The Swedish Data Protection Authority imposes an administrative fine of 200,000 Swedish kronor (approximately 18,700 euro) on the National Government Service Centre for failing to notify affected parties as well as the Data Protection Authority about a personal data breach in due time.
The Data Protection Authority (DPA) initiated an investigation against the National Government Service Centre (NGSC) upon having received a number of personal data breach notifications concerning an error in the IT system for salary administration. The error entailed the possibility of unauthorised access to personal data of both personnel of authorities using the system and of the personnel of the NGSC.
- Our investigation shows that it has taken too long for the NGSC to inform the concerned parties about the error and furthermore that the NGSC has failed to report the personal data breach to the DPA in due time. The documentation of the breach, as required under the GDPR, was also found incomplete with regards to the NGSC’s personnel and their data, says Elin Hallström, legal advisor, who has been leading the DPA’s audit.
The DPA noted that it took almost five months for the NGSC to notify the concerned parties and close to three months before the DPA received a data breach notification.
- When a data breach of this kind is discovered by a processor such as the NGSC in this case, it is important to inform the controllers as soon as possible so that they can report the breach to the DPA and take further actions to mitigate any related risks. The NGSC has failed to act in time.
In its decision the DPA orders the NGSC to introduce internal routines for the documentation of personal data breaches and to verify that those routines are abided by. Together with this order the DPA imposes an administrative fine on the NGSC of in total 200,000 Swedish kronor.
The National Government Service Centre coordinates the administration of government agencies by offering administrative support services to other government agencies. It offers basic services in the areas of salary administration, financial administration and eCommerce.
To read the press release in Swedish, click here
To read the full decision in Swedish, click here
For further information, please contact the Swedish SA: email@example.com
The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.