
Notification of a personal data breach according to the Criminal Data Act

Here you can read more about, and notify personal data breaches, according to the Criminal Data Act.

Are you wondering which organisations are covered by the Criminal Data Act?

Personal data within law enforcement  

Do not report breaches according to the General Data Protection Regulation (GDPR) here

Do you need to notify a personal data breach according to the GDPR? Then you should use our e-service for notification of a personal data breach  

Notification of a personal data breach according to the GDPR

Do not report breaches according to the Protective Security Act here

Do not report breaches that must be reported according to the Protective Security Act (2018:585) and associated ordinance and regulations here.

What constitutes a personal data breach?

A personal data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or unauthorised access to, personal data. It does not matter whether it has occurred intentionally or not. A personal data breach could, for example, involve:

  • personal data has been sent to the wrong recipient
  • access to personal data has been lost
  • data equipment that stores personal data has been lost or stolen
  • someone within or outside the organisation has access to information they are not authorised to access.

A personal data breach can entail risks to the rights or freedoms of the data subject and lead to physical, material, or immaterial harm, for example through:

  • discrimination, identity theft, identity fraud
  • damaged reputation
  • financial loss
  • breach of confidentiality or professional secrecy.

Requirements for routines

In order to comply with the obligations under the Criminal Data Act, it is important to have routines for detecting, handling, investigating and reporting personal data breaches and for documenting them.

If a personal data breach occurs at a processor, the processor must immediately notify the controller. As a controller, make sure to have clear instructions for your processor(s) on how to report a personal data breach to you.  

When a personal data breach has occurred

When a personal data breach has occurred, you as a data controller must first determine the severity and the risk to people's rights and freedoms. If the personal data breach is likely to result in a risk to data subjects, you must notify the Swedish Authority for Privacy Protection (IMY). If a personal data breach is unlikely to result in risks, you do not need to notify us.

For example, there is no need to notify IMY if the personal data breach has affected only a limited amount of personal data that is not of a sensitive nature, or if the protection of the personal data has been affected for such a short time that unauthorised access has not been possible.

Even if you decide not to notify IMY, you must document the personal data breach and be able to justify your decision. This documentation should include the circumstances relating to the personal data breach, its effects and the actions taken.

As soon as you become aware that a personal data breach has occurred, you should implement the necessary measures to reduce any negative consequences.


When should you send a notification of a personal data breach?

First, you need to decide whether the personal data breach relates to personal data processing covered by the Criminal Data Act.

Notify IMY of the personal data breach within 72 hours of its discovery. If possible, all information should be provided at the same time. If not all the information is available within 72 hours, you may provide supplementary information later.

Even if the personal data breach has occurred at a processor, it is your responsibility as the controller to notify IMY. The responsibility for notifying the personal data breach always remains with the controller.

How to notify of a personal data breach according to the Criminal Data Act

  1. Save the form on your computer.
  2. Open it in Adobe Reader.
  3. Fill in all fields in the form carefully, save it, and print it out.
  4. Send the form to us by mail. If you believe it is necessary, you may send the notification as a registered letter. Do not send by email.

Send to:

Integritetsskyddsmyndigheten
Box 8114
104 20 Stockholm

Please note that the form is only available in Swedish.

Form for notification (in Swedish) (pdf, 649 kB)

According to the Criminal Data Act, a personal data breach should normally be reported within 72 hours of discovery. As the notification is sent to us by physical mail, we take into account the time it takes for the mail to reach us.

Information that you cannot provide within 72 hours of discovery should be submitted as soon as possible as supplementary information. Please note that you should only provide the information that was previously missing. You should not fill in all the information again.

We will not send you any reminders about completing the information. If you have indicated that you will submit supplementary information after the notification, you are responsible for submitting it. Without the supplementary information, your notification may not be considered complete. In that case, this may be a reason for us to initiate supervision.

Latest update: 4 September 2025