
Administrative Fine for Data Collection Without Security

IMY News (Sweden DPA)
Filed May 12th, 2025
Detected February 11th, 2026

Summary

The Swedish Privacy Protection Authority (IMY) has issued an administrative fine of SEK 100,000 against the Equality Ombudsman (DO) for insufficient security measures during personal data collection via a web form. The incident led to the inadvertent disclosure of approximately 500 tips and complaints.

What changed

The Swedish Privacy Protection Authority (IMY) has imposed an administrative fine of SEK 100,000 on the Equality Ombudsman (DO) following its supervision of a personal data incident. The DO failed to implement sufficiently effective security measures for its web form used to collect tips and complaints, resulting in the inadvertent disclosure of personal data, potentially including sensitive information, to a data processor. Approximately 500 submissions were affected by this breach, which occurred over a year before being discovered and reported.

This enforcement action highlights the critical need for continuous and systematic work with data security to identify and rectify insufficient measures promptly. Regulated entities, particularly government agencies handling personal data, must ensure robust security protocols are in place and regularly reviewed to prevent data breaches and avoid potential fines. The DO has since closed the affected web form.

What to do next

  1. Review data collection web forms for adequate security measures.
  2. Ensure continuous and systematic monitoring of data security protocols.
  3. Verify that data processors have appropriate security agreements in place.

Penalties

SEK 100,000 administrative fine

Source document (simplified)


Administrative fine against the Equality Ombudsman when personal data was collected via a web form

Published: 12 May 2025

The Swedish Privacy Protection Authority (IMY) has carried out supervision of a personal data incident at the Equality Ombudsman (DO). IMY concludes that the DO did not take sufficiently effective security measures and issues an administrative fine of SEK 100,000. The reason for the supervision is a personal data breach that the DO reported to IMY in the fall of 2021. The incident concerned the DO's web form for collecting tips and complaints about discrimination. During the supervision, it emerged that the DO had taken a security measure intended to protect the personal data collected via the web form so that the data would not be included in usage analyses of the DO's website.

However, the security measure did not work as intended, which led to some data, potentially sensitive personal data, being inadvertently disclosed to the personal data processor that the DO had hired to conduct the analyses. It is estimated that approximately 500 tips and complaints have been affected.

As soon as the DO became aware of the incident, the authority closed the web form.

– The incident lasted for a year and shows the importance of working continuously and systematically with security in order to be able to discover insufficient security measures earlier, says Petter Flink, IT and information security specialist at IMY.

The decision in Swedish is published on the Swedish version of this site.

Latest update: 12 May 2025

Page labels: Data protection, Supervision


Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: Various
Filed: May 12th, 2025
Instrument: Enforcement
Legal weight: Binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Government agencies
Geographic scope: National (Sweden)

Taxonomy

Primary area: Data Privacy
Operational domain: Compliance
Topics: Data Security, Enforcement Actions
