Notification of a personal data breach

This information is addressed to controllers who need to notify a personal data breach to Swedish Authority for Privacy Protection (IMY).

You should notify the personal data breach within 72 hours after having become aware of it. If all information is not available, you may provide supplementary information within four weeks.

The information in the report will become an official document

Everything you report will become an official document. This means that anyone can request access to the document, and the document might have to be disclosed depending on the outcome of an assessment of whether secrecy applies. The decision whether a document can be disclosed or not is always ultimately made by Swedish Authority for Privacy Protection.

Therefore, we recommend that you only reply to the questions asked not providing more information than necessary in free text. Should you nevertheless choose to provide what you consider is confidential information, the free text field at the end of the form should be used to describe which information this applies to.

Make a notification

Use the web browsers Chrome or Edge when using our e-service. After you have filled out and submitted the form, you will be able to download a copy through your browser.

Please choose one of the links below to notify a personal data breach according to GDPR:

Report a new personal data breach >>

Give supplementary information regarding a previously made personal data breach notification >>

Do you have questions?

If you have any questions about personal data breaches, you can contact Swedish Authority for Privacy Protection at or call + 46(0) 8-657 61 00. Our telephone hours are 9.30 AM – 11.30 AM on Monday - Friday. Deviating hours may occur.