Organisations that process personal data must have procedures in place that enable them to detect, report and investigate personal data breaches, in order to comply with the obligations set out in the General Data Protection Regulation (GDPR).
This is what you need to know regarding personal data breaches
What is a personal data breach?
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Such a breach may involve risks to the rights and freedoms of natural persons, for instance that someone loses control of their personal data or has their rights restricted. Examples of the resulting harm include:
- discrimination, identity theft, fraud, harmful spreading of rumours
- financial loss
- violation of secrecy and confidentiality.
A personal data breach has occurred, for example, if data relating to one or more data subjects has been destroyed, lost or altered, or has been disclosed to or accessed by someone who is not authorised to have it.
When must a personal data breach be notified to the Swedish Authority for Privacy Protection?
You must notify the Swedish Authority for Privacy Protection of a personal data breach unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects. If such a risk is unlikely, no notification is required. You must nevertheless document all personal data breaches, including those that do not have to be notified, recording the facts of the breach, its effects and the remedial action taken, so that the Swedish Authority for Privacy Protection can verify that you have complied with the rules.
Notify the personal data breach without undue delay and, where feasible, no later than 72 hours after having become aware of it. If the notification is made later than 72 hours, it must be accompanied by the reasons for the delay. If not all information is available at the time of notification, you may supplement your notification later, but it is important that we receive the supplementary information without undue delay. If we do not receive any supplementary information within four weeks from the day we received the original notification, we will decide on the basis of the information already submitted. Failure to notify a personal data breach can constitute an infringement of the General Data Protection Regulation, which can result in your organisation being ordered to pay administrative fines. Administrative fines can also be combined with the other corrective powers granted to the Swedish Authority for Privacy Protection.
How is a personal data breach notified to the Swedish Authority for Privacy Protection?
Use our e-service to notify a personal data breach.
When does a personal data breach need to be communicated to the data subjects?
When a personal data breach is likely to result in a high risk to the rights and freedoms of the data subjects, i.e. the natural persons affected by the breach, you must communicate the breach to the data subjects in question without undue delay. Note that the threshold here is "high risk", whereas notification to the supervisory authority is required at the lower threshold of "risk". A high risk exists, for example, where the breach could lead to identity theft or fraud.
The role of the processor
If your organisation engages a processor and the processor becomes aware of a personal data breach on its side, the processor must notify you of this without undue delay. However, the controller remains legally responsible for notifying personal data breaches to the Swedish Authority for Privacy Protection.
Everything you submit to us becomes a public document that can be requested by members of the public and the media. If anybody requests the information in a personal data breach notification, we will carry out a confidentiality assessment to determine whether the information is to be deemed public and can therefore be disclosed, in its entirety or in part.
If you have any questions regarding personal data breaches, you are welcome to contact the Swedish Authority for Privacy Protection by e-mail at firstname.lastname@example.org or by phone on 08-657 61 00. Our phone hours are 9.30 to 11.30 a.m., Monday to Friday; deviating hours may occur.
The Swedish Authority for Privacy Protection is continuously updating its website with new information.
Guidelines on personal data breaches
The EDPB has adopted new guidelines on personal data breaches. They contain examples of breaches that have been notified to the supervisory authorities, the risk assessments made in connection with these, and the resulting notification and communication obligations, if any. The document also contains suggestions on measures that should be taken to reduce the risk of a breach. The guidelines complement the EDPB's previous guidelines, which you can also read below. The guidelines are open for public consultation until 2 March 2021.
Article 29 Working Party's guidelines on personal data breach notification:
If the information in other languages differs from the Swedish version, the Swedish version applies.