IMY initiates supervisory review following the Miljödata breach
The Swedish Data Protection Authority (IMY) has opened supervision of both the system supplier Miljödata and three public bodies that have used the company's services. The review follows the large-scale security incident that hit Miljödata in August 2025, in which personal data concerning more than 500,000 individuals in Sweden were published on the dark web.
What makes IMY's decision particularly noteworthy is that it examines not only the supplier's security shortcomings but also the role of the data controllers, that is, the customers who processed personal data in Miljödata's systems. This type of supervision underscores a central message in our earlier post on the employer's responsibilities for personal data incidents: an IT attack on an external party can quickly become a supervisory matter for your own organisation. An external Data Protection Officer (DPO) is therefore a key resource for ensuring both compliance and readiness when incidents occur.
Supervision of both the processor and the data controller
IMY signals that responsibility does not stop with the affected supplier: customers processing data in the supplier's systems must also be able to demonstrate that their own processing complies with the GDPR. IMY's supervision covers:
- Miljödata AB – focusing on information security deficiencies linked to the breach itself.
- City of Gothenburg, Älmhult Municipality and Region Västmanland – where the review concerns their own processing of personal data in Miljödata’s systems.
For these customers, IMY requests, among other things:
- the scope of the personal data processing,
- the categories of data processed (for example, special category data and children’s data),
- whether data about individuals with a protected identity have been processed,
- and the retention period in the system.
These questions reflect the requirement that customers, as data controllers under the GDPR, must retain control over the content, retention and level of protection of the data, even where the supplier operates the system from a technical perspective.
What does this mean for private actors?
Although this supervision targets public bodies, the lessons apply equally to private companies using cloud services, for example in HR, healthcare or other sectors. Under the GDPR, the data controller retains full responsibility to:
- know which data are processed in the cloud service,
- ensure that data are not stored longer than necessary,
- be able to demonstrate that the processor has adequate technical and organisational measures,
- and document that there are routines for deletion and follow-up.
A lack of such control may lead to supervision of private actors as well, particularly after major incidents or where sensitive data are involved.
The Data Protection Officer’s role is becoming ever more critical
The fact that supervision now targets several links in the personal data chain shows why an active and independent Data Protection Officer is crucial. In incidents such as the Miljödata breach, the DPO needs to:
- maintain oversight of both the supplier’s and the organisation’s respective responsibilities,
- ensure that retention and deletion comply with legal requirements,
- support incident reporting to IMY and to data subjects,
- and follow up that security measures work in practice.
For smaller organisations and companies without the capacity for an internal DPO, an external Data Protection Officer can be a cost-effective solution, not only for complying with the GDPR but for enabling swift action in the event of a personal data breach.
Supplier incidents have consequences across the chain
The post-incident supervision following the Miljödata breach illustrates how a single security deficiency at a processor can expose broader weaknesses, including at its customers. It underlines the importance for data controllers (such as employers), irrespective of sector, of keeping track of which data they process, for how long, and for what purpose.
Outsourcing the technology does not outsource the accountability. Every organisation – public and private alike – should ensure the right expertise and routines are in place to manage both day-to-day compliance and crisis response in data protection.
At Morling Consulting, our data protection lawyers support companies and organisations across Europe in navigating supplier relationships, documenting allocation of responsibilities and acting correctly in personal data incidents. We can assist as your Data Protection Officer or provide interim or ongoing advisory support.
12 December 2025