On November 8, 2023, the Swedish Authority for Privacy Protection (IMY) published its Decision No. DI-2021-3422, as issued on November 7, 2023, in which it imposed a fine SEK 500,000 (approx. $45,980) for violation of the General Data Protection Regulation (GDPR), following customer complaints.

Background to the decision

In particular, IMY highlighted that it received customer complaints that Indecap, on January 20, 2021, sent an incorrect email containing a file with personal data containing customer's finances to other customers.

Findings of IMY

Following its investigation, IMY clarified that in the current case, an employee saved a file containing personal data with a similar name to the general report provided to clients. The file containing customers' personal data was then also sent via email to customers alongside the intended general report on the performance of customers' funds. The personal information contained in the file included the customers' names, social security numbers, bank details, and the value of the customers' funds. The incorrect file included the personal data of 52,364 registrants and the email was sent to 2,813 people.

Notably, though IMY conceded that Indecap had introduced special control risks, it noted that Indecap deviated from control routines which allowed other employees to access customer personal data without taking compensatory protective measures. Accordingly, IMY determined that owing to the high risk to the freedoms and rights of data subjects, including the loss of confidentiality for information worthy of protection, Indecap violated Article 32(1) of the GDPR.

Outcomes

Therefore, IMY imposed the abovementioned fine on Indecap for violating the GDPR.

You can read the press release here and the decision here, both only available in Swedish.