Report a cross-border personal data breach

• FromPortal
• StartCRH

• Please use this form to notify a personal data breach to IMY. If you are not able to answer all the questions at this stage, you may provide supplementary information later on but it is important that we receive the information without undue delay. Fields marked with an asterisk (*) must be filled in before submitting the application.

  When you have filled in the form, press "send". We will confirm that we have received your notification and you will then be able to download a copy of it.

• Controller
• 1. Name of the organisation
  Please enter the name of the controller where the data breach occurred.
• 2. Corporate identity number
  Please enter the corporate identity number (XXXXXX-XXXX). Note! If the corportate identity number is the same as your personal identity number, you should not enter it.
• 3. Postal address of the controller
  Please enter the postal address, not visiting address.
• Address
• Postcode
• City
• Country Afghanistan Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Ascension Australia Australian External Territories Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia and Hercegovina Botswana Bouvet Island Brazil British Indian Ocean Territory British Virgin Islands Brunei Darussalm Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Caribbean Nations Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros & Mayotte Congo Cook Islands Costa Rica Cote d'Ivoire Croatia Cuba Cyprus Czech Republic Denmark Diego-Garcia Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Islands Finland France France métropolitaine French Guiana French Polynesia French Southern Territories Gabonese Republic Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada/Carricou Guadeloupe Guam Guatemala Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Jamaica Japan Jordan Kazakstan Kenya Kiribati, Gilbert Islands Kuwait Kyrgyz Republic Laos Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macao Macedonia Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar (Burma) Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Island Norfolk Island North Korea Northern Mariana Islands (Commonwealth of) Norway Oman Pakistan Palau Palestine Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Reunion (France) Romania Russia Rwanda Saipan San Marino Sao Tome & Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Korea Spain Sri Lanka St Helena St Kitts and Nevis St Lucia St Pierre & Miquelon St Vincent/Grenadines Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania Thailand Timor-Leste Togolese Republic Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Tuvalu, Ellice Islands Uganda Ukraine United Arab Emirates United Kingdom United States United States Minor Outlying Islands United States Pacific Islands Uruguay Uzbekistan Wallis & Futuna Vanuatu Vatican City Venezuela Western Sahara Western Samoa Vietnam Virgin Islands, U.S. Yemen Zaire Zambia Zanzibar Zimbabwe Åland Islands
• 4. Internal reference number
  Please enter the organisation's internal reference number for the data breach.
• 9. The postal address you wish to be contacted at
  Letters that IMY will send to you regarding the notification will be sent to this address.
• Address
• Postcode
• City
• Country Afghanistan Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Ascension Australia Australian External Territories Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia and Hercegovina Botswana Bouvet Island Brazil British Indian Ocean Territory British Virgin Islands Brunei Darussalm Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Caribbean Nations Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros & Mayotte Congo Cook Islands Costa Rica Cote d'Ivoire Croatia Cuba Cyprus Czech Republic Denmark Diego-Garcia Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Islands Finland France France métropolitaine French Guiana French Polynesia French Southern Territories Gabonese Republic Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada/Carricou Guadeloupe Guam Guatemala Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Jamaica Japan Jordan Kazakstan Kenya Kiribati, Gilbert Islands Kuwait Kyrgyz Republic Laos Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macao Macedonia Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar (Burma) Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Island Norfolk Island North Korea Northern Mariana Islands (Commonwealth of) Norway Oman Pakistan Palau Palestine Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Reunion (France) Romania Russia Rwanda Saipan San Marino Sao Tome & Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Korea Spain Sri Lanka St Helena St Kitts and Nevis St Lucia St Pierre & Miquelon St Vincent/Grenadines Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania Thailand Timor-Leste Togolese Republic Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Tuvalu, Ellice Islands Uganda Ukraine United Arab Emirates United Kingdom United States United States Minor Outlying Islands United States Pacific Islands Uruguay Uzbekistan Wallis & Futuna Vanuatu Vatican City Venezuela Western Sahara Western Samoa Vietnam Virgin Islands, U.S. Yemen Zaire Zambia Zanzibar Zimbabwe Åland Islands
• The data breach
• 10. Which other countries are concerned by the data breach?
  Please mark all relevant boxes.
• Austria

  Belgium

  Bulgaria

  Croatia

  Cyprus

  Czech Republic

  Denmark

  Estonia

  Finland

  France

  Germany
• Greece

  Hungary

  Ireland

  Iceland (EES)

  Italy

  Latvia

  Liechtenstein (EES)

  Lithuania

  Luxembourg

  Malta

  Netherlands
• Norway (EES)

  Poland

  Portugal

  Romania

  Slovakia

  Slovenia

  Spain

  Sweden
• 11. When did the data breach occur?
• Date
• Time
• If you have a comment, please write it here
  characters left
• 12. When did you become aware of the data breach?
• Date
• Time
• If you have a comment, please write it here
  characters left
• 13. Is the data breach still ongoing? [Choose an alternative] Yes No
• 14. When did the data breach cease?
• Date
• Time
• If you have a comment, please write it here
  characters left
• 15. If your notification is submitted later than 72 hours after the time of discovering the data breach, please describe the reasons why.
• 16. What has happened in relation to the data breach?
  Please select the most relevant option.
  [Choose an alternative] Unauthorized disclosure through mailings of e-mail/letter/text message Unauthorized disclosure: Other Unauthorized access: Someone within or outside the organisation has accessed information that they were not authorized to access Loss: Information has been lost in some way, for example by a stolen computer or other device Destruction: Someone or something has destroyed information, for example because a computer has been broken Alteration: Personal data has been altered in some way
• 17. Short description of the data breach
• 18. What kind of data breach does the notification relate to?
  Please mark all relevant options.
• A digital device has been lost

  A document has been lost/damaged

  An E-mail message has been lost or opened by an unauthorized person

  Hacking

  Malware

  Phishing

  Incorrect disposal of personal data on paper

  E-waste (personal data still present on obsolete device)

  Personal data has been published unintentionally

  Unauthorized verbal disclosure of personal data

  Other:
• Please state a comment when selecting "Other"
  characters left
• 19. How did you become aware of the data breach? [Choose an alternative] Through an automized procedure: technical security measures Through organisational routines, such as regular checks One of our employees has informed us Our processor informed us A person outside the organisation or a data subject informed us
• 20. In your organisation's opinion, why did the data breach occur? [Choose an alternative] Human error: a single mistake Lack of organisational routines or procedures: systematic errors Technical errors, such as software bugs, program settings Intentional attacks from someone within the organisation: internal attacks Antagonistic attacks: attacks from outside Unknown reason Other
• Please state a comment when selecting "Other"
  characters left
• 21. Within which sector did the data breach occur? [Choose an alternative] Public sector Private sector Other
• 22. Within which field of activity did the data breach occur? [Choose an alternative] Health and medical care Social services Schools: preschool, primary and secondary education University or college Other post-secondary education Research Finance and insurance Credit information Debt collection Other business activity Police Other judicial authorities Non-profit organisations or economic associations Municipal authority Governmental authority Other:
• Please state a comment when selecting "Other"
  characters left
• Processor
• 23. Does the data breach relate to personal data processing that is carried out by a processor or sub-processors? [Choose an alternative] Yes No
• The personal data and the data subjects
• 25. How many data subjects are affected?
• Exact number of data subjects
• If you do not have an exact number, please provide an estimate by marking one of the options below. [Choose an alternative] 1 - 10 11 - 100 101 - 1 000 1 001 - 10 000 10 001 - 100 000 100 001 - 500 000 500 001 - 1 million More than 1 million Unknown/No information available
• 26. How many data items about data subjects have been affected in total?
• Exact number of data items
• If you do not have an exact number, please provide an estimate by marking one of the options below. [Choose an alternative] 1 - 10 11 - 100 101 - 1 000 1 001 - 10 000 10 001 - 100 000 100 001 - 500 000 500 001 - 1 million More than 1 million Unknown/No information available
• 27. Which categories of data subjects are concerned?
  Please mark all relevant options.
• The controller’s employees

  Users of services offered by the controller

  The controller’s customers

  Subscribers

  Members, due to membership in an organisation or a customer membership

  Military staff, i.e. employees in the Swedish Armed Forces

  Health and medical care patients

  Children

  Children in preschool or students in primary and secondary school

  Postsecondary students

  Vulnerable persons, such as persons with identity protection

  Other categories that you consider particularly exposed if personal data are disclosed

  Not yet known

  Other:
• Please state a comment when selecting "Other"
  characters left
• 28. What categories of personal data have been affected by the data breach?
  Please mark all relevant options.
• Ethnic origin

  Political opinions

  Religious or philosophical belief

  Trade union membership

  Genetic data

  Biometric data

  Health data

  Data about sex life or sexual orientation

  Data about criminal convictions, offence or related security measures

  Personal identity number

  Economic or financial data

  Official documents

  Location data (for example GPS-position, not address information)

  Communication traces

  Communication metadata

  Identifying information (for example name and surname)

  Contact details

  Unknown

  Other:
• Please state a comment when selecting "Other"
  characters left
• 29. Was the personal data encrypted? [Choose an alternative] Yes, all data Yes, but not all data No Unknown
• Consequences
• 30. What may be the consequences of the data breach?
  Please mark all relevant options.
• The data subject loses control over his/her own personal data

  Deprivation of rights

  Discrimination

  Identity theft or fraud

  Financial loss

  Unauthorized reversal of pseudonymisation

  Damage to the reputation

  Loss of confidentiality of personal data protected by professional secrecy

  Any other economic or social disadvantage

  Other:
• Please state a comment when selecting "Other"
  characters left
• 31. What other consequences may be the result of the data breach?
  Please mark all relevant options.
• Confidentiality breaches
  A larger distribution of personal data than necessary or consented by the data subjects

  Personal data may be linked with other information about the data subjects

  Other:
• Please state a comment when selecting "Other"
  characters left
• Integrity (alternation) breaches
  Incorrect personal data may have been processed by mistake

  Personal data may have been processed for other purposes than originally intended

  Other:
• Please state a comment when selecting "Other"
  characters left
• Availability breaches
  Loss of the ability to provide a critical service to the data subjects

  Alteration of the ability to provide a critical service to the data subjects

  Other:
• Please state a comment when selecting "Other"
  characters left
• 32. How serious is this data breach in your opinion?
  Assess how serious the breach is with regard to the data subjects’ privacy.
  [Choose an alternative] 1. Negligible 2. Limited 3. Significant 4. Maximal
• 33. How have you acted after the data breach?
  Describe the action taken. Have you taken measures, or do you intend to take measures in order to solve problems, prevent or mitigate the effects of the data breach?
• Information to data subjects
• 34. Have you informed the data subjects about the data breach? [Choose an alternative] Yes No
• 35. When did you inform the data subjects?
• Date
• 36. How have you provided information to the data subjects?
• 37. Will you inform the data subjects later? [Choose an alternative] Yes No We have not decided yet
• 38. When will you inform the data subjects?
• Date
• 39. On what grounds are you not going to inform the data subjects?
  Please mark all relevant options.
• The data breach does not result in a high risk to the rights and freedoms of natural persons

  The personal data was encrypted or otherwise protected

  We have already taken measures to prevent the risk

  It would involve a disproportionate effort to inform each data subject individually, we have instead provided information to the public
• 40. If relevant: Describe the measures taken in order to prevent the risks so that information to the data subjects is not required.
• 41. If relevant: Describe in what way you have informed the public or what other measures you have taken in order to inform the data subjects in an efficient way.
• Notification in phases/secrecy
• 42. Will this notification be supplemented? If you are going to complete the notification later you must do so promptly. [Choose an alternative] Yes No
• 43. If you think that certain information in the notification should be considered confidential, please describe which information that in your view should be confidential and why.