The Swedish DPA Datainspektionen issues a fine of €20 000 towards the Swedish National Government Service Centre for breaches towards the GDPR.

The Swedish National Government Service Centre got aware of a security hole in the software Primula in March 2019, but the incident report to the DPA was not filed until 25th of June. A process that normally must not take more than 72 hours.

The Swedish National Government Service Centre is a personal data processer for several Swedish authorities and these only got notified about the breach after 5 months. As a controller, such reporting must take place “without due delay”.

Although the fine can be considered low, it shows that the Swedish DPA acts also towards public sector negligence towards data protection.