Sweden: IMY fines Trygg-Hansa SEK 35M for data security failures
On August 30, 2023, the Swedish data protection authority (IMY) published its Decision No. DI-2021-1905, as issued on August 28, 2023, in which it imposed a fine of SEK 35 million (approx. €2,915,316) on Trygg-Hansa, a branch of Tryg Forsikring A/S, for violation of the General Data Protection Regulation (GDPR), following a complaint.
Background to the decision
In particular, the IMY highlighted that it received a complaint in December 2020 that Trygg-Hansa had enabled access by unauthorized persons to personal data, including information of a sensitive nature, about Trygg-Hansa's customers. Notably, the IMY clarified that Trygg-Hansa merged with Moderna Försäkringar in April 2022, but that the affected branch changed its name to Trygg-Hansa.
Findings of the IMY
Following its investigation, the IMY found that Trygg-Hansa processed the personal data of approximately 650,000 data subjects. The personal data held by Trygg-Hansa included documents containing information such as names, contact details, health details, social security numbers, financial details, insurance holdings, sequences of events (for example time, place, actions, and other information that the data subject provided in a free text field), and information regarding ownership and property damage. Accordingly, the IMY noted that it was possible to get a detailed picture of the registered person's personal circumstances through such information. Further, the IMY stipulated that the documents contained sensitive personal data, namely information about health. More specifically, the IMY outlined that it was possible to access such information in plain text on the internet and that no authentication was required. The IMY noted that, based on Trygg-Hansa's own logs, 202 customers' personal information was affected by such access. Moreover, the IMY detailed that such access was possible for a period from October 2018 to February 2021.
Therefore, the IMY found Trygg-Hansa in violation of Article 5(1)(f) of the GDPR, for the failure to prevent unauthorized access or processing of personal data, and Article 32(1) of the GDPR for the failure to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing.
In conclusion, the IMY imposed a fine of SEK 35 million (approx. €2,915,316) for the abovementioned violations of the GDPR.