Administrative Court Stockholm - Mål nr 1930-23

From GDPRhub
Revision as of 15:53, 20 November 2023 by Sh (talk | contribs) (Created page with "{{COURTdecisionBOX |Jurisdiction=Sweden |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Administrative Court Stockholm |Court_Original_Name=Administrative Court Stockholm |Court_English_Name=Administrative Court Stockholm |Court_With_Country=Administrative Court Stockholm (Sweden) |Case_Number_Name=Mål nr 1930-23 |ECLI= |Original_Source_Name_1=Mål nr 1930-23 |Original_Source_Link_1=https://wiki.noyb.eu/images/1/1b/Stockholm_FR_1930-23_Dom_2023-09-07....")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Administrative Court Stockholm - Mål nr 1930-23
Courts logo1.png
Court: Administrative Court Stockholm (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 32(1) GDPR
Decided:
Published:
Parties: Hälso- och sjukvårdsnämnden i Region Dalarna
Integritetsskyddsmyndigheten
National Case Number/Name: Mål nr 1930-23
European Case Law Identifier:
Appeal from: IMY
IMY-2022-695
Appeal to: Not appealed
Original Language(s): Swedish
Original Source: Mål nr 1930-23 (in Swedish)
Initial Contributor: sh

A Court, upheld the Swedish DPA’s decision to fine the medical board of Region Darlana for breaching Article 32(1) when summoning patients to healthcare appointments by mail.

English Summary

Facts

In January 2023 the Swedish DPA imposed a fine of approximately €1,800 on the medical board of Region Dalarna for failing to implement adequate safety measures to protect special categories of data against unauthorised disclosure when sending written summons to health care visits by mail (IMY-2022-695).

The board appealed this decision to the Swedish First Instance Administrative Court. They argued that an invitation to medical care does not always reveal personal data about a data subject's health. In addition, the board had rectified the damage by changing the postal method and so the penalty fee should be annulled. The Stockholm's first instance administrative court partially upheld the Swedish DPA's original ruling.

Holding

Contrary to the Swedish DPA’s position, the court ruled that not all letters from the three healthcare facilities inviting patients to appointments could be considered health data under Article 4(15) GDPR. While in all three cases it was possible to connect a health facility appointment to the individual, the care at one clinic was too broad to draw conclusions about the state of health which formed the basis of the actual appointment.

However, the court agreed that more care should have been taken under Article 32(1) GDPR to ensure the security of the processing. Information on healthcare visits are often sensitive in nature and it was easy for unauthorised individuals to access information about the appointments simply by coming into contact with the appointment letters. In addition, when the board was informed of the infringement, they changed the postal letter format. This did not incur major costs of implementation which under Article 32(2) GDPR makes a breach of 32(1) GDPR more likely.

Despite the fact that not all data was classified as health data, the court concluded that the prior fine of 20,000 SEK (around €‎1,600) was proportionate to the violation.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

Page 1 (12)

           ADMINISTRATIVE COURT JUDGMENT Case no

           IN STOCKHOLM 2023-09-07 1930-23
           Section 8 Announced in Stockholm




                       COMPLAINT
                       The Health and Medical Services Board in Region Dalarna


                       COUNTERPART
                       The Swedish Privacy Protection Authority

                       OVERRULED DECISION

                       The Data Protection Authority's decision 2023-01-17, see appendix 1

                       THE THING
                       Processing of personal data

                       _____________________



                       DECISION OF THE ADMINISTRATIVE COURT



                       The administrative court rejects the appeal.
































1
3 Visiting address Opening hours Postal address E-mail
3 Tegeluddsvägen 1 Monday–Friday avd8.fst@dom.se
1 08:00–16:00 115 76 Stockholm
. Phone Website
o 08-561 680 00 www.domstol.se/forvaltningsratten-i-
D Stockholm/ Page 2

         ADMINISTRATIVE COURT JUDGMENT 1930-23
         IN STOCKHOLM



                          CLAIMS, M.M.


                          The Privacy Protection Authority (IMY) has decided that Health and

                          the health care board in Region Dalarna (the board) must pay an administrative fee

                          penalty fee of SEK 200,000. The decision states that the board during the period
                          6 May 2021–6 July 2022 has processed personal data in violation of Article 32.1 of

                          the data protection regulation, by not taking appropriate technical and

                          organizational measures to ensure an appropriate level of protection in connection

                          with the sending of physical invitations to certain care visits within the Dalarna Region.

                          The reasons for the decision appear in Appendix 1.


                          The board demands that the decision on the penalty fee be annulled and puts forward i.a.

                          following. The board has procured current envelope and postal service in

                          in accordance with the standard requested and used by the Swedish

                          the regions. During the procurement, envelopes have been required so that no data
                          can be revealed. IMY believes that the care provided at the relevant care facilities is

                          so specific that a summons to any of them may be considered to provide information about

                          the individual's physical or mental state of health. However, the committee considers that

                          IMY makes an overly generalizing and discretionary assessment. It is not

                          given that a call to care, regardless of which part of it, for a medical
                          assessment reveals information about a person's health. The board questions

                          IMY's view, as the board perceives it, that all care units must

                          send their invitations in completely anonymous envelopes. This without the discretion that it can

                          need to be differentiated based on what the name of the care facility can conceivably be revealed in

                          form of target groups, the diagnosis panorama and the like. With IMY's interpretation
                          it can even be questioned whether Region Dalarna can be written on it

                          the envelope. Given the volume of mailings, IMY's assessment appears to be

                          generalizing and disproportionate. The authority also ignores it



                          1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of
                          natural persons with regard to the processing of personal data and on the free flow of
                          such data and on the repeal of Directive 95/46/EC (General Data Protection Regulation).






Doc.Id 1637301 Page 3

         ADMINISTRATIVE COURT JUDGMENT 1930-23
         IN STOCKHOLM


                          secrecy that applies to mail forwarding. The size and importance of the issue

                          national level means that the stance taken by IMY is unreasonable. The decision can get

                          far-reaching consequences for other healthcare providers as well. There are three patients
                          who claims damage and the committee has made an incident report. The committee has

                          rectified the damage, which is why the decision on penalty fees must be annulled.


                          IMY considers that the appeal should be rejected and puts forward, among other things, following. According to

                          practice from the European Court of Justice, the special categories of personal data,

                          including information about health, as specified in Article 9.1 of the Data Protection Regulation

                          is given a wide interpretation. The European Court of Justice has judged that not only personal data
                          which directly discloses sensitive information about the data subject is covered by

                          the protection in Article 9.1, but also such information that indirectly reveals sensitive

                          information. In the appealed decision, IMY has only taken a position on how
                          invitations to three specific receptions must be assessed. IMY's view is that

                          whoever is called to a visit at one of these receptions is likely to be in

                          need for example for investigation or treatment for the type of

                          health problems that the reception is focused on. The data thus gives
                          information about the individual's physical or mental state of health.



                          However, IMY believes that the current personal data processing has involved a

                          high risk even if the administrative court were to come to the conclusion that this is not the case
                          about sensitive personal data in the sense of the data protection regulation. Treatment of

                          personal data in healthcare generally means a high risk for

                          the registered freedoms and rights, not least in light of the fact that patients
                          is in a vulnerable position in relation to the caregiver. IMY admits that

                          there has not been an unauthorized disclosure of sensitive personal data i

                          relationship with the person who handles mail. However, the fact remains that

                          the board has not protected the data from unauthorized disclosure because they have been
                          fully visible to everyone else who came into contact with the letter. IMY believes that

                          the board cannot be considered to have taken sufficient security measures only through

                          to set requirements when procuring the service. IMY believes that the board also






Doc.Id 1637301 Page 4

         ADMINISTRATIVE COURT JUDGMENT 1930-23
         IN STOCKHOLM


                          should have checked that the service purchased corresponded to what was requested

                          the need to keep the information hidden, which has not happened. That the committee

                          fulfilled its obligation according to the data protection regulation to notify a
                          personal data incident shall not be seen as a mitigating circumstance at

                          this assessment.


                          THE REASONS FOR THE DECISION



                          The obligation to communicate


                          The board considers that IMY has breached its obligation to communicate and for

                          present the following. The communication contains relatively generally held

                          descriptions with reference to current legislation. IMY does not describe
                          why the events with the envelopes violate current legislation without it

                          appears first in the decision. If it had come to light earlier, the committee would have

                          able to present their attitude already in the communication response.


                          From section 25 of the Administration Act (2017:900), first paragraph, first sentence, it follows that

                          an authority, before making a decision in a case, must notify the person who is

                          party about all material of importance for the decision and give the party the opportunity to within a

                          specified time to comment on the material.


                          The Administrative Court makes the following assessment. By material of importance is meant

                          such circumstances or information that affect the authority's
                          position on the matter to which the decision applies. There is no requirement that

                          a proposal for a decision must be communicated. From the documents it appears that IMY the

                          On 11 November 2022, the board informed that the authority is considering taking

                          out a penalty fee. IMY also informed about the scope of supervision as well as
                          which basis the authority intends to base its decision on. Administrative-

                          the court therefore assesses that IMY informed the board of all material of

                          significance for the decision and notes that the authority subsequently also gave the board






Doc.Id 1637301 Page 5

         ADMINISTRATIVE COURT JUDGMENT 1930-23
         IN STOCKHOLM


                          opportunity to comment on the material within a specified time. Administrative law

                          therefore considers that there is no reason to overturn the appeal decision on

                          due to deficiencies in the communication obligation.


                          As far as the goal is concerned


                          IMY has reviewed the board's mailing of invitations to care visits from Children's and

                          the youth medical clinic Mora, the children and young people's consultation clinic

                          Falun and the Sleep Laboratory in Avesta. In the event of summonses to the care facilities have

                          information sent in digital format from Region Dalarna's journal system to
                          an external actor who mechanically printed, enveloped and sent the invitation to

                          the addressee. The documents show that certain summonses have been sent out in

                          window envelope with information that it is a summons, the patient's name and
                          address and the care facility to which the visit refers have been visible. IMY means

                          that the board has processed personal data in violation of the data protection regulation

                          by not ensuring that the information about the sending care facility has been

                          hidden from anyone other than the recipient of the letter.


                          The first question that the administrative court must decide on is about the board

                          shall be subject to a penalty charge on the grounds invoked by IMY. If

                          the assessment is that the board must be imposed a sanction fee, shall
                          the administrative court also examines the question of the amount of the penalty fee.



                          In addition to what is reported in this judgment, the applicable regulations appear from it
                          appealed the decision, see Appendix 1.



                          Should a penalty fee be imposed?


                          In order for an administrative penalty fee to be imposed, it must be clearly stated

                          that the prerequisites are met and it is IMY that has the burden of proof for this








Doc.Id 1637301 Page 6

         ADMINISTRATIVE COURT JUDGMENT 1930-23
         IN STOCKHOLM



                           (see, among other things, the Court of Appeal in Stockholm's judgment from 16 May 2022 in case no. 4611-
                           21).



                           The Administrative Court initially agrees with IMY's assessment that it is a question

                           about a partially automated processing of personal data covered by
                           the scope of the data protection regulation and that the committee is

                           personal data controller for the current processing.



                           Information about health?


                           Data on health is defined in Article 4.15 of the Data Protection Regulation as

                           personal data relating to the physical or mental health of a natural person,

                           including the provision of health care services, which provide

                           information about his health status. Information about health is a special category

                           of personal data, so-called sensitive personal data, which according to the main rule i
                           Article 9.1 of the Data Protection Regulation may not be processed, unless the processing is not

                           is covered by one of the exceptions in Article 9.2 of the regulation.



                           Recital 35 of the data protection regulation states that personal data about health should

                           include all the data relating to a registered person
                           state of health that provides information about the registrant's past, present

                           or future physical or mental health conditions. In reason 63 is exemplified

                           information about health such as information in medical records with e.g. diagnoses,

                           examination results, assessments by attending physicians and any

                           care treatments or interventions.


                           The European Court of Justice has in a judgment of 6 November 2003 (Lindqvist, C-101/01), which

                           concerned the corresponding concept in the data protection directive, made the assessment that a



                           2Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of
                           individuals with regard to the processing of personal data and on the free flow of
                           such data.






Doc.Id 1637301 Page 7

         ADMINISTRATIVE COURT JUDGMENT 1930-23
         IN STOCKHOLM


                          information that a person injured their foot and was on part-time sick leave constituted one

                          information about health. The European Court of Justice stated in the judgment that the expression "data which

                          relating to health" must be given a broad interpretation in light of the directive's purpose and considered
                          include data relating to all aspects of a person's health, both physical and

                          psychological ones (Lindqvist, point 50). The EU Court of Justice has also in a judgment on 1

                          August 2022 (Vyriausioji tarnybinės etikos komisiya, C‑184/20) stated that
                          data that may indirectly reveal sensitive information is covered by it

                          enhanced protections prescribed in Article 9.1 of the Data Protection Regulation

                          (Vyriausioji tarnybinės etikos komisiya, paragraph 127).


                          In the appealed decision, IMY has assessed that the care provided in the cases in question

                          the care facilities is so specific that a summons to one of these

                          receptions may be considered to provide information about the individual's physical or mental health
                          state of health. The Administrative Court agrees with that assessment as regards

                          invitations to the Avesta Sleep Laboratory and the Children's Conversation Center

                          young Falun. The documents show that the Sleep Laboratory in Avesta is investigating

                          sleep apnea and sleep disorders, including difficulty sleeping, hypersomnia,
                          parasomnia, narcolepsy and circadian rhythm disorder. According to the administrative court

                          sense, it is therefore possible to draw the conclusion from a call that it called

                          the person seeks help for sleep-related health problems. As for

                          The children and young people's reception center Falun states that the reception helps children
                          and young people up to and including 17 years of age with mild to moderate mental illness.

                          The Administrative Court therefore considers that a summons to it provides information that it

                          called the person suffers from mental illness in some form.


                          Regarding the Child and Adolescent Medicine Clinic Mora, the following is stated.

                          The reception offers specialist healthcare for children and young people aged 0–17 and

                          is a county clinic within Child and Adolescent Medicine Dalarna.
                          Specialist healthcare means that the reception takes care of diseases and ill-health

                          which require more specialist knowledge and resources than are normally available

                          health care Center. It is stated that children and young people are usually referred from






Doc.Id 1637301 Page 8

         ADMINISTRATIVE COURT JUDGMENT 1930-23
         IN STOCKHOLM


                          health centre, childcare center and school health care, but reception also takes

                          against children and young people at their own care request.


                          In light of the above, the administrative court can state that the care

                          which is conducted at the Children's and Adolescent Medicine Clinic Mora, of course

                          is specific in that it targets children and young people and that
                          the healthcare that is provided requires more specialist knowledge and resources than what

                          which are normally available at the health centre. With a summons to the reception, it goes

                          however, not to draw any closer conclusions about which state of health lies in it

                          basis for the summons itself, because the care provided at the reception
                          covers a wide range of interventions. The Administrative Court therefore considers that

                          the information that someone is called to the reception gives no concrete information

                          information whether it was called past, present or future physical or
                          mental health conditions. It is therefore not a matter of information about health in it

                          meaning referred to in Article 4.15 of the Data Protection Regulation.


                          Has the committee taken sufficient measures to ensure a suitable

                          security level in connection with the sending of the invitations?


                          IMY has assessed that the dispatches, in order to achieve an appropriate level of security, should have

                          took place in such a way that sensitive personal data was not visible and that

                          has arrived at the committee to ensure before the treatment in question that it
                          the current add-on service for the envelope service met the need to hold

                          information about the current care facility hidden from anyone other than the recipient of the letter.



                          It follows from Article 32.1 of the data protection regulation that the person in charge of personal data
                          shall take appropriate technical and organizational measures to ensure a

                          safety level that is appropriate in relation to the risk of the treatment.

                          This must be done taking into account, among other things, the implementation costs and
                          the nature, scope, context and purpose of the treatment. Of Article 32.2

                          it appears that consideration must be given in particular to the risk of accidental or illegal







Doc.Id 1637301 Page 9

         ADMINISTRATIVE COURT JUDGMENT 1930-23
         IN STOCKHOLM


                          destruction, loss or alteration or to unauthorized disclosure by or unauthorized

                          access to the personal data being processed.


                          In the Patient Data Act (2008:355) there are regulations on care providers' treatment

                          of personal data in the health and medical care that complements

                          the provisions of the data protection regulation. In ch. 1 Section 2 second and third paragraph
                          the Patient Data Act states that personal data must be designed and otherwise processed

                          so that the privacy of patients and other data subjects is respected. Documented

                          personal data must be handled and stored so that unauthorized persons do not gain access

                          them.


                          The Administrative Court considers that information about care visits can often be sensitive

                          nature, even if information about the underlying health condition is not
                          is disclosed, and that it may have negative consequences for the individual

                          the information would be used by someone unauthorized. The starting point should therefore

                          be that a high level of security must be observed when handling such data.

                          Regarding the risks with the current processing of personal data
                          current, it should be taken into account that it applies to shipments by post and that there are

                          rules on confidentiality in postal operations. However, it cannot be ruled out that

                          the information is used by someone unauthorized, e.g. by the one who shares

                          household with the recipient comes into contact with the envelope or that the envelope off
                          mistakenly delivered to the wrong address.



                          The Administrative Court further notes that the current processing includes a
                          large number of invitations sent out. In addition, it has, against the background of

                          the administrative court's assessment above, there was a risk that information about health

                          is revealed in connection with invitations being sent from the Sleep Laboratory in Avesta

                          and the Children and Young People's Reception Center Falun. As for the invitations to
                          The children's and youth medical clinic Mora does not have the envelopes

                          any information about health within the meaning of the Data Protection Ordinance has been disclosed.

                          Caregivers, however, have a responsibility to personal data, such as the information that






Doc.Id 1637301 Page 10

         ADMINISTRATIVE COURT JUDGMENT 1930-23
         IN STOCKHOLM


                           a person is called to a care visit at a specific reception, is handled and

                           stored so that unauthorized persons do not gain access to them. In addition, the calls have

                           intended child, whose information is listed as particularly worthy of protection in the reasons for
                           data protection regulation.



                           As regards the purpose of the processing, the administrative court can state that it is not
                           there seems to be some purpose for the information about a specific care facility to be

                           visible on the envelope with an invitation. During IMY's investigation, the committee also

                           explained that the intention has been to provide information about which clinic/department which

                           sending a summons would not appear from the envelopes. In order to ensure this
                           the committee has stated that it pays for an additional service which means that envelopes

                           with a window, which only shows the addressee's address, should be used. Of

                           however, the documents show that summonses that contained more than five A4 sheets have
                           sent in envelopes with two windows and that in these cases it has been possible to

                           find out which care facility has sent the invitation. In conjunction with

                           the committee received information about this, measures were taken in the form of changes to it

                           template used when sending invitations and the adjustment does not seem to have been
                           combined with some larger implementation costs.



                           According to the assessment of the administrative court, it has, taking into account the

                           considerations that appear above, required that the board ensure a strong
                           protection of personal data in connection with the handling of invitations to them

                           the current healthcare facilities. By not ensuring complete protection for

                           the information that the envelopes contain invitations to the care facilities in question
                           the administrative court considers that the board failed to take appropriate technical and

                           organizational measures in accordance with the requirements that follow from Article 32.1

                           data protection regulation.













Doc.Id 1637301 Page 11

         ADMINISTRATIVE COURT JUDGMENT 1930-23
         IN STOCKHOLM


                          Choice of intervention



                          According to the opinion of the administrative court, it is clear from the documents that
                          the board has not fulfilled its obligations according to Article 32.1 data protection

                          the regulation. The Administrative Court agrees with IMY's assessment of

                          the seriousness of the violation. It concerns a large number of summons where it
                          of the envelope revealed personal data, and where sensitive information about individuals

                          state of health in some cases has been able to be read out. In those cases, sensitive data is not

                          could be read from the envelopes, the handling included information about children, whose

                          information is to be assessed as particularly worthy of protection. The shortcomings have occurred
                          for a longer period and was first discovered in connection with IMY starting one

                          supervisory matter due to a complaint. According to the administrative court

                          meaning, the violation cannot therefore be considered a minor violation
                          even if the risks have been partially limited by the handling taking place within

                          the framework for postal operations. The penalty fee shall therefore not be replaced by one

                          reprimand. That the board itself identified the risks with the handling and

                          taken certain measures is not sufficient in the opinion of the administrative court
                          to assess the violation as less serious. It exists therefore

                          the conditions for imposing a sanction fee on the board.



                          The size of the penalty fee


                          In order to assess the size of the penalty fee, a position must first be taken

                          the seriousness of the violations and then whether there is mitigation or
                          aggravating circumstances. In conclusion, an assessment of whether

                          the penalty fee is effective, proportionate and dissuasive

                          (cf. the Court of Appeal in Stockholm's judgment from 16 September 2022 in case no

                          7837-21).


                          The violation is subject to a maximum sanction fee of SEK 5 million. The

                          circumstances explained under the heading choice of intervention are such






Doc.Id 1637301 Page 12

         ADMINISTRATIVE COURT JUDGMENT 1930-23
         IN STOCKHOLM


                          circumstances which according to Article 83.2 of the data protection regulation must also

                          taken into account when determining the size of the penalty fee. Against the background of those

                          circumstances explained above, the administrative court considers that
                          the seriousness of the violation is such that a sanction fee of SEK 200,000

                          appears to be an effective, proportionate and dissuasive measure. The

                          the incident report made by the committee is considered by the administrative court not to constitute one
                          mitigating circumstance according to Article 83.2 of the Data Protection Regulation. It has

                          nor otherwise have any circumstances come to light that must be taken into account

                          aggravating or mitigating direction. The Administrative Court therefore assesses that

                          the penalty fee decided by IMY is well balanced. The appeal shall
                          thus rejected.



                          HOW TO APPEAL


                          This decision can be appealed. Information on how to appeal can be found in

                          appendix 2 (FR-03).




                          Sofi Nyström

                          Alderman


                          The referees Helen Frenning, Peter Gustafsson and Roland Hansson have

                          also participated in the decision.


                          Administrative law prosecutor Johanna Pellby has been the rapporteur.

















Doc.Id 1637301 Appendix 1



                                                                                                                     1(8)





                                                                                                       ADMINISTRATIVE LAW
                                                                                                       IN STOCKHOLM
                                                                     The Health and Medical Services Board in Directorate 8

                                                                                                       INCOME: 2023-02-01
                                                                                                       TARGET NO: 1930-23
                                                                                                       ACTIVE CAR: 3





Diary number:
IMY-2022-695 Decision after supervision according to

Your diary number: data protection regulation - Health and
HSN 2022/1069

Date: the health care board in Region Dalarna

2023-01-17



                               The Privacy Protection Authority's decision


                               The Swedish Privacy Agency (IMY) notes that the Health and Medical Board i
                               Region Dalarna (the board) from 6 May 2021 to and including 6 July 2022 has
                                                                                                            1
                               processed personal data in violation of article 32.1 of the data protection regulation, by
                               not to take appropriate technical and organizational measures to ensure a
                               appropriate level of protection in connection with the sending of physical invitations to certain healthcare visits

                               within Region Dalarna.

                               IMY decides with the support of ch. 6. Section 2 of the Data Protection Act and Articles 58.2 and 83 i

                               the data protection regulation that the board must pay an administrative sanction fee of
                               200,000 (two hundred thousand) kroner.


                               Account of the supervisory matter


                               IMY has initiated supervision of the board due to information that emerged in one
                               complaint from a person who, on 6 May 2021, received an invitation via letter to a healthcare visit

                               within Region Dalarna. The complaint states that the summons was in a window envelope and that
                               information that it was a summons, the complainant's name and address and the care facility
                               ning the summons was fully visible in the window of the envelope. The purpose of IMY's supervision is to

                               investigate the board's processing of personal data in connection with the use of
                               the current type of window envelope for invitations to healthcare visits meets the requirements for
                               security in connection with the processing according to article 32 of the data protection regulation.

                               Within the framework of the supervisory matter, IMY has only reviewed the committee's mailing of summonses
                               regarding the Child and Adolescent Medical Clinic Mora, Call Center
                               children and young people Falun and the Sleep Laboratory in Avesta.


                               The board has essentially stated the following. The committee is a healthcare provider and personal
Postal address: responsible for the personal data processing that the supervision refers to. Summons from
Box 8114
                               Region Dalarna is sent using Postnord Strålfors AB's (Strålfors) function
104 20 Stockholm e-LETTER. The notices are sent securely in digital format from Region Dalarna's journal system
Website: to Strålfors, which mechanically prints, envelopes and sends the invitation to the addressee.
www.imy.se

E-mail: 1Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with
imy@imy.se regarding the processing of personal data and the free flow of such data and the cancellation of
Telephone: Directive 95/46/EC (General Data Protection Regulation).
08-657 61 00 2The Act (2018:218) with supplementary provisions to the EU's data protection regulation. The Privacy Agency Diary number: IMY-2022-695 2(8)
                               Date: 2023-01-17






                               The board identified the risk of using double windows when the service
                               was procured and therefore bought an additional service which means that envelopes which only

                               contains a window with the recipient's address to be used. On these envelopes is written
                               Region Dalarna's postal address printed where the sender's address is usually placed and
                               the name of the clinic/department that sent the summons is therefore not shown. The board's

                               opinion is that the sending clinic should not appear on the envelope.

                               In a statement to IMY dated 28 April 2022, the committee stated that it had started a

                               investigation together with Strålfors. In an opinion dated 16 June 2022, the board stated i
                               mainly the following. It is unclear when the committee started sending summons where the patient's
                               name and the care facility to which the summons refers appear on the window of the envelope.

                               The investigation shows that the additional service where the sender is hidden only applies to sending
                               of a maximum of five A4 sheets. If the mailing contains more A4 sheets, a larger envelope is required
                               be used and then there are no customer-unique envelopes in the assignment that has been signed

                               eBREV, standard envelopes with two windows are used instead. In the same opinion stated
                               the committee that the investigative work to review the flow regarding the sending of summonses via
                               eBREV and risks linked to these that could generate a personal data

                               incident in progress. In parallel with this, a discussion is being held with Strålfors about the need to
                               renegotiate the customer assignment to ensure that the correct type of envelope, with hidden
                               sender, used for all mailings.


                               In an opinion dated June 16, 2022, the board stated that the treatment that is
                               subject to supervision had not ceased. In a supplement that the board submitted to IMY

                               on July 6, 2022, it was stated that the board, until an agreement is reached
                               with Strålfors, will change the template for invitations to visit the three units
                               (Children's and youth medicine clinic Mora, Children's and youth consultation clinic

                               young Falun and the Sleep Laboratory in Avesta) that have been identified send invitations with
                               attachments exceeding five A4 sheets. The board has attached a picture that shows that
                               the invitations will be sent in an envelope with two windows, where Region Dalarnas

                               postal address appears in one window and information that it is a visit
                               via video link and the patient's name and address in the second.


                               In an opinion dated August 9, 2022, the board stated that previous answers have been deleted
                               from invitations sent through the Take Care IT system. It is about 2,500
                               summons per year, which corresponds to 0.5 percent of the total number of summons sent

                               through the current system.


                               Justification of the decision


                               Applicable regulations

                               Scope of the Data Protection Regulation

                               Article 2.1 of the data protection regulation states that the regulation must be applied to
                               such processing of personal data that is wholly or partially carried out automatically
                               as well as on other than automatic processing of personal data that is part of or will be

                               to be included in a register.

                               In doctrinanges that because the data protection regulation includes partially automated

                               processing of personal data, the regulation is applicable in the case of disclosure on paper of
                               personal data that is in data format. 3 Furthermore, the Chancellor of Justice has assessed that


                               3 See Öhman, Data Protection Regulation (GDPR) etc. (October 13, 2022, Version 2A, JUNO), Comment to article
                               2.1 subheading Automated processing. The Swedish Privacy Agency Diary number: IMY-2022-695 3(8)
                                Date: 2023-01-17






                                the expression "fully or partially automated processing of personal data" in the present
                                the repealed Personal Data Act (1998:204) covered the sending of documents by post

                                when the underlying processing of the personal data was automated. 4


                                Personal data is defined in Article 4.1 of the Data Protection Regulation as any information
                                which refers to an identified or identifiable natural person.


                                Processing is defined in Article 4.2 of the Data Protection Regulation as an action or
                                combination of measures concerning personal data or sets of
                                personal data, regardless of whether it is performed automatically or not, such as collection,

                                registration, organization, structuring, storage, processing or modification,
                                production, reading, use, disclosure by transmission, dissemination or
                                otherwise providing, adjusting or combining, limiting, erasing

                                or destruction.

                                Personal data responsibility and the principle of accountability

                                According to Article 4.7 of the data protection regulation, the person in charge of personal data means a
                                natural or legal person, public authority, institution or other body which
                                alone or together with others determines the purposes and means of treatment

                                ling of personal data. If the purposes and means of the processing are determined by
                                Union law or the national law of the Member States can the personal data controller

                                or the special criteria for how he is to be appointed are prescribed in Union law or in
                                national law of the Member States.


                                According to ch. 2 Section 6 of the Patient Data Act (2008:355), PDL, is a care provider personal data-
                                responsible for the processing of personal data carried out by the care provider. In a region or
                                a municipality is any authority that provides health care personal data-

                                responsible for the processing of personal data carried out by the authority.

                                According to Article 5.2 of the Data Protection Regulation, the person in charge of personal data shall be responsible

                                for and be able to demonstrate that the principles in Article 5.1 are complied with (the principle of
                                liability).


                                The personal data controller is responsible for implementing appropriate technical and
                                organizational measures to ensure and be able to demonstrate that the processing is carried out in
                                in accordance with the data protection regulation. The measures must be implemented taking into account

                                the nature, scope, context and purpose of the processing and the risks, of
                                varying degree of probability and seriousness, for the freedoms and rights of natural persons.

                                The measures must be reviewed and updated if necessary. It appears from Article 24.1 i
                                data protection regulation.


                                Data on health
                                Information about health is defined in Article 4.15 of the Data Protection Regulation as personal
                                data relating to a natural person's physical or mental health, including

                                provision of healthcare services, which provide information about his
                                health status. Information about health constitutes so-called sensitive personal data. It is
                                prohibited to process such personal data according to Article 9.1 of the Data Protection Ordinance

                                ning, unless the processing is covered by one of the exceptions in Article 9.2 i
                                the regulation.





                                4See JK decision 2020-05-18, dnr 3850-19-4.3.2. Data Protection Agency Diary number: IMY-2022-695 4(8)
                                Date: 2023-01-17







                                Recital 35 of the data protection regulation states the following. Personal information about health should
                                include all the information relating to a registered person's state of health which
                                provides information about the data subject's past, present or future physical or

                                mental health conditions. This includes information about the natural person who
                                collected in connection with registration for or provision of health and

                                healthcare services to the natural person according to the European Parliament and the Council
                                directive 2011/24/EU, a number, a symbol or a characteristic such as the physical
                                the person assigned to identify him for health care purposes, data

                                arising from tests or examination of a body part or body substance,
                                including genetic information and biological samples, and other information about, for example

                                disease, disability, risk of disease, medical history, clinical treatment or the
                                recorded physiological or biomedical conditions, regardless of the source, for example
                                show from a doctor or other healthcare professional, a hospital, a medical technician

                                product or an in vitro diagnostic test.


                                In the Lindqvist case (C-101/01, EU:C:2003:596, point 51), the European Court of Justice has determined that
                                information that a person has injured their foot and is on part-time sick leave constitutes a person-
                                information relating to health according to the data protection directive 5 (the directive was repealed by

                                data protection regulation). The European Court of Justice stated in the case that with regard to the purpose of
                                the data protection directive, the expression "data relating to health" should be given a broad interpretation and

                                considered to include data relating to all aspects of a person's health, both physical and
                                psychological ones (see point 50). The European Court of Justice has further in a later ruling
                                Vyriausioji tarnybinės etikos komisiya (C-184/20, EU:C:2022:601) stated that

                                the concept of sensitive personal data according to article 9.1 of the data protection regulation shall
                                interpreted broadly and judged that even personal data that indirectly reveals a physical
                                a person's sexual orientation constitutes sensitive personal data according to the person in question

                                the provision.


                                The European Data Protection Board (EDPB) has stated that the concept of health data
                                according to the data protection regulation must be interpreted broadly against the background of, among other things, EU
                                the court's judgment in the Lindqvist case and as it appears from reason 53 to the data protection

                                the regulation that information about health deserves extensive protection. IMY has in one
                                legal position deemed that information about guardianship according to the parental code

                                are information about health (IMYRS 2022:3).

                                The requirement for security when processing personal data

                                It follows from Article 32.1 of the data protection regulation that the personal data controller and
                                the personal data assistant must take appropriate technical and organizational measures to

                                ensure a level of safety that is appropriate in relation to the risk of the treatment.
                                It must take into account the latest developments, implementation costs
                                and the nature, scope, context and purpose of the processing as well as the risks, of

                                varying degree of probability and seriousness, for the rights and freedoms of natural persons.


                                When assessing the appropriate security level, special consideration must be given to the risks that
                                the processing entails, in particular from accidental or illegal destruction, loss or
                                alteration or unauthorized disclosure of or unauthorized access to personal data which

                                transferred, stored or otherwise processed. It appears from Article 32.2 i
                                data protection regulation.




                                5 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with
                                regarding the processing of personal data and the free flow of such data.
                                6See the EDPB's guidelines 03/2020 on the processing of data on health for scientific research purposes in connection
                                with the covid-19 outbreak, p. 5. The Swedish Privacy Agency Diary number: IMY-2022-695 5(8)
                               Date: 2023-01-17






                               Recital 75 of the data protection regulation states factors that must be taken into account in the assessment
                               of the risk to the rights and freedoms of natural persons. Loss of, among other things, is mentioned
                               confidentiality with regard to personal data subject to confidentiality and whether

                               the processing concerns information about health or sexual life. Further must be taken into account
                               the processing concerns personal data about vulnerable natural persons, especially children,
                               or if the processing involves a large number of personal data and applies to a large

                               number of registrants.

                               In recital 76 of the data protection regulation, it is stated that how likely and serious the risk is to it

                               data subject's rights and freedoms should be determined based on the nature of the processing,
                               scope, context and purpose. The risk should be evaluated on the basis of a
                               objective assessment, through which it is determined whether the data processing includes

                               a risk or high risk.

                               If the personal data controller hires a personal data assistant to carry out a

                               processing, the personal data controller shall only employ personal data assistants who
                               provides sufficient guarantees to implement appropriate technical and organizational
                               measures. It must take place in such a way that the processing meets the requirements of

                               data protection regulation and that the data subject's rights are protected. It appears from
                               article 28.1 and recital 81 of the data protection regulation.


                               The Swedish Privacy Protection Authority's assessment

                               The investigation into the matter shows that the board during the period from 6 May 2021 to and including

                               on 6 July 2022 has used a service for sending physical letters which meant that
                               some invitations to health care visits have been sent out in window envelopes with information that it is
                               a summons, the patient's name and address and the care facility to which the visit relates

                               were fully visible.

                               The Data Protection Regulation is applicable

                               The information in the summons that was visible through the window envelopes refers to
                               identified persons. It is therefore a matter of personal data. The board's
                               processing of the personal data consists of a series of measures where the board's
                               disclosure of personal data by physical mail has been a part. The underlying part

                               of the process, which, among other things, means that invitations are sent in digital format from
                               Region Dalarna's journal system is automated. IMY therefore assesses that it is a question
                               about a partially automated processing of personal data covered by

                               scope of application of the data protection regulation.

                               Personal data responsibility

                               The board has stated that it is the healthcare provider responsible for personal data for that treatment
                               of personal data in the event of invitations to healthcare visits within the Dalarna Region that are subject to
                               supervision, which is supported by the other investigation in the case. IMY therefore assesses that

                               the committee is responsible for personal data for the current processing.

                               The treatment involved a high risk

                               As a personal data controller, the board must, according to Article 32.1 of the Data Protection Ordinance,
                               ning, take appropriate technical and organizational measures to ensure a
                               appropriate level of security in relation to the risks involved in processing personal data. The

                               also applies when personal data is processed by a personal data processor. IMY does
                               the following assessment of the risks of the current treatment. The Swedish Data Protection Agency Diary number: IMY-2022-695 6(8)
                                Date: 2023-01-17






                                According to information from the board, summonses that have shown sender reception have been sent
                                from the Child and Adolescent Medicine Clinic Mora, Children's Call Center

                                and young Falun and the Sleep Laboratory in Avesta. The investigation into the matter shows that
                                the clinics offer care for children and young people aged 0–17 with illnesses and

                                illness that requires more specialist knowledge and resources than is normally available
                                care centre, help for children and young people up to 17 years of age with mild to moderate mental illness
                                respective investigation and treatment of various sleep disorders.


                                IMY states that the concept of health must be interpreted broadly and assesses that the care which
                                given at the care facilities in question is so specific that an invitation to visit someone

                                of these receptions may be considered to provide information about the individual's physical or
                                mental health conditions.


                                Against this background, IMY assesses that the information regarding these care facilities,
                                which were fully visible at the time of dispatch, constitute information about health in the sense referred to in
                                Article 4.15 of the Data Protection Regulation. The data are therefore so-called sensitive

                                personal data covered by the protection according to Article 9.1 of the regulation.

                                The data is also protected within the health and medical care by confidentiality according to

                                25 ch. Section 1 of the Publicity and Confidentiality Act (2009:400). Because two of the concerned
                                the care facilities only provide care for people who are 17 years of age or younger
                                furthermore, it is established that in some cases the information has also referred to children, who are considered special

                                protected according to the data protection regulation 7. It is also a comprehensive
                                treatment that includes approximately 2,500 mailings from several different healthcare facilities.


                                Against this background, IMY assesses that it is a treatment that involved a
                                high risk and that strong protection was therefore required.


                                The board has not taken sufficient security measures
                                IMY states that the mailings with invitations to visits at Children's and Youth Medicine's

                                should the reception Mora, the Children and Young People's Call Reception Falun and
                                The sleep laboratory in Avesta took place in such a way that the sensitive personal data
                                have been fully visible to everyone who came into contact with the letters. The data has been

                                available to, for example, those who work with handling mail, those who share
                                household with the recipient and the person who received a letter that was delivered to the wrong address.


                                In order to achieve an appropriate level of security, the dispatches should, according to IMY's assessment, have
                                took place in such a way that the sensitive personal data was not visible. The committee

                                has thus not been able to ensure the security level required according to Article 32.1
                                in the data protection regulation.


                                It can be stated that the board's opinion is indeed that it should not be apparent from
                                the envelope which reception a summons to a care visit refers to and that the board therefore
                                procured a service for the purpose of concealing sending reception. After IMY started supervision

                                however, the committee carried out an investigation which showed that the service in question only
                                included invitations on a maximum of five A4 sheets and that other invitations were sent in envelopes
                                which showed which clinic the visit was intended for. IMY states that it has arrived at

                                the committee as personal data controller to ensure that before the processing in question, it
                                the current add-on service fulfilled the need to keep the data hidden from others yet
                                the recipient of the letter.




                                7 See recital 38 of the data protection regulation. Privacy Protection Agency Diary number: IMY-2022-695 7(8)
                                Date: 2023-01-17






                                Against this background, IMY assesses that the committee has not taken sufficient measures
                                to ensure a level of security appropriate to the risk involved
                                current treatment. The board has therefore processed personal data in violation of

                                article 32.1 of the data protection regulation.


                                Choice of intervention

                                Applicable regulations

                                In the event of violations of the data protection regulation, IMY has a number of corrective powers
                                called to be available according to Article 58.2 a–j of the data protection regulation, including reprimand,
                                injunction and penalty fees.


                                Article 83.2 of the data protection regulation states that IMY must impose administrative
                                penalty fees in addition to or instead of the other measures referred to in Article 58.2

                                depending on the circumstances of the individual case. Member States may determine
                                rules for whether and to what extent administrative penalty charges can be imposed
                                public authorities. This is apparent from article 83.7 of the data protection regulation. According to
                                6 ch. Section 2 of the Data Protection Act allows IMY to collect penalty fees from authorities at

                                violations referred to in article 83.4, 83.5 and 83.6 of the data protection regulation and that
                                Article 83.1, 83.2 and 83.3 of the regulation shall then be applied.


                                In article 83.2 of the data protection regulation, the factors that must be taken into account when making a decision are stated
                                if administrative penalty fees are to be imposed and when determining the fee
                                size. If it is a question of a minor violation, IMY receives according to reason 148 more

                                data protection regulation to issue a reprimand instead of imposing a penalty fee.

                                The factors specified in Article 83.2 of the Data Protection Regulation must also be taken into account

                                the determination of the amount of the penalty fee. Each supervisory authority must ensure
                                that the imposition of administrative penalty charges is effective in each individual case,
                                proportionate and dissuasive. This is apparent from Article 83.1 of the Data Protection Ordinance.


                                A penalty fee must be imposed
                                IMY has concluded that the committee has processed personal data in violation of Article

                                32.1 of the data protection regulation. IMY finds in an overall assessment of the
                                circumstances described under the heading Amount of the penalty fee that there is
                                reason to impose a penalty fee on the board and that it is therefore not a question of one

                                such a minor violation that there is reason to issue a reprimand instead.

                                The size of the penalty fee

                                For violations of, among other things, Article 32 of the Data Protection Ordinance may
                                the sanction fee for public authorities amounts to a maximum of SEK 5,000,000. The
                                appears from ch. 6. Section 2 of the Data Protection Act and Article 83.4 of the Data Protection Ordinance.


                                In the assessment of the seriousness of the violation, IMY considers in accordance with Article 83.2 g
                                in the data protection regulation that the processing has included sensitive personal data about

                                health and information about children, which are particularly worthy of protection according to data protection
                                the regulation.


                                Furthermore, IMY takes into account what has emerged about the nature and severity of the violation
                                and duration based on what is stated in article 83.2 a of the data protection regulation. Thereby
                                it can be established that the violation has been going on for a longer period of just over a year, from and

                                with May 6, 2021, when the patient who filed the underlying complaint
                                for the supervisory authority received its summons, up to and including July 6, 2022, when the board took Integritetsskyddsmyndigheten Diary number: IMY-2022-695 8(8)
                               Date: 2023-01-17






                               measures to hide the sender's receipt on the envelope when mailing. Against background
                               of the fact that the committee stated that it is about 2,500 summonses per year can also
                               it is established that the violation affects a large number of registered users. Furthermore, it means

                               the fact that the violation has occurred in healthcare - i.e. a business there
                               the registered patient is in a dependent and vulnerable position i
                               relationship with the person in charge of personal data - that there is reason to look more seriously
                               the violation. However, IMY assesses that there are also factors that speak to the contrary

                               direction in the assessment of the seriousness of the infringement. First, it moves
                               if a physical handling and not a digital one which would have involved a risk of greater and
                               faster dissemination of the data. A distribution by regular mail is more

                               limited and controlled than a transfer via the open network. Furthermore, have
                               emerged that the committee identified the risk of exposing those in question
                               the personal data during mailings and therefore took certain measures in order to comply

                               the requirements and reduce the risks of the treatment.

                               IMY decides based on an overall assessment of the circumstances of the case that

                               The health care board in Region Dalarna must pay an administrative fee
                               penalty fee of SEK 200,000.




                               This decision has been taken by the general manager Lena Lindgren Schelin after a presentation
                               by the lawyer Maja Welander. In the final processing of the case has also

                               head of law David Törngren, acting head of unit Linn Sandmark and IT-
                               and information security specialist Magnus Bergström participated.


                               Lena Lindgren Schelin, 2023-01-17 (This is an electronic signature)




                               Copy to
                               The board's data protection officer
                               The appellant




                               How to appeal


                               If you want to appeal the decision, you must write to the Swedish Privacy Agency. Enter in
                               the letter which decision you are appealing and the change you are requesting. The appeal shall
                               have been received by the Privacy Protection Authority no later than three weeks from the date of the decision

                               was announced. If the appeal has been received in time, Privacy Protection sends
                               the authority forwards it to the Administrative Court in Stockholm for review.

                               You can e-mail the appeal to the Privacy Protection Authority if it does not contain

                               any privacy-sensitive personal data or information that may be covered by
                               secrecy. The authority's contact details appear on the first page of the decision. Appendix 2




















             How to appeal FR-03

             ________________________________________________________________



             If you want the decision to be changed in any part, you can raise your appeal (read more about
             you appeal. Here you will find out how it is done. trial permission further down).


                                                                                         3. Talk about what evidence you want to refer to.

             Appeal in writing within 3 weeks Explain what you want to show with each piece of evidence.
                                                                                             Send with written evidence that has not already

             The time is usually counted from the day that you received is in the goal.
             part of the written decision. In some cases count

             the time instead from the date of the decision. It applies to 4. Leave name and social security number or
             if the decision was delivered at an oral organization number.

             negotiation, or about the right at the negotiation Provide current and complete information
             gave notice of the date of the decision.
                                                                                             about where the court can reach you: postal addresses,
                                                                                             email addresses and phone numbers.
             For a party representing the public (to

             for example authorities) the time is always counted from If you have a representative, also leave
- the day the court announced the decision. agent's contact details.
0
•
i Note that the appeal must have arrived 5. Send or submit the appeal to
c administrative law. You can find the address in
t into court when time runs out.
o the decision.
pp
d
ö What day does the time expire?
d The last day for appeals is the same day of the week What happens next?
A
e as time begins to count. For example, if you received
e part of the decision on Monday 2 March the time expires The Administrative Court checks that the appeal-
o Monday, March 23. it came in at the right time. Has it come in for
pp
o If the last day falls on a Saturday, Sunday or late, the court rejects the appeal. The
v means that the decision applies.
a holiday, Midsummer's Eve, Christmas Eve or New Year's
c evening, it is enough that the appeal is received
o next weekday. If the appeal arrived in time, send
P administrative court appeal and all
T
- documents in the case forwarded to the Court of Appeal.
v
in
e How to do it Have you previously received letters through simplified
a service, the Court of Appeal can also send a letter
l 1. Write the name of the administrative court and
e in this way.
Island target number.
–
-
F 2. Explain why you think the decision should
d is changed. Tell us what change you want
g
k and why you think the Court of Appeal should
v
r
r
n
in Page 1 of 2
n
A
                                                                            www.domstol.se Trial permission in the Court of Appeal


               When the appeal comes to the chamber-
               the right, the court first decides whether

               the case must be taken up for consideration.


               The Court of Appeal grants leave to appeal in four

               different cases.


                 • The court considers that there is

                     reason to doubt that administrative
                     the court ruled correctly.


                 • The court considers that it is not possible

                     assess whether the administrative court ruled correctly
                     without addressing the goal.


                 • The court needs to take up the case in order to

                     provide guidance to other courts in legal
                     the application.


                 • The court considers that there is

                     extraordinary reasons to raise the case of someone
                     other reason.


               If you do not receive leave to appeal, it applies

               appealed the decision. Therefore, it is important that i

               the appeal include everything you want to bring forward.



5
0 Do you want to know more?
0
•
n Contact the administrative court if you have
k questions. You can find the address and phone number at
v
s first page of the decision.
t
m
d More information is available at www.domstol.se.
f
d
A
e
e
l
pp
O
D
a
r
u
O
P
T
-
v
d
e
n
g
k
e
ISLAND
–
-
F
d
a
l
e
island
f
a
in
in Page 2 of 2
n
A
                                                                                  www.domstol.se