Data breach at Miljödata – employer liability and the data protection officer’s role

1 min read • Simon • GDPR • 15 September 2025

When a system provider such as Miljödata is hit by a cyberattack, the impact on both employers and employees can be significant. In the present case, personal data concerning over one million individuals in Sweden has been exposed, creating a risk of fraud and identity theft. This underscores the need for employers to ensure proper handling of personal data and to appoint a data protection officer (DPO) to oversee GDPR compliance. The employer (the controller) must also be able to demonstrate that the provider has appropriate technical and organisational security measures in place, including encryption, access control and logging, and that retention and deletion routines are genuinely enforced.

What does the employer’s responsibility involve?

An employer is always the controller for the employee data it processes, even where the processing is carried out by an external provider supplying, for example, an HR system. This means the employer must ensure the provider meets GDPR requirements, including by entering into a data processing agreement, following up on the provider's security measures and ensuring that only the data strictly necessary for the purpose is processed.

The Miljödata data breach raises questions about why such large volumes of information were retained for so long. Under the storage limitation principle in Article 5(1)(e) GDPR, personal data must not be kept longer than necessary. It is therefore notable that data relating to individuals who worked only briefly many years ago still remained in the system. Many HR systems fall short here in practice: without robust deletion routines, records of former employees linger in “archives” for years. This is difficult to justify under storage limitation and can be addressed through documented deletion procedures and ongoing reviews of what is still held.

Compensation when data appears on the darknet

When personal data is disseminated on the darknet, leaked datasets are typically sold or shared in closed forums. The risk profile depends on the data exposed (national identity numbers, contact details, employment data) and whether the material can be cross-referenced with other sources to build a broader profile.

Where sensitive personal data is spread on the darknet, the risk of fraud, identity theft and unwanted approaches increases markedly. Affected individuals may, under Article 82 GDPR, be entitled to compensation if the processing has infringed the Regulation. For employers, swift action following a personal data incident is critical, including notifying the Data Protection Agency, informing data subjects and taking measures such as imposing remedial requirements on the provider.

The data protection officer’s role in a personal data incident

The DPO plays a central role in an incident of this kind. The DPO should advise the controller (the employer), monitor compliance with the GDPR and act as the contact point with the Data Protection Agency. Another key task is to review, on an ongoing basis, how providers handle personal data and to ensure risks are identified in time. This becomes particularly relevant in light of the NIS2 Directive, which will impose higher security and reporting obligations.

Lessons from the Miljödata incident

The breach demonstrates there are no shortcuts in data protection. Employers must take responsibility for updating processes, purging obsolete personal data and ensuring providers meet GDPR standards. Previous events, such as the Tieto incident, show this is not a one-off but a recurring problem. A structured data protection programme is therefore a necessity – not a choice.

How we can help

At Morling Consulting, we provide advisory support on data protection and IT security. Our GDPR consultants can assist with everything from preparing data processing agreements to incident management and communications with the Data Protection Agency. We ensure your data protection work aligns with the GDPR and support clients across Europe. If you have been affected and require immediate assistance, we can prepare the notification to the Data Protection Agency, information for data subjects, demands on the processor and materials for board reporting.