The Ombudsman for Civic Discrimination (DO) has notified the Swedish Data Protection Authority (IMY) of a personal data incident concerning an online form for submitting suggestions and complaints. IMY will now review the incident.
The General Data Protection Regulation, GDPR, imposes an obligation to notify IMY of certain incidents involving personal data. According to DO, an analytics tool used to improve the website’s user-friendliness may have collected and stored personal data in some cases, including from the form on DO’s website that visitors might use to submit suggestions and complaints.
IMY has now decided to investigate the incident.
As a data controller, you have a great responsibility to continuously check your IT systems and ensure that the security of these systems can be trusted, especially when it comes to a web form where people may submit complaints that may contain sensitive data.
IMY will conduct an on-site inspection at the DO to investigate what happened, the extent of the incident and what measures have been taken to prevent a recurrence.