinct" form means that those responsible for personal data should<br />
present the information / communicate in an effective and concise way to avoid<br />
<br />
information exhaustion. The information should be clearly distinguished from other information such as<br />
does not relate to privacy, such as contractual terms or general terms of use. IN<br />
Internet contexts, layered privacy policies / privacy notices can do that<br />
<br />
possible for the data subjects to go directly to a certain part of<br />
the privacy policy / privacy statement they want to read, instead of scrolling through<br />
<br />
large amounts of text to find the part in question.<br />
<br />
The requirement that the information must be "comprehensible" means that it should be understandable by one<br />
<br />
average member of the intended target group. Comprehensibility is closely linked to<br />
the requirement of a clear and distinct language. A person responsible for personal data will receive knowledge, The Swedish Data Protection Agency Record number: DI-2019-4062 7 (25)<br />
Date: 2022-03-28<br />
<br />
<br />
<br />
<br />
<br />
<br />
about the persons about whom they collect information and can use it to<br />
<br />
determine what would probably be understandable to the target group […]<br />
<br />
An important aspect of the principle of transparency described in these provisions is that they<br />
<br />
registered in advance should be able to determine the purpose and consequences of<br />
treatment and that it should not come as a surprise to them at a later date<br />
stage how their personal data has been used. This is also an important aspect of<br />
<br />
the principle of fairness under Article 5 (1) of the Data Protection Regulation, where there is in fact a<br />
linked to recital 39, which states that natural persons “should be made aware of risks,<br />
<br />
rules, safeguards and rights in connection with the processing of<br />
personal data ”. In the case of complex, technical or unexpected data processing<br />
In particular, the Article 29 Working Party considers that data controllers are not the only ones<br />
<br />
should provide the information set out in Articles 13 and 14 (which<br />
dealt with later in these guidelines), without them even having to specify, in a separate section and<br />
in an unambiguous language, the most significant consequences of the treatment, with<br />
<br />
in other words, how the special treatment specified in a privacy policy / one<br />
privacy notice will actually affect the data subjects. In line with<br />
<br />
the principle of liability and recital 39, the data controllers should assess whether<br />
there are special risks for natural persons whose personal data are processed in one<br />
in such a way that the data subjects should be given attention. That way you can get one<br />
<br />
an overview of the types of treatments that could have the greatest impact on them<br />
registered fundamental rights and freedoms with regard to their protection<br />
personal data.<br />
<br />
<br />
"Easily accessible" means that the data subjects do not have to look for the information;<br />
it should be immediately clear to them where and how they can access the information;<br />
<br />
for example by giving the information directly or linking to the data subjects, by<br />
clear guidance or in response to a question from a natural person (eg in a<br />
<br />
privacy policy / a privacy statement in several layers online, in "Frequently asked questions", via<br />
contextual pop-ups that are activated when the registrants fill in one<br />
online form or in an interactive digital context via a chatbot interface etc [...]<br />
<br />
<br />
The requirement for clear and plain language means that the information should be provided in<br />
as simple a manner as possible and that complicated sentences and language structures should be<br />
avoided. The information should be concrete and definite; it should not be abstract or ambiguous<br />
or open to different interpretations. Above all, the purposes of, and the legal bases for, the<br />
processing of personal data should be clear."<br />
<br />
<br />
In the following, IMY assesses whether the requirements for transparency and information are met<br />
in the different parts of Klarna's Data Protection Information as it was designed during the<br />
period 17 March to 26 June 2020.<br />
<br />
<br />
2.2 IMY's assessment of whether Klarna's Data Protection Information<br />
meets the requirements of Articles 5 (1) (a), 5 (2), 12, 13 and 14 of<br />
the Data Protection Regulation<br />
<br />
<br />
2.2.1 IMY's assessment of Klarna's information pursuant to Article 13 (1) (c)<br />
<br />
<br />
<br />
Pursuant to Article 13 (1) (c) of the Data Protection Regulation, information must be provided on<br />
the purposes of the processing for which the personal data are intended as well as the legal<br />
basis for the processing.<br />
<br />
Integrity Protection Authority, Record number: DI-2019-4062, 8 (25), Date: 2022-03-28<br />
<br />
<br />
Klarna's Data Protection Information<br />
<br />
Section 2 of Klarna's Data Protection Information is entitled "What personal data do we use?".<br />
Section 2.2 is entitled "Information we collect about you" and its introductory paragraph<br />
reads: "Depending on which Services you choose to use, we may collect the following information<br />
about you, either from you yourself or through third parties (for example, credit bureaus,<br />
anti-fraud agencies, shops or public databases)". This is followed by a list of the information<br />
that "may" be concerned. The last item in the list reads: "Service-specific personal data - within<br />
the framework of some of our Services, we may collect and process additional personal data not<br />
covered by the categories above. See Section 4 below to find out what these additional personal<br />
data are for each Service.".<br />
<br />
<br />
Section 3 of the Data Protection Information is entitled "What personal data do we process, for<br />
what purpose, and on what legal basis?" and its introductory paragraph states: "Depending on<br />
which Services you use, Klarna may process your personal data for the purposes listed below,<br />
based on the legal bases set out for each purpose. You can see more specific information about<br />
how your personal data are processed in some of our Services in Section 4 below.". This is<br />
followed by a table with three columns, where the first column indicates the purpose of the<br />
processing, the second column the personal data processed and the third column the legal basis<br />
for the processing.<br />
<br />
<br />
Section 4 of the Data Protection Information is entitled "Specific processing of personal data in<br />
some of Klarna's Services" and its introductory paragraph reads: "This section describes certain<br />
processing of your personal data that is specific to a particular Service. To get more<br />
information about our Services and their functionality, see the terms of use for each Service.".<br />
<br />
<br />
IMY's assessment<br />
<br />
<br />
IMY notes that Section 4 of the Data Protection Information lacks clear information, as regards<br />
the service "My Finances", about the purposes of the processing for which the personal data are<br />
intended and about the legal basis for the processing, contrary to the requirement of<br />
Article 13 (1) (c) of the Data Protection Regulation. The service "My Finances" is mentioned in<br />
Section 4.4 of the Data Protection Information, which is entitled "Klarna's user experience<br />
provided in accordance with Klarna's Terms of Use". Under the subheading "Klarna app" it is<br />
stated that "If you use the Klarna app, personal data will be processed in order to provide the<br />
Services you choose to use inside the App, such as: [...]", followed by a list of different<br />
services in a bulleted list. One of these services is the "My Finances" service:<br />
<br />
<br />
"Your connected bank accounts (My Finances Service): Through this Service you get an overview of<br />
your entire finances, not just your transactions with Klarna, but also of connected accounts.<br />
When you choose to use this Service, Klarna will process information about the bank accounts and<br />
other accounts (such as card accounts) you choose to connect, and collect information such as<br />
account number, bank, historical transactions from connected accounts, as well as balances and<br />
assets. Based on that information, Klarna will visualize and give you tools to control your<br />
finances, using offers tailored to your specific situation (which may involve profiling as<br />
described in Section 6). This is done by comparing your expenses with the expenses of other<br />
users of the Service. Based on the comparison, we can, together with our partners, offer ways to<br />
minimize your fixed and variable costs."<br />
<br />
<br />
There is no information regarding the legal basis on which the processing of personal data<br />
regarding the service "My Finances" takes place. In addition, it is not clear from the<br />
information contained in the list in Section 4.4 of the Data Protection Information quoted above<br />
which specific personal data are processed within the framework of the service or the specific<br />
purposes of the processing for which the personal data are intended. IMY further notes that the<br />
service "My Finances" is not mentioned in Klarna's terms of use, which are generally available<br />
on Klarna's Swedish website, see Appendix 2 (Klarna's terms of use updated on 2 April 2020).<br />
Nor are any separate terms or separate data protection information regarding the service<br />
generally available on Klarna's Swedish website. This is notwithstanding that Klarna, on page 9<br />
of its first statement to IMY, dated 26 April 2019, has stated that the "My Finances" service<br />
is an account information service that is available in the Klarna app after acceptance of<br />
"Klarna's Terms of Use" and that the consumer also accepts "special terms" for the service.<br />
<br />
<br />
The special terms, "Terms of service for the My Finances service", can be read by the consumer<br />
when the service is accepted. As regards information about the processing of personal data under<br />
the Data Protection Regulation, the special terms only refer back to the Data Protection<br />
Information. The additional information that, according to Section 4 of the Data Protection<br />
Information, is supposed to appear in the special terms is thus missing.<br />
<br />
<br />
IMY considers that the information that Klarna provides about the purposes of the processing and<br />
the legal basis for the processing does not meet the requirements of Article 13 (1) (c) of the<br />
Data Protection Regulation. The information is neither concise, clear and plain nor easily<br />
accessible. It therefore does not meet the requirements of Article 12 (1) either.<br />
<br />
<br />
IMY considers that the infringement of Article 13 (1) (c) of the Data Protection Regulation,<br />
taking into account also the other infringements of Articles 13 and 14 set out in this decision,<br />
is so serious that it also constitutes an infringement of Articles 5 (1) (a) and 5 (2).<br />
<br />
<br />
IMY therefore finds that Klarna infringes Articles 5 (1) (a), 5 (2), 12 (1) and 13 (1) (c) of<br />
the Data Protection Regulation.<br />
<br />
<br />
2.2.2. IMY's assessment of Klarna's information pursuant to Article 13 (1) (e)<br />
<br />
<br />
<br />
Pursuant to Article 13 (1) (e), information shall be provided on the recipients or categories of<br />
recipients of the personal data, where applicable.<br />
<br />
<br />
Klarna's Data Protection Information<br />
<br />
In Section 7 of the Data Protection Information, Klarna informs about which parties the data<br />
subjects' personal data may be shared with. Section 7.4 describes how information is shared with<br />
credit reporting companies. The first paragraph states the following:<br />
<br />
<br />
7.4 Credit Information Agencies<br />
<br />
If you apply to use a Service that involves the provision of credit (see Section 4.1 above<br />
regarding which Services include credit), your personal data may be shared with credit bureaus<br />
for the following purposes: to assess your creditworthiness in connection with your application<br />
for one of Klarna's payment methods, to confirm your identity and contact information, and to<br />
protect you and other customers from fraud. Your phone number and address may also be shared<br />
with credit bureaus to enable them to send a notification of a credit report performed on you.<br />
Depending on the rules of the country where you live, a physical letter with information that a<br />
credit report has been made on you will be sent to you, or the letter is sent electronically.<br />
Your payment behavior may be reported back to the credit bureaus by Klarna, which may affect<br />
your future credit rating. When a credit bureau receives an inquiry for credit information from<br />
us, they may place a record on your profile, which may be seen by other companies providing<br />
credit. Credit bureaus may share your information with other organizations. The credit bureaus we<br />
collaborate with in Sweden are listed here.<br />
<br />
<br />
On pages 21-22 of its second statement to IMY, dated 27 September 2019, Klarna specified the<br />
meaning of the information.<br />
<br />
<br />
Klarna states, regarding information relating to identification, that the information shared<br />
with credit reporting companies for the purposes set out in the first paragraph varies depending<br />
on whether the consumer is shopping in a country that has social security numbers or not. In<br />
countries where social security numbers exist, Klarna only shares the consumer's social security<br />
number with credit reporting companies for the stated purpose (identification). Klarna does not<br />
need to share personal data such as address and phone number with credit reporting companies in<br />
Sweden in order to identify the data subject. In countries where social security numbers do not<br />
exist, Klarna usually needs to share the consumer's name, address, date of birth and telephone<br />
number with credit reporting companies for the stated purposes.<br />
<br />
<br />
With regard to the disclosure of information about the data subject's payment behavior, Klarna<br />
states that information about payment behavior is not reported to Swedish credit reporting<br />
companies. Whether, and to what extent, Klarna reports payment behavior back to credit reporting<br />
companies in the other countries where Klarna offers its services varies depending on each<br />
country's legislation and the agreement Klarna has with the respective credit reporting company.<br />
<br />
IMY's assessment<br />
<br />
<br />
IMY notes that the information in the Data Protection Information refers to the disclosure of<br />
personal data to both Swedish and foreign credit reporting companies. Which type of information<br />
is provided to Swedish and to foreign credit reporting companies respectively is not stated.<br />
<br />
<br />
IMY considers that the information that Klarna provides about how information is shared with<br />
credit reporting companies does not meet the requirement of transparency. The information is<br />
incomplete and does not explain what information is provided to Swedish and to foreign credit<br />
reporting companies respectively. The data subject may, among other things, be led to believe<br />
that information on payment behavior at Klarna is disclosed to, and registered by, Swedish<br />
credit reporting companies. This is directly misleading.<br />
<br />
<br />
IMY considers that the information that Klarna provides about the categories of recipients that<br />
will have access to the personal data does not meet the requirements of Article 13 (1) (e) of<br />
the Data Protection Regulation. The information is neither concise, clear and plain nor easily<br />
accessible. It therefore does not meet the requirements of Article 12 (1) either.<br />
<br />
<br />
IMY considers that the infringement of Article 13 (1) (e) of the Data Protection Regulation,<br />
taking into account also the other infringements of Articles 13 and 14 set out in this decision,<br />
is so serious that it also constitutes an infringement of Articles 5 (1) (a) and 5 (2).<br />
<br />
<br />
IMY therefore finds that Klarna infringes Articles 5 (1) (a), 5 (2), 12 (1) and 13 (1) (e) of<br />
the Data Protection Regulation.<br />
<br />
2.2.3. IMY's assessment of Klarna's information pursuant to Article 13 (1) (f)<br />
<br />
<br />
<br />
<br />
According to Article 13 (1) (f), information must be provided that the data controller intends<br />
to transfer personal data to a third country or an international organization, and whether or<br />
not a Commission decision on an adequate level of protection exists or, in the case of the<br />
transfers referred to in Article 46, Article 47 or the second subparagraph of Article 49 (1),<br />
reference to the appropriate or suitable safeguards and how a copy of them can be obtained or<br />
where they have been made available.<br />
<br />
Klarna's Data Protection Information<br />
<br />
<br />
Section 8 of the Data Protection Information is entitled "Where do we process your personal<br />
data?" and it reads as follows:<br />
<br />
"We always strive to process your personal data within the EU / EEA. In some situations, such<br />
as when we share your information within the Klarna Group or with a supplier or subcontractor<br />
with operations outside the EU / EEA, your personal data may however be processed outside the<br />
EU / EEA. If the store you shop at is outside the EU / EEA, our sharing with the store will also<br />
mean that your data are transferred outside the EU / EEA.<br />
<br />
<br />
We ensure that an adequate level of protection exists, and that appropriate safeguards are<br />
taken in accordance with applicable data protection requirements, such as the GDPR, when we<br />
transfer your data outside the EU / EEA. These safeguards consist of ensuring that the third<br />
country to which the data are transferred is the subject of a Commission decision that there is<br />
an adequate level of protection, that the European Commission's standard clauses have been<br />
entered into between Klarna and the recipient, or that the recipient is registered under the<br />
so-called US Privacy Shield procedure."<br />
<br />
<br />
IMY's assessment<br />
<br />
<br />
The comments of the Article 29 Working Party on the information requirement in the Guidelines on<br />
transparency, pages 39-40 of WP260, state the following regarding Article 13 (1) (f):<br />
<br />
<br />
"Information should be provided on the relevant article of the Data Protection Regulation for the<br />
transfer and the associated mechanism (e.g. decision on an adequate level of protection under<br />
Article 45 / binding corporate rules under Article 47 / standard data protection clauses under<br />
Article 46 (2) / derogations and safeguards under Article 49, etc.). Furthermore, information<br />
should be provided on where and how the document in question can be accessed or obtained, for<br />
example by linking to the mechanism used. In accordance with the principle of fairness, the<br />
information provided on transfers to third countries should be as meaningful as possible for the<br />
data subjects. This generally means that the names of the third countries must be indicated."<br />
<br />
<br />
IMY notes that Klarna's Data Protection Information lacks information on where and how the<br />
individual can access or obtain the documents regarding the safeguards for the transfers<br />
described in the Data Protection Information. Furthermore, information is lacking on which<br />
countries outside the EU / EEA personal data are transferred to, in accordance with the Article 29<br />
Working Party's recommendation above.<br />
<br />
<br />
IMY considers that the information that Klarna provides about the controller's intention to<br />
transfer personal data to a third country and whether or not a Commission decision on an<br />
adequate level of protection exists or, in the case of transfers referred to in Article 46,<br />
Article 47 or the second subparagraph of Article 49 (1), about the appropriate or suitable<br />
safeguards and how a copy of them can be obtained or where they have been made available, does<br />
not meet the requirements of Article 13 (1) (e) of the Data Protection Regulation. The<br />
information is neither concise, clear and plain nor easily accessible. It therefore does not<br />
meet the requirements of Article 12 (1) either.<br />
<br />
<br />
IMY considers that the infringement of Article 13 (1) (f) of the Data Protection Regulation,<br />
taking into account also the other infringements of Articles 13 and 14 set out in this decision,<br />
is so serious that it also constitutes an infringement of Articles 5 (1) (a) and 5 (2).<br />
<br />
IMY therefore finds that Klarna infringes Articles 5 (1) (a), 5 (2), 12 (1) and 13 (1) (f) of<br />
the Data Protection Regulation.<br />
<br />
<br />
2.2.4. IMY's assessment of Klarna's information pursuant to Article 13 (2) (a)<br />
<br />
<br />
<br />
According to Article 13 (2) (a), information shall be provided on the period for which the<br />
personal data will be stored or, if this is not possible, the criteria used to determine this<br />
period.<br />
<br />
<br />
Klarna's Data Protection Information<br />
<br />
<br />
Section 9 of the Data Protection Information is entitled "How long do we keep your personal<br />
data?" and it reads as follows:<br />
<br />
<br />
"We will process your personal data for the period of time needed to fulfil the respective<br />
purpose of our processing. These purposes are presented in this Data Protection Information.<br />
This means that when we stop processing your personal data for a specific purpose, we may still<br />
retain the data for as long as the data are needed for other purposes, but then only for<br />
processing in accordance with the remaining purposes. In particular:<br />
<br />
As long as you have accepted Klarna's Terms of Use and until you have terminated them (by<br />
contacting us or by instructing us to remove your personal data through a request to be<br />
deleted), we will process the personal data we need to provide our Services to you, which<br />
includes information about your previous purchases.<br />
<br />
We process personal data in credit reports for the purpose of reassessing your creditworthiness<br />
for up to 90 days from the time the credit report was obtained.<br />
<br />
We process information about debts for the purpose of assessing your creditworthiness for a<br />
period of three (3) years after the debt has been settled, which takes place either through<br />
payment of the debt or through the debt being written off or sold.<br />
<br />
We process recorded telephone calls to Klarna's customer service for up to 90 days from the day<br />
of the recording.<br />
<br />
We process personal data for the purpose of complying with applicable legislation, such as<br />
consumer law, banking and anti-money laundering legislation, and accounting rules. Depending on<br />
the applicable law, your personal data may be stored for up to ten years after the termination<br />
of the customer relationship."<br />
<br />
<br />
<br />
IMY's assessment<br />
<br />
<br />
The comments of the Article 29 Working Party on the information requirement in the Guidelines on<br />
transparency, page 40 of WP260, state the following regarding Article 13 (2) (a):<br />
<br />
<br />
"This is linked to the requirement of data minimization in Article 5 (1) (c) and of storage<br />
limitation in Article 5 (1) (e). The retention period (or the criteria used to determine it)<br />
may be dictated by factors such as statutory requirements or industry guidelines, but it should<br />
be phrased in such a way that the data subject, based on their own situation, can assess the<br />
retention period for specific data / purposes. It is not sufficient for the controller to state<br />
generically that the personal data are kept for as long as necessary for the legitimate purposes<br />
of the processing. Where relevant, different retention periods should be stated for different<br />
categories of personal data and / or different processing purposes, including archiving periods<br />
where appropriate."<br />
<br />
<br />
Klarna has, on page 13 of its first statement to IMY, dated 26 April 2019, stated that the<br />
purposes for which each category of personal data is processed, with the applicable storage<br />
period, are set out in an appendix that has been submitted to IMY. The appendix consists of a<br />
table with three columns, where the left-hand column shows the purposes of the processing based<br />
on the description in the Data Protection Information (at that time), the middle column states<br />
the time for which Klarna processes the category of personal data in question for the purpose<br />
in question, i.e. the storage period, and the right-hand column gives comments on whether<br />
special conditions apply to the processing for more specific purposes or more specific<br />
personal data. It is apparent from this that Klarna processes and stores personal data for more<br />
purposes than those set out in Section 9 of Klarna's Data Protection Information. It is<br />
apparent, among other things, that personal data are processed and stored for research purposes<br />
for two years.<br />
<br />
<br />
Furthermore, Klarna has, on pages 13-14 of the above-mentioned statement, stated that, in<br />
addition to the purposes set out in the said appendix, Klarna processes personal data within the<br />
framework of Klarna's customer service as follows:<br />
<br />
"Incoming telephone calls are recorded for quality and security reasons. The recordings are<br />
saved for this purpose for 3 months, after which they are deleted.<br />
<br />
Incoming and outgoing e-mails are retained for 7 years from the time the message was received or<br />
sent.<br />
<br />
Information that an individual consumer has chosen to block himself from using Klarna's credit<br />
products is saved in order to handle the block until the consumer himself announces that he<br />
wishes to lift the block (i.e. as a starting point, until further notice).<br />
<br />
Notes relating to a dispute or other types of disputes are kept for 10 years from the time the<br />
case was closed. The reason for this is that a consumer may at a later stage contact Klarna in<br />
the same or a similar matter. The time period is based on the limitation period under the<br />
Statute of Limitations (1981:130).<br />
<br />
Notes of other kinds than the above are kept for 5 years from the time of registration, i.e.<br />
from the time the note was made. The reason for this is that a consumer may at a later stage<br />
contact Klarna in the same or a similar matter."<br />
<br />
<br />
<br />
<br />
Of these purposes and retention periods, only the information on the retention of incoming<br />
telephone calls for quality and security reasons for three months is found in Section 9 of<br />
Klarna's Data Protection Information.<br />
<br />
<br />
In light of the above, IMY considers that the information in Klarna's Data Protection<br />
Information does not comply with the requirement of Article 13 (2) (a) of the Data Protection<br />
Regulation that information must be provided about the period for which the personal data will<br />
be stored or the criteria used to determine this period, since Klarna's statement and the<br />
appendix mentioned above clearly show that Klarna processes personal data for more purposes and<br />
has more detailed storage periods, as well as criteria used to determine these periods, which<br />
are not set out in Section 9 of the Data Protection Information.<br />
<br />
IMY considers that the information that Klarna provides about the period for which the personal<br />
data will be stored or, if this is not possible, the criteria used to determine this period does<br />
not meet the requirements of Article 13 (2) (a). The information is neither concise, clear and<br />
plain nor easily accessible. It therefore does not meet the requirements of Article 12 (1)<br />
either.<br />
<br />
<br />
IMY considers that the infringement of Article 13 (2) (a) of the Data Protection Regulation,<br />
taking into account also the other infringements of Articles 13 and 14 set out in this decision,<br />
is so serious that it also constitutes an infringement of Articles 5 (1) (a) and 5 (2).<br />
<br />
<br />
IMY therefore finds that Klarna infringes Articles 5 (1) (a), 5 (2), 12 (1) and 13 (2) (a) of<br />
the Data Protection Regulation.<br />
<br />
<br />
2.2.5. IMY's assessment of Klarna's information pursuant to Article 13 (2) (b)<br />
<br />
<br />
<br />
Pursuant to Article 13 (2) (b), information shall be provided on the existence of the right to<br />
request from the controller access to and rectification or erasure of personal data or<br />
restriction of processing concerning the data subject, or to object to processing, as well as<br />
the right to data portability.<br />
<br />
<br />
It follows from the Article 29 Working Party's Guidelines on transparency, WP260 (pp. 27-28),<br />
that transparency entails three obligations for the controller with regard to the data<br />
subjects' rights:<br />
<br />
<br />
"• To inform data subjects of their rights (in accordance with the requirements of<br />
Articles 13 (2) (b) and 14 (2) (c)).<br />
<br />
• To observe the principle of transparency (i.e. in terms of the quality of communication under<br />
Article 12 (1)) when communicating with data subjects about their rights under Articles 15 to<br />
22 and Article 34.<br />
<br />
• To facilitate the exercise of data subjects' rights under Articles 15 to 22.<br />
<br />
The requirements of the Data Protection Regulation regarding the exercise of these rights and<br />
the type of information required are intended to give the data subjects a meaningful opportunity<br />
to assert their rights and to hold the controllers accountable for the processing of their<br />
personal data. Recital 59 emphasizes that procedures should be provided "which make it easier<br />
for data subjects to exercise their rights" and that the controllers should also "provide means<br />
for requests to be submitted electronically, especially in cases where personal data are<br />
processed electronically". The procedure that a controller establishes for the data subjects to<br />
be able to exercise their rights should be appropriate to the scope and type of the relationship<br />
and the interaction that exists between the controller and the data subject. A controller may<br />
therefore wish to establish one or more different procedures for the exercise of rights which<br />
reflect the different ways in which the data subjects interact with the controller."<br />
<br />
<br />
In addition, the Article 29 Working Party makes the following comments on the information<br />
requirement in Guidelines WP260 (pp. 40-41) concerning Article 13 (2) (b):<br />
<br />
<br />
"This information should be specific to the processing in question and include a summary of<br />
what the right entails, how the data subject can proceed to exercise it and the limitations to<br />
which the right may be subject (see paragraph 68 above). In particular, the right to object to<br />
processing must be expressly brought to the data subject's attention at the latest at the time<br />
of the first communication with the data subject and be presented clearly and separately from<br />
any other information. [...]"<br />
<br />
<br />
IMY notes that there is a special section in the Data Protection Information, Section 10, which<br />
is entitled "Your rights in relation to your personal data" and which in turn refers to some<br />
extent to other sections of the Data Protection Information. However, IMY considers that the<br />
Data Protection Information provides incomplete information regarding the data subjects' rights,<br />
in breach of Article 13 (2) (b) of the Data Protection Regulation, as follows.<br />
<br />
<br />
The right to erasure<br />
<br />
<br />
Regarding the right to erasure (Article 17), Section 10 of the Data Protection Information<br />
states: "The right to be deleted. You have the right to request deletion of your personal data,<br />
for example when it is no longer necessary to process the data for the purpose for which they<br />
were collected, or if you withdraw your consent. As described in Sections 3 and 9 above, however,<br />
Klarna needs to comply with certain laws that prevent us from immediately deleting certain<br />
information."<br />
<br />
<br />
IMY considers that this wording does not summarize the meaning of the right in a transparent<br />
way. According to Article 17 of the Data Protection Regulation, the data subject has the right<br />
to have his or her personal data erased by the controller, which is, however, not an absolute<br />
right. On the one hand, the article in question lists the cases in which the controller is<br />
obliged to erase personal data without undue delay, and on the other hand there are certain<br />
exceptions to this obligation where the processing is necessary in some cases. It is not clear<br />
how this right relates to the right to object under Article 21. As the information regarding<br />
this right is worded in the Data Protection Information, it gives an unclear picture of what<br />
the right entails and in which cases it applies. The fact that it refers to the general<br />
Sections 3 and 9 of the Data Protection Information makes it even less clear. IMY considers<br />
that the infringement of Article 13 (2) (b) with regard to the requirement to provide<br />
information on the right to erasure, taking into account also the other infringements of<br />
Articles 13 and 14 set out in this decision, is so serious that it also constitutes an<br />
infringement of Articles 5 (1) (a) and 5 (2). IMY further considers that Klarna also does not<br />
meet the requirements for complete and clear information set out in Article 12 (1).<br />
<br />
<br />
IMY therefore considers that the information in this part of the Data Protection Information<br />
does not comply with the requirement of transparency, in particular in the light of the above<br />
statements in the Guidelines on transparency, and thus finds that Klarna infringes Articles<br />
5(1)(a), 5(2), 12(1) and 13(2)(b) of the Data Protection Regulation.<br />
<br />
<br />
The right to restriction<br />
<br />
Regarding the right to restriction (Article 18), IMY finds that information about this right is<br />
missing from the Data Protection Information. Section 10 of the Data Protection Information<br />
does, however, contain the following information: "Right to object to the processing of your<br />
personal data or to object to our processing. If you consider that your personal data are<br />
incorrect or have been processed in breach of applicable law, you have the right to ask us to<br />
stop the processing. You can also object to our processing when you consider that there are<br />
circumstances that prevent the processing from being carried out in accordance with applicable<br />
rules. Furthermore, you can always object to us using your information for marketing."<br />
<br />
<br />
IMY considers that the information provided is both incorrect and incomplete in relation to how<br />
the right is set out in Article 18 of the Data Protection Regulation. It thus does not<br />
summarise the right in a way that enables data subjects to understand what it means, which in<br />
turn makes it difficult for data subjects to exercise their rights. In addition to being<br />
incomplete, the information also mixes in the right to object to certain processing<br />
(marketing), without elaborating on what that right entails or in which situations it may be<br />
invoked (cf. Article 18(1)(d) and its reference to Article 21(1)). IMY considers that the<br />
infringement of Article 13(2)(b) with regard to the requirement to provide information on the<br />
right to restriction, taking into account also the other infringements of Articles 13 and 14<br />
set out in this decision, is so serious that it also infringes Articles 5(1)(a) and 5(2). IMY<br />
further considers that Klarna also does not meet the requirement for clear and plain<br />
information set out in Article 12(1).<br />
<br />
<br />
IMY therefore considers that the information on the right to restriction does not comply with<br />
the requirement of transparency, in particular in the light of the statements of the Article 29<br />
Working Party above, and thus finds that Klarna infringes Articles 5(1)(a), 5(2), 12(1) and<br />
13(2)(b) of the Data Protection Regulation.<br />
<br />
<br />
The right to data portability<br />
<br />
<br />
Regarding the right to data portability (Article 20), Section 10 of the Data Protection<br />
Information states: "Right to access your data. You can request a copy of your personal data if<br />
you want to know what information we hold about you. This copy can also be transmitted in a<br />
machine-readable format (so-called "data portability")."<br />
<br />
<br />
IMY does not consider that information about the right has been provided in a transparent<br />
manner, partly because it has been included under the right of access even though data<br />
portability is a separate right under Article 20 of the Data Protection Regulation, and partly<br />
because it has not been summarised in a clear way that enables data subjects to understand what<br />
the right entails. Under Article 20, the data subject is entitled to receive the personal data<br />
concerning him or her in a structured, commonly used and machine-readable format, and has the<br />
right to transmit those data to another controller under certain conditions. IMY assesses that<br />
the infringement of Article 13(2)(b) with regard to the requirement to provide information on<br />
the right to data portability, taking into account also the other infringements of Articles 13<br />
and 14 set out in this decision, is so serious that it also infringes Articles 5(1)(a) and<br />
5(2). IMY further considers that Klarna also does not meet the requirement for clear and plain<br />
information set out in Article 12(1).<br />
<br />
<br />
IMY therefore considers that the information regarding the right to data portability does not<br />
comply with the requirement of transparency, in particular in the light of the statements of<br />
the Article 29 Working Party above, and finds that Klarna infringes Articles 5(1)(a), 5(2),<br />
12(1) and 13(2)(b) of the Data Protection Regulation.<br />
<br />
<br />
The right to object<br />
<br />
<br />
With regard to the right to object (Article 21), IMY finds that complete information about this<br />
right is missing from the Data Protection Information. Section 10 of the Data Protection<br />
Information contains the following information, inserted in the information quoted above under<br />
"Right to object to the processing of your personal data or to object to our processing":<br />
"You can also object to our processing when you consider that there are circumstances which<br />
mean that the processing is not carried out in accordance with applicable rules." Section 10 of<br />
the Data Protection Information also contains the following information: "Right to object to an<br />
automated decision. You have the right to object to an automated decision made by Klarna if this<br />
decision has legal consequences or constitutes a decision which similarly significantly affects<br />
you. See Section 6 above on how Klarna uses this form of automated decision-making."<br />
<br />
<br />
In addition, Section 3 of the Data Protection Information contains the following information on<br />
the processing of personal data for the purpose of conducting customer satisfaction surveys<br />
about Klarna's services: "You can object to this at any time. You will also receive information<br />
on how to unsubscribe from this each time you are contacted for this purpose." Section 6, on<br />
Klarna's profiling and automated decision-making, also contains the following information:<br />
"Predict which marketing may be of interest to you. You can always object to this and<br />
unsubscribe from marketing and this profiling by contacting us. For more information about our<br />
processing of personal data to provide marketing, see Section 3 above;", and "You always have<br />
the right to object to an automated decision with legal consequences or a decision that<br />
similarly significantly affects you (together with the associated profiling) by contacting us<br />
at the e-mail address in Section 13. In such cases an employee at Klarna will review your case."<br />
<br />
<br />
Under Article 21, the data subject has the right to object in several different situations. It<br />
follows from Article 21(1) that the data subject has the right to object at any time to the<br />
processing of personal data concerning him or her which is based on Article 6(1)(e) (public<br />
interest) or (f) (legitimate interest / balancing of interests), including profiling based on<br />
those provisions. The controller may then no longer process the personal data unless it<br />
demonstrates compelling legitimate grounds for the processing which override the interests,<br />
rights and freedoms of the data subject, or for the establishment, exercise or defence of legal<br />
claims.<br />
<br />
<br />
IMY finds that the Data Protection Information as a whole lacks information about the right to<br />
object to the processing of personal data based on Article 6(1)(f) of the Data Protection<br />
Regulation, including profiling based on that provision, despite the fact that Klarna, for<br />
several different processing operations described in Section 3 of the Data Protection<br />
Information, states that this is one of the legal bases applied and that profiling takes place.<br />
The profiling is described in more detail in Section 6 of the Data Protection Information, but<br />
even there there is no information about the right to object under Article 21(1). IMY considers<br />
that the infringement of Article 13(2)(b) with regard to the requirement to provide information<br />
on the right to object, taking into account also the other infringements of Articles 13 and 14<br />
set out in this decision, is so serious that it also infringes Articles 5(1)(a) and 5(2). IMY<br />
further considers that Klarna also does not meet the requirement for clear and plain<br />
information set out in Article 12(1).<br />
<br />
<br />
IMY therefore considers that the information regarding the right to object in the Data<br />
Protection Information does not comply with the requirement of transparency and thus finds that<br />
Klarna infringes Articles 5(1)(a), 5(2), 12(1) and 13(2)(b) of the Data Protection Regulation.<br />
<br />
<br />
2.2.6. IMY's assessment of Klarna's information pursuant to Articles 13(2)(f) and 14(2)(g)<br />
<br />
<br />
<br />
According to Articles 13(2)(f) and 14(2)(g), information shall be provided on the existence of<br />
automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at<br />
least in those cases, meaningful information about the logic involved, as well as the<br />
significance and the envisaged consequences of such processing for the data subject.<br />
<br />
<br />
Applicable regulation<br />
<br />
<br />
The Article 29 Working Party's Guidelines WP260 (pp. 22-23) state that information on the<br />
existence of automated decision-making, including profiling, referred to in Article 22(1) and<br />
(4), as well as meaningful information about the logic involved and the significance and the<br />
envisaged consequences of the processing for the data subject, forms part of the mandatory<br />
information that must be provided to the data subject under Articles 13(2)(f) and 14(2)(g). In<br />
the Guidelines WP251 on automated individual decision-making and profiling, the Article 29<br />
Working Party has described how transparency should be applied specifically to profiling.<br />
WP251 (p. 10) emphasises the following:<br />
<br />
<br />
The profiling process is often invisible to the data subject. It works by creating derived or<br />
inferred data about individuals. These are "new" personal data that have not been provided<br />
directly by the data subjects themselves. Individuals have differing levels of comprehension<br />
of how the process works and may find it difficult to understand the complex techniques used in<br />
profiling and automated decision-making.<br />
<br />
<br />
According to Article 12(1), the controller shall provide data subjects with information on the<br />
processing of their personal data in a concise, transparent, intelligible and easily accessible<br />
form.<br />
<br />
<br />
According to Article 22(1), the data subject shall have the right not to be subject to a<br />
decision based solely on automated processing, including profiling, which produces legal<br />
effects concerning him or her or similarly significantly affects him or her. Such automated<br />
decision-making is permitted only if one of the exceptions provided for in Article 22(2)<br />
applies. That is the case where the decision is necessary for entering into, or performance<br />
of, a contract between the data subject and the controller, is authorised by Union or Member<br />
State law to which the controller is subject and which lays down suitable measures to<br />
safeguard the data subject's rights and freedoms and legitimate interests, or is based on the<br />
data subject's explicit consent.<br />
<br />
<br />
The following is emphasised in WP251 (p. 17):<br />
<br />
<br />
Given the core principle of transparency underpinning the Data Protection Regulation,<br />
controllers must ensure that they explain clearly and simply to individuals how the profiling<br />
or automated decision-making process works.<br />
<br />
In particular, where the processing involves profiling-based decision-making (irrespective of<br />
whether it is caught by the provisions of Article 22), it must be made clear to the data<br />
subject that the processing is for the purposes of both a) profiling and b) making a decision<br />
based on the profile generated.<br />
<br />
Recital 60 states that giving information about profiling is part of the controller's<br />
transparency obligations under Article 5(1)(a). The data subject has a right to be informed by<br />
the controller about "profiling" and, in certain circumstances, a right to object to<br />
"profiling", regardless of whether solely automated individual decision-making based on<br />
profiling takes place.<br />
<br />
<br />
The data subject's right to information under Articles 13(2)(f) and 14(2)(g) is addressed in<br />
WP251 (p. 26):<br />
<br />
<br />
Given the potential risks to the rights of data subjects and the conclusions that can be drawn<br />
from profiling covered by Article 22, controllers should be particularly mindful of their<br />
obligation to ensure transparency in the processing. Under Articles 13(2)(f) and 14(2)(g),<br />
controllers shall provide easily accessible information about automated decision-making based<br />
solely on automated processing, including profiling, which produces legal or similarly<br />
significant effects. If the controller makes automated decisions as described in Article 22(1),<br />
it must:<br />
<br />
tell the data subject that it is engaging in this type of activity;<br />
<br />
provide meaningful information about the logic involved; and<br />
explain the significance and the envisaged consequences of the processing.<br />
<br />
<br />
Providing this information also helps controllers to ensure that they comply with some of the<br />
required safeguards referred to in Article 22(3) and recital 71.<br />
<br />
<br />
If the automated decision-making and profiling does not meet the definition in Article 22(1),<br />
it is nevertheless good practice to provide the above information. In any event, the controller<br />
must provide sufficient information to the data subject for the processing to be fair and to<br />
meet all the other information requirements of Articles 13 and 14.<br />
<br />
<br />
…<br />
<br />
<br />
The controller should try to explain in a simple way the rationale behind, or the criteria<br />
relied on in reaching, the decision. The Data Protection Regulation requires the controller to<br />
provide meaningful information about the logic involved, not necessarily a complex explanation<br />
of the algorithms used or disclosure of the full algorithm. The information provided should,<br />
however, be sufficiently comprehensive for the data subject to understand the reasons for the<br />
decision.<br />
<br />
<br />
Klarna's Data Protection Information<br />
<br />
Section 6 of Klarna's Data Protection Information states the following:<br />
<br />
<br />
Decisions with legal consequences or decisions that similarly significantly affect you<br />
<br />
<br />
Automated decisions with legal consequences or automated decisions that similarly significantly<br />
affect you means that certain decisions in our Services are taken solely automatically, without<br />
the involvement of our employees, and may have a significant effect on you as a customer,<br />
comparable to legal consequences. By taking such decisions automatically, Klarna increases<br />
objectivity and transparency in decisions when we offer these Services.<br />
<br />
<br />
We use this type of automated decision-making when we:<br />
<br />
decide to approve your application to use a Service that includes credit;<br />
decide not to approve your application to use a Service that includes credit;<br />
decide whether you pose a fraud or money laundering risk, if our processing shows that your<br />
behaviour indicates money laundering or fraudulent behaviour, that your behaviour is not<br />
consistent with previous use of our Services, or that you have attempted to conceal your true<br />
identity. In relevant cases, Klarna also investigates whether specific customers are listed on<br />
sanctions lists.<br />
<br />
<br />
See Section 3 for more information on which categories of personal data are processed for these<br />
purposes.<br />
<br />
Section 3 of the Data Protection Information provides the following information regarding<br />
credit assessment (purpose, categories of data, legal basis for the processing):<br />
<br />
<br />
Purpose: Perform a credit check before credit is granted (see Section 4.1 on Klarna's Services<br />
that involve credit and Section 7.4 on how we collaborate with credit bureaus).<br />
Categories of data: Contact and identification information, financial information and<br />
information on how you interact with Klarna.<br />
Legal basis: Compliance with the law, where the credit in question is regulated by law. For<br />
credit that is provided and not regulated by law, the processing is carried out in order to be<br />
able to fulfil the credit agreement.<br />
<br />
<br />
In its reply to IMY of 26 April 2019, Klarna specified which categories of data are processed in<br />
connection with automated decisions, including profiling, for credit assessment purposes:<br />
<br />
<br />
Information collected from the consumer or generated by Klarna<br />
<br />
<br />
Personal and contact information (such as name, address, personal identity number / date of<br />
birth and e-mail address). Source: provided by the consumer at the time of purchase.<br />
Information about how the consumer has interacted with Klarna (for example outstanding debt,<br />
whether the consumer has chosen to block himself or herself from Klarna's services or has been<br />
suspended due to abuse). Source: the consumer's previous relationship with Klarna.<br />
Klarna's internal credit score (reported in answer 4 above).<br />
Outcome of Klarna's internal fraud check (i.e. "yes", "no" or "additional verification<br />
required"). Source: the consumer's previous relationship with Klarna, information provided by<br />
the consumer at the time of purchase, or information collected by Klarna in connection with it.<br />
<br />
<br />
<br />
Data collected from external suppliers<br />
<br />
<br />
Personal and contact information (external verification of the consumer and his or her address,<br />
as well as external information about the holder of the telephone number provided). Source:<br />
external supplier.<br />
Financial information (external credit information, such as income, payment defaults or debt<br />
restructuring). Source: external supplier.<br />
Outcome of Klarna's internal fraud check (i.e. "yes", "no" or "additional verification<br />
required"). Source: external supplier.<br />
<br />
<br />
<br />
IMY's assessment<br />
<br />
<br />
IMY finds that Klarna's Data Protection Information lacks meaningful information about the<br />
logic involved, as well as the significance and the envisaged consequences of such processing<br />
for the data subject. The Data Protection Information only shows that certain types of<br />
information are used in connection with the automated decision (contact and identification<br />
information, financial information and information on how you interact with Klarna).<br />
<br />
<br />
It is not apparent that Klarna uses its own internal scoring model based, among other things,<br />
on both internal and external financial information, nor which types of information are<br />
included in the financial information, for example information on debts to other lenders. No<br />
information is given about which circumstances may be decisive for a negative credit decision.<br />
<br />
<br />
IMY considers that the requirement to provide meaningful information about the logic involved<br />
in an automated credit decision includes information about which categories of information are<br />
decisive in an internal scoring model, and whether there are conditions that always lead to a<br />
rejection within the decision support that the controller uses.<br />
<br />
<br />
IMY does not consider that the information on automated credit decisions is provided in an<br />
easily accessible way. The individual consumer should be given this type of hard-to-understand<br />
information in one place rather than scattered across different parts of the Data Protection<br />
Information.<br />
<br />
<br />
IMY considers that the information Klarna provides about the existence of automated<br />
decision-making, including profiling, referred to in Article 22(1) and (4) of the Data<br />
Protection Regulation, and, at least in those cases, meaningful information about the logic<br />
involved and the significance and the envisaged consequences of such processing for the data<br />
subject, does not meet the requirements of Articles 13(2)(f) and 14(2)(g). The information is<br />
not concise, clear and plain, nor is it easily accessible. It thus does not meet the<br />
requirements of Article 12(1).<br />
<br />
<br />
IMY considers that the infringement of Articles 13(2)(f) and 14(2)(g), taking into account the<br />
other infringements of Articles 13 and 14 set out in this decision, is so serious that it also<br />
infringes Articles 5(1)(a) and 5(2).<br />
<br />
<br />
IMY therefore finds that Klarna infringes Articles 5(1)(a), 5(2), 12(1), 13(2)(f) and 14(2)(g)<br />
of the Data Protection Regulation.<br />
<br />
<br />
<br />
3 Choice of intervention<br />
<br />
<br />
3.1 Legal regulation<br />
<br />
In the event of infringements of the Data Protection Regulation, IMY has a number of<br />
corrective powers, including reprimands, orders and administrative fines. This follows from<br />
Article 58(2)(a) to (j) of the Data Protection Regulation.<br />
<br />
<br />
IMY shall impose administrative fines in addition to, or instead of, the other corrective<br />
measures referred to in Article 58(2), depending on the circumstances of each individual case.<br />
<br />
<br />
If a controller or processor intentionally or negligently, for the same or linked processing<br />
operations, infringes several provisions of the Regulation, the total amount of the<br />
administrative fine shall not exceed the amount specified for the gravest infringement. This<br />
follows from Article 83(3) of the Data Protection Regulation.<br />
<br />
<br />
Each supervisory authority shall ensure that the imposition of administrative fines in each<br />
individual case is effective, proportionate and dissuasive. This is provided for in Article<br />
83(1) of the Data Protection Regulation.<br />
<br />
<br />
Article 83(2) sets out the factors to be taken into account when deciding whether an<br />
administrative fine shall be imposed, as well as what shall affect the amount of the fine.<br />
<br />
<br />
3.2 Administrative fine<br />
<br />
<br />
Klarna provides payment solutions to about 90 million consumers and more than 200,000 merchants<br />
in 17 countries. Klarna provides several different services that are important for the<br />
financial system, such as direct payment, various forms of "try first, pay later" services and<br />
instalments. To be able to provide these services, Klarna must process a very large amount of<br />
personal data. IMY has assessed above that Klarna has not complied with the basic principle of<br />
transparency and the data subjects' rights. Klarna has infringed Articles 5(1)(a), 5(2), 12(1),<br />
13(1)(c), (e) and (f), 13(2)(a), (b) and (f) and 14(2)(g) of the Data Protection Regulation.<br />
IMY does not consider these to be minor infringements. Klarna must therefore be subject to an<br />
administrative fine for the said infringements.<br />
<br />
<br />
IMY considers that the provision of information via Klarna's Data Protection Information<br />
constitutes one and the same processing operation and that a single fine shall be determined<br />
for these infringements. IMY notes that Klarna has infringed several articles covered by<br />
Article 83(5), which means that a higher fine may be imposed.<br />
<br />
As regards the calculation of the amount, Article 83(5) of the Data Protection Regulation<br />
provides that undertakings committing the infringements covered by that provision may be fined<br />
up to EUR 20 million or up to 4 percent of total worldwide annual turnover of the preceding<br />
financial year, whichever is higher.<br />
<br />
When determining the maximum amount of an administrative fine to be imposed on an undertaking,<br />
the definition of "undertaking" used by the Court of Justice of the European Union for the<br />
purposes of Articles 101 and 102 TFEU should be applied (see recital 150 of the Data Protection<br />
Regulation). It follows from the case-law of the Court that this covers every entity engaged in<br />
an economic activity, regardless of the legal status of the entity and the way in which it is<br />
financed, and even if the entity in the legal sense consists of several natural or legal<br />
persons.<br />
<br />
IMY assesses that the undertaking whose turnover is to be used as the basis for calculating the<br />
administrative fine that can be imposed on Klarna is Klarna's parent company, Klarna Holding<br />
AB. Klarna Holding AB's annual report for 2020 states that annual turnover in 2020 was<br />
approximately SEK 10,093,659,000. The maximum fine that can be determined in the case is four<br />
percent of this amount, that is, approximately SEK 404,000,000.<br />
<br />
<br />
In determining the amount of the fine, IMY takes into account that Klarna is a multinational<br />
company that processes the personal data of a large number of data subjects. Klarna processes<br />
many different categories of personal data, which in some cases concern the financial<br />
circumstances and creditworthiness of the data subject. IMY considers that high demands must be<br />
placed on a large company with such extensive and privacy-sensitive personal data processing to<br />
provide information in a concise, transparent, intelligible and easily accessible form.<br />
<br />
It is an aggravating factor that the infringements concern articles that are central to the<br />
data subject's ability to exercise his or her rights under the Data Protection Regulation, that<br />
the information provided in the Data Protection Information concerns a very large number of<br />
data subjects, and that the infringement has been going on for a long time.<br />
<br />
<br />
As a mitigating circumstance, it is taken into account that Klarna has changed and improved the<br />
information in the Data Protection Information during the supervision.<br />
<br />
<br />
In view of the seriousness of the infringements and the requirement that an administrative fine<br />
shall be effective, proportionate and dissuasive, IMY sets the administrative fine for Klarna<br />
Bank AB at SEK 7,500,000.<br />
<br />
<br />
This decision was made by Director General Lena Lindgren Schelin following a presentation by<br />
Head of Department Hans Kärnlöf. Chief Legal Counsel David Törngren and Head of Unit Catharina<br />
Fernquist also participated in the final processing.<br />
<br />
<br />
<br />
<br />
<br />
Lena Lindgren Schelin, 2022-03-28 (This is an electronic signature)<br />
<br />
Appendices<br />
<br />
Appendix 1 - Klarna's Data Protection Information<br />
Appendix 2 - Klarna's Terms of Use<br />
<br />
<br />
How to appeal<br />
<br />
If you want to appeal the decision, you must write to the Privacy Protection Authority. State in<br />
the letter which decision you are appealing and what change you are requesting. The appeal must<br />
have been received by the Privacy Protection Authority no later than three weeks from the day you<br />
were notified of the decision. If the appeal has been received in time, the Privacy Protection<br />
Authority forwards it to the Administrative Court in Stockholm for examination.<br />
<br />
You can e-mail the appeal to the Privacy Protection Authority if it does not contain<br />
any privacy-sensitive personal data or data that may be covered by secrecy. The authority's<br />
contact information can be found on the first page of the decision.<br />
<br />
</pre></div>Elisavet Dravalouhttps://gdprhub.eu/index.php?title=IMY_(Sweden)_-_DI-2019-9457&diff=24586IMY (Sweden) - DI-2019-94572022-03-13T20:28:02Z<p>Elisavet Dravalou: Created page with "{{DPAdecisionBOX |Jurisdiction=Sweden |DPA-BG-Color= |DPAlogo=LogoSE.png |DPA_Abbrevation=IMY (Sweden) |DPA_With_Country=IMY (Sweden) |Case_Number_Name=DI-2019-9457 |ECLI=..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Sweden<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoSE.png<br />
|DPA_Abbrevation=IMY (Sweden)<br />
|DPA_With_Country=IMY (Sweden)<br />
<br />
|Case_Number_Name=DI-2019-9457<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=IMY<br />
|Original_Source_Link_1=https://www.imy.se/globalassets/dokument/beslut/2022/beslut-regionstyrelsen-region-uppsala.pdf<br />
|Original_Source_Language_1=Swedish<br />
|Original_Source_Language__Code_1=SV<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=26.01.2022<br />
|Year=<br />
|Fine=300000<br />
|Currency=SEK<br />
<br />
|GDPR_Article_1=Article 32(1) GDPR<br />
|GDPR_Article_Link_1=Article 32 GDPR#1<br />
<br />
<br />
<br />
|Party_Name_1=Municipality of Uppsala<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Elisavet Dravalou<br />
|<br />
}}<br />
<br />
The investigation of the first data breach concerns sensitive personal data and social security numbers sent via e-mail, even though, according to the region's internal governing document, sensitive personal data must not be communicated via e-mail. The transmission of the e-mail itself was encrypted, but not the information in the e-mails. This concerns e-mails with patient data that were sent automatically to the relevant healthcare administrations within the region. The second data breach concerns e-mails with patient data that were sent manually to researchers and doctors within the region.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The municipality of Uppsala reported two personal data breaches on 7 May 2019 and, as a result, the Swedish Data Protection Authority (IMY) investigated the municipality of Uppsala, the regional board and the hospital board.<br />
<br />
<br />
=== Holding ===<br />
IMY examined whether the personal data processing in the e-mails met the security requirements laid down in Article 32 GDPR. IMY issued a fine of SEK 300,000.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.<br />
<br />
<pre><br />
1 (10)<br />
<br />
The Regional Board of the Uppsala Region<br />
751 85 Uppsala<br />
<br />
Record number: DI-2019-9457<br />
Date: 2022-01-26<br />
<br />
Decision after supervision according to the Data Protection Regulation against<br />
The Regional Board of the Uppsala Region<br />
<br />
Table of Contents<br />
<br />
The decision of the Integrity Protection Authority ... 2<br />
Report on the supervisory matter ... 2<br />
The starting point for the supervision ... 2<br />
Information from the regional board ... 2<br />
The first category of personal data processing - e-mail sent automatically ... 3<br />
The second category of personal data processing - e-mail sent manually ... 3<br />
Information concerning both personal data processing operations ... 4<br />
Grounds for the decision ... 5<br />
Applicable rules ... 5<br />
The responsibility of the controller ... 5<br />
The requirement for security in the processing of personal data, etc. ... 5<br />
IMY's assessment ... 6<br />
Controller responsibility ... 6<br />
Sensitive personal data has been sent unencrypted within the region ... 6<br />
Choice of intervention ... 7<br />
Legal regulation ... 7<br />
Imposition of a penalty fee ... 7<br />
How to appeal ... 10<br />
Postal address:<br />
Box 8114<br />
104 20 Stockholm<br />
Website:<br />
<br />
www.imy.se<br />
E-mail:<br />
imy@imy.se<br />
<br />
Phone:<br />
08-657 61 00<br />
<br />
<br />
Page 1 of 10, Integrity Protection Authority Record number: DI-2019-9457 2 (10)<br />
Date: 2022-01-26<br />
<br />
The decision of the Integrity Protection Authority<br />
<br />
<br />
The Integrity Protection Authority (IMY) finds that the Regional Board of the Uppsala Region<br />
(the regional board), as controller, during the period from 25 May 2018 until 7 May 2019<br />
processed personal data in violation of Article 32(1) of the Data Protection Regulation.<br />
This was done by the regional board sending sensitive personal data and social security numbers<br />
via e-mail within the region. The transmission of the e-mail was encrypted, but not the information<br />
in the e-mails. The processing has also taken place in violation of Region Uppsala's own guidelines.<br />
This means that the regional board has not taken appropriate technical and organizational measures<br />
to ensure a level of security appropriate to the risk of the processing.<br />
<br />
IMY decides, on the basis of Articles 58(2) and 83 of the Data Protection Regulation and Chapter 6,<br />
Section 2 of the Data Protection Act, that the regional board, for the violation of Article 32(1) of<br />
the Data Protection Regulation, shall pay an administrative penalty fee of SEK 300,000<br />
(three hundred thousand).<br />
<br />
<br />
<br />
Report on the supervisory matter<br />
<br />
The starting point for the supervision<br />
<br />
IMY decided to initiate an investigation against the regional board after a report of a<br />
personal data incident from the regional board on 7 May 2019.<br />
<br />
IMY's review covers two categories of personal data processing.<br />
<br />
The first category refers to e-mails with patient information sent automatically to the<br />
relevant care administrations within the Uppsala Region for, among other things,<br />
administration and quality assurance.<br />
<br />
The second category refers to e-mails with patient information sent manually to<br />
researchers and doctors within the Uppsala Region for, among other things, research and<br />
quality monitoring.<br />
<br />
IMY has examined whether the personal data processing in the e-mails meets the security<br />
requirements laid down in Article 32 of the Data Protection Regulation.<br />
<br />
The Data Protection Regulation came into force on 25 May 2018. IMY's supervision therefore<br />
covers the period from 25 May 2018 to 7 May 2019 (when the notification was received). IMY has<br />
not reviewed the measures that the regional board has stated it has taken after 7 May 2019.<br />
<br />
<br />
Information from the regional board<br />
<br />
The Regional Board has stated, among other things, the following.<br />
<br />
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with<br />
regard to the processing of personal data and on the free movement of such data, and repealing<br />
Directive 95/46/EC (General Data Protection Regulation).<br />
2 The Act (2018:218) with supplementary provisions to the EU Data Protection Regulation.<br />
<br />
The first category of personal data processing - e-mail sent automatically<br />
The statistical database Cosmic Intelligence retrieved personal data from the main medical<br />
records system Cosmic. The personal data was then retrieved by Business Objects, which placed<br />
the data in an Excel file. The transfers took place automatically every month. Business Objects<br />
then sent the Excel files to the relevant healthcare administrations within the Uppsala Region,<br />
such as the University Hospital and the Hospital in Enköping. The e-mail messages were sent<br />
automatically every month to Region Uppsala's e-mail domains. The e-mails were sent only to<br />
authorized persons within the administration concerned within the Uppsala Region.<br />
<br />
The Excel files in question could contain all the information from the patient record,<br />
in addition to the running text from the patient record's free-text field. Depending on the type of<br />
report, other information could also be included, such as waiting times and patient category.<br />
The Excel files also contained information on social security number, name, care unit and<br />
contact date.<br />
<br />
About 25 e-mails were sent each month to about a hundred recipients within the Academic<br />
Hospital's area of activity. Hundreds of senders and recipients within the Uppsala Region had<br />
access to the personal data.<br />
<br />
The overall purpose of the processing of personal data has been administration, for example<br />
to correct and rectify errors in the operations. In addition, the purpose has been to develop<br />
and ensure the quality of the operations.<br />
<br />
The processing of personal data had been ongoing since 2015 until the regional board's<br />
notification of the incident to IMY on 7 May 2019. The processing was stopped completely in<br />
connection with the discovery of the incident.<br />
<br />
<br />
The second category of personal data processing - e-mail sent manually<br />
The statistical database Cosmic Intelligence retrieved personal data from the main medical<br />
records system Cosmic. The Diver output system then retrieved personal data from Cosmic<br />
Intelligence and from the patient administration systems IMX and PAS. Extracts of personal<br />
data were then made manually from Diver into Excel files. The manual extracts were made by,<br />
among others, the system developer and the administrator at the regional office. These Excel<br />
files were then sent to doctors when they had requested information for quality monitoring<br />
purposes, and to researchers when they had requested research data. The e-mails were sent only<br />
to recipients who were employees within Region Uppsala, i.e. only to Region Uppsala's e-mail<br />
domains. This means that the e-mails were not sent to e-mail addresses affiliated with<br />
Uppsala University.<br />
<br />
The Excel files could, among other things, contain information on social security numbers,<br />
diagnostic codes, contact date, area of activity, age, county, action code and department.<br />
The Excel files did not contain names. The Excel files only concerned patients who were being<br />
treated at the Academic Hospital.<br />
<br />
Approximately 200-250 e-mails were sent per year. Hundreds of senders and recipients within<br />
the Uppsala Region had access to the personal data.<br />
<br />
The personal data was processed for administrative purposes, to develop and ensure the<br />
quality of the operations, and for research purposes.<br />
<br />
The processing of personal data lasted from September 2014 until the regional board's notification<br />
of the incident to IMY on 7 May 2019. The processing was stopped completely in connection with<br />
the discovery of the incident, and work began on developing a solution for e-mail encryption.<br />
<br />
<br />
Information concerning both personal data processing operations<br />
Controller responsibility<br />
<br />
The Regional Board is the controller for the personal data processing that concerns the<br />
compilation of data in Business Objects and for the processing that takes place in the<br />
automatic transmission by e-mail. The processing takes place at the regional office administration,<br />
which is placed under the regional board. This assessment is made on the basis that the regional<br />
board is an independent administrative authority which determines the purposes and means of<br />
the processing of personal data.<br />
<br />
The Regional Board is also the controller for the processing that takes place in Diver<br />
and for the processing that takes place via the manual transmission by e-mail.<br />
<br />
The Regional Board has attached the documents Regulations for boards and committees in<br />
Region Uppsala and the Regional Board's delegation procedure.<br />
<br />
Governing document<br />
<br />
According to Region Uppsala's governing document on the handling of mail and e-mail, sensitive<br />
personal data may not be communicated via e-mail.<br />
<br />
Categories of data subjects<br />
<br />
The categories of data subjects are employees, patients, children and persons with protected<br />
identity. In the case of employees, information about them appears only in the sending and<br />
receiving e-mail addresses.<br />
<br />
The personal data processing affects a total of between 100,000 and 500,000 individuals<br />
for the period 2015-2019.<br />
<br />
Categories of users<br />
<br />
The categories of users who have access to the personal data are administrative<br />
personnel with access to source systems and storage areas.<br />
<br />
Encryption<br />
<br />
The transport (transmission) of e-mail within the region was encrypted, but the information<br />
in the Excel files was not protected by encryption.<br />
<br />
The e-mail was transported encrypted using the cryptographic communication protocol TLS 1.2<br />
to recipients within the Uppsala Region. For the first personal data processing, the Regional<br />
Board used a local e-mail server to transport e-mail between Business Objects and recipients<br />
within the region. For the second processing, the Regional Board used Microsoft Outlook for e-mail.<br />
<br />
There were no technical protection measures to prevent reading or modification of the<br />
information in the Excel files. Nor were there any protective measures in place to prevent<br />
unauthorized persons from accessing the information.<br />
<br />
<br />
Grounds for the decision<br />
<br />
Applicable rules<br />
<br />
The responsibility of the controller<br />
Whoever, alone or jointly with others, determines the purposes and means of the processing of<br />
personal data is the controller. This is stated in Article 4(7) of the Data Protection Regulation.<br />
<br />
The controller is responsible for, and must be able to demonstrate, that the basic principles of<br />
Article 5 of the Data Protection Regulation are complied with (Article 5(2) of the Regulation).<br />
<br />
The controller is responsible for implementing appropriate technical and organizational measures<br />
to ensure, and be able to demonstrate, that the processing is carried out in accordance with the<br />
Data Protection Regulation. The measures shall be implemented taking into account the nature,<br />
scope, context and purposes of the processing and the risks, of varying likelihood and severity,<br />
for the rights and freedoms of natural persons. The measures must be reviewed and updated as<br />
necessary. This is stated in Article 24(1) of the Data Protection Regulation.<br />
<br />
The requirement for security in the processing of personal data, etc.<br />
Health information constitutes so-called sensitive personal data. Under Article 9(1) of the Data<br />
Protection Regulation it is prohibited to process such personal data, unless the processing is<br />
covered by one of the exceptions in Article 9(2) of the Regulation.<br />
<br />
It follows from Article 32 of the Data Protection Regulation that the controller and the<br />
processor shall take appropriate technical and organizational measures to ensure a level of<br />
security appropriate to the risk of the processing. This must be done taking into account the<br />
state of the art, the costs of implementation and the nature, scope, context and purposes of the<br />
processing, and the risks, of varying likelihood and severity, for the rights and freedoms of<br />
natural persons.<br />
<br />
In assessing the appropriate level of security, particular account shall be taken of the risks<br />
that the processing entails, in particular from accidental or unlawful destruction, loss or<br />
alteration of, or unauthorized disclosure of or unauthorized access to, the personal data that is<br />
transmitted, stored or otherwise processed. This follows from Article 32(2) of the Data<br />
Protection Regulation.<br />
<br />
Recital 75 of the Data Protection Regulation sets out factors that must be taken into account in<br />
assessing the risk to the rights and freedoms of natural persons. These include the loss of<br />
confidentiality of personal data covered by an obligation of professional secrecy, whether the<br />
processing concerns information about health or sex life, whether the processing concerns<br />
personal data about vulnerable natural persons, in particular children, and whether the<br />
processing involves a large amount of personal data and affects a large number of data subjects.<br />
<br />
Recitals 39 and 83 also provide guidance on the more detailed meaning of the Data Protection<br />
Regulation's requirements on security when processing personal data.<br />
<br />
IMY's assessment<br />
<br />
Controller responsibility<br />
The Regional Board has stated that it is the controller for the e-mail transfers described in the<br />
case, which is supported by the investigation in the case. IMY therefore finds that the regional<br />
board is the controller for the processing operations concerned.<br />
<br />
Sensitive personal data has been sent unencrypted within the region<br />
<br />
The Regional Board has sent Excel files with patient information within the region via e-mail.<br />
For the first category of personal data processing, about 25 e-mail messages were sent<br />
automatically every month, and for the second category about 200-250 e-mails were sent manually<br />
per year. The transmission of the e-mail within the region was encrypted, but not the<br />
information in the Excel files.<br />
<br />
The Regional Board has stated that sensitive personal data may not be communicated via e-mail<br />
according to Region Uppsala's governing document on the handling of mail and e-mail.<br />
<br />
As controller, the regional board shall take appropriate technical and organizational measures<br />
to ensure a level of security appropriate to the risks (Article 32 of the Data Protection<br />
Regulation). The personal data processed must, for example, be protected against unauthorized<br />
disclosure or unauthorized access. What constitutes an appropriate level of security varies in<br />
relation to, among other things, the risks to the rights and freedoms of natural persons arising<br />
from the processing, and the nature, scope, context and purposes of the processing. The<br />
assessment must take into account, for example, what type of personal data is processed, such as<br />
whether health information is involved.[3]<br />
<br />
The Excel files in question contained health information, which is sensitive personal data.<br />
Processing of sensitive personal data can entail significant risks to privacy. In addition, the<br />
Excel files contained social security numbers, which are considered to be particularly<br />
privacy-sensitive personal data.[4] The information in the e-mail messages was therefore of such<br />
a nature that it required strong protection.<br />
<br />
The transmission of the e-mail from the regional board was encrypted, but not the information in<br />
the e-mails. This meant that the information in the Excel files could not be intercepted (read)<br />
during the actual transfer. However, the information could be read in clear text by both<br />
authorized and unauthorized recipients after the transfer. With an automated transmission, there<br />
is a certain risk that data will end up in the wrong hands if the system is updated incorrectly.<br />
With a manual transfer of personal data, there is an even higher risk of the data ending up in<br />
the wrong hands compared to an automated transfer, because the person sending the information<br />
could type an incorrect recipient address. According to IMY's assessment, the regional board<br />
should have taken technical measures, for example in the form of encryption, to protect the<br />
information in both the automated and the manual e-mails against unauthorized disclosure or<br />
unauthorized access, and thereby ensure an appropriate level of protection.<br />
<br />
According to the regional board, Region Uppsala's governing document on the handling of mail<br />
and e-mail states that sensitive personal data may not be communicated via e-mail.<br />
<br />
3 See recitals 75 and 76 of the Data Protection Regulation.<br />
4 See Article 87 of the Data Protection Regulation and Chapter 3, Section 10 of the Data Protection Act.<br />
5 See the Swedish Data Inspectorate's report Reported personal data incidents 2019 (report 2020:2).<br />
<br />
The Regional Board has thus identified the risks that the processing of sensitive personal data<br />
in e-mail entails, but has not taken sufficient measures to ensure compliance with its own<br />
guidelines. IMY thus finds that the regional board has not taken the appropriate organizational<br />
measures required to ensure the security of the processing.<br />
<br />
Overall, IMY finds that the Regional Board has not taken appropriate technical and organizational<br />
measures to ensure a level of security appropriate to the risk of the processing. The Regional<br />
Board has therefore processed personal data in breach of Article 32(1) of the Data Protection<br />
Regulation.<br />
<br />
<br />
Choice of intervention<br />
<br />
Legal regulation<br />
<br />
In the event of violations of the Data Protection Regulation, IMY has a number of corrective<br />
powers available under Article 58(2)(a) to (j) of the Data Protection Regulation, including<br />
reprimands, orders and penalty fees.<br />
<br />
IMY shall impose penalty fees in addition to, or instead of, the other corrective measures<br />
referred to in Article 58(2) of the Data Protection Regulation, depending on the circumstances<br />
of each individual case.<br />
<br />
Member States may lay down rules on whether and to what extent administrative penalty fees may<br />
be imposed on public authorities. This follows from Article 83(7) of the Regulation. Sweden has<br />
accordingly decided that the supervisory authority may charge penalty fees to public authorities.<br />
For infringements of, among other provisions, Article 32, the fee amounts to a maximum of<br />
SEK 5,000,000. This follows from Chapter 6, Section 2 of the Data Protection Act and<br />
Article 83(4) of the Data Protection Regulation.<br />
<br />
If a controller or processor, for the same or linked processing operations, intentionally or<br />
negligently infringes several provisions of the Regulation, the total amount of the<br />
administrative penalty fee shall not exceed the amount specified for the gravest infringement.<br />
This follows from Article 83(3) of the Data Protection Regulation.<br />
<br />
Each supervisory authority shall ensure that the imposition of administrative penalty fees in<br />
each individual case is effective, proportionate and dissuasive. This is provided for in<br />
Article 83(1) of the Data Protection Regulation.<br />
<br />
Article 83(2) of the Data Protection Regulation sets out the factors to be taken into account<br />
both in deciding whether to impose an administrative penalty fee and in determining the amount<br />
of the fee. In the case of a minor infringement, IMY may, as set out in recital 148, issue a<br />
reprimand in accordance with Article 58(2)(b) of the Regulation instead of imposing a penalty fee.<br />
Account shall be taken of aggravating and mitigating circumstances in the case, such as the<br />
nature, gravity and duration of the infringement as well as relevant previous infringements.<br />
<br />
Imposition of a penalty fee<br />
IMY has assessed above that the regional board has violated Article 32(1) of the Data<br />
Protection Regulation. Infringements of that provision may, as stated above, give rise to<br />
penalty fees.<br />
<br />
The violations have taken place because the regional board has sent a large amount<br />
unencrypted patient data within the region via encrypted email.<br />
The personal information in the e-mail included sensitive personal information and<br />
<br />
social security number, which entailed a high risk to the data subjects' freedoms and rights.<br />
The treatments have taken place systematically and for a long time. The treatments have<br />
<br />
also occurred in violation of Region Uppsala's own guidelines. These factors mean<br />
overall that a penalty fee should be imposed.<br />
<br />
<br />
IMY states that the manual and the automatic transmission of e-mail<br />
constitute interconnected data processing within the meaning of Article 83 (3) (i)<br />
<br />
the Data Protection Regulation. This is because the treatments concern patient data such as<br />
was retrieved from the main journal system Cosmic for similar purposes such as<br />
administration and quality assurance. In addition, it is a matter of violation of<br />
<br />
the same provision, ie Article 32 (1) of the Regulation.<br />
<br />
<br />
In determining the size of the penalty fee, the IMY shall take into account both aggravating and<br />
mitigating circumstances and that the administrative penalty fee should be<br />
effective, proportionate and dissuasive.<br />
<br />
<br />
It is aggravating that the personal data processing has been going on for a long time,<br />
<br />
that is, during the period under review from 25 May 2018 to 7 May 2019,<br />
and that they have taken place systematically. It is also aggravating that the treatments included<br />
a large amount of health information that unauthorized persons have been able to access after the transfer.<br />
<br />
As for the first category of personal data processing, it has been about<br />
about 25 emails per month that unauthorized persons have been able to access and<br />
in the case of the second category, it has been around 200−250 e-<br />
<br />
mail messages per year. The Regional Board estimates that<br />
the personal data processing has in total touched between 100,000 and 500,000<br />
<br />
individuals for the period 2015−2019. It is thus a question of a large number of registered<br />
during a year. Through the data processed, the data subjects can be identified directly<br />
through, for example, names, social security numbers and health information. IMY therefore considers that<br />
<br />
the nature, scope of the data and the dependency of the data subjects<br />
the regional board has a special responsibility to ensure appropriate protection for<br />
<br />
personal data, which did not happen.<br />
<br />
It is also aggravating that the treatments took place in violation of Region Uppsala's own<br />
<br />
guidelines that sensitive personal data should not be sent by e-mail.<br />
<br />
<br />
As mitigating circumstances, IMY considers that the transmission of the e-mail was<br />
encrypted and that the e-mail was sent internally within the region. This means that<br />
the regional board has taken certain measures in order to comply with the requirements and reduce<br />
the risks of the processing operations. IMY also considers that the regional board stopped<br />
the processing in connection with the notification of a personal data breach to IMY on 7 May<br />
2019.<br />
<br />
IMY decides, on the basis of an overall assessment, that the regional board must pay an<br />
administrative sanction fee of SEK 300,000 (three hundred thousand).<br />
<br />
<br />
Page 8 of 10, Integrity Protection Authority Record number: DI-2019-9457 9 (10)<br />
Date: 2022-01-26<br />
<br />
This decision was made by Director General Lena Lindgren Schelin after a presentation<br />
by lawyer Linda Hamidi. Chief legal counsel David Törngren, unit manager Malin Blixt<br />
and IT security specialist Ulrika Sundling also participated in the final handling of the case.<br />
<br />
<br />
<br />
<br />
<br />
Lena Lindgren Schelin, 2022-01-26 (This is an electronic signature)<br />
<br />
<br />
<br />
<br />
Appendix<br />
<br />
Information on payment of penalty fee.<br />
<br />
Copy to<br />
<br />
The Data Protection Officer.<br />
<br />
Page 9 of 10, Integrity Protection Authority Record number: DI-2019-9457 10 (10)<br />
Date: 2022-01-26<br />
<br />
<br />
<br />
<br />
<br />
<br />
How to appeal<br />
<br />
<br />
If you want to appeal the decision, you must write to the Privacy Protection Authority. State in<br />
the letter which decision you are appealing and the change you are requesting. The appeal must<br />
have been received by the Privacy Protection Authority no later than three weeks from the date on which<br />
the decision was announced to you. If the appeal has been received in time,<br />
the Privacy Protection Authority forwards it to the Administrative Court in Stockholm for<br />
examination.<br />
<br />
<br />
You can e-mail the appeal to the Privacy Protection Authority if it does not contain<br />
any privacy-sensitive personal data or data that may be covered by<br />
secrecy. The authority's contact information can be found on the first page of the decision.<br />
<br />
<br />
Page 10 of 10<br />
</pre></div>Elisavet Dravalouhttps://gdprhub.eu/index.php?title=HDPA_(Greece)_-_48/2021&diff=21366HDPA (Greece) - 48/20212021-11-22T21:43:42Z<p>Elisavet Dravalou: /* Facts */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Greece<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoGR.jpg<br />
|DPA_Abbrevation=HDPA (Greece)<br />
|DPA_With_Country=HDPA (Greece)<br />
<br />
|Case_Number_Name=2322/14-10-2021<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Greek's DPA website<br />
|Original_Source_Link_1=https://www.dpa.gr/el/enimerwtiko/prakseisArxis/mi-nomimi-hrisi-stoiheion-pelaton-gia-proothitiko-skopo-kai-mi<br />
|Original_Source_Language_1=Greek<br />
|Original_Source_Language__Code_1=EL<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=14.10.2021<br />
|Date_Published=14.10.2021<br />
|Year=2021<br />
|Fine=20000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 4(11) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#11<br />
|GDPR_Article_2=Article 4(12) GDPR<br />
|GDPR_Article_Link_2=Article 4 GDPR#12<br />
|GDPR_Article_3=Article 5(2) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#2<br />
|GDPR_Article_4=Article 6(1)(f) GDPR<br />
|GDPR_Article_Link_4=Article 6 GDPR#1f<br />
|GDPR_Article_5=Article 6(1)(a) GDPR<br />
|GDPR_Article_Link_5=Article 6 GDPR#1a<br />
|GDPR_Article_6=Article 6(4) GDPR<br />
|GDPR_Article_Link_6=Article 6 GDPR#4<br />
|GDPR_Article_7=Article 7 GDPR<br />
|GDPR_Article_Link_7=Article 7 GDPR<br />
|GDPR_Article_8=Article 21 GDPR<br />
|GDPR_Article_Link_8=Article 21 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Elisavet Dravalou<br />
|<br />
}}<br />
<br />
A company that conducts phone sales processed customer personal data, collected during the purchase of products, in order to promote its products and services to those customers. The controller held that consent had been obtained but was unable to prove it, and did not respect the data subjects' opt-out requests. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Three data subjects filed complaints with the Greek DPA against a marketing agency for processing their personal data for a purpose other than the one for which it was originally collected. The personal data had been collected during purchases of goods. The data subjects claimed that the marketing agency was contacting them in order to promote its products without respecting their opt-out requests, while the marketing agency claimed that it had contacted the data subjects for a customer satisfaction survey after having obtained their consent.<br />
<br />
<br />
=== Holding ===<br />
The Greek DPA held that this processing constitutes use of personal data for a purpose other than that for which the personal data was originally collected; therefore the criteria of Article 6(4) GDPR must be fulfilled and the Article 5 GDPR principles must be respected. In this case, it was found that the data subjects were not properly informed during the data collection stage that their personal data would be used for an additional, different purpose, that their objections were not respected, and that the identity of the controller was not clear to the data subjects. Also, in relation to the exercise of the right to object, the controller did not respect the data subjects' opt-out requests and did not provide appropriate documents or instructions to prove that it was able to respond to such requests. The Authority imposed a fine of 20,000 euros for the violations found, taking into consideration the duration and the intensity of the violations.<br />
<br />
== Comment ==<br />
What is interesting in this case is that the controller claimed that it processed personal data for marketing purposes (promotion of products) based on the data subjects' oral consent obtained during the purchase of products. The DPA could not find evidence to suggest that consent was given. Therefore, in the absence of evidence, consent cannot be accepted as the legal basis of this processing. The DPA stated that it could accept legitimate interest as a legal basis, given the soft opt-in exception. Given, though, that the processing was carried out for a purpose different from the one for which the personal data was collected in the first place, the Greek DPA held that Articles 6(4) and 5 GDPR must be respected. In this specific case, at least appropriate information should have been provided to the data subjects at the data collection stage, so that they know that their personal data will be used for an additional purpose, while at the same time giving them the opportunity to express their objections. <br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.<br />
<br />
<pre><br />
<br />
Category<br />
Decision<br />
<br />
<br />
<br />
Date<br />
14/10/2021<br />
<br />
<br />
<br />
<br />
Transaction number<br />
48<br />
<br />
<br />
<br />
Thematic unit<br />
<br />
09. Promotion of products and services<br />
<br />
<br />
<br />
<br />
Applicable provisions<br />
<br />
Article 4.11: Consent (definition)<br />
Article 4.12: Violation of personal data (definition)<br />
Article 5.2: Principle of accountability<br />
Article 6.1.a: Legal basis of consent<br />
Article 6.1.f: Legal basis of overriding legal interest<br />
Article 6.4: Compatibility of processing for another purpose<br />
Article 7: Conditions for consent<br />
Article 21: Right of objection<br />
Article 11.2: Register - Article 11<br />
<br />
<br />
<br />
<br />
Summary<br />
A company that conducts distance telephone sales used the customer data, which it collected during the purchase of products, to promote its products and services. This processing is the use of personal data for a purpose other than that for which the data were originally collected, therefore the criteria of Article 6 par. In this case, it was found that the data subject was not properly informed during the data collection stage, so that he would know that his data would be used for an additional, different purpose, that customer objections were not respected, and that the identity of the controller was not clear to the data subjects. Also, in relation to the satisfaction of the right to object, the controller did not provide appropriate documents or instructions to prove that it was able to respond to such requests. The Authority imposed a fine of 20,000 euros for the violations found.<br />
<br />
<br />
<br />
<br />
PDF Decision<br />
48_2021anonym.pdf (299.82 KB)<br />
<br />
<br />
<br />
</pre></div>Elisavet Dravalouhttps://gdprhub.eu/index.php?title=HDPA_(Greece)_-_48/2021&diff=21365HDPA (Greece) - 48/20212021-11-22T21:41:52Z<p>Elisavet Dravalou: Created page with "{{DPAdecisionBOX |Jurisdiction=Greece |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoGR.jpg |DPA_Abbrevation=HDPA (Greece) |DPA_With_Country=HDPA (Greece) |Case_Number..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Greece<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoGR.jpg<br />
|DPA_Abbrevation=HDPA (Greece)<br />
|DPA_With_Country=HDPA (Greece)<br />
<br />
|Case_Number_Name=2322/14-10-2021<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Greek's DPA website<br />
|Original_Source_Link_1=https://www.dpa.gr/el/enimerwtiko/prakseisArxis/mi-nomimi-hrisi-stoiheion-pelaton-gia-proothitiko-skopo-kai-mi<br />
|Original_Source_Language_1=Greek<br />
|Original_Source_Language__Code_1=EL<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=14.10.2021<br />
|Date_Published=14.10.2021<br />
|Year=2021<br />
|Fine=20000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 4(11) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#11<br />
|GDPR_Article_2=Article 4(12) GDPR<br />
|GDPR_Article_Link_2=Article 4 GDPR#12<br />
|GDPR_Article_3=Article 5(2) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#2<br />
|GDPR_Article_4=Article 6(1)(f) GDPR<br />
|GDPR_Article_Link_4=Article 6 GDPR#1f<br />
|GDPR_Article_5=Article 6(1)(a) GDPR<br />
|GDPR_Article_Link_5=Article 6 GDPR#1a<br />
|GDPR_Article_6=Article 6(4) GDPR<br />
|GDPR_Article_Link_6=Article 6 GDPR#4<br />
|GDPR_Article_7=Article 7 GDPR<br />
|GDPR_Article_Link_7=Article 7 GDPR<br />
|GDPR_Article_8=Article 21 GDPR<br />
|GDPR_Article_Link_8=Article 21 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Elisavet Dravalou<br />
|<br />
}}<br />
<br />
A company that conducts phone sales processed customer personal data, collected during the purchase of products, in order to promote its products and services to those customers. The controller held that consent had been obtained but was unable to prove it, and did not respect the data subjects' opt-out requests. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Three data subjects filed complaints with the Greek DPA against a marketing agency for processing their personal data for a purpose other than the one for which it was originally collected. The data subjects claimed that the marketing agency was contacting them in order to promote its products without respecting their opt-out requests, while the marketing agency claimed that it had contacted the data subjects (being existing clients) for a customer satisfaction survey after having obtained their consent.<br />
<br />
<br />
=== Holding ===<br />
The Greek DPA held that this processing constitutes use of personal data for a purpose other than that for which the personal data was originally collected; therefore the criteria of Article 6(4) GDPR must be fulfilled and the Article 5 GDPR principles must be respected. In this case, it was found that the data subjects were not properly informed during the data collection stage that their personal data would be used for an additional, different purpose, that their objections were not respected, and that the identity of the controller was not clear to the data subjects. Also, in relation to the exercise of the right to object, the controller did not respect the data subjects' opt-out requests and did not provide appropriate documents or instructions to prove that it was able to respond to such requests. The Authority imposed a fine of 20,000 euros for the violations found, taking into consideration the duration and the intensity of the violations.<br />
<br />
== Comment ==<br />
What is interesting in this case is that the controller claimed that it processed personal data for marketing purposes (promotion of products) based on the data subjects' oral consent obtained during the purchase of products. The DPA could not find evidence to suggest that consent was given. Therefore, in the absence of evidence, consent cannot be accepted as the legal basis of this processing. The DPA stated that it could accept legitimate interest as a legal basis, given the soft opt-in exception. Given, though, that the processing was carried out for a purpose different from the one for which the personal data was collected in the first place, the Greek DPA held that Articles 6(4) and 5 GDPR must be respected. In this specific case, at least appropriate information should have been provided to the data subjects at the data collection stage, so that they know that their personal data will be used for an additional purpose, while at the same time giving them the opportunity to express their objections. <br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.<br />
<br />
<pre><br />
<br />
Category<br />
Decision<br />
<br />
<br />
<br />
Date<br />
14/10/2021<br />
<br />
<br />
<br />
<br />
Transaction number<br />
48<br />
<br />
<br />
<br />
Thematic unit<br />
<br />
09. Promotion of products and services<br />
<br />
<br />
<br />
<br />
Applicable provisions<br />
<br />
Article 4.11: Consent (definition)<br />
Article 4.12: Violation of personal data (definition)<br />
Article 5.2: Principle of accountability<br />
Article 6.1.a: Legal basis of consent<br />
Article 6.1.f: Legal basis of overriding legal interest<br />
Article 6.4: Compatibility of processing for another purpose<br />
Article 7: Conditions for consent<br />
Article 21: Right of objection<br />
Article 11.2: Register - Article 11<br />
<br />
<br />
<br />
<br />
Summary<br />
A company that conducts distance telephone sales used the customer data, which it collected during the purchase of products, to promote its products and services. This processing is the use of personal data for a purpose other than that for which the data were originally collected, therefore the criteria of Article 6 par. In this case, it was found that the data subject was not properly informed during the data collection stage, so that he would know that his data would be used for an additional, different purpose, that customer objections were not respected, and that the identity of the controller was not clear to the data subjects. Also, in relation to the satisfaction of the right to object, the controller did not provide appropriate documents or instructions to prove that it was able to respond to such requests. The Authority imposed a fine of 20,000 euros for the violations found.<br />
<br />
<br />
<br />
<br />
PDF Decision<br />
48_2021anonym.pdf (299.82 KB)<br />
<br />
<br />
<br />
</pre></div>Elisavet Dravalouhttps://gdprhub.eu/index.php?title=Commissioner_(Cyprus)_-_11.17.001.008.029&diff=14250Commissioner (Cyprus) - 11.17.001.008.0292021-03-23T19:05:28Z<p>Elisavet Dravalou: Created page with "{{DPAdecisionBOX |Jurisdiction=Cyprus |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoCY.jpg |DPA_Abbrevation=Commissioner |DPA_With_Country=Commissioner (Cyprus) |Case..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Cyprus<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoCY.jpg<br />
|DPA_Abbrevation=Commissioner<br />
|DPA_With_Country=Commissioner (Cyprus)<br />
<br />
|Case_Number_Name= 11.17.001.008.029<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Office of the Commissioner for Personal Data Protection<br />
|Original_Source_Link_1=http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/all/B0CED3EDDC2EE5EDC225868D0037E7A4/$file/%CE%91%CE%A0%CE%9F%CE%A6%CE%91%CE%A3%CE%97%20(%CE%91%CE%BD)%20%CE%A4%CE%B1%CE%BC%CE%B5%CE%AF%CE%BF%20%CE%95%CF%85%CE%B7%CE%BC%CE%B5%CF%81%CE%AF%CE%B1%CF%82%20%CE%A5%CF%80%CE%B1%CE%BB%CE%BB%CE%AE%CE%BB%CF%89%CE%BD%20%CE%91%CE%A4%CE%97%CE%9A.pdf?openelement<br />
|Original_Source_Language_1=Greek<br />
|Original_Source_Language__Code_1=EL<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=14.10.2020<br />
|Date_Published=14.10.2020<br />
|Year=2020<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1<br />
|GDPR_Article_2=Article 24(1) GDPR<br />
|GDPR_Article_Link_2=Article 24 GDPR#1<br />
|GDPR_Article_3=Article 24(2) GDPR<br />
|GDPR_Article_Link_3=Article 24 GDPR#2<br />
|GDPR_Article_4=Article 25(1) GDPR<br />
|GDPR_Article_Link_4=Article 25 GDPR#1<br />
|GDPR_Article_5=Article 25(2) GDPR<br />
|GDPR_Article_Link_5=Article 25 GDPR#2<br />
|GDPR_Article_6=Article 32(1) GDPR<br />
|GDPR_Article_Link_6=Article 32 GDPR#1<br />
|GDPR_Article_7=Article 32(2) GDPR<br />
|GDPR_Article_Link_7=Article 32 GDPR#2<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Elisavet Dravalou<br />
|<br />
}}<br />
<br />
A member of the Cyprus Telecommunications Authority Employees Welfare Association (TEY-CYTA) submitted a data subject request and requested a copy of her personal data. Because TEY-CYTA could not separate the databases for employees and for members, it was not able to respond as it should have. The Commissioner found that the controller violated Articles 5(1), 24(1) and (2), 25(1) and (2) and 32 of the GDPR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
It was found that the TEY-CYTA Association (Cyprus Telecommunications Authority Employees Welfare Fund) had access to personal data, more than was needed to satisfy the purposes, such as the photo of its members. <br />
<br />
=== Dispute ===<br />
<br />
<br />
=== Holding ===<br />
The Commissioner held that CYTA violated articles 5 (1), 24 (1) and (2), 25 (1) and (2) and 32 of the GDPR and instructed CYTA to establish such security measures and practices, so that TEY-CYTA no longer has access to data disproportionate to the purpose, excluding access to the photo of its members. In this case, no fine was imposed.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Elisavet Dravalouhttps://gdprhub.eu/index.php?title=IMY_(Sweden)_-_DI-2020-10538&diff=13521IMY (Sweden) - DI-2020-105382021-02-01T22:53:08Z<p>Elisavet Dravalou: Created page with "{{DPAdecisionBOX |Jurisdiction=Sweden |DPA-BG-Color= |DPAlogo=LogoSK.png |DPA_Abbrevation=Datainspektionen |DPA_With_Country=Datainspektionen (Sweden) |Case_Number_Name=DI-2..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Sweden<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoSK.png<br />
|DPA_Abbrevation=Datainspektionen<br />
|DPA_With_Country=Datainspektionen (Sweden)<br />
<br />
|Case_Number_Name=DI-2020-10538<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Integritetsskyddsmyndigheten<br />
|Original_Source_Link_1=https://www.imy.se/globalassets/dokument/beslut/2021-01-22-beslut-tillsyn-maginteractive.pdf<br />
|Original_Source_Language_1=Swedish<br />
|Original_Source_Language__Code_1=SV<br />
<br />
|Type=Complaint<br />
|Outcome=Partly Upheld<br />
|Date_Decided=22.01.2021<br />
|Date_Published=22.01.2021<br />
|Year=2021<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 12(3) GDPR<br />
|GDPR_Article_Link_1=Article 12 GDPR#3<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Elisavet Dravalou<br />
|<br />
}}<br />
<br />
The Swedish DPA held that MAG Interactive AB (controller) violated Article 12(3) GDPR because, although it complied with an erasure request, it negligently failed to notify the data subject. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject made an erasure request to MAG Interactive AB on 29 November 2018. Since the request came from an email address that was not linked to the data subject's account, the controller asked for proof of identity. The data subject provided proof of identity on 29 May 2019. MAG Interactive AB complied with the request and deleted the personal data concerned 16 days after receiving the request, but out of negligence it did not inform the data subject of the action taken. The reason the data subject was not notified was that the second request, with the proof of identity, came by regular post, whereas MAG Interactive AB normally handles requests in a system where notifications of actions taken are sent automatically.<br />
<br />
=== Dispute ===<br />
<br />
<br />
=== Holding ===<br />
The Swedish DPA held that MAG Interactive AB had, in the first place, the right to verify the identity of the data subject. Upon receiving proof of the data subject's identity, MAG Interactive AB deleted the personal data concerned in compliance with Article 17 GDPR. Despite that, it did not notify the data subject of the action taken (deletion of his personal data) and therefore violated Article 12(3). <br />
As MAG Interactive AB assured the DPA that it would take appropriate organisational measures to ensure that this would not occur again, the DPA closed the case and no fine was issued.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.<br />
<br />
<pre><br />
1 (3)<br />
<br />
MAG Interactive AB<br />
Org.nr: 556804-3524<br />
Drottninggatan 95A<br />
113 60 Stockholm<br />
<br />
<br />
<br />
<br />
<br />
<br />
Record number: DI-2020-10538<br />
Date: 2021-01-22<br />
<br />
Decision after supervision according to the Data Protection Regulation - MAG Interactive AB<br />
<br />
<br />
<br />
<br />
<br />
The decision of the Integrity Protection Authority<br />
<br />
<br />
The Privacy Protection Authority states that MAG Interactive AB has processed<br />
personal data in breach of Article 12(3) of the Data Protection Regulation by not informing<br />
the complainant without undue delay of the outcome of the complainant's request for<br />
deletion pursuant to Article 17, from 29 May 2019 until 6 November 2020.<br />
<br />
<br />
The case is closed without action.<br />
<br />
<br />
Report on the supervisory matter<br />
<br />
<br />
The Privacy Protection Authority (IMY) has initiated supervision regarding MAG Interactive AB<br />
(the company) in connection with a complaint. The complaint has been submitted to IMY, in its<br />
capacity as the supervisory authority responsible for the company's activities in accordance with Article 56<br />
of the Data Protection Regulation, by the supervisory authority of the country where the complainant<br />
lodged its complaint, in accordance with the Regulation's provisions on cooperation in<br />
cross-border cases.<br />
<br />
<br />
The complaint alleges that the company has not handled the complainant's request<br />
deletion of the complainant's personal data in accordance with Article 17 of the Data Protection Regulation.<br />
<br />
<br />
MAG Interactive AB has mainly stated the following. The company first received a request<br />
for deletion of the complainant's account on the company's services on 29 November 2018 (the<br />
first request). Because the request came from a different email address than the one<br />
linked to the account, the company requested that the complainant return with evidence to<br />
prove his identity, which the complainant did not do. On 29 May 2019, a new<br />
request for deletion of the complainant's account was received, this time by post and with the required<br />
evidence to prove the identity of the complainant (the second request). The company deleted<br />
the complainant's information manually on 15 June 2019 in accordance with the request, except the<br />
information needed to show that the request had been processed. Due to an oversight,<br />
however, the complainant was not informed of the outcome of the request in connection with the<br />
request being processed. Instead, this took place only in connection with a review before answering in<br />
this supervisory matter, i.e. on 6 November 2020.<br />
<br />
Postal address: Box 8114, 104 20 Stockholm. Website: www.imy.se. E-mail: imy@imy.se. Telephone: 08-657 61 00<br />
<br />
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of<br />
natural persons with regard to the processing of personal data and on the free movement of such data and on<br />
the repeal of Directive 95/46/EC (General Data Protection Regulation).<br />
<br />
Integrity Protection Authority Record number: DI-2020-10538 2 (3)<br />
Date: 2021-01-22<br />
<br />
<br />
<br />
The processing of the case has taken place through correspondence. Since the matter concerns a cross-border complaint, IMY has used the cooperation and consistency mechanisms contained in Chapter VII of the Data Protection Regulation. The supervisory authorities concerned have been the data protection authorities in Norway, Ireland, France, Austria, Denmark, Poland and Germany.<br />
<br />
<br />
Justification of decision<br />
<br />
<br />
Applicable regulations<br />
<br />
According to Article 12(3) of the Data Protection Regulation, the controller shall, without undue delay and in any case no later than one month after receipt of the request, provide the data subject with information on the measures taken in accordance with Article 17. This period may, if necessary, be extended by a further two months, taking into account the complexity of the request and the number of requests received. The controller shall notify the data subject of any such extension within one month of receipt of the request, stating the reasons for the delay.<br />
<br />
<br />
According to Article 12(6), where the controller has reasonable grounds to doubt the identity of the natural person submitting a request under Article 17, the controller may request the additional information necessary to confirm the data subject's identity.<br />
<br />
According to Article 17(1)(a), the data subject shall have the right to have his or her personal data erased by the controller without undue delay, and the controller shall be obliged to erase personal data without undue delay if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed. According to Article 17(3)(b), this shall not apply to the extent that the processing is necessary to comply with a legal obligation requiring processing under Union law.<br />
<br />
<br />
Pursuant to Article 57(1)(f), each supervisory authority shall, in its territory, handle complaints lodged by a data subject and, where appropriate, investigate the subject matter of the complaint.<br />
<br />
<br />
The Integrity Protection Authority's assessment<br />
<br />
Regarding the first request, IMY finds that MAG Interactive AB had reasonable grounds to doubt the identity of the complainant and was therefore justified in requesting that the complainant provide additional evidence, which the complainant did not do. Against this background, IMY considers that the company was not obliged to take any further measures in response to that request.<br />
<br />
With regard to the second request, IMY notes that the company deleted the complainant's information, apart from the information required to demonstrate that the request had been processed, within 16 days of receiving the request on 29 May 2019. IMY considers that the company deleted the complainant's information without undue delay within the meaning of Article 17 of the Data Protection Regulation. Furthermore, the company was justified in retaining the information needed to demonstrate that the request had been processed in accordance with the Data Protection Regulation.<br />
<br />
<br />
However, the company only informed the complainant of the outcome of the second request on 6 November 2020. Since the controller, pursuant to Article 12(3), shall without undue delay and in any case no later than one month after receipt of the request inform the data subject of the measures taken pursuant to Article 17, and no exception applies here, MAG Interactive AB has violated Article 12(3) of the Data Protection Regulation.<br />
<br />
<br />
The company has stated that the reason why the complainant was not informed of the outcome of the request was an oversight. According to the company, this was mainly caused by the request being handled manually, because it was received by post, whereas the company normally handles requests in a system where notifications of actions taken are sent automatically. In light of what happened, the company has stated that it will review its routines so that what happened is not repeated. Among other things, the company will set up a separate log for manual cases to ensure that all steps are followed, including that the user is notified in the manner he has requested.<br />
<br />
<br />
IMY states that it is of course important that the controller notifies the data subject of what measures have been taken in response to his request, even in cases where the request is complied with in full, to the extent that this may be required.<br />
<br />
<br />
In light of the circumstances of the infringement that the company has highlighted, and the measures that the company has stated it has taken and will take, IMY nevertheless considers that the substance of the complaint has been investigated to the extent appropriate under Article 57(1)(f) of the Data Protection Regulation.<br />
<br />
<br />
Against this background, the case is closed without action.<br />
<br />
<br />
<br />
<br />
This decision has been made by Catharina Fernquist, Head of Unit, after a presentation by lawyer Olle Pettersson.<br />
<br />
Catharina Fernquist, 2021-01-22 (This is an electronic signature)<br />
</pre></div>Elisavet Dravalouhttps://gdprhub.eu/index.php?title=Datainspektionen_-_DI-2019-3844&diff=12920Datainspektionen - DI-2019-38442020-12-14T10:47:39Z<p>Elisavet Dravalou: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Sweden<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoSK.png<br />
|DPA_Abbrevation=Datainspektionen<br />
|DPA_With_Country=Datainspektionen (Sweden)<br />
<br />
|Case_Number_Name=DI-2019-3844<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Datainspektionen<br />
|Original_Source_Link_1=https://www.datainspektionen.se/globalassets/dokument/beslut/beslut-tillsyn-aleris-sjukvard-di-2019-3844.pdf<br />
|Original_Source_Language_1=Swedish<br />
|Original_Source_Language__Code_1=SV<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=02.12.2020<br />
|Date_Published=02.12.2020<br />
|Year=2020<br />
|Fine=15000000<br />
|Currency=SEK<br />
<br />
|GDPR_Article_1=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1f<br />
|GDPR_Article_2=Article 5(2) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#2<br />
|GDPR_Article_3=Article 32(1) GDPR<br />
|GDPR_Article_Link_3=Article 32 GDPR#1<br />
|GDPR_Article_4=Article 32(2) GDPR<br />
|GDPR_Article_Link_4=Article 32 GDPR#2<br />
<br />
<br />
|National_Law_Name_1= Patientdatalagen (2008:355)<br />
|National_Law_Link_1=https://www.riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningssamling/patientdatalag-2008355_sfs-2008-355<br />
<br />
|Party_Name_1=Aleris Sjukvård AB<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Elisavet Dravalou<br />
|<br />
}}<br />
<br />
The Swedish DPA held that the healthcare provider "Aleris Sjukvård AB" did not carry out the needs and risk assessments required by the Patient Data Act and that, by granting all personnel access to the patients' journal system, it breached Article 32 GDPR.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
The Swedish DPA's audit of Aleris Sjukvård AB was initiated in May 2019. Aleris is a healthcare provider and uses a system named "TakeCare" as its main journal-keeping system, in which it stores and maintains the patients' journals. According to the Patient Data Act, a care provider must conduct a needs and risk analysis before allocating access rights to the patients' journals. <br />
<br />
===Dispute===<br />
<br />
<br />
===Holding===<br />
The DPA found that Aleris Sjukvård AB had not carried out these assessments and had granted access to patients' journals to all employees apart from technicians. By doing so, Aleris Sjukvård AB breached the obligation to apply appropriate technical and organisational measures to ensure the security of personal data, imposed on controllers by Article 32 GDPR. The DPA imposed a fine of 15 million SEK (approximately €1,466,000).<br />
<br />
==Comment==<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.<br />
<br />
<pre><br />
Decision Diary No. 1 (30)<br />
2020-12-02 DI-2019-3844<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Aleris Sjukvård AB<br />
c / o Aleris Specialist Care Sabbatsberg<br />
<br />
Box 6401<br />
113 82 Stockholm<br />
<br />
Stockholm County<br />
<br />
<br />
Supervision under the Data Protection Regulation and the Patient Data Act - needs and risk analysis and questions about access in journal systems<br />
<br />
<br />
Table of Contents<br />
<br />
The Data Inspectorate's decision (page 2)<br />
Report on the supervisory matter (page 3)<br />
What has emerged in the case (page 3)<br />
Internal secrecy (page 5)<br />
Coherent record keeping (page 8)<br />
Documentation of access (logs) (page 9)<br />
Aleris's opinion on the Data Inspectorate's letter (page 9)<br />
Motivation for decision (page 10)<br />
Applicable rules (page 10)<br />
The Data Inspectorate's assessment (page 15)<br />
Choice of intervention (page 23)<br />
Appendix (page 29)<br />
Copy for information to (page 29)<br />
How to appeal (page 29)<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Postal address: Box 8114, 104 20 Stockholm E-mail: datainspektionen@datainspektionen.se<br />
Website: www.datainspektionen.se Phone: 08-657 61 00<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
The Data Inspectorate's decision<br />
<br />
During a review on April 8, 2019, the Data Inspectorate established that Aleris Sjukvård AB processes personal data in violation of Article 5(1)(f) and (2) and Article 32(1) and (2) of the Data Protection Regulation (1) in that<br />
<br />
1. Aleris Sjukvård AB has not carried out a needs and risk analysis before the allocation of permissions in the journal system TakeCare, in accordance with Chapter 4, Section 2 and Chapter 6, Section 7 of the Patient Data Act (2008:355) and Chapter 4, Section 2 of the National Board of Health and Welfare's regulations and general advice on record keeping and processing of personal data in health and healthcare (HSLF-FS 2016:40). This means that Aleris Sjukvård AB has not taken appropriate organizational measures to be able to ensure, and to be able to demonstrate, that the processing of personal data has a level of security appropriate to the risks.<br />
<br />
2. Aleris Sjukvård AB does not limit users' permissions for access to the TakeCare journal system to only what is needed for the user to be able to fulfil his tasks in health and healthcare, in accordance with Chapter 4, Section 2 and Chapter 6, Section 7 of the Patient Data Act and Chapter 4, Section 2 of HSLF-FS 2016:40. This means that Aleris Sjukvård AB has not taken measures to be able to ensure, and to be able to demonstrate, an appropriate level of security for personal data.<br />
<br />
The Data Inspectorate decides, on the basis of Articles 58(2) and 83 of the Data Protection Regulation, that Aleris Sjukvård AB shall, for violation of Article 5(1)(f) and (2) and Article 32(1) and (2) of the Data Protection Regulation, pay an administrative fine of 15,000,000 (fifteen million).<br />
<br />
The Data Inspectorate orders Aleris Sjukvård AB, pursuant to Article 58(2)(d) of the Data Protection Regulation, to carry out and document the required needs and risk analysis for the TakeCare medical record system and then, based on that needs and risk analysis, to assign each individual user access to personal data restricted to only what is needed for the individual to be able to fulfil his duties in health care, in accordance with Article 5(1)(f) and Article 32(1) and (2) of the Data Protection Regulation, Chapter 4, Section 2 and Chapter 6, Section 7 of the Patient Data Act and Chapter 4, Section 2 of HSLF-FS 2016:40.<br />
<br />
(1) REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).<br />
<br />
<br />
<br />
<br />
Report on the supervisory matter<br />
The Data Inspectorate's inspection began with an inspection letter on 22 March 2019 and has taken place both in writing and through an on-site inspection on April 8, 2019. The purpose of the audit was to check whether Aleris Sjukvård AB's (hereinafter Aleris) decisions on the allocation of authorizations were preceded by a needs and risk analysis. The supervision has also covered how Aleris has granted authorizations for access to the TakeCare master journal system, and what access the granted authorizations provide, both within the framework of internal secrecy under the Patient Data Act and within coherent record keeping under Chapter 6 of the Patient Data Act. In addition, the Data Inspectorate has examined what documentation of access (logs) exists in the journal system.<br />
<br />
The Data Inspectorate has only examined users' access to the journal system, i.e. what care documentation the user can actually read. The supervision has not covered which functions are included in the authorization, i.e. what the user can actually do in the journal system (e.g. issuing prescriptions, writing referrals, etc.).<br />
<br />
The inspection is one of several inspections within the framework of a self-initiated supervisory project at the Swedish Data Inspectorate, in which, among others, Karolinska University Hospital has been included. Given what has emerged about Aleris's view of the technical possibilities to limit read access for its users in TakeCare, Aleris was specifically asked to comment on an opinion from Karolinska University Hospital, which also uses TakeCare, in which the technical possibilities of TakeCare were described.<br />
<br />
<br />
What has emerged in the case<br />
<br />
Aleris has essentially stated the following.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Personal data responsibility<br />
<br />
Aleris is the care provider and the personal data controller.<br />
<br />
<br />
The business<br />
Aleris's ownership structure has changed since the Data Inspectorate's review was initiated. Aleris's new ownership structure is shown in Aleris's supplement of 16 November 2020. The supplement states, among other things, the following.<br />
<br />
Aleris has been part of the newly formed group parent company Aleris Group AB (corporate identity number 559210-7550) since October 1, 2019, and is a subsidiary of Aleris Healthcare AB (org. no. 556598–6782). Aleris Group AB is owned by Triton.<br />
<br />
Group sales for Aleris Group AB amounted to SEK 1,215,385,000 between October 1, 2019 and December 31, 2019. Since Aleris Group AB was formed in connection with the change of ownership, when Aleris Healthcare AB and its subsidiaries were acquired, turnover figures are only available for this period.<br />
<br />
The annual turnover for Aleris Healthcare AB amounted to SEK 30,223,866 during 2019.<br />
<br />
<br />
Journal system<br />
<br />
Aleris has used TakeCare as its main record system since 28 May 2012, both for internal secrecy and within the framework of coherent record keeping.<br />
<br />
Federation Collaboration TakeCare (FSTC) is the customer of the TakeCare medical record system, and CompuGroup Medical (CGM) is the supplier of the medical record system and is responsible for the functions the system has for controlling permissions.<br />
<br />
All functions in the journal system are created by CGM, but it is Aleris who chooses which of the available functions a certain staff category should have access to. Aleris has no technical possibility to make changes in TakeCare because Aleris has no control over the journal system. Aleris is only a user of the system.<br />
<br />
Aleris has not been able to make any demands on CGM in the procurement of the journal system. The company has, for example, pointed out that there have been problems with the record system consisting, as far as the allocation of permissions is concerned, in that the system cannot separate read and print permissions for a read function. CGM has not been interested in changing this despite comments from Aleris.<br />
<br />
It is FSTC that can order changes to the functions, and it is then up to CGM whether or not to make the changes. Aleris has one representative in FSTC who can express Aleris's wishes. However, Aleris has not been given any hearing for the company's views.<br />
<br />
<br />
Number of patients and employees<br />
Aleris had 796,350 unique patients in TakeCare as of May 20, 2019. However, how many of these have died could not be retrieved.<br />
<br />
In May 2019, there were 1,058 active users, 807 active accounts and 63 units in the TakeCare journal system. The number of active users (i.e. employees and consultants who may have access to TakeCare) was calculated by counting the number of active AD accounts at the relevant cost centres.<br />
<br />
<br />
Internal secrecy<br />
<br />
Aleris has essentially stated the following.<br />
<br />
<br />
Needs and risk analysis<br />
Aleris has stated that needs and risk analyses aimed at TakeCare are performed by a designated risk analysis team for the purpose of reviewing the applicable authorization allocation and, where appropriate, determining new conditions for granting authorizations. Permissions are always limited to what is needed for the employee to be able to perform their work and contribute to safe care. The need is always weighed against the risk of improper access before permissions are granted. General authorization profiles are available; specific authorizations are assigned if necessary. The latter are examined in particular in the subsequent analysis by the designated risk analysis team. What is especially considered are the risks that can arise if an employee has too broad an authorization versus too narrow an authorization and thus no access to relevant patient information. The result of the needs and risk analysis then forms the basis for selecting the authorization profile used in the assignment of permissions within Aleris.<br />
<br />
Authorization for TakeCare is ordered by the responsible manager, as stated in the document “TakeCare Authorization Management”. The document also states that the authorization is personal and that its scope is based on the user's professional role and organizational domicile. Furthermore, it states that the care provider must ensure that authorization for access to patient data is limited to what a user needs in order to perform their tasks in health care.<br />
<br />
<br />
Aleris has a document called “Needs and Risk Analysis - TakeCare”. The document has looked as it does today since May 28, 2012, when TakeCare was introduced, and applies both to internal secrecy and within the framework of coherent record keeping. The document shows the different profiles, so-called authority groups. Among other things, the document shows the reading rights and the writing rights for each authority group.<br />
<br />
All profiles except technicians have been granted read access to the data in TakeCare. The authorization for each group has been justified. Doctors, for example, must be able to perform their duties and are responsible for patient information, while the system administrator must be able to troubleshoot, manage and set up users, systems and local administrators.<br />
<br />
Under the heading “Risk of restricted access” it is stated that the user “cannot perform their duties in full”. This justification is stated for all profiles (except for the local administrators, where the motivation is “Cannot manage permissions and implement corrective actions”). Under the heading “Risk of extensive access” it is stated, among other things, that “There is a risk of disclosure of patient information”. A similar justification is given for all profiles.<br />
<br />
<br />
Authorization of access to personal data about patients<br />
Aleris has stated that it is the system administrator who has the highest level of authorization, i.e. full authorization, in TakeCare. The local administrator has access to his own unit and is the one who assigns permissions within the unit. What privileges an administrator gives a user depends on the business to which the user belongs and on the user's tasks. All users get the “minimum they should have to cope” in terms of access. Access can, however, be expanded if necessary. There are basic profiles for, for example, assistant nurses, who are given the authorizations needed to carry out their tasks. If the manager considers that the assistant nurses need extended privileges, the local administrators ensure that the privileges are “hung on” the basic profile. If the extended authorization is no longer needed, it can be taken away from the basic profile.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Aleris has stated that all accounts within Aleris are individual and that authorizations are granted on the basis of the document “Needs and risk analysis TakeCare”. As previously mentioned, it appears from the document that all professional profiles apart from technicians have been granted read access to the data in TakeCare.<br />
<br />
However, Aleris has stated that all users have different read permissions in the journal system depending on which system functions they have access to at Aleris. According to Aleris, it is possible to steer access to TakeCare by giving different staff access to different functions. Each staff category only gets access to the functions they need to be able to perform their work. Technicians, for example, have limited authorizations depending on what they are going to do in the system; they only get read permission if they need it in their work. Another example concerns users who will only be at the checkout and thus do not need read permission. At present, however, there is no staff whose only task is to manage the cash register.<br />
<br />
<br />
By choosing different functions for different users, a difference is made in what different users can do in the system, e.g. as regards verifying, signing, etc. In total, there are 640 different system functions that can be selected for authorization. Among these functions, Aleris has selected those that the different staff categories need to have access to in order to carry out safe patient work. The document “Profiles and permissions” shows the different permissions that each category of staff has been assigned in TakeCare, e.g. dictate audio files, read activities, sign, read emergency information, read journal text, attest (vidimering), read referral, administer drug prescription, read scanned documents and approve care sessions. The document states, among other things, that all profiles, i.e. doctors, nurses, assistant nurses, paramedics, secretaries, “administrative”, students and “Receptionist Rehab”, have the authority to “read journal text” and that everyone except “Receptionist Rehab” is authorized to “read scanned documents” in TakeCare. It also appears that only doctors are authorized to “read emergency tasks” and that all profiles except assistant nurse and “administrative” can “read diagnoses” in TakeCare.<br />
<br />
<br />
Aleris has stated that the starting point is that a user at one unit only has read access to the patient records available at that unit. A user who needs to read journal entries from another unit must make an active choice in the system. By active choice is meant that the user has to make a number of “clicks” and select the relevant unit (this function is called journal filter). Authorization to use the journal filter is given to those users who need it to be able to perform their work. The user can never accidentally read a patient record from another unit.<br />
<br />
Aleris has stated that there are functions in TakeCare that allow a care provider to “isolate” a care unit and thereby “shut out” other care providers' and care units' access to that unit's care documentation, so-called protected units. However, Aleris does not operate any activity that requires protected units and has therefore not used this function.<br />
<br />
<br />
Coherent record keeping<br />
<br />
Aleris has essentially stated the following.<br />
<br />
<br />
Needs and risk analysis<br />
The document “Needs and risk analysis - TakeCare” also applies to the system for coherent record keeping.<br />
<br />
Authorization of access to personal data about patients<br />
The allocation of authorization takes place in the same way as within the framework of internal secrecy.<br />
<br />
Within the framework of coherent record keeping in TakeCare, users can access all care documentation of the other care providers included in the system. The user can initially see whether a patient is current with other care providers, but not which ones. To see who these care providers are, the user must click further in the system, i.e. make active choices. The user must then tick the box “consent” or “emergency access” to access that specific care provider's records.<br />
<br />
<br />
Aleris has stated the following due to Karolinska<br />
<br />
The University Hospital in a statement has stated that there are opportunities to<br />
restrict access in TakeCare.<br />
<br />
<br />
Page 8 of 30Datainspektionen DI-2019-3844 9 (30)<br />
<br />
There is a function to "isolate" a care unit and thereby close off access for other<br />
care providers and care units (so-called protected units). A care provider can thus,<br />
from a technical perspective, restrict other care providers' access to its own care<br />
documentation. However, Aleris has assessed that the company does not conduct any<br />
operations that need to be blocked, and that it is safer for patients to let the<br />
patient information at Aleris' units be available to other care providers. According<br />
to Aleris, it is moreover not permitted to implement such restrictions if a care<br />
provider uses the TakeCare record system and at the same time participates in<br />
coherent record keeping; this follows from a decision by Region Stockholm. This<br />
means that all of Aleris' users have access to all patient data held by the other<br />
care providers in TakeCare, except where patients have asked to have their<br />
information blocked (a so-called care provider block).<br />
<br />
<br />
According to Aleris, from a patient safety perspective it is not practically<br />
possible to opt out of individual care providers' access to one's own care<br />
documentation in TakeCare (except for protected units). Either a care provider is<br />
included in the system for coherent record keeping or it is not. It is not possible<br />
to restrict authorized persons' access to other care providers' information and at<br />
the same time participate meaningfully in coherent record keeping. According to<br />
Aleris, it is not possible to determine in advance which data may be important for<br />
patient-safe care in a given case. Aleris has therefore decided not to actively<br />
block other care providers' records. However, as mentioned, a care provider can<br />
itself block other care providers' access in TakeCare where it has assessed that<br />
its patients' records should not be available to other care providers. Such units<br />
are marked with an asterisk in TakeCare. In this way, a selection of care units to<br />
which Aleris' staff do not have access has already been made.<br />
<br />
<br />
Documentation of access (logs)<br />
<br />
Aleris' log documentation shows, among other things: the identity of the user and<br />
of the patient, the care unit, the date, the time, whether the user has documented<br />
in the record during the last 18 months, and whether the patient has had contact<br />
with the care unit during the last 18 months.<br />
<br />
<br />
Aleris has the ability to perform targeted log checks, which means that Aleris can<br />
see exactly what a user has done in the system. If the patient or Aleris suspects<br />
a data breach, Aleris can also perform an in-depth log check.<br />
<br />
<br />
All activities that take place within the framework of coherent record keeping are<br />
also logged in the system. This means that all active choices are logged as well.<br />
If the user has, for example, selected "consent" or "emergency access" in order to<br />
access a patient's information held by another care provider, this will appear in<br />
the log documentation.<br />
<br />
<br />
Aleris' opinion on the Data Inspectorate's letter<br />
<br />
In comments on the letter "Final communication before decision", received by the<br />
Data Inspectorate on 20 March 2020, Aleris has stated the following, among other<br />
things.<br />
<br />
The Data Inspectorate should take into account the figures for the economic unit in<br />
which the alleged shortcomings took place, i.e. Aleris Sjukvård AB.<br />
<br />
<br />
Aleris has actively worked to continuously strengthen internal and external<br />
confidentiality, including the functionality of TakeCare. Since Aleris has taken<br />
adequate measures to strengthen privacy protection in TakeCare through FSTC, actual<br />
deficiencies in TakeCare should not be regarded as Aleris' fault.<br />
<br />
<br />
<br />
Justification of decision<br />
<br />
<br />
Applicable rules<br />
<br />
<br />
The Data Protection Regulation is the primary source of law<br />
<br />
The Data Protection Regulation, commonly abbreviated GDPR, entered into application<br />
on 25 May 2018 and is the primary legal instrument governing the processing of<br />
personal data. This also applies to health care.<br />
<br />
<br />
The basic principles for the processing of personal data are set out in Article 5<br />
of the Data Protection Regulation. One basic principle is the requirement of<br />
security in Article 5(1)(f), which states that personal data shall be processed in a<br />
manner that ensures appropriate security of the personal data, including protection<br />
against unauthorized or unlawful processing and against accidental loss, destruction<br />
or damage, using appropriate technical or organizational measures.<br />
<br />
<br />
Article 5(2) lays down the so-called accountability principle, i.e. that "the<br />
controller shall be responsible for, and be able to demonstrate compliance with,<br />
paragraph 1".<br />
<br />
<br />
Article 24 deals with the responsibility of the controller. Article 24(1) states<br />
that the controller shall implement appropriate technical and organizational<br />
measures to ensure and be able to demonstrate that the processing is performed in<br />
accordance with the Data Protection Regulation. The measures shall take into<br />
account the nature, scope, context and purposes of the processing as well as the<br />
risks of varying likelihood and severity for the rights and freedoms of natural<br />
persons. The measures shall be reviewed and updated where necessary.<br />
<br />
<br />
Article 32 regulates security of processing. According to paragraph 1, the<br />
controller and the processor shall, taking into account the state of the art, the<br />
costs of implementation and the nature, scope, context and purposes of processing<br />
as well as the risks of varying likelihood and severity for the rights and freedoms<br />
of natural persons, implement appropriate technical and organizational measures to<br />
ensure a level of security appropriate to the risk (...). According to paragraph 2,<br />
in assessing the appropriate level of security, account shall be taken in particular<br />
of the risks that are presented by the processing, in particular from accidental or<br />
unlawful destruction, loss, alteration, unauthorized disclosure of, or access to<br />
personal data transmitted, stored or otherwise processed.<br />
<br />
<br />
Recital 75 states that various factors must be taken into account when assessing<br />
the risk to the rights and freedoms of natural persons. Among those mentioned are<br />
personal data covered by professional secrecy, data concerning health or sex life,<br />
processing of personal data concerning vulnerable natural persons, in particular<br />
children, and processing that involves a large amount of personal data and affects<br />
a large number of data subjects.<br />
<br />
<br />
Furthermore, it follows from recital 76 that the likelihood and severity of the risk<br />
to the rights and freedoms of the data subject should be determined by reference to<br />
the nature, scope, context and purposes of the processing. The risk should be<br />
evaluated on the basis of an objective assessment, by which it is established<br />
whether data processing operations involve a risk or a high risk.<br />
<br />
<br />
Recitals 39 and 83 also contain wording that provides guidance on the meaning of<br />
the Data Protection Regulation's requirements for security in the processing of<br />
personal data.<br />
<br />
<br />
The Data Protection Regulation and its relationship with supplementary national<br />
provisions<br />
<br />
According to Article 5(1)(a) of the Data Protection Regulation, personal data shall<br />
be processed lawfully. For processing to be considered lawful, a legal basis is<br />
required, i.e. at least one of the conditions in Article 6(1) must be met. The<br />
provision of health care is such a task carried out in the public interest as<br />
referred to in Article 6(1)(e).<br />
<br />
<br />
In health care, the legal bases legal obligation under Article 6(1)(c) and exercise<br />
of official authority under Article 6(1)(e) may also be relevant.<br />
<br />
As regards the legal bases legal obligation, public interest and exercise of<br />
official authority, Member States may, in accordance with Article 6(2), maintain or<br />
introduce more specific provisions to adapt the application of the Regulation's<br />
rules to national circumstances. National law may lay down specific requirements<br />
for the processing and other measures to ensure lawful and fair processing. This is<br />
not only a possibility to introduce national rules but also a duty: Article 6(3)<br />
states that the basis for the processing referred to in paragraph 1(c) and (e)<br />
shall be laid down by Union law or Member State law. The legal basis may also<br />
contain specific provisions to adapt the application of the rules of the Data<br />
Protection Regulation. Union law or Member State law shall meet an objective of<br />
public interest and be proportionate to the legitimate aim pursued.<br />
<br />
<br />
Article 9 states that the processing of special categories of personal data<br />
(so-called sensitive personal data) is prohibited. Sensitive personal data includes<br />
data concerning health. Article 9(2) lists the exceptions under which sensitive<br />
personal data may nevertheless be processed.<br />
<br />
<br />
Article 9(2)(h) states that sensitive personal data may be processed where the<br />
processing is necessary for purposes related to, among other things, the provision<br />
of health care on the basis of Union law or Member State law or pursuant to a<br />
contract with a health professional, and subject to the conditions and safeguards<br />
referred to in paragraph 3. Article 9(3) requires a statutory duty of confidentiality.<br />
<br />
<br />
This means that the legal bases public interest, exercise of official authority and<br />
legal obligation, as well as the processing of sensitive personal data under the<br />
exemption in Article 9(2)(h), all require supplementary rules.<br />
<br />
<br />
Supplementary national regulations<br />
<br />
In the case of Sweden, both the basis for the processing and the specific<br />
conditions for the processing of personal data in health care are regulated in the<br />
Patient Data Act (2008:355) and the Patient Data Ordinance (2008:360). Chapter 1,<br />
Section 4 of the Patient Data Act states that the act supplements the Data<br />
Protection Regulation.<br />
<br />
The purpose of the Patient Data Act is that information handling in health care<br />
shall be organized so that it meets patient safety and good quality and promotes<br />
cost efficiency. Its purpose is also that personal data shall be structured and<br />
otherwise processed so that the privacy of patients and other data subjects is<br />
respected. In addition, documented personal data shall be handled and stored so that<br />
unauthorized persons do not have access to them (Chapter 1, Section 2 of the Patient<br />
Data Act).<br />
<br />
<br />
The supplementary provisions in the Patient Data Act aim to safeguard both privacy<br />
protection and patient safety. Through the regulation, the legislator has thus<br />
struck a balance as to how the information is to be processed in order to meet<br />
both the requirements of patient safety and the right to privacy in the processing<br />
of personal data.<br />
<br />
<br />
The National Board of Health and Welfare has, on the basis of the Patient Data<br />
Ordinance, issued regulations and general advice on record keeping and processing<br />
of personal data in health care (HSLF-FS 2016:40). The regulations constitute such<br />
supplementary rules as are to be applied in the care provider's processing of<br />
personal data in health care, see ch. Section 1 of the Patient Data Act.<br />
<br />
<br />
National provisions supplementing the Data Protection Regulation's requirements on<br />
security are found in Chapters 4 and 6 of the Patient Data Act and Chapters 3 and 4<br />
of HSLF-FS 2016:40.<br />
<br />
<br />
Requirement to make a needs and risk analysis<br />
<br />
According to Chapter 4, Section 2 of HSLF-FS 2016:40, the care provider must make a<br />
needs and risk analysis before authorizations in the system are allocated.<br />
<br />
<br />
That the analysis must cover both the needs and the risks is clear from the<br />
preparatory work to the Patient Data Act, Government Bill 2007/08:126 pp. 148-149,<br />
which states the following.<br />
<br />
<br />
Authorization for staff's electronic access to patient data shall be limited to what<br />
the individual needs in order to be able to perform his or her duties in health<br />
care. This includes that authorizations must be followed up and changed or<br />
restricted as changes in the individual's duties give reason to. The provision<br />
corresponds in principle to Section 8 of the Health Care Register Act. The purpose<br />
of the provision is to emphasize the obligation of the responsible care provider to<br />
make active and individual authorization allocations based on analyses of which<br />
data different staff categories and different types of activities need. But needs<br />
analyses are not enough. Risk analyses must also be made, taking into account the<br />
different kinds of risks that may be associated with an overly wide availability of<br />
certain types of information. Protected personal data subject to a confidentiality<br />
marking, information about publicly known persons and data from certain clinics or<br />
medical specialties are examples of categories that may require special risk<br />
assessments.<br />
<br />
In general, it can be said that the more comprehensive an information system is,<br />
the greater the number of different authorization levels there must be. Decisive<br />
for decisions on authorization for, e.g., different categories of health care<br />
professionals for electronic access to data in patient records should be that the<br />
authorization is limited to what the individual needs for the purpose of good and<br />
safe patient care. A more extensive or coarse-grained authorization allocation<br />
should, even if it has advantages from an efficiency point of view, be considered<br />
an unjustified dissemination of record information within an operation and should<br />
as such not be accepted.<br />
<br />
<br />
Furthermore, data should be stored in different layers so that more sensitive data<br />
require active choices or are otherwise not as easily accessible to staff as less<br />
sensitive data. As regards staff who work with operational follow-up, production of<br />
statistics, central financial administration and similar activities that are not<br />
oriented towards individuals, most of them should have sufficient access if they can<br />
access information that can only be indirectly traced to individual patients.<br />
Electronic access to code keys, personal identity numbers and other data that<br />
directly identify individual patients should in this area be strongly limited to<br />
individuals.<br />
<br />
<br />
<br />
Internal confidentiality<br />
The provisions in Chapter 4 of the Patient Data Act concern internal<br />
confidentiality, i.e. they regulate how privacy protection is to be handled within<br />
a care provider's operation, and in particular employees' possibilities of gaining<br />
access to personal data that is electronically available within a care provider's<br />
organization.<br />
<br />
<br />
It follows from Chapter 4, Section 2 of the Patient Data Act that the care provider<br />
shall decide on the conditions for allocating authorization for access to such data<br />
about patients as is processed wholly or partly automatically. Such authorization<br />
shall be limited to what is needed for the individual to be able to perform his or<br />
her duties in health care.<br />
<br />
<br />
It follows from Chapter 4, Section 2 of HSLF-FS 2016:40 that the care provider shall<br />
ensure that each user is assigned an individual authorization for access to personal<br />
data. The care provider's decision on the allocation of authorization shall be<br />
preceded by a needs and risk analysis.<br />
<br />
<br />
Coherent record keeping<br />
The provisions in Chapter 6 of the Patient Data Act concern coherent record keeping,<br />
which means that a care provider, under the conditions specified in Section 2 of the<br />
same chapter, may have direct access to personal data processed by other care<br />
providers for purposes relating to care documentation. Access to the data is<br />
provided by a care provider making the data it registers about a patient available<br />
to the other care providers participating in the system for coherent record keeping<br />
(see Government Bill 2007/08:126 p. 247).<br />
<br />
<br />
It follows from Chapter 6, Section 7 of the Patient Data Act that the provisions of<br />
Chapter 4, Sections 2 and 3 also apply to the allocation of authorization and access<br />
control in coherent record keeping. The requirement that the care provider must<br />
perform a needs and risk analysis before authorizations in the system are allocated<br />
thus also applies to systems for coherent record keeping.<br />
<br />
<br />
Documentation of access (logs)<br />
It follows from Chapter 4, Section 3 of the Patient Data Act that a care provider<br />
shall ensure that access to such data about patients as is processed wholly or<br />
partly automatically is documented and checked systematically.<br />
<br />
<br />
According to Chapter 4, Section 9 of HSLF-FS 2016:40, the care provider shall ensure<br />
that<br />
<br />
1. the documentation of access (logs) shows which actions have been taken with data<br />
about a patient,<br />
<br />
2. the logs show at which care unit or care process the actions have been taken,<br />
<br />
3. the logs show the time at which the actions were taken, and<br />
<br />
4. the identity of the user and of the patient is stated in the logs.<br />
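<br />
To make the four log requirements above, and the targeted and in-depth log checks<br />
described earlier under "Documentation of access (logs)" in Aleris' account, concrete<br />
for a practitioner, here is an added example in Python. It is not code from the<br />
decision, from Aleris or from TakeCare: it parses constructed access-log lines<br />
carrying the required fields (action, care unit, time, user and patient identity)<br />
together with the two 18-month context flags that Aleris' log documentation is said<br />
to contain, runs a targeted check listing everything one user did, and runs a<br />
systematic check that flags entries for review. The field layout, the identifiers,<br />
the access_basis values and the review rules are assumptions made for the example.<br />

```python
"""Access-log checks of the kind the decision describes.

Added example, not code from the decision, Aleris or TakeCare. Each record
carries the fields that HSLF-FS 2016:40 ch. 4 s. 9 requires the log to show
(action taken, care unit, time, user identity, patient identity) plus the two
18-month context flags mentioned in Aleris' log documentation. The log lines,
the field layout and the access-basis values are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log; semicolon-separated fields:
# time;user;patient;care_unit;action;access_basis;user_documented_18m;patient_contact_18m
SAMPLE_LOG = """
2020-03-02T08:15:00;u1001;p555;Ortopedi;read;own_unit;1;1
2020-03-02T08:20:00;u1001;p777;Ortopedi;read;own_unit;0;0
2020-03-02T09:05:00;u1002;p555;Kirurgi;read;emergency_access;0;1
2020-03-03T10:00:00;u1001;p555;Ortopedi;write;own_unit;1;1
"""


@dataclass(frozen=True)
class AccessEvent:
    time: datetime
    user_id: str
    patient_id: str
    care_unit: str
    action: str                 # what was done with the patient's data (read/write)
    access_basis: str           # "own_unit", "consent" or "emergency_access" (assumed)
    user_documented_18m: bool   # user has documented in this record within 18 months
    patient_contact_18m: bool   # patient had contact with the care unit within 18 months


def parse_log(lines):
    """Parse the semicolon layout above into AccessEvent records, skipping blanks."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        t, user, patient, unit, action, basis, doc, contact = (
            f.strip() for f in line.split(";")
        )
        events.append(AccessEvent(datetime.fromisoformat(t), user, patient, unit,
                                  action, basis, doc == "1", contact == "1"))
    return events


def targeted_check(events, user_id):
    """Targeted log check: everything one user did, in time order."""
    return sorted((e for e in events if e.user_id == user_id), key=lambda e: e.time)


def flag_for_review(events):
    """Systematic check: return (event, reasons) for entries that merit follow-up.

    Two signals are used, both visible in the log fields described on the page:
    an active "emergency access" choice into another care provider's record, and
    an access where neither 18-month flag shows a care relation between the
    user's unit and the patient.
    """
    flagged = []
    for e in events:
        reasons = []
        if e.access_basis == "emergency_access":
            reasons.append("emergency access to another care provider's record")
        if not (e.user_documented_18m or e.patient_contact_18m):
            reasons.append("no documented care relation in the last 18 months")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG.splitlines())
    for e in targeted_check(evs, "u1001"):
        print(e.time.isoformat(), e.action, e.patient_id, e.care_unit)
    for e, why in flag_for_review(evs):
        print("REVIEW", e.user_id, e.patient_id, "; ".join(why))
```

Run as a script it prints the targeted view for user u1001 and the two flagged<br />
entries. The systematic check is the automated half of "checked systematically" in<br />
Chapter 4, Section 3; the flagged entries are what a manual in-depth log check would<br />
then examine, and the rules should be tightened to the care provider's own needs and<br />
risk analysis rather than taken as given.<br />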
<br />
<br />
The Data Inspectorate's assessment<br />
<br />
<br />
The controller's responsibility for security<br />
<br />
As described above, Article 24(1) of the Data Protection Regulation lays down a<br />
general requirement for the controller to implement appropriate technical and<br />
organizational measures. The requirement is partly to ensure that the processing of<br />
personal data is carried out in accordance with the Data Protection Regulation, and<br />
partly that the controller must be able to demonstrate that the processing of<br />
personal data is carried out in accordance with the Data Protection Regulation.<br />
<br />
<br />
The security of the processing is regulated more specifically in Articles 5(1)(f)<br />
and 32 of the Data Protection Regulation.<br />
<br />
<br />
Article 32(1) states that the appropriate measures shall be both technical and<br />
organizational, and that they shall ensure a level of security appropriate to the<br />
risks to the rights and freedoms of natural persons that the processing entails. It<br />
is therefore necessary to identify the possible risks to the data subjects' rights<br />
and freedoms and to assess the likelihood of the risks occurring and the severity if<br />
they do occur.<br />
<br />
What is appropriate varies not only with the risks but also with the nature, scope,<br />
context and purposes of the processing. It therefore matters what personal data is<br />
processed, how much data is involved, how many people process the data, and so on.<br />
<br />
<br />
The health service has a great need for information in its operations. It is<br />
therefore natural that the possibilities of digitalization are used as much as<br />
possible in health care. Since the Patient Data Act was written, extensive<br />
digitalization has taken place in health care. Both the size of the data<br />
collections and the number of people sharing information with each other have<br />
increased substantially. At the same time, this increase means that the demands on<br />
the controller increase, since the assessment of what constitutes appropriate<br />
security is affected by the scope of the processing.<br />
<br />
<br />
The data in question is also sensitive personal data, and it concerns people who<br />
are in a position of dependence when they are in need of care. It is also often a<br />
question of a great deal of personal data about each of these people, and the data<br />
may over time be processed by very many people in health care. All in all, this<br />
places great demands on the controller.<br />
<br />
The data processed must be protected both against actors outside the operation and<br />
against unauthorized access from within the operation. It should be noted that<br />
Article 32(2) states that the controller, when assessing the appropriate level of<br />
security, shall take particular account of the risks of accidental or unlawful<br />
destruction, loss, unauthorized disclosure or unauthorized access. In order to know<br />
what constitutes unauthorized access, the controller must be clear about what<br />
constitutes authorized access.<br />
<br />
<br />
Needs and risk analysis<br />
<br />
Chapter 4, Section 2 of the National Board of Health and Welfare's regulations<br />
(HSLF-FS 2016:40), which supplement the Patient Data Act, states that the care<br />
provider must make a needs and risk analysis before authorizations in the system are<br />
allocated. National law thus prescribes an appropriate organizational measure that<br />
must be taken before authorizations for record systems are allocated.<br />
<br />
<br />
A needs and risk analysis must include an analysis of the needs and an analysis of<br />
the risks, from a privacy perspective, that may be associated with an overly wide<br />
allocation of access to personal data about patients. Both the needs and the risks<br />
must be assessed on the basis of the data that needs to be processed in the<br />
operation, the processes involved, and whether and which risks to the privacy of<br />
the individual exist.<br />
<br />
<br />
The risk assessments need to be made at the organizational level, where for example<br />
a certain part of the operation or a certain task may be more privacy-sensitive<br />
than another, but also at the individual level, where special circumstances need to<br />
be taken into account, such as protected personal data, publicly known persons or<br />
otherwise particularly vulnerable persons. The size of the system also affects the<br />
risk assessment. The preparatory work to the Patient Data Act shows that the more<br />
comprehensive an information system is, the greater the number of different<br />
authorization levels there must be (Government Bill 2007/08:126 p. 149). It is thus<br />
a question of an analysis at the strategic level, which should result in an<br />
authorization structure adapted to the operation, and this must be kept up to date.<br />
<br />
<br />
In summary, the regulation requires that the risk analysis identifies how different<br />
categories of data, categories of data subjects (e.g. vulnerable natural persons<br />
and children), the scope (e.g. the amount of personal data and the number of data<br />
subjects) and the negative consequences for data subjects (e.g. physical harm,<br />
significant social or economic disadvantage, deprivation of rights and freedoms)<br />
affect the risk to the rights and freedoms of natural persons in the processing of<br />
personal data. This applies both within internal confidentiality and in coherent<br />
record keeping.<br />
<br />
<br />
The risk analysis must also include special risk assessments, for example based on<br />
whether there is protected personal data subject to a confidentiality marking,<br />
information about public figures, or information from certain clinics or medical<br />
specialties (Government Bill 2007/08:126 pp. 148-149).<br />
<br />
<br />
The risk analysis must also include an assessment of how likely and serious the risk<br />
to the data subjects' rights and freedoms is, on the basis of the nature, scope,<br />
context and purposes of the processing (recital 76).<br />
<br />
<br />
It is thus through the needs and risk analysis that the controller finds out who<br />
needs access, which information the access shall cover, and at what times and in<br />
what contexts access is needed, while at the same time analyzing the risks to the<br />
freedoms and rights of the individual that the processing may entail. The result<br />
should then lead to the technical and organizational measures needed to ensure that<br />
no one other than those who need access, and for whom the risk analysis shows that<br />
it is justified, is granted it.<br />
<br />
<br />
When a needs and risk analysis is missing prior to the allocation of authorizations<br />
in the system, the controller lacks the basis for being able to assign its users a<br />
correct authorization on legally sound grounds. The controller is responsible for,<br />
and shall have control over, the processing of personal data that takes place<br />
within the framework of the operation. To assign users authorization for access to<br />
the record system without this being founded on a performed needs and risk analysis<br />
means that the controller does not have sufficient control over the processing of<br />
personal data that takes place in the record system, and also cannot demonstrate<br />
that it has the control required.<br />
<br />
<br />
Aleris has stated that authorizations are allocated on the basis of the document<br />
"Needs and risk analysis - TakeCare". The document states that all authorization<br />
profiles other than technicians have been assigned permission to read in the system,<br />
and that the risk of restricted access is that the user cannot perform his or her<br />
duties in full. This justification is given for all users. It is further stated<br />
that the only risk of extensive access is that the user sees information that he or<br />
she does not have the right to see, which may involve disclosure of patient<br />
information. Similar justification is given for all profiles. This means that<br />
Aleris makes the same assessment for all profiles regardless of the user's duties<br />
and needs.<br />
<br />
<br />
The Data Inspectorate can state that the document "Needs and risk analysis -<br />
TakeCare" does not contain any analysis of the different profiles' need for access<br />
to patients' data. Aleris has only stated what each profile "must be able to<br />
perform" in the record system, and has thus not analyzed which information is<br />
involved or what the needs look like in the different parts of the operation and<br />
for different professional roles. The document also lacks an analysis of the risks<br />
to the individual's freedoms and rights that an overly wide authorization may<br />
entail. The needs and risk analysis must be made at a strategic level and should<br />
result in an authorization structure adapted to the operation.<br />
<br />
<br />
The information in the document "Needs and risk analysis - TakeCare" is too<br />
deficient in relation to the information required for a correct needs and risk<br />
analysis to be performed. As stated above, in a needs and risk analysis both the<br />
needs and the risks are assessed on the basis of the data that needs to be<br />
processed in the operation, the processes involved, and whether and which risks to<br />
the individual's privacy exist, at both the organizational and the individual<br />
level.<br />
<br />
In its analysis, Aleris has not taken into account how the negative consequences<br />
for data subjects, the different categories of data, the categories of data<br />
subjects, or the scope in terms of the amount of personal data and the number of<br />
data subjects affect the risk to the rights and freedoms of natural persons in<br />
Aleris' processing of personal data in TakeCare. Nor are there any special risk<br />
assessments based on whether there is, for example, protected personal data subject<br />
to a confidentiality marking, information about public figures, information from<br />
certain clinics or medical specialties, or other factors that require special<br />
protective measures. There is also no assessment of how likely and serious the risk<br />
to the data subjects' rights and freedoms is considered to be.<br />
<br />
<br />
In the light of the above, the Data Inspectorate can state that the document "Needs<br />
and risk analysis - TakeCare" does not meet the requirements placed on a needs and<br />
risk analysis, and that Aleris has not been able to show that the company has<br />
carried out a needs and risk analysis within the meaning of Chapter 4, Section 2 of<br />
HSLF-FS 2016:40, either within the framework of internal confidentiality under<br />
Chapter 4 of the Patient Data Act or within the framework of coherent record keeping<br />
under Chapter 6, Section 7 of the Patient Data Act. This means that Aleris has not<br />
taken appropriate organizational measures in accordance with Article 5(1)(f) and<br />
Article 32(1) and (2) in order to ensure, and in accordance with Article 5(2) be<br />
able to demonstrate, that the processing of personal data has a level of security<br />
appropriate to the risks.<br />
<br />
<br />
Authorization of access to personal data about patients<br />
<br />
As reported above, a caregiver may have a legitimate interest in comprehensive processing of data on the health of individuals. Notwithstanding this, access to personal data about patients must be limited to what is needed for the individual to be able to fulfil his or her duties.<br />
<br />
<br />
With regard to the allocation of authorization for electronic access under Chapter 4, Section 2 and Chapter 6, Section 7 of the Patient Data Act, the preparatory work (Bill 2007/08:126, pp. 148-149) states, among other things, that there should be different authorization categories in the journal system and that authorizations should be limited to what the user needs in order to provide the patient with good and safe care. It also appears that “a more extensive or coarse-grained authorization should be regarded as unauthorized dissemination of journal information within a business and should as such not be accepted.”<br />
<br />
In health care, it is the person who needs the information in their work who may be authorized to access it. This applies both within a caregiver and between caregivers. It is, as already mentioned, through the needs and risk analysis that the controller finds out who needs access, what information the access should include, at which times and in which contexts access is needed, and at the same time analyses the risks to the individual's freedoms and rights that the processing can lead to. The result should then lead to the technical and organizational measures needed to ensure that no allocation of authorization provides wider access than what the needs and risk analysis shows is justified. An important organizational measure is to instruct those who have the authority to assign authorizations on how this should be done and what should be considered, so that, with the needs and risk analysis as a basis, the allocation of authorization is correct in each individual case.<br />
<br />
<br />
Aleris has stated that there are restrictions on users' access options in TakeCare, since the company, by choosing different functions for different users, can control users' access capabilities in the journal system.<br />
<br />
According to Aleris, all users have different read permissions in the journal system depending on the system functions they have access to. However, the document “Needs and risk analysis - TakeCare” states that all professional profiles apart from technicians have been assigned read access to the data in TakeCare. Furthermore, the document "Profiles and Permissions" states that all occupational profiles, i.e. doctors, nurses, assistant nurses, paramedics, secretary, administrative, student and receptionist Rehab, have authority to "read journal text". This means that virtually all professional profiles have access to Aleris's personal data about patients in TakeCare. The limitation that has been introduced is that different professional profiles have different read privileges; for example, doctors, nurses and paramedics can "read diagnoses" or "read prescriptions", while other professional profiles, for example "Administrative", do not have those permissions. It also appears that doctors are the only ones who have the authority to "read emergency information".<br />
<br />
<br />
The Data Inspectorate considers it positive that Aleris has allocated different read permissions in the system, but this is not enough, because all professional profiles still have access to the journal texts in TakeCare. In addition, the division is coarse, as it is based only on occupational categories and not on, for example, the user's organizational affiliation, the tasks the user has, or which patients' personal data the user needs to access at different times. Because different users have different tasks within different work areas, users' access to personal data about patients in TakeCare needs to be limited to reflect this.<br />
<br />
Against this background, the Data Inspectorate can state that Aleris has not restricted users' permissions to access patients' personal data in the journal system TakeCare. This in turn means that a majority of the users have had actual access to the care documentation of a large number of patients in TakeCare.<br />
<br />
<br />
The review also shows that Aleris uses so-called active choices for access to personal data about patients, as well as the record filter function.<br />
<br />
<br />
The fact that Aleris uses active choices does not mean that the user's access to personal data in the system has been restricted, since the data remain electronically accessible. This means that active choices are not such an access restriction as referred to in Chapter 4, Section 2 of the Patient Data Act, as this provision requires that authorization be limited to what is necessary for the individual to be able to fulfil his or her duties within health care, and that only those who need the information should have access. The Data Inspectorate thus considers that Aleris's use of active choices is a privacy-enhancing measure, but that it does not affect the actual access possibilities.<br />
<br />
<br />
Aleris has further stated that there are functions in TakeCare by which a care provider can "isolate" a care unit and thereby "shut out" other care providers' and care units' access to the unit's care documentation, so-called protected units. However, Aleris believes that the company does not conduct any business that requires protected units and has therefore not used this function.<br />
<br />
<br />
As for cohesive record keeping, all users at Aleris have access to all personal data about patients at the other care providers in TakeCare, except where patients have requested that their data be blocked. It appears from the review that the care provider has the possibility to actively block the records of other caregivers, but that Aleris has chosen not to do so because the company does not conduct any business that needs to be blocked. Aleris considers it safer to leave the data at Aleris's units available to other caregivers.<br />
<br />
<br />
That the allocation of authorizations has not been preceded by a needs and risk analysis means that Aleris has not analysed users' need for access to the data or the risks that such access may entail, and thus has not identified which access is justified for the users on the basis of such an analysis. Aleris has therefore not used suitable measures, in accordance with Article 32, to restrict users' access to patients' data in the medical record system. This in turn has meant that there has been a risk of unauthorized access to and unauthorized dissemination of personal data, both within the framework of internal secrecy and within the framework of cohesive record keeping.<br />
<br />
<br />
Aleris has further stated that the company has no technical possibility to make changes to TakeCare, because Aleris has no control over the journal system. It also appears that Aleris, within the framework of cohesive record keeping, may not implement certain restrictions, with reference to a decision from the Stockholm Region.<br />
<br />
<br />
The starting point of the Data Protection Regulation is that the controller has a responsibility to comply with the obligations set out in the Regulation in order to be allowed to process personal data in its activities at all. Taking appropriate technical and organizational measures to ensure appropriate security is such an obligation (see Articles 5, 24 and 32 of the Data Protection Regulation). The Data Inspectorate thus considers that Aleris, in its capacity as controller, cannot waive the responsibility to take the technical and organizational measures required by the above articles.<br />
<br />
<br />
In light of the above, the Swedish Data Inspectorate can state that Aleris has processed personal data in breach of Article 5(1)(f) and Article 32(1) and (2) of the Data Protection Regulation, in that Aleris has not restricted users' permissions to access the TakeCare journal system to only what is needed for the user to be able to fulfil his or her tasks in health care according to Chapter 4, Section 2 and Chapter 6, Section 7 of the Patient Data Act and Chapter 4, Section 2 HSLF-FS 2016:40. This means that Aleris has not taken measures to ensure, and in accordance with Article 5(2) of the Data Protection Regulation be able to demonstrate, appropriate security for personal data.<br />
<br />
<br />
Documentation of access (logs)<br />
From the documentation of access (logs) that emerged during the Data Inspectorate's inspection, the following appears: date, time, the identity of the user and the patient, the measures taken and the care unit. The same documentation is produced when the user accesses data within the framework of cohesive record keeping.<br />
<br />
The Data Inspectorate has no objections in this part, because the documentation of access (logs) in TakeCare complies with the requirements set out in Chapter 4, Section 9 HSLF-FS 2016:40. Aleris has thus taken appropriate technical measures in accordance with Article 32 of the Data Protection Regulation.<br />
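The profile-based read permissions discussed in the authorization section above and the access-log fields listed here, as an added example (Python; not code from the decision, the DPA or the TakeCare system): a coarse profession-only policy beside a needs-based one that also requires a care relationship between the user's care unit and the patient, with every attempt documented. The profile matrix, unit names, user ids and patients are constructed assumptions, not values from the decision.<br />

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, FrozenSet, List, Set

# Profile -> read permissions. Modelled on the profile and permission names the
# decision quotes; the full matrix is a hypothetical configuration.
PROFILE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "doctor": frozenset({"read journal text", "read diagnoses",
                         "read prescriptions", "read emergency information"}),
    "nurse": frozenset({"read journal text", "read diagnoses", "read prescriptions"}),
    "administrative": frozenset({"read journal text"}),
    "technician": frozenset(),
}


@dataclass(frozen=True)
class User:
    user_id: str
    profile: str
    care_unit: str


@dataclass(frozen=True)
class AccessLogEntry:
    """One access record with the fields the decision lists: date/time, user and
    patient identity, the action taken and the care unit (plus the outcome)."""
    timestamp: str
    user_id: str
    patient_id: str
    action: str
    care_unit: str
    granted: bool


Policy = Callable[[User, str, str], bool]


@dataclass
class RecordSystem:
    # Constructed sample data: patient id -> care units with an ongoing care relationship.
    care_relationships: Dict[str, Set[str]]
    log: List[AccessLogEntry] = field(default_factory=list)

    def coarse_policy(self, user: User, patient_id: str, action: str) -> bool:
        """Profession-only authorization as the decision describes it: any profile
        holding the permission may read any patient in the system."""
        return action in PROFILE_PERMISSIONS.get(user.profile, frozenset())

    def needs_based_policy(self, user: User, patient_id: str, action: str) -> bool:
        """Authorization limited to what the user needs for their duties: the
        profile permission AND a care relationship between the user's unit and
        the patient. A patient unknown to the system is never readable."""
        if not self.coarse_policy(user, patient_id, action):
            return False
        return user.care_unit in self.care_relationships.get(patient_id, set())

    def access(self, policy: Policy, user: User, patient_id: str, action: str) -> bool:
        """Evaluate the policy and document the attempt, granted or denied."""
        granted = policy(user, patient_id, action)
        self.log.append(AccessLogEntry(
            timestamp=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user_id=user.user_id, patient_id=patient_id, action=action,
            care_unit=user.care_unit, granted=granted))
        return granted

    def reachable_patients(self, policy: Policy, user: User, action: str) -> Set[str]:
        """Patients whose data the user can actually reach under a policy: the
        'actual access' the decision measures, independent of active choices."""
        return {p for p in self.care_relationships if policy(user, p, action)}


def build_sample_system() -> RecordSystem:
    # Constructed sample data: three patients spread over two care units.
    return RecordSystem(care_relationships={
        "P1": {"rehab"}, "P2": {"orthopaedics"}, "P3": {"rehab", "orthopaedics"},
    })


def compare_policies(action: str = "read journal text") -> Dict[str, Dict[str, int]]:
    """Count reachable patients per user under both policies (constructed users)."""
    system = build_sample_system()
    users = [User("u-doc", "doctor", "orthopaedics"),
             User("u-adm", "administrative", "rehab"),
             User("u-tech", "technician", "rehab")]
    return {u.user_id: {
        "coarse": len(system.reachable_patients(system.coarse_policy, u, action)),
        "needs_based": len(system.reachable_patients(system.needs_based_policy, u, action)),
    } for u in users}


if __name__ == "__main__":
    for user_id, counts in compare_policies().items():
        print(user_id, counts)
```

Under the coarse policy every non-technician user reaches every patient, which is the finding the decision makes; the needs-based policy reduces each user to the patients of their own unit while the log still records the denied attempts.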
<br />
<br />
Choice of intervention<br />
<br />
Legal regulation<br />
If there has been a violation of the Data Protection Regulation, the Data Inspectorate has a number of corrective powers available under Article 58(2)(a)-(j) of the Data Protection Regulation. The supervisory authority can, among other things, order the controller to ensure that the processing takes place in accordance with the Regulation and, where required, in a specific way and within a specific period.<br />
<br />
<br />
It follows from Article 58(2) of the Data Protection Regulation that the Data Inspectorate, in accordance with Article 83, shall impose penalty fees in addition to or instead of the other corrective measures referred to in Article 58(2), depending on the circumstances of each individual case.<br />
<br />
<br />
Article 83(2) sets out the factors to be taken into account in determining whether an administrative penalty fee shall be imposed, and also what shall affect the size of the penalty fee. Of central importance for the assessment of the seriousness of the infringement are its nature, gravity and duration. In the case of a minor infringement, the supervisory authority may, according to recital 148 of the Data Protection Regulation, issue a reprimand instead of imposing a penalty fee.<br />
<br />
<br />
Order<br />
The health service has a great need for information in its operations. It is therefore natural that the possibilities of digitalisation are utilised as much as possible in healthcare. Since the Patient Data Act was written, very extensive digitisation has taken place in healthcare. Both the size of the data collections and the number of people sharing information with each other have increased substantially. At the same time, this increase means that the demands on the controller increase, since the assessment of what constitutes appropriate security is affected by the extent of the processing.<br />
<br />
In this context, a great deal of responsibility rests on the controller to protect the data from unauthorized access, among other things by having a more finely grained allocation of authorizations. It is therefore essential that there is a genuine analysis of the needs, based on the different activities and the different staff members. Equally important is that there is a genuine analysis of the risks to privacy that may arise from an excessive allocation of access rights. On the basis of this analysis, the access of the individual staff member must then be restricted. This authorization must then be followed up and changed or restricted as changes in the tasks of the individual staff member give reason for it.<br />
<br />
<br />
The Data Inspectorate's inspection has shown that Aleris has failed to take appropriate security measures to protect the personal data in the record system TakeCare, by not complying with the requirements set out in the Patient Data Act and in the National Board of Health and Welfare's regulations regarding the carrying out of a needs and risk analysis before authorizations are allocated in the system, and by not restricting the right of access to what is needed for the individual to be able to fulfil his or her duties in health care. This means that Aleris has also failed to comply with the requirements of Article 5(1)(f) and Article 32(1) and (2) of the Data Protection Regulation. The failure covers both internal secrecy under Chapter 4 of the Patient Data Act and cohesive record keeping under Chapter 6 of the Patient Data Act.<br />
<br />
<br />
The Data Inspectorate therefore orders, pursuant to Article 58(2)(d) of the Data Protection Regulation, Aleris Sjukvård AB to carry out and document the required needs and risk analysis for the TakeCare medical record system and then, based on the needs and risk analysis, to assign each user individual access to personal data restricted to only what is needed for the individual to be able to fulfil his or her duties in health care, in accordance with Article 5(1)(f) and Article 32(1) and (2) of the Data Protection Regulation, Chapter 4, Section 2 and Chapter 6, Section 7 of the Patient Data Act and Chapter 4, Section 2 HSLF-FS 2016:40.<br />
<br />
<br />
Penalty fee<br />
<br />
The Data Inspectorate can state that the infringements essentially concern Aleris's obligation to take appropriate security measures to protect personal data in accordance with the Data Protection Regulation.<br />
<br />
<br />
In this case, it is a matter of large data collections with sensitive personal data and extensive authorizations. The caregiver may need comprehensive processing of data on the health of individuals. However, such processing must not be unrestricted but should be based on what individual employees need in order to perform their tasks. The Data Inspectorate notes that this is information that directly identifies the individual through name, contact details and personal identity number, together with health information, but it may also be other private information about, for example, family relationships, sexual life and lifestyle. The patient is dependent on receiving care and is thus in a vulnerable situation. The nature of the data, their scope and the patients' position of dependence give caregivers a special responsibility to ensure patients' right to adequate protection of their personal data.<br />
<br />
<br />
Additional aggravating circumstances are that the processing of personal data about patients in the main medical record system belongs to the core of a caregiver's activities, that the processing covers many patients and that the possibility of access concerns a large proportion of the employees. In this case, there are almost 800,000 patients and just over 1,000 active users in the journal system.<br />
<br />
<br />
It is a central task for the controller to take measures to ensure a level of security appropriate to the risk. In assessing the appropriate level of security, particular account shall be taken of the risks presented by the processing, in particular from accidental or unlawful destruction, loss or alteration, or unauthorized disclosure of or unauthorized access to the personal data transmitted, stored or otherwise processed, pursuant to Article 32(2) of the Data Protection Regulation. The requirements for the health care area regarding applicable security measures have been specified in the Patient Data Act and in the National Board of Health and Welfare's regulations. The preparatory work for the Patient Data Act clearly states that requirements are placed both on a strategic analysis and on authorizations being assigned individually and adapted to the current situation. That large amounts of sensitive personal data are processed without the basic regulations in the field being followed means that the conduct is assessed as more serious.<br />
<br />
The Data Inspectorate also takes into account that Aleris has chosen not to restrict access in the context of cohesive record keeping. According to Aleris, it is safer for patients to leave the data at Aleris's units available to other caregivers. This means that Aleris has set aside the protection of privacy within cohesive record keeping in favour of patient safety, which is particularly serious.<br />
<br />
<br />
The Data Inspectorate has also taken into account that Aleris has used some privacy-enhancing measures, introduced certain restrictions on the read permissions of occupational categories, and documented access in a correct way.<br />
<br />
In determining the seriousness of the infringements, it can also be stated that the infringements cover the basic principles set out in Article 5 of the Data Protection Regulation, which belong to the categories of more serious infringements that may give rise to a higher penalty fee under Article 83(5) of the Data Protection Regulation.<br />
<br />
<br />
Taken together, these factors mean that the infringements, namely not carrying out a needs and risk analysis and not limiting users' permissions to only what is needed for the user to be able to fulfil his or her tasks in health care, are not to be judged as minor infringements but as infringements that should lead to an administrative penalty fee.<br />
<br />
<br />
The Data Inspectorate considers that these violations are closely related to each other. That assessment is based on the fact that the needs and risk analysis forms the basis for the allocation of authorizations. The Data Inspectorate therefore considers that these infringements are so closely linked that they constitute linked processing operations within the meaning of Article 83(3) of the Data Protection Regulation. The Data Inspectorate therefore decides on a joint penalty fee for these infringements.<br />
<br />
<br />
According to Article 83(3), the administrative penalty fee may not exceed the amount specified for the most serious infringement in the case of the same or linked processing operations.<br />
<br />
The administrative penalty fee shall be effective, proportionate and dissuasive. This means that the amount must be determined so that the administrative penalty fee leads to correction, that it has a preventive effect, and that it is also proportionate in relation both to the violations in question and to the ability of the supervised entity to pay.<br />
<br />
<br />
As regards the calculation of the amount, Article 83(5) of the Data Protection Regulation states that companies committing the infringements in question may be subject to penalty fees of up to EUR 20 million or four percent of total worldwide annual turnover in the previous financial year, whichever is higher.<br />
<br />
<br />
The term company includes every entity engaged in an economic activity, regardless of the legal status of the entity or the way in which it is financed. A company can therefore consist of a single company in the sense of one legal person, but also of several natural persons or companies. Thus there are situations where an entire group is treated as one company and its total annual turnover shall be used to calculate the amount of a penalty fee for an infringement of the Data Protection Regulation by one of its companies.<br />
<br />
<br />
Recital 150 of the Data Protection Regulation states, among other things, the following. […] If administrative penalty fees are imposed on a company, a company for that purpose should be considered a company within the meaning of Articles 101 and 102 of the TFEU […]. This means that the assessment of what constitutes a company must be based on the definitions of competition law. The rules for group liability in EU competition law revolve around the concept of an economic unit. A parent company and a subsidiary are considered part of the same economic unit when the parent company exercises decisive influence over the subsidiary. The Data Inspectorate therefore uses, as a starting point, the turnover of Aleris Group AB as the basis for calculating the size of the penalty fee.<br />
<br />
<br />
Aleris Group AB was formed at the end of 2019. Turnover figures for the whole of 2019 are thus not available, and there is therefore no information on the annual turnover for determining the amount of the penalty fee. Aleris has stated that the group turnover for Aleris Group AB amounted to just over 1.2 billion between 1 October 2019 and 31 December 2019. Recalculated for an entire year, this would correspond to a turnover of approximately 4.9 billion.<br />
<br />
The Data Inspectorate notes that the actual annual turnover of Aleris Group AB this year will be significantly higher.<br />
<br />
In the current case, the Data Inspectorate applies a precautionary principle and therefore estimates that the company's annual turnover at least corresponds to that of the period October - December 2019 recalculated to a full year, i.e. approximately 4.9 billion. The maximum sanction amount that can be determined in the current case is EUR 20,000,000, which is just over four percent of the company's estimated turnover.<br />
<br />
<br />
Given the seriousness of the infringements, and that the administrative penalty fee must be effective, proportionate and dissuasive, the Data Inspectorate sets the administrative penalty fee for Aleris Sjukvård AB at SEK 15,000,000 (fifteen million).<br />
<br />
<br />
<br />
<br />
<br />
This decision was made by Director General Lena Lindgren Schelin after presentation by the IT security specialist Magnus Bergström. The General Counsel Hans-Olof Lindblom, the unit managers Katarina Tullstedt and Malin Blixt, and the lawyer Linda Hamidi also took part in the final handling of the case.<br />
<br />
<br />
<br />
<br />
Lena Lindgren Schelin, 2020-12-02 (This is an electronic signature)<br />
<br />
<br />
<br />
<br />
<br />
Appendix<br />
<br />
How to pay penalty fee<br />
<br />
<br />
Copy for information to<br />
The Data Protection Officer<br />
<br />
How to appeal<br />
<br />
If you want to appeal the decision, you must write to the Data Inspectorate. State in the letter which decision you are appealing and the change you are requesting. The appeal must have been received by the Data Inspectorate no later than three weeks from the day you received the decision. If the appeal has been received in due time, the Data Inspectorate forwards it to the Administrative Court in Stockholm for examination.<br />
<br />
You can e-mail the appeal to the Data Inspectorate if it does not contain any privacy-sensitive personal data or data that may be covered by secrecy. The authority's contact details can be found on the first page of the decision.<br />
<br />
</pre></div>Elisavet Dravalouhttps://gdprhub.eu/index.php?title=Datainspektionen_-_DI-2019-3844&diff=12919Datainspektionen - DI-2019-38442020-12-14T10:47:03Z<p>Elisavet Dravalou: Created page with "{{DPAdecisionBOX |Jurisdiction=Sweden |DPA-BG-Color= |DPAlogo=LogoSK.png |DPA_Abbrevation=Datainspektionen |DPA_With_Country=Datainspektionen (Sweden) |Case_Number_Name=DI-2..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Sweden<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoSK.png<br />
|DPA_Abbrevation=Datainspektionen<br />
|DPA_With_Country=Datainspektionen (Sweden)<br />
<br />
|Case_Number_Name=DI-2019-3844<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Datainspektionen<br />
|Original_Source_Link_1=https://www.datainspektionen.se/globalassets/dokument/beslut/beslut-tillsyn-aleris-sjukvard-di-2019-3844.pdf<br />
|Original_Source_Language_1=Swedish<br />
|Original_Source_Language__Code_1=SV<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=02.12.2020<br />
|Date_Published=02.12.2020<br />
|Year=2020<br />
|Fine=15000000<br />
|Currency=SEK<br />
<br />
|GDPR_Article_1=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1f<br />
|GDPR_Article_2=Article 5(2) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#2<br />
|GDPR_Article_3=Article 32(1) GDPR<br />
|GDPR_Article_Link_3=Article 32 GDPR#1<br />
|GDPR_Article_4=Article 32(2) GDPR<br />
|GDPR_Article_Link_4=Article 32 GDPR#2<br />
<br />
<br />
|National_Law_Name_1= Patientdatalagen (2008:355)<br />
|National_Law_Link_1=https://www.riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningssamling/patientdatalag-2008355_sfs-2008-355<br />
<br />
|Party_Name_1=Aleris Sjukvård AB<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Elisavet Dravalou<br />
|<br />
}}<br />
<br />
The Swedish DPA held that the healthcare provider "Aleris" did not carry out the risk assessments required by the Patient Data Act and that, by granting access to all personnel to the patients' journal system, it was breaching Article 32 GDPR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The audit of Aleris Sjukvård AB by the Swedish DPA was initiated in May 2019. Aleris is a healthcare provider and uses a system named "TakeCare" as its main journal keeping system, where the patients' journals are stored and maintained. According to the Patient Data Act, a caregiver must conduct a needs and risk analysis before allocating access rights to the patients' journals. <br />
<br />
=== Dispute ===<br />
<br />
<br />
=== Holding ===<br />
The DPA found that Aleris Sjukvård AB did not carry out these assessments and that it had granted access to patients' journals to all employees apart from technicians. By doing so, Aleris Sjukvård AB breached the obligation to apply appropriate technical and organisational measures to ensure the security of personal data, imposed on controllers by Article 32 GDPR. The DPA imposed a fine of SEK 15 million (approximately €1,466,000).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.<br />
<br />
<pre><br />
Decision 2020-12-02, Diary No. DI-2019-3844, 1 (30)<br />
<br />
Aleris Sjukvård AB<br />
c/o Aleris Specialist Care Sabbatsberg<br />
Box 6401<br />
113 82 Stockholm<br />
Stockholm County<br />
<br />
Supervision under the Data Protection Regulation and the Patient Data Act: needs and risk analysis and questions about access in journal systems<br />
<br />
<br />
Table of Contents<br />
<br />
The Data Inspectorate's decision 2<br />
Report on the supervisory matter 3<br />
What has emerged in the case 3<br />
Internal secrecy 5<br />
Cohesive record keeping 8<br />
Documentation of access (logs) 9<br />
Aleris's opinion on the Data Inspectorate's letter 9<br />
Motivation for the decision 10<br />
Applicable rules 10<br />
The Data Inspectorate's assessment 15<br />
Choice of intervention 23<br />
Appendix 29<br />
Copy for information to 29<br />
How to appeal 29<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Postal address: Box 8114, 104 20 Stockholm E-mail: datainspektionen@datainspektionen.se<br />
Website: www.datainspektionen.se Phone: 08-657 61 00<br />
The Data Inspectorate's decision<br />
<br />
During a review on April 8, 2019, the Data Inspectorate established that Aleris Sjukvård AB processes personal data in violation of Article 5(1)(f) and (2) and Article 32(1) and (2) of the Data Protection Regulation, in that<br />
<br />
1. Aleris Sjukvård AB has not carried out a needs and risk analysis before the allocation of permissions takes place in the journal system TakeCare, in accordance with Chapter 4, Section 2 and Chapter 6, Section 7 of the Patient Data Act (2008:355) and Chapter 4, Section 2 of the National Board of Health and Welfare's regulations and general advice on record keeping and processing of personal data in health and healthcare (HSLF-FS 2016:40). This means that Aleris Sjukvård AB has not taken appropriate organizational measures to be able to ensure, and be able to show, that the processing of personal data has a level of security that is appropriate in relation to the risks.<br />
<br />
2. Aleris Sjukvård AB does not limit users' permissions for access to the TakeCare journal system to only what is needed for the user to be able to fulfil his tasks in health and healthcare, according to Chapter 4, Section 2 and Chapter 6, Section 7 of the Patient Data Act and Chapter 4, Section 2 of HSLF-FS 2016:40. This means that Aleris Sjukvård AB has not taken measures to be able to ensure, and be able to show, a suitable level of security for personal data.<br />
<br />
The Data Inspectorate decides, on the basis of Articles 58(2) and 83 of the Data Protection Regulation, that Aleris Sjukvård AB, for violation of Article 5(1)(f) and (2) and Article 32(1) and (2) of the Data Protection Regulation, shall pay an administrative penalty fee of SEK 15,000,000 (fifteen million).<br />
<br />
The Data Inspectorate orders, pursuant to Article 58(2)(d) of the Data Protection Regulation, Aleris Sjukvård AB to implement and document the required needs and risk analysis for the TakeCare medical record system and then, based on the needs and risk analysis, to assign each user individual access to personal data restricted to only what is needed for the individual to be able to fulfil his duties in health care, in accordance with Article 5(1)(f) and Article 32(1) and (2) of the Data Protection Regulation, Chapter 4, Section 2 and Chapter 6, Section 7 of the Patient Data Act and Chapter 4, Section 2 of HSLF-FS 2016:40.<br />
<br />
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).<br />
<br />
Report on the supervisory matter<br />
<br />
The Data Inspectorate's inspection began with an inspection letter on 22 March 2019 and has taken place both in writing and through an on-site inspection on April 8, 2019. The audit was intended to check whether Aleris Sjukvård AB's (hereinafter referred to as Aleris) decisions on the allocation of authorizations have been preceded by a needs and risk analysis. The supervision has also included how Aleris has granted authorizations for access to the TakeCare main journal system, and which access opportunities the granted privileges provide, both within the framework of internal secrecy according to the Patient Data Act and within the coherent record keeping according to Chapter 6 of the Patient Data Act. In addition, the Data Inspectorate has examined which documentation of access (logs) exists in the journal system.<br />
<br />
The Data Inspectorate has only examined the user's access to the journal system, i.e. what care documentation the user can actually take part of and read. The supervision has not included which functions were included in the authorization, i.e. what the user can actually do in the journal system (e.g. issuing prescriptions, writing referrals, etc.).<br />
<br />
The inspection is one of several inspections within the framework of a self-initiated supervisory project at the Swedish Data Inspectorate, in which, among others, Karolinska University Hospital has been included. Due to what has emerged about Aleris' view on the technical possibilities to limit readability for its users in TakeCare, Aleris was asked in particular to comment on an opinion from Karolinska University Hospital, which also uses TakeCare, in which the technical possibilities regarding TakeCare were described.<br />
<br />
What has emerged in the case<br />
<br />
Aleris has essentially stated the following.<br />
<br />
Personal data responsibility<br />
Aleris is the care provider and the personal data controller.<br />
<br />
The business<br />
Aleris' ownership structure has changed since the Data Inspectorate's review was initiated. Aleris' new ownership structure is shown in Aleris' supplement of 16 November 2020. The supplement states, among other things, the following.<br />
<br />
Aleris has been part of the newly formed group parent company Aleris Group AB (corporate identity number 559210-7550) since October 1, 2019, and is a subsidiary of Aleris Healthcare AB (org. no. 556598-6782). Aleris Group AB is owned by Triton.<br />
<br />
Group sales for Aleris Group AB amounted to SEK 1,215,385,000 between October 1, 2019 and December 31, 2019. Since Aleris Group AB was formed in connection with the change of ownership, when Aleris Healthcare AB and its subsidiaries were acquired, turnover figures are only available for this period.<br />
<br />
The annual turnover for Aleris Healthcare AB amounted to SEK 30,223,866 during 2019.<br />
<br />
Journal system<br />
Aleris has been using TakeCare as its main record system since 28 May 2012, both for internal secrecy and within the framework of coherent record keeping.<br />
<br />
Federation Collaboration TakeCare (FSTC) is the customer of the medical record system TakeCare, and CompuGroup Medical (CGM) is the supplier of the medical record system and is responsible for the functions that the system has to control permissions.<br />
<br />
All functions in the journal system are created by CGM, but it is Aleris who chooses which functions a certain staff category should have access to among the functions that are available. Aleris has no technical possibility to make changes in TakeCare because Aleris has no control over the journal system. Aleris is only a user of the system.<br />
<br />
Aleris has not been able to make any demands on CGM in the procurement of the journal system. The company has, for example, pointed out that there have been problems with the record system consisting of, as far as the allocation of authorizations is concerned, that the system cannot separate read and print permissions for a read function. CGM has not been interested in changing this despite comments from Aleris.<br />
<br />
It is FSTC that can order changes to the functions, and it is then up to CGM whether they want to make the changes or not. Aleris has one representative in FSTC who can express Aleris' wishes. However, Aleris has not received any hearing for the company's views.<br />
<br />
Number of patients and employees<br />
Aleris had 796,350 unique patients in TakeCare as of May 20, 2019. However, how many of these have died could not be retrieved.<br />
<br />
In May 2019, there were 1,058 active users, 807 active accounts and 63 units in the journal system TakeCare. The number of active users (i.e. employees and consultants who may have access to TakeCare) has been calculated by counting the number of active AD accounts at the relevant cost centers.<br />
<br />
Internal secrecy<br />
<br />
Aleris has essentially stated the following.<br />
<br />
Needs and risk analysis<br />
Aleris has stated that needs and risk analyses aimed at TakeCare are performed by a designated risk analysis team for the purpose of reviewing the applicable authorization allocation and possibly determining new conditions for granting authorizations. Permissions are always limited to what is needed for the employee to be able to perform their work and contribute to safe care. The need versus the risk of improper access is always weighed before permissions are granted. General authorization profiles are available; specific authorizations are assigned if necessary. The latter are examined in particular in the subsequent analysis by the designated risk analysis team. What is especially considered are the risks that can arise if an employee has too broad an authorization versus too narrow an authorization and thus no access to relevant patient information. The result of the needs and risk analysis is then the basis for selecting the authorization profile used in the assignment of authorizations within Aleris.<br />
<br />
Authorization for TakeCare is ordered by the responsible manager, as stated in the document "TakeCare Authorization Management". The document also states that the authorization is personal and that its scope is based on the user's professional role and organizational domicile. Furthermore, it states that the care provider must ensure that the authorization for access to patient data is limited to what a user needs to be able to perform their tasks in health care.<br />
<br />
Aleris has a document called "Needs and Risk Analysis - TakeCare". The document has looked like it does today since May 28, 2012, when TakeCare was introduced, and applies both to internal secrecy and within the framework of coherent record keeping. The document shows the different profiles, so-called authority groups. It shows, among other things, the reading rights and the writing rights for each authority group.<br />
<br />
All profiles except technicians have been granted read access to the data in TakeCare. The authorization for each group has been justified. The doctors are, for example, to be able to perform their duties and are responsible for patient information, while the system administrator must be able to troubleshoot, manage and set up users, systems and local administrators.<br />
<br />
Under the heading "Risk of restricted access" it is stated that the user "cannot perform their duties in full". This justification is stated for all profiles (except for the local administrators, where the motivation is "Cannot manage permissions and implement corrective actions"). Under the heading "Risk of extensive access" it is stated, among other things, that "There is a risk of disclosure of patient information". Similar justification is given for all profiles.<br />
<br />
Authorization of access to personal data about patients<br />
Aleris has stated that it is the system administrator who has the highest level of authorization, i.e. full authorization, in TakeCare. The local administrator has access to his own unit and is the one who assigns permissions within the unit. What privileges an administrator gives a user depends on the business to which the user belongs and on the user's tasks. All users get the "minimum they should have to cope" in terms of access. Access can, however, be expanded if necessary. There are basic profiles for, for example, assistant nurses, who are given the authorizations needed to carry out their tasks. If the manager considers that the assistant nurses need an extended authorization, the local administrators ensure that the authorization is "hung up" on the basic profile. If the extended authorization is no longer needed, it can be taken away from the basic profile.<br />
<br />
Aleris has stated that all accounts within Aleris are individual and that authorizations are granted on the basis of the document "Needs and risk analysis - TakeCare". As previously mentioned, it appears from the document that all professional profiles apart from technicians have been granted reading access to the data in TakeCare.<br />
<br />
However, Aleris has stated that all users have different read permissions in the journal system based on which system functions they have access to at Aleris. According to Aleris, it is possible to steer access opportunities in TakeCare by giving different staff access to different functions. Each staff category only gets access to the functions they need to be able to perform their work. Technicians, for example, have limited authorizations depending on what they are going to do in the system. They only get reading permission if they need it in their work. Another example concerns users who will only be at the checkout and thus do not need a reading permission. In the current situation, there is no staff that only has the task of managing the cash register.<br />
<br />
By choosing different functions for different users, a difference is made in what different users can do in the system, e.g. as regards verify, sign, etc. In total, there are 640 different system functions that one can choose to grant authorization to. Among these functions, Aleris has selected the functions that different staff categories need to have access to in order to carry out safe patient work. The document "Profiles and permissions" shows the different permissions that each category of staff has been assigned in TakeCare, e.g. dictate audio files, read activities, sign, read emergency information, read journal text, vidimering (attestation), read referral, administer drug prescription, read scanned documents and approve care sessions. The document states, among other things, that all profiles, i.e. doctors, nurses, assistant nurses, paramedics, secretaries, "administrative", students and "Receptionist Rehab", have the authority to "read journal text" and that everyone except "Receptionist Rehab" is authorized to "read scanned documents" in TakeCare. It also appears that only doctors are authorized to "read emergency tasks" and that all profiles except assistant nurse and "Administrative" can "read diagnoses" in TakeCare.<br />
<br />
Aleris has stated that the starting point is that a user on one unit only has read access to the patient records available on that unit. A user who needs to read journal entries from another unit must make an active choice in the system. By active choice is meant that the user has to make a number of "clicks" and select the relevant unit (this function is called journal filter). Authorization to be able to use the journal filter is given to those users who need it to be able to perform their work. The user can never accidentally read a patient record from another unit.<br />
<br />
Aleris has stated that there are features in TakeCare for a care provider to be able to "isolate" a care unit and thereby "shut out" other care providers' and care units' access to the unit's care documentation, so-called protected units. However, Aleris does not operate any activity that requires protected units and has therefore not made use of this function.<br />
<br />
Coherent record keeping<br />
<br />
Aleris has essentially stated the following.<br />
<br />
Needs and risk analysis<br />
The document "Needs and risk analysis - TakeCare" also applies to the system for coherent record keeping.<br />
<br />
Authorization of access to personal data about patients<br />
The allocation of authorization takes place in the same way as within the framework of internal secrecy.<br />
<br />
Within the framework of coherent record keeping in TakeCare, users can take part of all care documentation of other care providers included in the system. The user can initially see whether a patient is current with other care providers, but not which ones. To be able to see who these care providers are, the user must click on in the system, i.e. make active choices. The user must then tick the box "consent" or "emergency access" to access that specific care provider's records.<br />
<br />
Aleris has stated the following in response to Karolinska University Hospital having stated in an opinion that there are possibilities to restrict access in TakeCare.<br />
<br />
There is a function to "isolate" a care unit and thereby close off access for other care providers and care units (so-called protected units). A care provider can thus, from a technical perspective, restrict other care providers' access to its own care documentation. However, Aleris has assessed that the company does not conduct any business that needs to be blocked and that it is more patient-safe to let the patient information at Aleris' units be available to other care providers. According to Aleris, it is moreover not permitted to implement such restrictions if a care provider uses the TakeCare medical record system and at the same time is part of coherent record keeping, following a decision from the Stockholm Region. This means that all users at Aleris have access to all patient data at the other care providers in TakeCare, except where patients have requested that their information be blocked (a so-called care provider block).<br />
<br />
According to Aleris, from a patient safety perspective it is not practically possible to opt out of individual care providers' access to one's own care documentation in TakeCare (except for protected units). Either the care provider is included in the system for coherent record keeping or it is not. It is not possible to restrict authorized persons' access to the information of other care providers and at the same time participate in coherent record keeping in a meaningful way. According to Aleris, it is not possible to determine in advance which data may in a certain case be important for patient-safe care. Aleris has therefore decided not to actively block other care providers' records. However, as mentioned, a care provider can itself block other care providers' access in TakeCare where it has made the assessment that its patients' medical records should not be available to other care providers. These units are marked in TakeCare with an asterisk. In this way, a selection of care units has already been made that Aleris' staff do not have access to.<br />
<br />
Documentation of access (logs)<br />
<br />
Aleris' log documentation states, among other things: the user's and the patient's identity, care unit, date, time, information that the user has documented in the journal during the last 18 months, as well as information that the patient has had contact with the care unit during the last 18 months.<br />
<br />
Aleris has the ability to perform targeted log checks. That means Aleris can see exactly what a user has done in the system. If the patient or Aleris suspects a data breach, Aleris can also perform an in-depth log check.<br />
<br />
All activities that take place within the framework of coherent record keeping are also logged in the system. This also means that all active choices are logged in the system. If the user, for example, has selected "consent" or "emergency access" to be able to take part of a patient's information at another care provider, this will appear from the log documentation.<br />
<br />
Aleris' opinion on the Data Inspectorate's letter<br />
<br />
Aleris has, in comments on the letter "Final communication before decision", received by the Swedish Data Inspectorate on 20 March 2020, stated the following, among other things.<br />
<br />
The Data Inspectorate should take into account the figures for the economic unit where the alleged shortcomings have taken place, i.e. Aleris Sjukvård AB.<br />
<br />
Aleris has actively worked to continuously strengthen internal and external confidentiality, including the functionality of TakeCare. As Aleris has taken adequate measures to strengthen, through FSTC, the integrity of TakeCare, actual deficiencies in TakeCare should not be considered to be Aleris' fault.<br />
<br />
Justification of decision<br />
<br />
Applicable rules<br />
<br />
The Data Protection Regulation is the primary source of law<br />
The Data Protection Regulation, often abbreviated GDPR, was introduced on 25 May 2018 and is the primary legal regulation for the processing of personal data. This also applies to health care.<br />
<br />
The basic principles for the processing of personal data are set out in Article 5 of the Data Protection Regulation. A basic principle is the requirement of security pursuant to Article 5(1)(f), which states that personal data shall be processed in a way that ensures adequate security for the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.<br />
<br />
Article 5(2) states the so-called accountability principle, i.e. that the "controller shall be responsible for, and be able to demonstrate, that the basic principles of paragraph 1 are complied with".<br />
<br />
Article 24 deals with the responsibility of the controller. It follows from Article 24(1) that the controller is responsible for implementing appropriate technical and organizational measures to ensure and demonstrate that the processing is performed in accordance with the Data Protection Regulation. The measures shall be carried out taking into account the nature, scope, context and purposes of the processing and the risks, of varying degrees of probability and severity, for the rights and freedoms of natural persons. The measures must be reviewed and updated if necessary.<br />
<br />
Article 32 regulates the security associated with the processing. According to paragraph 1, the controller and the processor shall, taking into account the state of the art, the implementation costs and the nature, scope, context and purposes of the processing as well as the risks, of varying probability and seriousness, for the rights and freedoms of natural persons, take appropriate technical and organizational measures to ensure a level of security which is appropriate in relation to the risk (...). According to paragraph 2, in the assessment of the appropriate level of security, special consideration shall be given to the risks that the processing entails, in particular from accidental or unlawful destruction, loss or alteration, or unauthorized disclosure of or unauthorized access to the personal data transferred, stored or otherwise processed.<br />
<br />
Recital 75 states that in assessing the risk to natural persons' rights and freedoms, various factors must be taken into account. Among other things, it mentions personal data covered by professional secrecy, data on health or sexual life, whether the processing concerns personal data of vulnerable natural persons, especially children, or whether the processing involves a large amount of personal data and applies to a large number of data subjects.<br />
<br />
Furthermore, it follows from recital 76 that the probability and seriousness of the risk to the data subjects' rights and freedoms should be determined on the basis of the nature, scope, context and purposes of the processing. The risk should be evaluated on the basis of an objective assessment, which determines whether the data processing involves a risk or a high risk.<br />
<br />
Recitals 39 and 83 also contain text that provides guidance on the meaning of the Data Protection Regulation's requirements for security in the processing of personal data.<br />
<br />
The Data Protection Regulation and the relationship with complementary national<br />
provisions<br />
<br />
According to Article 5 (1). a in the Data Protection Regulation, the personal data shall<br />
treated in a lawful manner. In order for the treatment to be considered legal, it is required<br />
<br />
legal basis by fulfilling at least one of the conditions of Article 6 (1).<br />
The provision of health care is one such task of general<br />
<br />
interest referred to in Article 6 (1) (e).<br />
<br />
<br />
In health care, the legal bases can also be legal<br />
obligation pursuant to Article 6 (1) (c) and exercise of authority under Article 6 (1) (e)<br />
<br />
updated.<br />
<br />
When it comes to the legal bases legal obligation, in general<br />
<br />
interest or exercise of authority by the Member States, in accordance with Article<br />
6.2, maintain or introduce more specific provisions for adaptation<br />
<br />
the application of the provisions of the Regulation to national circumstances.<br />
National law may specify specific requirements for the processing of data<br />
<br />
and other measures to ensure legal and equitable treatment. But<br />
there is not only one possibility to introduce national rules but also one<br />
<br />
duty; Article 6 (3) states that the basis for the treatment referred to in<br />
paragraph 1 (c) and (e) shall be determined in accordance with Union law or<br />
<br />
national law of the Member States. The legal basis may also include<br />
specific provisions to adapt the application of the provisions of<br />
<br />
the Data Protection Regulation. Union law or the national law of the Member States<br />
law must fulfill an objective of general interest and be proportionate to it<br />
<br />
legitimate goals pursued.<br />
<br />
<br />
Article 9 states that the treatment of specific categories of<br />
personal data (so-called sensitive personal data) is prohibited. Sensitive<br />
<br />
personal data includes data on health. Article 9 (2) states<br />
except when sensitive personal data may still be processed.<br />
<br />
<br />
Article 9 (2) (h) states that the processing of sensitive personal data may be repeated<br />
the treatment is necessary for reasons related to, among other things<br />
<br />
the provision of health care on the basis of Union law or<br />
national law of the Member States or in accordance with agreements with professionals in<br />
<br />
the field of health and provided that the conditions and protective measures provided for in<br />
referred to in paragraph 3 are met. Article 9 (3) imposes a regulated duty of confidentiality.<br />
<br />
Datainspektionen DI-2019-3844 13 (30)<br />
<br />
This means that the legal bases public interest, exercise of official authority and legal obligation, as well as the processing of sensitive personal data under the exception in Article 9(2)(h), all presuppose supplementary rules.<br />
<br />
<br />
Supplementary national regulations<br />
<br />
In Sweden, both the basis for the processing and the special conditions for the processing of personal data in health care are regulated in the Patient Data Act (2008:355) and the Patient Data Ordinance (2008:360). Chapter 1, Section 4 of the Patient Data Act states that the Act supplements the Data Protection Regulation.<br />
<br />
The purpose of the Patient Data Act is that information management in health care shall be organised so that it meets the requirements of patient safety and good quality and promotes cost efficiency. Its purpose is also that personal data shall be structured and otherwise processed so that the privacy of patients and other data subjects is respected. In addition, documented personal data shall be handled and stored so that unauthorised persons do not gain access to it (Chapter 1, Section 2 of the Patient Data Act).<br />
<br />
The supplementary provisions of the Patient Data Act aim to safeguard both privacy protection and patient safety. Through this regulation the legislator has thus struck a balance as to how information is to be processed in order to meet both the requirements of patient safety and the right to privacy in the processing of personal data.<br />
<br />
The National Board of Health and Welfare has, on the basis of the Patient Data Ordinance, issued regulations and general advice on record keeping and the processing of personal data in health care (HSLF-FS 2016:40). These regulations constitute such supplementary rules as are to be applied in the care provider's processing of personal data in health care, see Section 1 in the relevant chapter of the Patient Data Act.<br />
<br />
National provisions supplementing the security requirements of the Data Protection Regulation are found in Chapters 4 and 6 of the Patient Data Act and in Chapters 3 and 4 of HSLF-FS 2016:40.<br />
<br />
<br />
Requirement to make a needs and risk analysis<br />
<br />
According to Chapter 4, Section 2 of HSLF-FS 2016:40, the care provider shall carry out a needs and risk analysis before authorizations in the system are assigned.<br />
<br />
That the analysis must cover both needs and risks is clear from the preparatory works to the Patient Data Act, Government Bill 2007/08:126 pp. 148-149, which state the following.<br />
<br />
Authorization for staff's electronic access to patient data shall be restricted to what the person in question needs in order to perform his or her duties in health care. This includes that authorizations must be followed up and changed or restricted as changes in the individual's duties give reason to. The provision corresponds in principle to Section 8 of the Health Care Register Act. The purpose of the provision is to underline the obligation of the responsible care provider to make active and individual authorization assignments based on analyses of which data different staff categories and different types of activities need. But needs analyses alone are not enough. Risk analyses must also be carried out, taking into account the various kinds of risk that may be associated with an excessive availability of certain types of data. Protected personal data that is classified, data on publicly known persons and data from certain clinics or medical specialties are examples of categories that may require special risk assessments.<br />
<br />
In general, it can be said that the more comprehensive an information system is, the greater the number of different authorization levels there must be. Decisive for decisions on authorization, for example for different categories of health care staff, for electronic access to data in patient records should be that the authorization is limited to what the individual needs in order to provide good and safe patient care. A more extensive or coarse-grained assignment of authorizations should, even if it has merits from the point of view of efficiency, be regarded as an unjustified dissemination of record information within an organisation and should as such not be accepted.<br />
<br />
Furthermore, data should be stored in different layers so that more sensitive data requires active choices or is otherwise not as easily accessible to staff as less sensitive data. As regards staff who work with operational follow-up, production of statistics, central financial administration and similar activities that are not focused on individuals, it should for most of them be sufficient to have access to information that can only be indirectly traced to individual patients. Electronic access to code keys, personal identity numbers and other data that directly identify individual patients should, in this area, be able to be strongly limited to a few individuals.<br />
<br />
<br />
<br />
Internal secrecy<br />
The provisions of Chapter 4 of the Patient Data Act concern internal secrecy, i.e. they regulate how privacy protection is to be handled within a care provider's organisation, and in particular employees' possibilities of gaining access to personal data that is electronically available within a care provider's organisation.<br />
<br />
It follows from Chapter 4, Section 2 of the Patient Data Act that the care provider shall decide on the conditions for assigning authorization for access to such data on patients as is processed wholly or partly automatically. Such authorization shall be limited to what is needed for the individual to be able to perform his or her duties in health care.<br />
<br />
It follows from Chapter 4, Section 2 of HSLF-FS 2016:40 that the care provider shall ensure that each user is assigned an individual authorization for access to personal data. The care provider's decision on the assignment of authorizations shall be preceded by a needs and risk analysis.<br />
<br />
<br />
Coherent record keeping<br />
The provisions of Chapter 6 of the Patient Data Act concern coherent record keeping, which means that a care provider may, under the conditions laid down in Section 2 of that chapter, have direct access to personal data that is processed by other care providers for care documentation purposes. Access is provided by a care provider making the data it records about a patient available to the other care providers that participate in the coherent record keeping system (see Bill 2007/08:126 p. 247).<br />
<br />
It follows from Chapter 6, Section 7 of the Patient Data Act that the provisions of Chapter 4, Sections 2 and 3 also apply to the assignment of authorizations and access control in coherent record keeping. The requirement that the care provider carry out a needs and risk analysis before authorizations in the system are assigned thus also applies to systems for coherent record keeping.<br />
<br />
<br />
Documentation of access (logs)<br />
It follows from Chapter 4, Section 3 of the Patient Data Act that a care provider shall ensure that access to such data on patients as is processed wholly or partly automatically is documented and systematically checked.<br />
<br />
According to Chapter 4, Section 9 of HSLF-FS 2016:40, the care provider shall ensure that<br />
<br />
1. the documentation of access (the logs) shows which actions have been taken with data on a patient,<br />
<br />
2. the logs show at which care unit or in which care process the actions were taken,<br />
<br />
3. the logs show the time at which the actions were taken, and<br />
4. the identity of the user and of the patient is shown in the logs.<br />
<br />
The Data Inspectorate's assessment<br />
<br />
<br />
Personal data controller's responsibility for security<br />
<br />
As described above, Article 24(1) of the Data Protection Regulation lays down a general requirement that the controller implement appropriate technical and organisational measures. The requirement is partly to ensure that the processing of personal data is performed in accordance with the Data Protection Regulation, and partly that the controller must be able to demonstrate that the processing of personal data is performed in accordance with the Data Protection Regulation.<br />
<br />
The security of the processing is regulated more specifically in Articles 5(1)(f) and 32 of the Data Protection Regulation.<br />
<br />
Article 32(1) states that the appropriate measures shall be both technical and organisational, and that they shall ensure a level of security that is appropriate in relation to the risks to the rights and freedoms of natural persons that the processing entails. It is therefore necessary to identify the possible risks to the data subjects' rights and freedoms and to assess the likelihood of the risks materialising and the severity if they do. What is appropriate varies not only with the risks but also with the nature, scope, context and purposes of the processing. It is thus of significance which personal data are processed, how much data, how many people process the data, and so on.<br />
<br />
<br />
Health care has a great need for information in its operations. It is therefore natural that the possibilities of digitalisation are used as far as possible in health care. Since the Patient Data Act was written, extensive digitalisation has taken place in health care. Both the size of the data collections and the number of people who share information with each other have increased substantially. At the same time, this increase means that the demands on the controller increase, since the assessment of what constitutes appropriate security is affected by the scope of the processing.<br />
<br />
The data are also sensitive personal data, and they concern people who are in a position of dependence when they are in need of care. It is also often a question of a great deal of personal data about each of these people, and of data that over time may be processed by very many people in health care. All in all, this places great demands on the controller.<br />
The data processed must be protected both against actors outside the organisation and against unauthorised access from within the organisation. It may be noted that Article 32(2) states that the controller, when assessing the appropriate level of security, shall take into account in particular the risks of accidental or unlawful destruction, loss or unauthorised disclosure of, or unauthorised access to, personal data. In order to know what constitutes unauthorised access, the controller must be clear about what constitutes authorised access.<br />
<br />
<br />
Needs and risk analysis<br />
<br />
Chapter 4, Section 2 of the National Board of Health and Welfare's regulations (HSLF-FS 2016:40), which supplement the Patient Data Act, states that the care provider shall carry out a needs and risk analysis before authorizations in the system are assigned. National law thus prescribes an appropriate organisational measure that shall be taken before authorizations to record systems are assigned.<br />
<br />
A needs and risk analysis must include an analysis of the needs and an analysis of the risks, from a privacy perspective, that may be associated with an excessive assignment of access to personal data about patients. Both the needs and the risks must be assessed on the basis of the data that need to be processed in the operation, which processes are involved, and which risks to the individual's privacy exist.<br />
<br />
The risks need to be assessed at the organisational level, where for example a certain part of the operation or a certain category of data may be more privacy-sensitive than another, but also at the individual level, where special circumstances need to be taken into account, such as protected personal data, publicly known persons or otherwise particularly vulnerable persons. The size of the system also affects the risk assessment. The preparatory works to the Patient Data Act show that the more comprehensive an information system is, the greater the number of authorization levels there must be (Bill 2007/08:126 p. 149). It is thus a question of an analysis at the strategic level, which should result in an authorization structure that is adapted to the operation, and this must be kept up to date.<br />
<br />
<br />
In summary, the regulation requires that the risk analysis identifies<br />
<br />
different categories of data,<br />
categories of data subjects (e.g. vulnerable natural persons and children),<br />
the scope (e.g. the amount of personal data and the number of data subjects), and<br />
the negative consequences for data subjects (e.g. physical injury, significant social or economic disadvantage, deprivation of rights and freedoms),<br />
<br />
and how they affect the risk to the rights and freedoms of natural persons in the processing of personal data. This applies both within internal secrecy and within coherent record keeping.<br />
<br />
<br />
The risk analysis must also include special risk assessments, for example based on whether there is protected personal data that is classified, data on publicly known persons, or data from certain clinics or medical specialties (Bill 2007/08:126 pp. 148-149).<br />
<br />
The risk analysis must also include an assessment of how likely and how serious the risk to the data subjects' rights and freedoms is, based on the nature, scope, context and purposes of the processing (recital 76).<br />
<br />
<br />
It is thus through the needs and risk analysis that the controller finds out who needs access, which data the access shall cover, and at what times and in which contexts access is needed, while at the same time analysing the risks to the individual's freedoms and rights that the processing may entail. The result should then lead to the technical and organisational measures needed to ensure that no one other than those whom the needs and risk analysis shows to be justified is given access.<br />
<br />
<br />
When a needs and risk analysis prior to the assignment of authorizations in the system is missing, the controller lacks the basis for being able to assign its users a correct authorization on legal grounds. The controller is responsible for, and shall have control over, the processing of personal data that takes place within its operation. Assigning users access to the record system without basing this on a needs and risk analysis that has actually been carried out means that the controller does not have sufficient control over the processing of personal data that takes place in the record system, and also cannot demonstrate that it has the control that is required.<br />
<br />
<br />
Aleris has stated that authorizations are assigned on the basis of the document "Needs and risk analysis - TakeCare". The document states that all authorization profiles, apart from technicians, have been assigned permission to read in the system, and that the risk of restricted access is that the user cannot perform his or her duties in full. This justification is given for all users. It is further stated that the only risk of extensive access is that the user sees information that he or she does not have the right to see, which may involve disclosure of patient information. The same justification is given for all profiles. This means that Aleris makes the same assessment for all profiles regardless of the user's duties and needs.<br />
<br />
<br />
The Data Inspectorate notes that the document "Needs and risk analysis - TakeCare" does not contain any analysis of the different profiles' need for access to patients' data. Aleris has only stated what each profile "must be able to do" in the record system, and has thus not analysed which data are concerned or what the needs look like in the different parts of the operation and for the different professional roles. The document also lacks an analysis of the risks to the individual's freedoms and rights that an excessive authorization may entail. The needs and risk analysis must be carried out at a strategic level and should result in an authorization structure that is adapted to the operation.<br />
<br />
<br />
The information in the document "Needs and risk analysis - TakeCare" is too deficient in relation to the information required for a correct needs and risk analysis to be carried out. As stated above, in a needs and risk analysis both the needs and the risks are assessed on the basis of the data that need to be processed in the operation, which processes are involved, and which risks to the individual's privacy exist, at the organisational as well as the individual level.<br />
<br />
In its analysis, Aleris has not taken into account how the negative consequences for data subjects, the different categories of data, the categories of data subjects or the scope in terms of the amount of personal data and the number of data subjects affect the risk to the rights and freedoms of natural persons in Aleris's processing of personal data in TakeCare. Nor are there any special risk assessments based on whether there is, for example, protected personal data that is classified, data on publicly known persons, data from certain clinics or medical specialties, or other factors that require special protective measures. There is also no assessment of how likely and how serious the risk to the data subjects' rights and freedoms is considered to be.<br />
<br />
<br />
In the light of the above, the Data Inspectorate finds that the document "Needs and risk analysis - TakeCare" does not meet the requirements placed on a needs and risk analysis, and that Aleris has not been able to demonstrate that the company has carried out a needs and risk analysis within the meaning of Chapter 4, Section 2 of HSLF-FS 2016:40, either within the framework of internal secrecy under Chapter 4 of the Patient Data Act or within the framework of coherent record keeping under Chapter 6, Section 7 of the Patient Data Act. This means that Aleris has not taken appropriate organisational measures in accordance with Article 5(1)(f) and Article 32(1) and (2) in order to ensure, and in accordance with Article 5(2) be able to demonstrate, that the processing of personal data has a level of security that is appropriate in relation to the risks.<br />
<br />
<br />
Authorization of access to personal data about patients<br />
<br />
As stated above, a care provider may have a legitimate interest in extensive processing of data on the health of individuals. Notwithstanding this, access to personal data about patients shall be limited to what is needed for the individual to be able to perform his or her duties.<br />
<br />
<br />
With regard to the assignment of authorization for electronic access under Chapter 4, Section 2 and Chapter 6, Section 7 of the Patient Data Act, the preparatory works, Bill 2007/08:126 pp. 148-149, state among other things that there should be different authorization categories in the record system and that the authorizations should be limited to what the user needs in order to give the patient good and safe care. They also state that "a more extensive or coarse-grained assignment of authorizations should be regarded as an unjustified dissemination of record information within an organisation and should as such not be accepted."<br />
<br />
In health care, it is the person who needs the data in his or her work who may be authorised to access them. This applies both within a care provider and between care providers. It is, as already mentioned, through the needs and risk analysis that the controller finds out who needs access, which data the access shall cover, and at what times and in which contexts access is needed, while at the same time analysing the risks to the individual's freedoms and rights that the processing may entail. The result should then lead to the technical and organisational measures needed to ensure that no assignment of authorization provides wider access possibilities than the needs and risk analysis shows to be justified. An important organisational measure is to give instructions to those who have the authority to assign authorizations on how this is to be done and what is to be considered, so that, with the needs and risk analysis as a basis, the assignment of authorization is correct in each individual case.<br />
<br />
<br />
Aleris has stated that there are restrictions on users' access possibilities in TakeCare, since the company, by selecting different functions for different users, can steer users' access possibilities in the record system.<br />
<br />
According to Aleris, all users have different read permissions in the record system depending on which system functions they have access to. However, the document "Needs and risk analysis - TakeCare" states that all professional profiles, apart from technicians, have been assigned read access to the data in TakeCare. Furthermore, the document "Profiles and Permissions" states that all professional profiles, i.e. doctors, nurses, assistant nurses, paramedical staff, secretaries, administrative staff, students and Rehab receptionists, have the permission "read journal text". This means that virtually all professional profiles have access to Aleris's personal data about patients in TakeCare. The limitation that has been introduced is that different professional profiles have different read permissions; for example, doctors, nurses and paramedical staff can "read diagnoses" or "read prescriptions", while other professional profiles, for example "Administrative", do not have those permissions. It also appears that doctors are the only ones who have the permission "read emergency information".<br />
<br />
<br />
The Data Inspectorate considers it positive that Aleris has assigned different read permissions in the system, but this is not enough, because all professional profiles still have access to the journal texts in TakeCare. In addition, the division is coarse, as it is only a division by occupational category and not based on, for example, organisational affiliation, which duties the user has, or which patients' personal data the user needs to access at different times. Since different users have different duties within different areas of work, users' access to personal data about patients in TakeCare needs to be limited so as to reflect this.<br />
<br />
Against this background, the Data Inspectorate finds that Aleris has not restricted users' authorization to access patients' personal data in the record system TakeCare. This in turn means that a majority of the users have had actual access to the care documentation of a large number of patients in TakeCare.<br />
<br />
<br />
The review also shows that Aleris uses so-called active choices for access to personal data about patients, as well as the record filter function.<br />
<br />
<br />
The fact that Aleris uses active choices does not mean that the user's possibility of accessing personal data in the system has been restricted; the data are still electronically available. Active choices are therefore not such an access restriction as is referred to in Chapter 4, Section 2 of the Patient Data Act, since that provision requires that authorization be limited to what is necessary for the individual to be able to perform his or her duties in health care, and that only those who need the data have access. The Data Inspectorate thus considers that Aleris's use of active choices is a privacy-enhancing measure, but that it does not affect the actual access possibilities.<br />
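The two points the Data Inspectorate makes above, that a division by occupational profile alone is too coarse and that an active choice does not reduce what a profile can reach, can be illustrated in code. The following is an added example and not code from the decision, from Aleris or from TakeCare; the profile names, care units, patient identifiers and the care-relationship table are constructed for illustration, and the finer model is one possible design that keys the decision on the user's unit and on a recorded care relationship with the patient.<br />
<br />
```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    role: str   # occupational profile, e.g. "doctor" or "administrative"
    unit: str   # organisational affiliation (care unit)


@dataclass(frozen=True)
class Patient:
    patient_id: str
    unit: str              # care unit where the patient is currently cared for
    blocked: bool = False  # the patient has asked for the record to be blocked


# Coarse model, as described in the decision: a read permission hangs on the
# occupational profile only, so every profile except technicians can open the
# journal text of every patient. Profile and action names are constructed.
PROFILE_ACTIONS = {
    "doctor": {"read_journal", "read_diagnosis", "read_prescription", "read_emergency_info"},
    "nurse": {"read_journal", "read_diagnosis", "read_prescription"},
    "administrative": {"read_journal"},
    "technician": set(),
}

# Constructed sample data.
PATIENTS = [
    Patient("P1", "ortopedi"),
    Patient("P2", "akuten"),
    Patient("P3", "akuten", blocked=True),
]
# (user_id, patient_id) pairs with a recorded care relationship; here doctor
# lak123 is treating P2 even though P2 is cared for at another unit.
CARE_RELATIONS = {("lak123", "P2")}


def coarse_allows(user: User, patient: Patient, action: str) -> bool:
    """Role-only check: the patient argument never influences the decision."""
    return action in PROFILE_ACTIONS.get(user.role, set())


def with_active_choice(user: User, patient: Patient, action: str, confirmed: bool) -> bool:
    """An 'active choice' only asks the user to confirm before the record opens.
    Whenever the user confirms, the outcome equals the coarse decision, so the set
    of reachable records is unchanged; it is not an access restriction."""
    return coarse_allows(user, patient, action) and confirmed


def fine_allows(user: User, patient: Patient, action: str, care_relations: set) -> bool:
    """Needs-based check: the profile's actions still apply, but the user must
    also belong to the patient's care unit or have a recorded care relationship
    with the patient, and a blocked record is never opened this way."""
    if action not in PROFILE_ACTIONS.get(user.role, set()):
        return False
    if patient.blocked:
        return False
    same_unit = user.unit == patient.unit
    has_relation = (user.user_id, patient.patient_id) in care_relations
    return same_unit or has_relation


def reachable_patients(user: User, patients, action: str, decide) -> set:
    """Which patient records a decision function lets the user open."""
    return {p.patient_id for p in patients if decide(user, p, action)}


if __name__ == "__main__":
    doc = User("lak123", "doctor", "ortopedi")
    adm = User("adm007", "administrative", "ekonomi")
    fine = lambda u, p, a: fine_allows(u, p, a, CARE_RELATIONS)
    for who in (doc, adm):
        print(who.user_id, "coarse:", sorted(reachable_patients(who, PATIENTS, "read_journal", coarse_allows)),
              "fine:", sorted(reachable_patients(who, PATIENTS, "read_journal", fine)))
```
<br />
Run as a script, the coarse model lets both the doctor and the administrative user open all three records, while the finer model leaves the doctor with the patient at the doctor's own unit plus the one the doctor is treating, and the administrative user with none; the blocked record is unreachable in the finer model regardless of role.<br />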
<br />
<br />
Aleris has further stated that there are functions in TakeCare by which a care provider can "isolate" a care unit and thereby "shut out" other care providers' and care units' access to that unit's care documentation, so-called protected units. However, Aleris considers that the company does not conduct any operations that require protected units and has therefore not used this function.<br />
<br />
<br />
As regards coherent record keeping, all users at Aleris have access to all personal data about patients at the other care providers in TakeCare, except where patients have requested that their data be blocked.<br />
<br />
The review shows that the care provider has the possibility of actively blocking its records from other care providers, but that Aleris has chosen not to do so because the company does not conduct any operations that need to be blocked. Aleris considers it safer to leave the data at Aleris's units available to other care providers.<br />
<br />
<br />
The fact that the assignment of authorizations has not been preceded by a needs and risk analysis means that Aleris has not analysed users' need for access to the data or the risks that such access may entail, and thus has not identified which access is justified for the users on the basis of such an analysis. Aleris has thus not used appropriate measures, in accordance with Article 32, to restrict users' access to patients' data in the record system. This in turn has meant that there has been a risk of unauthorised access to, and unauthorised dissemination of, personal data, both within the framework of internal secrecy and within the framework of coherent record keeping.<br />
<br />
<br />
Aleris has further stated that the company has no technical possibility of making changes to TakeCare, because Aleris has no control over the record system. It also appears that Aleris, within the framework of coherent record keeping, may not implement certain restrictions, with reference to a decision by Region Stockholm.<br />
<br />
<br />
The basic premise of the Data Protection Regulation is that the controller is responsible for complying with the obligations laid down in the Regulation in order to be allowed to process personal data in its operations at all. Taking appropriate technical and organisational measures to ensure appropriate security is one such obligation (see Articles 5, 24 and 32 of the Data Protection Regulation). The Data Inspectorate thus considers that Aleris, in its capacity as controller, cannot disclaim responsibility for taking the technical and organisational measures required by those articles.<br />
<br />
<br />
In the light of the above, the Swedish Data Inspectorate finds that Aleris has processed personal data in breach of Article 5(1)(f) and Article 32(1) and (2) of the Data Protection Regulation, in that Aleris has not restricted users' authorization to access the record system TakeCare to what is needed solely for the user to be able to perform his or her duties in health care, in accordance with Chapter 4, Section 2 and Chapter 6, Section 7 of the Patient Data Act and Chapter 4, Section 2 of HSLF-FS 2016:40. This means that Aleris has not taken measures to ensure, and in accordance with Article 5(2) of the Data Protection Regulation be able to demonstrate, appropriate security for the personal data.<br />
<br />
<br />
Documentation of access (logs)<br />
The documentation of access (logs) produced in the course of the Data Inspectorate's inspection shows the following: date, time, the identity of the user and of the patient, the actions taken, and the care unit. The same documentation appears when the user accesses data within the framework of coherent record keeping.<br />
<br />
<br />
The Data Inspectorate has nothing to remark on in this part, because the documentation of access (logs) in TakeCare is in accordance with the requirements set out in Chapter 4 § 9 HSLF-FS 2016:40. Aleris has thus taken appropriate technical measures in accordance with Article 32 of the Data Protection Regulation.<br />
<br />
<br />
Choice of intervention<br />
<br />
Legal regulation<br />
If there has been a violation of the Data Protection Regulation, the Data Inspectorate has a number of corrective powers available under Article 58(2)(a)-(j) of the Data Protection Regulation. The supervisory authority can, among other things, instruct the data controller to ensure that the processing takes place in accordance with the Regulation and, if required, in a specific way and within a specific period.<br />
<br />
It follows from Article 58(2) of the Data Protection Regulation that the Data Inspectorate shall, in accordance with Article 83, impose penalty charges in addition to or in lieu of the other corrective measures referred to in Article 58(2), depending on the circumstances of each individual case.<br />
<br />
Article 83(2) sets out the factors to be taken into account in determining whether an administrative penalty fee shall be imposed, but also what shall affect the size of the penalty fee. Of central importance for the assessment of the seriousness of the infringement is its nature, severity and duration. In the case of a minor infringement, the supervisory authority may, according to recital 148 of the Data Protection Regulation, issue a reprimand instead of imposing a penalty fee.<br />
<br />
<br />
Order<br />
The health service has a great need for information in its operations. It is therefore natural that the possibilities of digitalisation are utilised as much as possible in healthcare. Since the Patient Data Act was written, very extensive digitisation has taken place in healthcare. Both the size of the data collections and the number of people sharing information with each other have increased substantially. At the same time, this increase means that the demands on the personal data controller increase, as the assessment of what is appropriate security is affected by the extent of the processing.<br />
<br />
In this context, it means that a great deal of responsibility rests on the personal data controller to protect the data from unauthorised access, among other things by having an allocation of authorisations that is even more finely divided. It is therefore essential that there is a real analysis of the needs based on different activities and different executives. Equally important is that there is an actual analysis of the risks from a privacy perspective that may occur in the event of access rights being exceeded. Based on this analysis, the access of the individual executive must then be restricted. This authorisation must then be followed up and changed or restricted as changes in the tasks of the individual executive give reason for it.<br />
<br />
<br />
The Data Inspectorate's inspection has shown that Aleris has failed to take appropriate security measures to provide protection for the personal data in the TakeCare record system, by not complying with the requirements set out in the Patient Data Act and the National Board of Health and Welfare's regulations regarding the implementation of a needs and risk analysis before the allocation of authorisations in the system takes place, and by not restricting the right of access to what the individual needs to be able to fulfil their duties in health care. This means that Aleris has also failed to comply with the requirements of Article 5(1)(f) and Article 32(1) and 32(2) of the Data Protection Regulation. The failure covers both internal secrecy according to Chapter 4 of the Patient Data Act and coherent record keeping according to Chapter 6 of the Patient Data Act.<br />
<br />
The Data Inspectorate therefore orders, pursuant to Article 58(2)(d) of the Data Protection Ordinance, Aleris Sjukvård AB to implement and document the required needs and risk analysis for the TakeCare medical record system and then, based on the needs and risk analysis, to assign each user individual access to personal data restricted to only what is needed for the individual to be able to fulfil his duties in health care, in accordance with Article 5(1)(f) and Article 32(1) and (2) of the Data Protection Ordinance, Chapter 4 § 2 and Chapter 6 § 7 of the Patient Data Act and Chapter 4 § 2 HSLF-FS 2016:40.<br />
<br />
<br />
Penalty fee<br />
<br />
The Data Inspectorate can state that the infringements basically concern Aleris' obligation to take appropriate security measures to provide protection for personal data in accordance with the Data Protection Regulation.<br />
<br />
In this case, it is a matter of large data collections with sensitive personal data and extensive authorisations. The caregiver necessarily needs to have comprehensive processing of data on the health of individuals. However, it must not be unrestricted but should be based on what individual employees need to be able to perform their tasks. The Data Inspectorate notes that this is information that includes direct identification of the individual through name, contact information and social security number, health information, but it may also be other private information about, for example, family relationships, sexual life and lifestyle. The patient is dependent on receiving care and is thus in a vulnerable situation. The nature and scope of the data and the patients' position of dependence give caregivers a special responsibility to ensure patients' right to adequate protection for their personal data.<br />
<br />
Additional aggravating circumstances are that the processing of personal data about patients in the main medical record system belongs to the core of a caregiver's activities, that the processing covers many patients and that the possibility of access applies to a large proportion of the employees. In this case, there are almost 800,000 patients and just over 1,000 active users in the journal system.<br />
<br />
It is a central task for the personal data controller to take measures to ensure an appropriate level of security in relation to the risk. In the assessment of the appropriate level of security, special consideration shall be given to those risks which the processing entails, in particular from accidental or unlawful destruction, loss or alteration or unauthorised disclosure of or unauthorised access to the personal data transferred, stored or otherwise processed, pursuant to Article 32(2) of the Data Protection Regulation. The requirements for the health and healthcare area regarding security measures have been specified in the Patient Data Act and in the National Board of Health and Welfare's regulations. The preparatory work for the Patient Data Act clearly states that requirements are placed both on strategic analysis and on authorisations being assigned individually and adapted to the current situation. That large amounts of sensitive personal data are processed without the basic regulations in the field being followed means that the conduct is assessed as more serious.<br />
<br />
<br />
<br />
The Data Inspectorate also takes into account that Aleris has not chosen to restrict access in the context of coherent record keeping. According to Aleris, it is more patient-safe to leave the data at Aleris' units available to other caregivers. This means that Aleris has given priority to patient safety over the protection of privacy within the coherent record keeping, which is particularly serious.<br />
<br />
The Data Inspectorate has also taken into account that Aleris has used some privacy-enhancing measures, performed certain restrictions regarding occupational categories' reading authorisations and documented access in a correct way.<br />
<br />
In determining the seriousness of the infringements, it can also be stated that the infringements also cover the basic principles set out in Article 5 of the Data Protection Regulation, which belong to the categories of more serious infringements which may give rise to a higher penalty under Article 83(5) of the Data Protection Regulation.<br />
<br />
Taken together, these factors mean that the infringements, not implementing a needs and risk analysis and not limiting users' permissions to only what is needed for the user to be able to fulfil their tasks in health care, are not to be judged as minor infringements but as infringements that should lead to an administrative penalty fee.<br />
<br />
The Data Inspectorate considers that these violations are closely related to each other. That assessment is based on the needs and risk analysis forming the basis for the allocation of the authorisations. The Data Inspectorate therefore considers that these infringements are so closely linked that they constitute interconnected data processing within the meaning of Article 83(3) of the Data Protection Regulation. The Data Inspectorate therefore decides on a joint penalty fee for these infringements.<br />
<br />
<br />
According to Article 83(3), the administrative penalty fee may not exceed the amount for the most serious infringement in the case of one and the same data processing or interconnected data processing.<br />
<br />
The administrative penalty fee shall be effective, proportionate and dissuasive. This means that the amount must be determined so that the administrative penalty fee leads to correction, that it provides a preventive effect and that it is also proportional in relation both to the current violations and to the ability of the supervised entity to pay.<br />
<br />
<br />
As regards the calculation of the amount, Article 83(5) of the Data Protection Regulation states that companies that commit the infringements in question may be subject to penalty fees of up to EUR 20 million or four percent of total global annual turnover in the previous financial year, whichever is higher.<br />
<br />
The term company includes all companies that conduct an economic activity, regardless of the legal status of the entity or the manner in which it is financed. A company can therefore consist of an individual company in the sense of one legal person, but also of several natural persons or companies. Thus there are situations where an entire group is treated as a company and its total annual turnover shall be used to calculate the amount for an infringement of the Data Protection Regulation by one of its companies.<br />
<br />
Recital 150 of the Data Protection Ordinance states, among other things, the following. […] If the administrative penalty fees are imposed on a company, a company for that purpose should be considered a company within the meaning of Articles 101 and 102 of the TFEU […]. This means that the assessment of what constitutes a company must be based on the definitions of competition law. The rules for group liability in EU competition law revolve around the concept of economic unit. A parent company and a subsidiary are considered part of the same economic entity when the parent company exercises a decisive influence over the subsidiary. The Data Inspectorate therefore uses, as a starting point, the turnover of Aleris Group AB as a basis for the calculation of the size of the penalty fee.<br />
<br />
Aleris Group AB was formed at the end of 2019. Turnover figures for the whole of 2019 are thus not available. There is therefore no information on the annual turnover for determining the amount of the penalty fee. Aleris has stated that the group turnover for Aleris Group AB amounted to just over 1.2 billion between 1 October 2019 and 31 December 2019. Recalculated for an entire year, this would correspond to a turnover of approximately 4.9 billion.<br />
<br />
<br />
<br />
The Data Inspectorate states that the actual annual turnover for Aleris Group AB this year will be significantly higher.<br />
<br />
In the current case, the Data Inspectorate applies a precautionary principle and therefore estimates that the company's annual turnover at least corresponds to that of the period October - December 2019 recalculated for a full year, i.e. approximately 4.9 billion. The maximum sanction amount that can be determined in the current case is EUR 20,000,000, which is just over four percent of the company's estimated revenue.<br />
<br />
Given the seriousness of the infringements and that the administrative penalty fee must be effective, proportionate and dissuasive, the Data Inspectorate determines the administrative sanction fee for Aleris Sjukvård AB at SEK 15,000,000 (fifteen million).<br />
<br />
<br />
<br />
This decision was made by Director General Lena Lindgren Schelin after presentation by the IT security specialist Magnus Bergström. In the final handling of the case, the General Counsel Hans-Olof Lindblom, the unit managers Katarina Tullstedt and Malin Blixt and the lawyer Linda Hamidi also participated.<br />
<br />
Lena Lindgren Schelin, 2020-12-02 (This is an electronic signature)<br />
<br />
Appendix<br />
How to pay penalty fee<br />
<br />
Copy for information to<br />
The Data Protection Officer<br />
<br />
How to appeal<br />
<br />
If you want to appeal the decision, you must write to the Data Inspectorate. State in the letter which decision you are appealing and the change you are requesting. The appeal must have been received by the Data Inspectorate no later than three weeks from the day you received the decision. If the appeal has been received in due time, the Data Inspectorate forwards it to the Administrative Court in Stockholm for examination.<br />
<br />
You can e-mail the appeal to the Data Inspectorate if it does not contain any privacy-sensitive personal data or data that may be covered by secrecy. The authority's contact information can be found on the first page of the decision.<br />
</pre></div>Elisavet Dravalouhttps://gdprhub.eu/index.php?title=Datainspektionen_-_DI-2019-7782&diff=12720Datainspektionen - DI-2019-77822020-12-06T21:21:15Z<p>Elisavet Dravalou: Created page with "{{DPAdecisionBOX |Jurisdiction=Sweden |DPA-BG-Color= |DPAlogo=LogoSK.png |DPA_Abbrevation=Datainspektionen |DPA_With_Country=Datainspektionen (Sweden) |Case_Number_Name=DI-2..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Sweden<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoSK.png<br />
|DPA_Abbrevation=Datainspektionen<br />
|DPA_With_Country=Datainspektionen (Sweden)<br />
<br />
|Case_Number_Name=DI-2019-7782<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Datainspektionen<br />
|Original_Source_Link_1=https://www.datainspektionen.se/globalassets/dokument/beslut/beslut-tillsyn-gnosjo-2020-11-25.pdf<br />
|Original_Source_Language_1=Swedish<br />
|Original_Source_Language__Code_1=SV<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=24.11.2020<br />
|Date_Published=24.11.2020<br />
|Year=2020<br />
|Fine=200000<br />
|Currency=SEK<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 6(1) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1<br />
|GDPR_Article_3=Article 9(2) GDPR<br />
|GDPR_Article_Link_3=Article 9 GDPR#2<br />
|GDPR_Article_4=Article 13 GDPR<br />
|GDPR_Article_Link_4=Article 13 GDPR<br />
|GDPR_Article_5=Article 35 GDPR<br />
|GDPR_Article_Link_5=Article 35 GDPR<br />
|GDPR_Article_6=Article 36 GDPR<br />
|GDPR_Article_Link_6=Article 36 GDPR<br />
<br />
<br />
|National_Law_Name_1=Kamerabevakningslagen (2018:1200)<br />
|National_Law_Link_1=https://www.riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningssamling/kamerabevakningslag-20181200_sfs-2018-1200<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Elisavet Dravalou<br />
|<br />
}}<br />
<br />
The Swedish DPA held that the installation of CCTV cameras in the residence of an LSS home (which is housing with special services for adults) breached Articles 5(1)(a), 6(1), 9(2), 13, 35 and 36 of the GDPR and Section 15 of the Camera Surveillance Act, and imposed an administrative fine of SEK 200,000.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 2 May 2019, the Swedish DPA received a complaint from a relative of the data subject, according to which Gnosjö's Social Affairs Committee (Socialutskott) processes personal data of a resident at one of the municipality's LSS homes (which is housing with special services for adults) through CCTV cameras. The Social Affairs Committee placed the CCTV cameras to increase the safety of the resident, as the resident has demonstrated serious self-harming behaviour.<br />
<br />
=== Dispute ===<br />
The complainant stated that the Social Affairs Committee should have disclosed that CCTV camera surveillance takes place and asked for the consent of the resident's family or guardian. <br />
<br />
=== Holding ===<br />
The Swedish DPA held that, although the intention of the Social Affairs Committee was to protect the resident from harming himself, the installation of CCTV cameras in the resident's bedroom is a significant intrusion into the resident's privacy. This means that the processing of personal data has been disproportionate to the purpose. The processing of personal data that has taken place through the camera surveillance has thus not complied with Articles 5(1)(a), 6, 9(2) and 13 of the GDPR.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Elisavet Dravalouhttps://gdprhub.eu/index.php?title=Datainspektionen_-_DI-2019-7024&diff=12539Datainspektionen - DI-2019-70242020-11-30T20:52:58Z<p>Elisavet Dravalou: Created page with "{{DPAdecisionBOX |Jurisdiction=Sweden |DPA-BG-Color= |DPAlogo=LogoSK.png |DPA_Abbrevation=Datainspektionen |DPA_With_Country=Datainspektionen (Sweden) |Case_Number_Name=DI-2..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Sweden<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoSK.png<br />
|DPA_Abbrevation=Datainspektionen<br />
|DPA_With_Country=Datainspektionen (Sweden)<br />
<br />
|Case_Number_Name=DI-2019-7024<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Datainspektionen<br />
|Original_Source_Link_1=https://www.datainspektionen.se/nyheter/allvarliga-brister-i-skolplattformen-i-stockholm/#:~:text=Granskningen%20visar%20p%C3%A5%20brister%20i,mot%20utbildningsn%C3%A4mnden%20i%20Stockholm%20stad.&text=Datainspektionen%20har%20tagit%20emot%20ett,fr%C3%A5n%20utbildningsn%C3%A4mnden%20i%20Stockholm%20stad.<br />
|Original_Source_Language_1=Swedish<br />
|Original_Source_Language__Code_1=SV<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=24.11.2020<br />
|Date_Published=24.11.2020<br />
|Year=2020<br />
|Fine=4000000<br />
|Currency=SEK<br />
<br />
|GDPR_Article_1=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1f<br />
|GDPR_Article_2=Article 32(1) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#1<br />
|GDPR_Article_3=Article 35 GDPR<br />
|GDPR_Article_Link_3=Article 35 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Elisavet Dravalou<br />
|<br />
}}<br />
<br />
The Swedish DPA (Datainspektionen) has imposed a fine of SEK 4 million on the Education Board of Stockholm after receiving many complaints that the newly developed IT system "Skolplattformen", used for education administration, had suffered data breaches.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
"Skolplattformen" was developed by the Education Board of Stockholm to help administer the students and had been in use for the last few years. The platform processed personal data of 500,000 students, education staff and students' guardians. Many special categories of personal data were processed in the platform, as well as personal data protected by the Swedish Secrecy Law. Four sub-systems were found to have weak protection, e.g. guardians could access other students' personal data, even those of students with hidden identity. <br />
<br />
=== Dispute ===<br />
<br />
<br />
=== Holding ===<br />
After receiving many complaints, Datainspektionen found that the Education Board had not applied adequate technical measures to ensure the security of personal data, which had led to data breaches, and that although the Education Board had carried out DPIAs, these DPIAs did not meet the standards of Article 35 GDPR. <br />
<br />
== Comment ==<br />
Building the IT platform "Skolplattformen" was a big project: its development cost SEK 675 million (around €66 million), and the operating costs were high as well. The revelation of these data breaches created a lot of frustration among Swedes, some of whom see it as a bad investment of public money.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.<br />
<br />
<pre><br />
<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><title>Serious shortcomings in the School Platform in Stockholm - Datainspektionen </title><link rel="icon" type="image/png" href="/Client/dist/images/favicon-32x32.png"><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" /><link rel="stylesheet" type="text/css" href="/Client/app/scripts/external/jquery-ui-1.12.1/jquery-ui.min.css"><link rel="stylesheet" type="text/css" href="/ui-cms/css/editmode.css"><link rel="stylesheet" type="text/css" href="/Client/dist/styles/vendor.bundle.min.css"><link rel="stylesheet" type="text/css" href="/Client/dist/styles/global.min.css"><script src="/Client/app/scripts/external/10101_webReader/webReader.js?pids=wr" type="text/javascript"></script><link href="/nyheter/allvarliga-brister-i-skolplattformen-i-stockholm/" rel="canonical" /><meta name="google-site-verification" content="_Lt2mFNRblu6L6_wWFv18SpImT5VvDKKg59lOUKgoos" /><meta name="referrer" content="same-origin"><meta property="og:title" content="The Data Inspectorate" /><meta property="og:image" content="https://www.datainspektionen.se/globalassets/bilder/logotyper/og.png" /><!-- Custom.css --><style type="text/css"><br />
#spalter .venster{width:45%;float:left;margin-right:10px}#spalter .hoger{width:45%;float:left;margin-left:10px}#spalter:after{content:".";display:block;height:0;clear:both;visibility:hidden}.link-arrow:before{margin-right:10px}.area-text a.link-arrow:before{margin-right:10px}.item-link{margin-top:0}.search-result .result-list>.list-item .item-link .link-external{margin-top:10px;margin-bottom:0;font-size:1.125rem}figcaption{margin-top:20px;font-size:18px;line-height:25px}table{font-size:16px;line-height:22px;background-color:#e4ebee;border:2px solid #999;margin-bottom:20px;font-family:FrutigerLTStd-LightCn,Corbel,sans-serif;width:100%}td{padding:12px}.breadcrumb{margin-bottom:30px}.breadcrumb__mini{margin-bottom:0}.teaser-link-text:last-of-type{margin-bottom:30px}.footer-link{font-family:FrutigerLTStd-LightCn,sans-serif;font-size:18px;line-height:25px}.footer .footer-content ul li.content-phone a{color:#43433c}.info-block{font-family:Constantia}.info-block p{margin-bottom:20px}.info-block a.link-arrow:before{background:url(/client/dist/images/arrow.svg) no-repeat}.info-block-red{border-radius:10px;background-color:#e5dfcf;margin-top:30px;margin-bottom:20px;padding:20px}.form a.link-arrow:before{content:"";display:inline-block;background:url(/client/dist/images/arrow.svg) no-repeat;top:5px;width:22px;height:15px;min-width:22px;min-height:15px;margin-top:3px;margin-right:20px}.form p a{font-family:FrutigerLTStd-LightCn}a[href^="mailto:"]{font-family:Constantia}.area-text a.link-arrow{margin-top:0}.right-image{float:right;width:auto!important;margin:5px 0 5px 20px}.vanster-bild{float:left;width:auto!important;margin:0 20px 5px 5px}ol ul,ul ul{list-style-type:disc}h2{margin-bottom:8px}h3{margin-bottom:6px}h4{margin-bottom:4px}.news-list h3{text-align:center}.area-text h2{padding-top:15px}.area-text h3{padding-top:15px}.area-text h4{padding-top:10px}@media (max-width:1200px) and (min-width:769px){.area-text img{width:100%;height:auto}}@media 
(min-width:992px){h2{font-size:32px;line-height:1.3}h3{font-size:1.65rem;line-height:32px}h4{font-size:20px;line-height:24px}.news-list{margin-bottom:30px}.news-list h3{font-size:1.65rem}}<br />
</style></head><body class="bg-login"><main><div class="container"><div class="row justify-content-md-center"><div class="col-md-8"><article class="content" id="readspeaker-content"><header class="content-header"><time class="item-created"> Published 2020-11-24</time><h1 class="header-text"> Serious shortcomings in the School Platform in Stockholm</h1><p class="header-ingress"> The Data Inspectorate has examined the School Platform, the IT system used for, among other things, student 
administration of schools in the city of Stockholm. The review shows shortcomings in security that are so serious that the authority issues an administrative sanction fee of SEK 4 million against the Board of Education in the city of Stockholm.</p></header><div class="content-area"><div class="area-text"><p> The Data Inspectorate has received a number of reports of personal data incidents from the Board of Education in the city of Stockholm. The incidents concern the School Platform, which is the IT system used for, among other things, student administration in Stockholm. The school platform contains information on upwards of 500,000 students, guardians and teachers. The system contains sensitive and privacy-sensitive information as well as information about students and teachers with confidential information or protected identity.</p><p> The authority has examined four subsystems in the School Platform and has found serious deficiencies. 
In one of the subsystems, shortcomings in the ability to restrict users&#39; access to the data meant that a large part of the staff was able to access data on students with protected identities. In another subsystem, guardians have been able to access other children&#39;s information on, for example, grades and development talks in a relatively simple way. Through searches on Google, it has been possible to find links to the login page of an administration interface and from there come across information about teachers with protected identities.</p><p> - In an IT system like this, large amounts of personal data are handled. Then it is extremely important that the person responsible for personal data has taken sufficient security measures to protect the data and continuously ensures protection, says Ranja Bunni who is a lawyer at the Data Inspectorate and who participated in the review.</p><p> In its decision, the Data Inspectorate states that the Board of Education has not ensured appropriate security for personal data. The Board has also not taken appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which includes a procedure for regularly testing, examining and evaluating the effectiveness of the technical security measures.</p><p> The Data Inspectorate issues a penalty fee of SEK 4 million for the violations that have been established. In Sweden, the maximum limit for sanction fees against authorities is SEK 10 million.</p><p> - According to the Data Protection Regulation, GDPR, penalty fees must be effective, proportionate and dissuasive. 
In this case, the violations have affected hundreds of thousands of registrants, including children and students, and included shortcomings in the handling of sensitive and privacy-sensitive personal data such as data on persons with protected identities and health data, says Salli Fanaei who also participated in the Data Inspectorate&#39;s audit.</p><p> <a href="/globalassets/dokument/beslut/beslut-tillsyn-stockholms-stad.pdf">Read the Data Inspectorate&#39;s decision in pdf format</a></p><p class="link-arrow"> <a href="/lagar--regler/dataskyddsforordningen/sanktionsavgifter-och-varningar/">Read more about penalty fees</a></p><p class="link-arrow"> <a href="/lagar--regler/dataskyddsforordningen/personuppgiftsincident/">Read more about personal data incidents</a></p><p> <strong>For more information contact</strong></p><p> Lawyer Ranja Bunni, phone 08-657 61 46</p><p> Lawyer Salli Fanaei, phone 08-657 61 45</p><p> IT security specialist Adolf Slama, telephone 08-657 61 12</p><p> The press service, 08-515 15 415 </p></div></div></article></div></div></div></main></body></html><br />
</pre></div>Elisavet Dravalouhttps://gdprhub.eu/index.php?title=Commissioner_(Cyprus)_-_11.17.001.008.001&diff=11909Commissioner (Cyprus) - 11.17.001.008.0012020-10-29T21:31:48Z<p>Elisavet Dravalou: Created page with "{{DPAdecisionBOX |Jurisdiction=Cyprus |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoCY.jpg |DPA_Abbrevation=Comissioner |DPA_With_Country=Comissioner (Cyprus) |Case_N..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Cyprus<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoCY.jpg<br />
|DPA_Abbrevation=Comissioner<br />
|DPA_With_Country=Comissioner (Cyprus)<br />
<br />
|Case_Number_Name=11.17.001.008.001<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Commissioner of Cyprus<br />
|Original_Source_Link_1=http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/B64595978C98EFCEC2258606003EC47E/$file/%CE%91%CE%9D%CE%A9%CE%9D%CE%A5%CE%9C%20%CE%91%CE%A0%CE%9F%CE%A6%CE%91%CE%A3%CE%97%20%CE%A4%CE%A1%CE%91%CE%A0%CE%95%CE%96%CE%91%20%CE%9A%CE%A5%CE%A0%CE%A1%CE%9F%CE%A5%20%CE%91%CE%A0%CE%A9%CE%9B%CE%95%CE%99%CE%91%20%CE%95%CE%93%CE%93%CE%A1%CE%91%CE%A6%CE%9F%CE%A5.pdf<br />
|Original_Source_Language_1=Greek<br />
|Original_Source_Language__Code_1=EL<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=17.06.2020<br />
|Date_Published=17.06.2020<br />
|Year=2020<br />
|Fine=15.000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1f<br />
|GDPR_Article_2=Article 5(2) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#2<br />
|GDPR_Article_3=Article 15 GDPR<br />
|GDPR_Article_Link_3=Article 15 GDPR<br />
|GDPR_Article_4=Article 32 GDPR<br />
|GDPR_Article_Link_4=Article 32 GDPR<br />
|GDPR_Article_5=Article 33 GDPR<br />
|GDPR_Article_Link_5=Article 33 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Elisavet Dravalou<br />
|<br />
}}<br />
<br />
The Cyprus DPA held that a data controller's inability to locate the original contract concluded with the data subject constitutes a violation of the data subject's right of access to their personal data.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject made an access request to the Bank of Cyprus and the insurance company Eurolife Ltd, requesting a copy of the original insurance agreement. The Bank of Cyprus was obliged to keep the original agreement. The agreement had been signed in 2000, and the Bank of Cyprus was unable to locate the original in its records. For this reason, the Bank of Cyprus offered to cancel the agreement and sign a new one with the data subject.<br />
<br />
=== Dispute ===<br />
Does the unavailability of personal data constitute a data breach?<br />
<br />
=== Holding ===<br />
The Cyprus DPA held that the unavailability of personal data constitutes a data breach, and that this breach should have been reported to the DPA under Article 33 GDPR, as it was likely to result in a risk to the rights and freedoms of the data subject. The DPA also held that the Bank of Cyprus had failed to implement appropriate technical and organisational measures to ensure the security (confidentiality, integrity and availability) of personal data. Because the Bank of Cyprus could not locate the original agreement, it failed to comply with the data subject's access request, in breach of Article 15 GDPR, and failed to demonstrate accountability.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Elisavet Dravalouhttps://gdprhub.eu/index.php?title=HDPA_(Greece)_-_10/2020&diff=10979HDPA (Greece) - 10/20202020-07-29T20:38:16Z<p>Elisavet Dravalou: Created page with "{{DPAdecisionBOX |Jurisdiction=Greece |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoGR.jpg |DPA_Abbrevation=HDPA |DPA_With_Country=HDPA (Greece) |Case_Number_Name=Γ/..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Greece<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoGR.jpg<br />
|DPA_Abbrevation=HDPA<br />
|DPA_With_Country=HDPA (Greece)<br />
<br />
|Case_Number_Name=Γ/ΕΞ/3997/10-06-2020<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Greek DPA<br />
|Original_Source_Link_1=https://www.dpa.gr/portal/page?_pageid=33%2C15453&_dad=portal&_schema=PORTAL&_piref33_15473_33_15453_15453.etos=2020&_piref33_15473_33_15453_15453.arithmosApofasis=&_piref33_15473_33_15453_15453.thematikiEnotita=-1&_piref33_15473_33_15453_15453.ananeosi=%CE%91%CE%BD%CE%B1%CE%BD%CE%AD%CF%89%CF%83%CE%B7<br />
|Original_Source_Language_1=Greek<br />
|Original_Source_Language__Code_1=EL<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=10.06.2020<br />
|Date_Published=10.06.2020<br />
|Year=2020<br />
|Fine=3000<br />
|Currency=EUR<br />
<br />
<br />
|EU_Law_Name_1=Article 13 of ePrivacy Directive<br />
|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32002L0058&from=EN<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Elisavet Dravalou<br />
|<br />
}}<br />
<br />
The Greek DPA held that sending unsolicited electronic communications for direct marketing purposes, namely to promote the defendant's candidacy in the 2019 parliamentary elections, violated Article 13 of the ePrivacy Directive. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The DPA received two complaints against the defendant. The first complaint came from a data subject who received an email regarding the defendant's candidacy in the 2019 parliamentary elections without having given prior consent and without any prior relationship with the defendant. The second complaint came from another data subject who received three SMS messages with the same content, without prior consent and without being given the opportunity to object to receiving direct marketing communications.<br />
<br />
=== Dispute ===<br />
The defendant stated that she had the complainants' contact details in her personal contact list, which had been built up over the years in the context of professional networking, as all the parties are lawyers. The defendant had been using this contact list to send news about her trade union activity as well as other developments in the legal field, and so far no one had objected. She had used the same contact list to inform her network of her candidacy in the 2014 European Parliament elections, and no one had objected to that either. She argued that updating her peers on her candidacy was acceptable in the context of her previous communications. In addition, these communications had not caused any damage to the complainants. Finally, the complainants had not contacted her about their grievances before filing a complaint with the DPA.<br />
<br />
=== Holding ===<br />
The DPA held that Article 13 of the ePrivacy Directive requires prior consent for sending unsolicited direct marketing communications via SMS or email. With specific regard to political communication, candidates in any type of election (European, national, regional) are controllers, since they determine the purposes and means of the processing. The DPA also held that the only way candidates can send direct marketing communications for political purposes without prior consent is when all of the following conditions apply: (a) the contact details were obtained in the context of a previous similar contact with the data subjects (not necessarily political), the data subjects were informed that they would be contacted for political purposes, and they did not object; relying on a previous similar relationship is not considered lawful if the contact details were obtained in a professional context; and (b) the data subjects are given the possibility to object in a clear and easy way in every communication, and in every message the controller clearly indicates their identity as controller and provides their address. The DPA also made clear that data subjects are not obliged to exercise their rights before the controller prior to filing a complaint with the DPA.<br />
<br />
== Comment ==<br />
During the national and European elections of 2019 I have received many unsolicited direct marketing communications from political candidates myself. In most cases there was no possibility to object, and although I was contacting the candidates to inform them that if they didn't stop I would file a complaint with the DPA, I continued receiving messages. The fact is that I haven't lived in Greece for the past 4 years, so I have no idea how they found my contact information. In this case, it is remarkable that the defendant was a lawyer herself and in her defence she stated that data protection law is so specific that she couldn't be aware of all the specific requirements. But yet she wanted to be voted in as a member of the parliament.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Elisavet Dravalou