Administrative Court Stockholm - Mål nr 1930-23

From GDPRhub
Court: FiS (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 32(1) GDPR
Decided:
Published:
Parties: Hälso- och sjukvårdsnämnden i Region Dalarna
Integritetsskyddsmyndigheten
National Case Number/Name: Mål nr 1930-23
European Case Law Identifier:
Appeal from:
Appeal to: Not appealed
Original Language(s): Swedish
Original Source: Mål nr 1930-23 (in Swedish)
Initial Contributor: sh

A court upheld the Swedish DPA's decision to fine the medical board of Region Dalarna for breaching Article 32(1) GDPR when summoning patients to healthcare appointments by mail.

English Summary

Facts

In January 2023 the Swedish DPA imposed a fine of approximately €1,800 on the medical board of Region Dalarna for failing to implement adequate security measures to protect special categories of data against unauthorised disclosure when sending written summons to healthcare visits by mail (IMY-2022-695).

The board appealed this decision to the Swedish first instance administrative court. It argued that an invitation to medical care does not always reveal personal data about a data subject's health. In addition, the board had rectified the damage by changing the postal method, and so the penalty fee should be annulled. The Stockholm first instance administrative court partially upheld the Swedish DPA's original ruling.

Holding

Contrary to the Swedish DPA's position, the court ruled that not all letters from the three healthcare facilities inviting patients to appointments could be considered health data under Article 4(15) GDPR. While in all three cases it was possible to connect a healthcare facility appointment to the individual, the care at one clinic was too broad to draw conclusions about the state of health which formed the basis of the actual appointment.

However, the court agreed that more care should have been taken under Article 32(1) GDPR to ensure the security of the processing. Information on healthcare visits is often sensitive in nature, and it was easy for unauthorised individuals to access information about the appointments simply by coming into contact with the appointment letters. In addition, when the board was informed of the infringement, it changed the postal letter format. This did not incur major implementation costs, which under Article 32(2) GDPR makes a breach of Article 32(1) GDPR more likely.

Despite the fact that not all data was classified as health data, the court concluded that the prior fine of 20,000 SEK (around €1,600) was proportionate to the violation.


English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

ADMINISTRATIVE COURT IN STOCKHOLM, Section 8
JUDGMENT, announced in Stockholm 2023-09-07
Case no 1930-23

APPELLANT
The Health and Medical Services Board in Region Dalarna

COUNTERPARTY
The Swedish Privacy Protection Authority

APPEALED DECISION
The Data Protection Authority's decision 2023-01-17, see appendix 1

SUBJECT MATTER
Processing of personal data

_____________________

DECISION OF THE ADMINISTRATIVE COURT

The administrative court rejects the appeal.

CLAIMS, ETC.

The Swedish Privacy Protection Authority (IMY) has decided that the Health and Medical Services Board in Region Dalarna (the board) must pay an administrative penalty fee of SEK 200,000. The decision states that during the period 6 May 2021–6 July 2022 the board processed personal data in violation of Article 32.1 of the Data Protection Regulation [1], by not taking appropriate technical and organizational measures to ensure an appropriate level of protection in connection with the sending of physical invitations to certain care visits within Region Dalarna. The reasons for the decision appear in Appendix 1.

The board demands that the decision on the penalty fee be annulled and puts forward, among other things, the following. The board has procured the current envelope and postal service in accordance with the standard requested and used by the Swedish regions. During the procurement, envelopes were required to be such that no data can be revealed. IMY believes that the care provided at the relevant care facilities is so specific that a summons to any of them may be considered to provide information about the individual's physical or mental state of health. However, the board considers that IMY makes an overly generalizing and discretionary assessment. It is not a given that a call to care, regardless of which part of it, for a medical assessment reveals information about a person's health. The board questions IMY's view, as the board perceives it, that all care units must send their invitations in completely anonymous envelopes, without the discretion that may be needed to differentiate based on what the name of the care facility can conceivably reveal in the form of target groups, the diagnosis panorama and the like. With IMY's interpretation it can even be questioned whether Region Dalarna can be written on the envelope. Given the volume of mailings, IMY's assessment appears generalizing and disproportionate. The authority also ignores the secrecy that applies to mail forwarding. The size and importance of the issue at national level means that the stance taken by IMY is unreasonable. The decision can have far-reaching consequences for other healthcare providers as well. There are three patients who claim damage, and the board has made an incident report. The board has rectified the damage, which is why the decision on the penalty fee must be annulled.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

IMY considers that the appeal should be rejected and puts forward, among other things, the following. According to case law from the European Court of Justice, the special categories of personal data, including information about health, as specified in Article 9.1 of the Data Protection Regulation, are given a wide interpretation. The European Court of Justice has held that not only personal data which directly discloses sensitive information about the data subject is covered by the protection in Article 9.1, but also information that indirectly reveals sensitive information. In the appealed decision, IMY has only taken a position on how invitations to three specific receptions are to be assessed. IMY's view is that whoever is called to a visit at one of these receptions is likely to be in need of, for example, investigation or treatment for the type of health problems that the reception is focused on. The data thus gives information about the individual's physical or mental state of health.

However, IMY believes that the personal data processing in question has involved a high risk even if the administrative court were to conclude that it does not concern sensitive personal data in the sense of the Data Protection Regulation. Processing of personal data in healthcare generally means a high risk for the freedoms and rights of data subjects, not least in light of the fact that patients are in a vulnerable position in relation to the caregiver. IMY admits that there has not been an unauthorized disclosure of sensitive personal data in relation to the person who handles the mail. However, the fact remains that the board has not protected the data from unauthorized disclosure, because they have been fully visible to everyone else who came into contact with the letter. IMY believes that the board cannot be considered to have taken sufficient security measures only by setting requirements when procuring the service. IMY believes that the board also should have checked that the service purchased corresponded to the requested need to keep the information hidden, which has not happened. That the board fulfilled its obligation under the Data Protection Regulation to notify a personal data incident shall not be seen as a mitigating circumstance in this assessment.


THE REASONS FOR THE DECISION

The obligation to communicate

The board considers that IMY has breached its obligation to communicate and puts forward the following. The communication contains relatively general descriptions with reference to current legislation. IMY does not describe why the events with the envelopes violate current legislation; this appears first in the decision. If it had come to light earlier, the board would have been able to present its position already in its response to the communication.

From section 25, first paragraph, first sentence, of the Administrative Procedure Act (2017:900) it follows that an authority, before making a decision in a case, must notify the party of all material of importance for the decision and give the party the opportunity to comment on the material within a specified time.

The Administrative Court makes the following assessment. By material of importance is meant such circumstances or information that affect the authority's position on the matter to which the decision applies. There is no requirement that a proposal for a decision must be communicated. From the documents it appears that on 11 November 2022 IMY informed the board that the authority was considering imposing a penalty fee. IMY also informed the board about the scope of the supervision as well as the basis on which the authority intended to base its decision. The Administrative Court therefore assesses that IMY informed the board of all material of significance for the decision, and notes that the authority subsequently also gave the board the opportunity to comment on the material within a specified time. The Administrative Court therefore considers that there is no reason to overturn the appealed decision due to deficiencies in the communication obligation.


The case

IMY has reviewed the board's mailing of invitations to care visits from the Child and Adolescent Medicine Clinic Mora, the Children and Young People's Counselling Clinic Falun and the Sleep Laboratory in Avesta. For summonses to the care facilities, information has been sent in digital format from Region Dalarna's medical records system to an external actor who mechanically printed, enveloped and sent the invitation to the addressee. The documents show that certain summonses have been sent out in window envelopes in which information that it is a summons, the patient's name and address, and the care facility to which the visit refers have been visible. IMY considers that the board has processed personal data in violation of the Data Protection Regulation by not ensuring that the information about the sending care facility has been hidden from anyone other than the recipient of the letter.

The first question the administrative court must decide is whether the board shall be subject to a penalty fee on the grounds invoked by IMY. If the assessment is that a penalty fee must be imposed on the board, the administrative court shall also examine the question of the amount of the penalty fee.

In addition to what is reported in this judgment, the applicable regulations appear from the appealed decision, see Appendix 1.

Should a penalty fee be imposed?

In order for an administrative penalty fee to be imposed, it must be clearly established that the prerequisites are met, and it is IMY that has the burden of proof for this (see, among other things, the Court of Appeal in Stockholm's judgment of 16 May 2022 in case no. 4611-21).

The Administrative Court initially agrees with IMY's assessment that this is a question of partially automated processing of personal data covered by the scope of the Data Protection Regulation, and that the board is the personal data controller for the processing in question.



Information about health?

Data on health is defined in Article 4.15 of the Data Protection Regulation as personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. Information about health is a special category of personal data, so-called sensitive personal data, which according to the main rule in Article 9.1 of the Data Protection Regulation may not be processed unless the processing is covered by one of the exceptions in Article 9.2 of the regulation.

Recital 35 of the Data Protection Regulation states that personal data about health should include all data relating to a data subject's state of health that provides information about the data subject's past, present or future physical or mental health conditions. Recital 63 gives as examples of information about health such information in medical records as diagnoses, examination results, assessments by attending physicians and any care treatments or interventions.

The European Court of Justice, in a judgment of 6 November 2003 (Lindqvist, C-101/01), which concerned the corresponding concept in the Data Protection Directive [2], made the assessment that information that a person had injured their foot and was on part-time sick leave constituted information about health. The European Court of Justice stated in the judgment that the expression "data relating to health" must be given a broad interpretation in light of the directive's purpose and be considered to include data relating to all aspects of a person's health, both physical and mental (Lindqvist, paragraph 50). The EU Court of Justice has also, in a judgment of 1 August 2022 (Vyriausioji tarnybinės etikos komisija, C‑184/20), stated that data that may indirectly reveal sensitive information is covered by the enhanced protection prescribed in Article 9.1 of the Data Protection Regulation (Vyriausioji tarnybinės etikos komisija, paragraph 127).

[2] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

In the appealed decision, IMY has assessed that the care provided at the care facilities in question is so specific that a summons to one of these receptions may be considered to provide information about the individual's physical or mental state of health. The Administrative Court agrees with that assessment as regards invitations to the Sleep Laboratory in Avesta and the Children and Young People's Counselling Clinic Falun. The documents show that the Sleep Laboratory in Avesta investigates sleep apnea and sleep disorders, including difficulty sleeping, hypersomnia, parasomnia, narcolepsy and circadian rhythm disorders. In the administrative court's opinion, it is therefore possible to draw the conclusion from a summons that the person called seeks help for sleep-related health problems. As for the Children and Young People's Counselling Clinic Falun, it is stated that the reception helps children and young people up to and including 17 years of age with mild to moderate mental illness. The Administrative Court therefore considers that a summons to it provides information that the person called suffers from mental illness in some form.

Regarding the Child and Adolescent Medicine Clinic Mora, the following is stated. The reception offers specialist healthcare for children and young people aged 0–17 and is a county clinic within Child and Adolescent Medicine Dalarna. Specialist healthcare means that the reception takes care of diseases and ill-health which require more specialist knowledge and resources than are normally available at a health centre. It is stated that children and young people are usually referred from the health centre, child health centre and school health care, but the reception also receives children and young people at their own request for care.

In light of the above, the administrative court can state that the care conducted at the Child and Adolescent Medicine Clinic Mora is of course specific in that it targets children and young people, and that the healthcare provided requires more specialist knowledge and resources than are normally available at the health centre. From a summons to the reception, however, it is not possible to draw any closer conclusions about which state of health forms the basis for the summons itself, because the care provided at the reception covers a wide range of interventions. The Administrative Court therefore considers that the information that someone is called to the reception gives no concrete information about the called person's past, present or future physical or mental health conditions. It is therefore not a matter of information about health in the sense referred to in Article 4.15 of the Data Protection Regulation.


Has the board taken sufficient measures to ensure an appropriate level of security in connection with the sending of the invitations?

IMY has assessed that the dispatches, in order to achieve an appropriate level of security, should have taken place in such a way that sensitive personal data was not visible, and that it was incumbent on the board to ensure, before the processing in question, that the add-on service for the envelope service in question met the need to keep information about the care facility concerned hidden from anyone other than the recipient of the letter.

It follows from Article 32.1 of the Data Protection Regulation that the personal data controller shall take appropriate technical and organizational measures to ensure a level of security that is appropriate in relation to the risk of the processing. This must be done taking into account, among other things, the implementation costs and the nature, scope, context and purpose of the processing. Article 32.2 states that consideration must be given in particular to the risk of accidental or unlawful destruction, loss or alteration, or to unauthorized disclosure of or unauthorized access to the personal data being processed.

The Patient Data Act (2008:355) contains regulations on care providers' processing of personal data in health and medical care that complement the provisions of the Data Protection Regulation. Chapter 1, section 2, second and third paragraphs, of the Patient Data Act state that personal data must be designed and otherwise processed so that the privacy of patients and other data subjects is respected. Documented personal data must be handled and stored so that unauthorized persons do not gain access to them.

The Administrative Court considers that information about care visits can often be of a sensitive nature, even if information about the underlying health condition is not disclosed, and that it may have negative consequences for the individual if the information were used by someone unauthorized. The starting point should therefore be that a high level of security must be observed when handling such data. Regarding the risks of the personal data processing in question, it should be taken into account that it concerns shipments by post and that there are rules on confidentiality in postal operations. However, it cannot be ruled out that the information is used by someone unauthorized, e.g. by someone who shares a household with the recipient coming into contact with the envelope, or through the envelope being mistakenly delivered to the wrong address.

The Administrative Court further notes that the processing in question includes a large number of invitations sent out. In addition, against the background of the administrative court's assessment above, there was a risk that information about health was revealed in connection with invitations being sent from the Sleep Laboratory in Avesta and the Children and Young People's Counselling Clinic Falun. As for the invitations to the Child and Adolescent Medicine Clinic Mora, the envelopes have not disclosed any information about health within the meaning of the Data Protection Regulation. Caregivers, however, have a responsibility to ensure that personal data, such as the information that a person is called to a care visit at a specific reception, is handled and stored so that unauthorized persons do not gain access to it. In addition, the summonses concerned children, whose data are identified as particularly worthy of protection in the recitals of the Data Protection Regulation.

As regards the purpose of the processing, the administrative court can state that there does not seem to be any purpose for the information about a specific care facility to be visible on the envelope of an invitation. During IMY's investigation, the board also explained that the intention has been that information about which clinic/department is sending a summons should not appear from the envelopes. In order to ensure this, the board has stated that it pays for an additional service which means that envelopes with one window, showing only the addressee's address, should be used. However, the documents show that summonses containing more than five A4 sheets were sent in envelopes with two windows, and that in these cases it was possible to find out which care facility had sent the invitation. When the board received information about this, measures were taken in the form of changes to the template used when sending invitations, and the adjustment does not seem to have been combined with any larger implementation costs.

In the assessment of the administrative court, taking into account the considerations set out above, the board was required to ensure strong protection of personal data in connection with the handling of invitations to the healthcare facilities in question. By not ensuring complete protection for the information that the envelopes contained invitations to the care facilities in question, the administrative court considers that the board failed to take appropriate technical and organizational measures in accordance with the requirements that follow from Article 32.1 of the Data Protection Regulation.
Doc.Id 1637301 Page 11

         ADMINISTRATIVE COURT JUDGMENT 1930-23
         IN STOCKHOLM


Choice of intervention

In the opinion of the administrative court, it is clear from the documents that the board has not fulfilled its obligations under Article 32.1 of the data protection regulation. The administrative court agrees with IMY's assessment of the seriousness of the violation. It concerns a large number of summonses where personal data was revealed on the envelope, and where sensitive information about individuals' state of health could in some cases be read out. In the cases where sensitive data could not be read from the envelopes, the handling included information about children, whose data is to be assessed as particularly worthy of protection. The shortcomings persisted for a longer period and were first discovered in connection with IMY opening a supervisory matter due to a complaint. In the opinion of the administrative court, the violation therefore cannot be considered a minor violation, even if the risks have been partially limited by the handling taking place within the framework of postal operations. The penalty fee shall therefore not be replaced by a reprimand. That the board itself identified the risks of the handling and took certain measures is not sufficient, in the opinion of the administrative court, to assess the violation as less serious. The conditions for imposing a sanction fee on the board are therefore met.



The size of the penalty fee

In order to assess the size of the penalty fee, a position must first be taken on the seriousness of the violations and then on whether there are mitigating or aggravating circumstances. Finally, an assessment is made of whether the penalty fee is effective, proportionate and dissuasive (cf. the Court of Appeal in Stockholm's judgment of 16 September 2022 in case no 7837-21).

The violation is subject to a maximum sanction fee of SEK 5 million. The circumstances explained under the heading Choice of intervention are such circumstances which, according to Article 83.2 of the data protection regulation, must also be taken into account when determining the size of the penalty fee. Against the background of the circumstances explained above, the administrative court considers that the seriousness of the violation is such that a sanction fee of SEK 200,000 appears to be an effective, proportionate and dissuasive measure. The incident report made by the board is not considered by the administrative court to constitute a mitigating circumstance under Article 83.2 of the data protection regulation. Nor have any other circumstances come to light that must be taken into account in an aggravating or mitigating direction. The administrative court therefore assesses that the penalty fee decided by IMY is well balanced. The appeal shall thus be rejected.



HOW TO APPEAL

This decision can be appealed. Information on how to appeal can be found in appendix 2 (FR-03).

Sofi Nyström
Judge

The lay judges Helen Frenning, Peter Gustafsson and Roland Hansson have also participated in the decision.

Administrative court fiscal Johanna Pellby has been the rapporteur.

















Appendix 1

ADMINISTRATIVE COURT IN STOCKHOLM, Division 8
Received: 2023-02-01
Case no: 1930-23
Case file appendix: 3

Diary number: IMY-2022-695
Your diary number: HSN 2022/1069
Date: 2023-01-17

Decision after supervision according to the data protection regulation - the Health and Medical Services Board in Region Dalarna



The Privacy Protection Authority's decision

The Swedish Privacy Protection Authority (IMY) finds that the Health and Medical Services Board in Region Dalarna (the board) has, from 6 May 2021 up to and including 6 July 2022, processed personal data in violation of Article 32.1 of the data protection regulation [1], by not taking appropriate technical and organizational measures to ensure an appropriate level of protection in connection with the sending of physical summonses to certain healthcare visits within Region Dalarna.

IMY decides, with the support of Chapter 6, Section 2 of the Data Protection Act [2] and Articles 58.2 and 83 of the data protection regulation, that the board must pay an administrative sanction fee of SEK 200,000 (two hundred thousand).


Account of the supervisory matter

IMY initiated supervision of the board due to information that emerged in a complaint from a person who, on 6 May 2021, received a summons by letter to a healthcare visit within Region Dalarna. The complaint states that the summons was in a window envelope and that the information that it was a summons, the complainant's name and address, and the care facility issuing the summons were fully visible in the window of the envelope. The purpose of IMY's supervision is to investigate whether the board's processing of personal data in connection with the use of the current type of window envelope for summonses to healthcare visits meets the requirements for security in connection with the processing according to Article 32 of the data protection regulation.

Within the framework of the supervisory matter, IMY has only reviewed the board's mailing of summonses regarding the Children's and Youth Medicine Clinic Mora, the Children's and Young People's Counselling Clinic Falun and the Sleep Laboratory in Avesta.


The board has essentially stated the following. The board is a healthcare provider and is the personal data controller for the personal data processing that the supervision refers to. Summonses from Region Dalarna are sent using Postnord Strålfors AB's (Strålfors) eBREV function. The summonses are sent securely in digital format from Region Dalarna's journal system to Strålfors, which mechanically prints, envelopes and sends the summons to the addressee.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[2] The Act (2018:218) with supplementary provisions to the EU's data protection regulation.






The board identified the risk of using double-window envelopes when the service was procured and therefore bought an additional service under which envelopes with only one window, showing the recipient's address, are to be used. On these envelopes Region Dalarna's postal address is printed where the sender's address is usually placed, and the name of the clinic or department that sent the summons is therefore not shown. The board's opinion is that the sending clinic should not appear on the envelope.

In a statement to IMY dated 28 April 2022, the board stated that it had started an investigation together with Strålfors. In an opinion dated 16 June 2022, the board stated mainly the following. It is unclear when the board started sending summonses where the patient's name and the care facility to which the summons refers appear in the window of the envelope. The investigation shows that the additional service where the sender is hidden only applies to mailings of at most five A4 sheets. If the mailing contains more A4 sheets, a larger envelope must be used, and since there are no customer-unique envelopes of that size in the eBREV customer assignment that has been signed, standard envelopes with two windows are used instead. In the same opinion the board stated that the investigative work to review the flow regarding the sending of summonses via eBREV, and the risks linked to it that could give rise to a personal data incident, was in progress. In parallel with this, a discussion was being held with Strålfors about the need to renegotiate the customer assignment to ensure that the correct type of envelope, with hidden sender, is used for all mailings.

In the opinion dated 16 June 2022, the board stated that the processing that is subject to supervision had not ceased. In a supplement that the board submitted to IMY on 6 July 2022, it was stated that the board, until an agreement is reached with Strålfors, will change the template for summonses to visits at the three units (the Children's and Youth Medicine Clinic Mora, the Children's and Young People's Counselling Clinic Falun and the Sleep Laboratory in Avesta) that have been identified as sending summonses with attachments exceeding five A4 sheets. The board attached a picture showing that the summonses will be sent in an envelope with two windows, where Region Dalarna's postal address appears in one window and information that it is a visit via video link, together with the patient's name and address, appears in the other.

In an opinion dated 9 August 2022, the board stated that the previous details have been removed from summonses sent through the Take Care IT system. It concerns about 2,500 summonses per year, which corresponds to 0.5 percent of the total number of summonses sent through the current system.


Justification of the decision

Applicable regulations

Scope of the data protection regulation

Article 2.1 of the data protection regulation states that the regulation applies to the processing of personal data that is wholly or partly carried out by automated means, and to other than automated processing of personal data that forms part of, or is intended to form part of, a filing system.

In the legal doctrine it is stated that, because the data protection regulation covers partly automated processing of personal data, the regulation is applicable in the case of disclosure on paper of personal data that is held in data format. [3] Furthermore, the Chancellor of Justice has assessed that the expression "wholly or partly automated processing of personal data" in the now repealed Personal Data Act (1998:204) covered the sending of documents by post when the underlying processing of the personal data was automated. [4]

[3] See Öhman, Data Protection Regulation (GDPR) etc. (13 October 2022, Version 2A, JUNO), commentary on Article 2.1, subheading Automated processing.


Personal data is defined in Article 4.1 of the data protection regulation as any information relating to an identified or identifiable natural person.

Processing is defined in Article 4.2 of the data protection regulation as any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Personal data responsibility and the principle of accountability

According to Article 4.7 of the data protection regulation, the personal data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of the processing are determined by Union law or the national law of the Member States, the controller, or the specific criteria for its nomination, may be provided for by Union law or the national law of the Member States.

According to Chapter 2, Section 6 of the Patient Data Act (2008:355), PDL, a care provider is the personal data controller for the processing of personal data carried out by the care provider. In a region or a municipality, each authority that provides health care is the personal data controller for the processing of personal data carried out by that authority.

According to Article 5.2 of the data protection regulation, the personal data controller shall be responsible for, and be able to demonstrate, compliance with the principles in Article 5.1 (the principle of accountability).

The personal data controller is responsible for implementing appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the data protection regulation. The measures must be implemented taking into account the nature, scope, context and purposes of the processing as well as the risks, of varying likelihood and severity, for the rights and freedoms of natural persons. The measures must be reviewed and updated where necessary. This follows from Article 24.1 of the data protection regulation.


Data on health

Data concerning health is defined in Article 4.15 of the data protection regulation as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. Data concerning health constitutes so-called sensitive personal data. It is prohibited to process such personal data according to Article 9.1 of the data protection regulation, unless the processing is covered by one of the exceptions in Article 9.2 of the regulation.

[4] See JK decision 2020-05-18, dnr 3850-19-4.3.2.







Recital 35 of the data protection regulation states the following. Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject, independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.


In the Lindqvist case (C-101/01, EU:C:2003:596, paragraph 51), the Court of Justice of the European Union determined that information that a person has injured her foot and is on part-time sick leave constitutes personal data concerning health according to the data protection directive [5] (the directive was repealed by the data protection regulation). The Court stated in the case that, having regard to the purpose of the data protection directive, the expression "data concerning health" should be given a wide interpretation and be taken to include information concerning all aspects, both physical and mental, of a person's health (see paragraph 50). In a later ruling, Vyriausioji tarnybinės etikos komisija (C-184/20, EU:C:2022:601), the Court further stated that the concept of sensitive personal data under Article 9.1 of the data protection regulation shall be interpreted broadly, and held that even personal data which indirectly reveals a natural person's sexual orientation constitutes sensitive personal data under that provision.

The European Data Protection Board (EDPB) has stated that the concept of health data under the data protection regulation must be interpreted broadly, against the background of, among other things, the Court's judgment in the Lindqvist case and the statement in recital 53 of the data protection regulation that data concerning health deserves extensive protection. [6] IMY has, in a legal position, deemed that information about guardianship according to the Parental Code is information about health (IMYRS 2022:3).

The requirement for security when processing personal data

It follows from Article 32.1 of the data protection regulation that the personal data controller and the personal data processor must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. Account must be taken of the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks, of varying likelihood and severity, for the rights and freedoms of natural persons.

When assessing the appropriate level of security, particular account must be taken of the risks that the processing entails, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to personal data transmitted, stored or otherwise processed. This follows from Article 32.2 of the data protection regulation.

[5] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[6] See the EDPB's Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak, p. 5.






Recital 75 of the data protection regulation lists factors that must be taken into account when assessing the risk to the rights and freedoms of natural persons. Among other things, it mentions loss of confidentiality of personal data protected by professional secrecy, and whether the processing concerns data about health or sex life. Account must also be taken of whether the processing concerns personal data of vulnerable natural persons, in particular children, or whether the processing involves a large amount of personal data and affects a large number of data subjects.

Recital 76 of the data protection regulation states that the likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. The risk should be evaluated on the basis of an objective assessment, by which it is established whether the data processing involves a risk or a high risk.

If the personal data controller engages a personal data processor to carry out processing, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures. This must be done in such a way that the processing meets the requirements of the data protection regulation and that the rights of the data subject are protected. This follows from Article 28.1 and recital 81 of the data protection regulation.


The Swedish Privacy Protection Authority's assessment

The investigation into the matter shows that the board, during the period from 6 May 2021 up to and including 6 July 2022, used a service for sending physical letters which meant that some summonses to healthcare visits were sent out in window envelopes in which the information that it was a summons, the patient's name and address, and the care facility to which the visit relates were fully visible.

The data protection regulation is applicable

The information in the summonses that was visible through the window envelopes refers to identified persons. It is therefore a matter of personal data. The board's processing of the personal data consists of a series of operations, of which the board's disclosure of personal data by physical mail has been one part. The underlying part of the process, which among other things means that summonses are sent in digital format from Region Dalarna's journal system, is automated. IMY therefore assesses that this is a partly automated processing of personal data which falls within the scope of application of the data protection regulation.

Personal data responsibility

The board has stated that it is the healthcare provider responsible, as personal data controller, for the processing of personal data in connection with summonses to healthcare visits within Region Dalarna that is subject to supervision, which is supported by the other investigation in the case. IMY therefore assesses that the board is the personal data controller for the current processing.

The processing involved a high risk

As personal data controller, the board must, according to Article 32.1 of the data protection regulation, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks involved in processing the personal data. This also applies when personal data is processed by a personal data processor. IMY makes the following assessment of the risks of the current processing.






According to information from the board, summonses that showed the sending clinic were sent from the Children's and Youth Medicine Clinic Mora, the Children's and Young People's Counselling Clinic Falun and the Sleep Laboratory in Avesta. The investigation into the matter shows that these clinics offer, respectively, care for children and young people aged 0–17 with illnesses that require more specialist knowledge and resources than are normally available at a health centre; help for children and young people up to 17 years of age with mild to moderate mental ill-health; and investigation and treatment of various sleep disorders.


IMY states that the concept of health must be interpreted broadly and assesses that the care given at the care facilities in question is so specific that a summons to a visit at one of these clinics may be considered to provide information about the individual's physical or mental health.

Against this background, IMY assesses that the information regarding these care facilities, which was fully visible at the time of dispatch, constitutes data concerning health in the sense referred to in Article 4.15 of the data protection regulation. The data is therefore so-called sensitive personal data covered by the protection under Article 9.1 of the regulation.

The data is also protected within health and medical care by confidentiality according to Chapter 25, Section 1 of the Public Access to Information and Secrecy Act (2009:400). Because two of the care facilities concerned only provide care for people who are 17 years of age or younger, it is furthermore established that in some cases the information has also referred to children, who are considered particularly worthy of protection under the data protection regulation. [7] It is also an extensive processing, comprising approximately 2,500 mailings from several different healthcare facilities.

Against this background, IMY assesses that the processing involved a high risk and that strong protection was therefore required.


The board has not taken sufficient security measures

IMY notes that the mailings with invitations to visits at the Children's and Youth Medicine Reception in Mora, the Children's and Youth Counselling Reception in Falun and the Sleep Laboratory in Avesta took place in such a way that the sensitive personal data was fully visible to everyone who came into contact with the letters. The data was available to, for example, those who handle mail, those who share a household with the recipient, and anyone who received a letter delivered to the wrong address.

In order to achieve an appropriate level of security, the dispatches should, in IMY's assessment, have been made in such a way that the sensitive personal data was not visible. The board has thus not ensured the level of security required under Article 32.1 of the data protection regulation.


It can be noted that the board's own view is indeed that it should not be apparent from the envelope which reception a summons to a care visit refers to, and that the board therefore procured a service for the purpose of concealing the sending reception. After IMY opened its supervision, however, the board carried out an investigation which showed that the service in question only covered invitations of at most five A4 sheets, and that other invitations were sent in envelopes which showed which clinic the visit concerned. IMY states that it was incumbent on the board, as controller, to ensure before the processing in question that the add-on service actually met the need to keep the data hidden from persons other than the recipient of the letter.




[7] See recital 38 of the data protection regulation.






Against this background, IMY assesses that the board has not taken sufficient measures to ensure a level of security appropriate to the risk of the processing in question. The board has therefore processed personal data in violation of Article 32.1 of the data protection regulation.


                                Choice of intervention

                                Applicable regulations

In the event of violations of the data protection regulation, IMY has a number of corrective powers at its disposal under Article 58.2 a–j of the data protection regulation, including reprimands, orders and administrative fines.


Article 83.2 of the data protection regulation provides that administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the other measures referred to in Article 58.2. Member States may lay down rules on whether and to what extent administrative fines may be imposed on public authorities; this follows from Article 83.7 of the data protection regulation. Under Chapter 6, Section 2 of the Data Protection Act, IMY may impose administrative fines on public authorities for violations referred to in Article 83.4, 83.5 and 83.6 of the data protection regulation, and Article 83.1, 83.2 and 83.3 of the regulation shall then be applied.


Article 83.2 of the data protection regulation lists the factors that must be taken into account when deciding whether an administrative fine is to be imposed and when determining its amount. In the case of a minor violation, IMY may, according to recital 148 of the data protection regulation, issue a reprimand instead of imposing an administrative fine.

The factors specified in Article 83.2 of the data protection regulation must also be taken into account when determining the amount of the administrative fine. Each supervisory authority must ensure that the imposition of administrative fines is effective, proportionate and dissuasive in each individual case. This follows from Article 83.1 of the data protection regulation.


An administrative fine must be imposed
IMY has concluded that the board has processed personal data in violation of Article 32.1 of the data protection regulation. In an overall assessment of the circumstances described under the heading The amount of the administrative fine, IMY finds that there is reason to impose an administrative fine on the board, and that the violation is therefore not so minor that there is reason to issue a reprimand instead.

The amount of the administrative fine

For violations of, among other things, Article 32 of the data protection regulation, the administrative fine for public authorities may amount to a maximum of SEK 5,000,000. This follows from Chapter 6, Section 2 of the Data Protection Act and Article 83.4 of the data protection regulation.


In assessing the seriousness of the violation, IMY takes into account, in accordance with Article 83.2 g of the data protection regulation, that the processing has included sensitive personal data concerning health and data about children, which are particularly worthy of protection under the data protection regulation.


Furthermore, IMY takes into account what has emerged about the nature, gravity and duration of the violation, in accordance with Article 83.2 a of the data protection regulation. It can be established that the violation continued for a longer period of just over a year: from 6 May 2021, when the patient who filed the underlying complaint with the supervisory authority received his or her summons, up to and including 6 July 2022, when the board took measures to hide the sending reception on the envelope when mailing. Given that the board has stated that it is a matter of about 2,500 summonses per year, it can also be established that the violation affects a large number of data subjects. Furthermore, the fact that the violation occurred in healthcare, i.e. an activity in which the registered patient is in a dependent and vulnerable position in relation to the controller, means that there is reason to view the violation more seriously. However, IMY assesses that there are also factors pointing in the opposite direction in the assessment of the seriousness of the violation. First, it concerns physical handling and not digital handling, which would have involved a risk of wider and faster dissemination of the data. Distribution by ordinary mail is more limited and controlled than a transfer over the open network. Furthermore, it has emerged that the board identified the risk of exposing the personal data in question during mailings and therefore took certain measures in order to comply with the requirements and reduce the risks of the processing.

Based on an overall assessment of the circumstances of the case, IMY decides that the Health and Medical Care Board in Region Dalarna must pay an administrative fine of SEK 200,000.




This decision has been made by Director General Lena Lindgren Schelin following a presentation by legal adviser Maja Welander. Head of Legal Affairs David Törngren, Acting Head of Unit Linn Sandmark and IT and Information Security Specialist Magnus Bergström also participated in the final processing of the case.


                               Lena Lindgren Schelin, 2023-01-17 (This is an electronic signature)




                               Copy to
                               The board's data protection officer
                               The appellant




                               How to appeal


If you want to appeal the decision, you must write to the Swedish Authority for Privacy Protection (IMY). State in the letter which decision you are appealing and the change you are requesting. The appeal must have been received by IMY no later than three weeks from the date on which the decision was announced. If the appeal has been received in time, IMY forwards it to the Administrative Court in Stockholm for review.

You can e-mail the appeal to IMY if it does not contain any privacy-sensitive personal data or information that may be covered by secrecy. The authority's contact details appear on the first page of the decision.

Appendix 2




















How to appeal FR-03

________________________________________________________________

If you want the decision to be changed in any part, you can appeal. Here you will find out how it is done.

Appeal in writing within 3 weeks

The time is usually counted from the day you were served with the written decision. In some cases the time is instead counted from the date of the decision. This applies if the decision was delivered at an oral hearing, or if the court at the hearing gave notice of the date on which the decision would be delivered.

For a party representing the public (for example authorities), the time is always counted from the day the court delivered the decision.

Note that the appeal must have reached the administrative court by the time the period expires.

What day does the time expire?

The last day for appeal is the same day of the week as the day on which the time begins to count. For example, if you were served with the decision on Monday 2 March, the time expires on Monday 23 March.

If the last day falls on a Saturday, Sunday or public holiday, Midsummer's Eve, Christmas Eve or New Year's Eve, it is enough that the appeal is received on the next weekday.

How to do it

1. Write the name of the administrative court and the case number.
2. Explain why you think the decision should be changed. State what change you want and why you think the Administrative Court of Appeal should take up your appeal (read more about leave to appeal further down).
3. State what evidence you want to refer to. Explain what you want to show with each piece of evidence. Enclose written evidence that is not already in the case.
4. Give your name and personal identity number or organisation number. Provide current and complete information about where the court can reach you: postal addresses, e-mail addresses and telephone numbers. If you have a representative, also provide the representative's contact details.
5. Send or submit the appeal to the administrative court. You can find the address in the decision.

What happens next?

The administrative court checks that the appeal arrived in time. If it arrived too late, the court rejects the appeal. This means that the decision stands.

If the appeal arrived in time, the administrative court forwards the appeal and all documents in the case to the Administrative Court of Appeal.

If you have previously received letters by simplified service, the Administrative Court of Appeal may also send letters in this way.

Leave to appeal in the Administrative Court of Appeal

When the appeal reaches the Administrative Court of Appeal, the court first decides whether the case is to be taken up for consideration.

The Administrative Court of Appeal grants leave to appeal in four different cases.

• The court considers that there is reason to doubt that the administrative court ruled correctly.
• The court considers that it is not possible to assess whether the administrative court ruled correctly without taking up the case.
• The court needs to take up the case in order to provide guidance to other courts on the application of the law.
• The court considers that there are extraordinary reasons to take up the case for some other reason.

If leave to appeal is not granted, the appealed decision stands. It is therefore important that the appeal includes everything you want to put forward.

Do you want to know more?

Contact the administrative court if you have questions. You can find the address and telephone number on the first page of the decision.

More information is available at www.domstol.se.