The Swedish Data Protection Authority imposes an administrative fine of 200,000 Swedish kronor (approximately 18,700 euro) on the National Government Service Centre for failing to notify affected parties as well as the Data Protection Authority about a personal data breach in due time.
The Data Protection Authority (DPA) initiated an investigation against the National Government Service Centre (NGSC) after receiving a number of personal data breach notifications concerning an error in the IT system for salary administration. The error made it possible for unauthorised persons to access personal data on both the personnel of the authorities using the system and the NGSC's own personnel.
- Our investigation shows that it has taken too long for the NGSC to inform the concerned parties about the error and furthermore that the NGSC has failed to report the personal data breach to the DPA in due time. The documentation of the breach, as required under the GDPR, was also found incomplete with regard to the NGSC's personnel and their data, says Elin Hallström, legal advisor, who has been leading the DPA's audit.
The DPA noted that it took almost five months for the NGSC to notify the concerned parties and close to three months before the DPA received a data breach notification.
- When a data breach of this kind is discovered by a processor such as the NGSC in this case, it is important to inform the controllers as soon as possible so that they can report the breach to the DPA and take further actions to mitigate any related risks. The NGSC has failed to act in time.
In its decision the DPA orders the NGSC to introduce internal routines for the documentation of personal data breaches and to verify that those routines are followed. Together with this order the DPA imposes an administrative fine totalling 200,000 Swedish kronor on the NGSC.