Photo: Valdemar Lindekrantz

Information on personal data incident

Kustbevakningen (the Swedish Coast Guard) has disclosed personal data to an unauthorised recipient. Due to an incorrectly spelled error, the personal data were sent to the wrong email address. In accordance with GDPR, there is a duty to report certain types of personal data breach incidents.

The incident was due to human error. Due to an incorrectly spelled email address, personal data have reached the wrong hands. The incorrectly spelled address was immediately deleted when the mistake was discovered. After which, the domain concerned was also blocked in the Kustbevakningen email system by a technical solution.

At this moment in time, there is no information to suggest that the data can have been used in a damaging way or for fraudulent purposes.

The personal data concern crew members on board certain vessels that arrived from a third country in June and July 2019, that is to say, the Swedish port was the first point of entry in the Schengen area. The individuals concerned are citizens of some forty countries in different parts of the world. The personal data are not part of Kustbevakningen law enforcement.

By hereby notifying what has occurred, duty to report in accordance with GDPR article 34 has been satisfied. The incident has been reported to Datainspektionen (the Swedish Data Protection Authority).

Anyone who thinks they can have been affected by the incident, may personally, or for example, via a ship broker, contact Kustbevakningen for more information:

Kustbevakningen is the national contact point for shipping with responsibility for receiving and inspecting notifications in advance for border checks and maritime security. In practice, this means that merchant vessels are required to submit data on the vessel and persons onboard to Kustbevakningen.

In addition to personal data on crew members, the time of vessel arrival and departure from the port is to be provided. This is part of Swedish border security. Kustbevakningen then forwards the data to the Police Authority in the region where the vessel is expected.

During a limited period in 2019, a number of advance notifications containing personal data were sent to the domain pollisen.se. When Kustbevakningen discovered the mistake, the incorrect traffic was terminated.