Companies at risk of being fined for their personal data processing

The General Data Protection Regulation (GDPR) applies to all companies operating in the EU and aims to ensure that personal data is processed in a way that protects citizens' privacy. If a company or public authority breaks the rules of the GDPR, they risk being fined. Responsibility for personal data management lies with companies and applies to the personal data of customers, employees and suppliers.

The basic requirement is that the data subject has given his or her consent to the processing of the personal data. The processing of personal data must then be carried out in accordance with the principles of the General Data Protection Regulation. This means, among other things, that as a data controller you:

  • must have support in the General Data Protection Regulation in order to process personal data
  • may only collect personal data for specific, explicit and legitimate purposes
  • shall not process more personal data than necessary for the purposes
  • shall ensure the accuracy of the personal data
  • shall erase the personal data when it is no longer needed
  • must protect personal data, for example, from unauthorised access, loss or destruction
  • must be able to demonstrate that you comply with the GDPR and how you do so.

Cloud services and personal data management

In the case of cloud computing, protecting personal data from unauthorised access is of particular interest. With US laws such as the CLOUD Act, which conflict with the GDPR, it becomes impossible to guarantee privacy, and a company therefore risks violating the GDPR by processing personal data in foreign cloud services.

Many are unaware that their personal data handling may be in breach of the law. They don't think about the fact that the files they work with on a daily basis may contain sensitive data, but the fact is that, for example, customer records, pay slips or notes from development meetings may be inappropriate to handle in foreign cloud services. We have several clients who have come to us with a need to be able to manage sensitive data in a compliant manner, where we have helped them with a GDPR-safe solution.

Axel Hermansen, Sales Manager, Storegate AB

What is the amount of the fine?

The Privacy Authority (IMY) is responsible for monitoring compliance with the GDPR and deciding on penalties for infringements. The penalty varies according to the seriousness of the breach. The maximum amount of the fine for companies is €20 million for a serious breach, or 4% of global turnover, whichever is higher. For a slightly less serious infringement, the maximum amount is €10 million or 2% of global turnover, whichever is higher. For public authorities, the maximum amount is SEK 10 million.

The amount also depends on the nature of the breach itself and whether one or more provisions of the GDPR have been breached. IMY looks at the circumstances of each case. The idea is that the fines should be proportionate to the company's turnover and act as a deterrent.

Book a free demo

We'd love to tell you more about how our Swedish cloud gives you full control of your files. Storegate makes it easy to store, share and collaborate on files. We safeguard privacy and store all information in Sweden in accordance with GDPR, under Swedish law.