It is important that organizations which process personal data have procedures in place that enable them to detect, report and investigate personal data breaches in order to comply with the new obligations set out in the General Data Protection Regulation.
This is what you need to know regarding personal data breaches
What is a personal data breach?
A personal data breach is a breach of security which may involve risks to the rights and freedoms of natural persons. The risks can entail someone losing control of their data or that their rights are restricted. For example:
- discrimination, identity theft, fraud, harmful spreading of rumours
- financial loss
- violation of secrecy and confidentiality.
A personal data breach has occurred e.g. if data relating to one or more data subjects has been subject to destruction, loss or has otherwise fallen into the wrong hands.
When shall a personal data breach be notified to the Swedish Data Protection Authority?
If it is likely that the personal data breach will result in a risk to the data subjects, you have to notify the Swedish Data Protection Authority. If it is unlikely that a personal data breach will result in risks, you do not need to notify us. You should document all personal data breaches, even those which do not have to be notified to the Swedish Data Protection Authority.
Notify the personal data breach within 72 hours after having become aware of it. If all information is not available, it is possible to provide additional information to your notification at a later stage, however no later than two weeks after your notification. Omission to notify a personal data breach can constitute a violation of the General Data Protection Regulation, which can result in an obligation for your organization to pay administrative fines. The administrative fines can also be combined with other corrective powers granted to the Swedish Data Protection Authority.
How shall a personal data breach be notified to the Swedish Data Protection Authority?
The Swedish Data Protection Authority is in the process of developing an online service with an authentication solution to enable you to notify personal data breaches to us. Until then, notifications are made by filling out our PDF-form and sending it to us by mail. If you make the assessment that it is necessary, you can send the notification with registered mail. We will take into account the amount of time it takes for the letter to reach us.
Address the envelope:
104 20 Stockholm
When a personal data breach relates to several Member States, the "Form for Notification of cross-border personal data breach" shall be filled out. The form will help you decide which supervisory authority that will become your lead supervisory authority.
When does a personal data breach need to be communicated to the data subjects?
When the personal data breach is likely to result in a high risk to the rights and freedoms of the data subjects, i.e. the natural persons affected by the personal data breach, you shall communicate the data breach to the data subjects in question without undue delay. For example if there is a risk of identity theft or fraud.
The role of the processor
If your organization engages a processor and the processor becomes aware of a personal data breach occurring on their end, the processor shall notify you of this without undue delay. However, the controller remains legally responsible for notifying personal data breaches to the Swedish Data Protection Authority.
Everything you notify to us becomes a so-called public document which can be requested by the public and mass media. If anybody requests the information in a personal data breach notification, we will carry out a confidentiality assessment to determine whether the information shall be deemed public and thus can be disclosed, in its entirety or in part.
If you have any questions regarding personal data breaches, you are welcome to contact the Swedish Data Protection Authority by e-mail at email@example.com or by phone on 08-657 61 00. Our phone hours are 9 to 11 a.m. on Monday, Tuesday, Thursday and Friday, and 9.30 to 11.30 a.m. on Wednesday. Deviating hours may occur.
The Swedish Data Protection Authority is continuously working on updating our website with new information.
Feel free to read the Article 29 Working Party's guidelines on Personal data breach notifications:
If the information in other languages are different from the Swedish version, it is the Swedish version that applies.