Mannheimer Swartling has represented Capio S:t Görans Sjukhus against a decision by the Swedish Authority for Privacy Protection.

In December 2020, the Swedish Authority for Privacy Protection (“IMY”) issued a decision against Capio S:t Görans Sjukhus for alleged breaches of the GDPR.

In its decision, IMY imposed an administrative fine of SEK 30 million on Capio S:t Görans Sjukhus and ordered the hospital to take certain actions.

The administrative fine was based on alleged violations in relation to the access to medical records by hospital personnel. IMY claimed that Capio S:t Görans Sjukhus had violated national regulations and thereby not implemented technical and organizational security measures in accordance with the GDPR. IMY also claimed that the hospital had violated the GDPR by not having sufficiently limited employees’ access to medical records.

The decision was appealed to the Administrative Court of Stockholm, which upheld the decision but lowered the administrative fine to SEK 10 million. Following an appeal of the judgment by both parties, the Administrative Court of Appeal in Stockholm set aside IMY’s decision, primarily on the basis that IMY had not demonstrated a sufficient basis in fact for its decision.

The Administrative Court of Appeal held that the burden of proof is on the supervisory authority and that it must be clear that the conditions for imposing an administrative fine are met. Since IMY had neither demonstrated that Capio S:t Görans Sjukhus had failed to take technical and organizational measures in accordance with the GDPR nor demonstrated that the personnel’s access to medical records was too broad, the decision was set aside.

IMY appealed the judgment to the Supreme Administrative Court, which on 30 June 2023 decided not to grant leave to appeal. Consequently, the case has been finally settled and IMY’s decision set aside.
