Tele2’s administrative fine from PTS – lessons for operators
The Swedish Post and Telecom Authority (PTS) has ordered Tele2 to pay SEK 8.1 million in administrative fines after the operator disclosed details of subscribers with protected population registration to directory enquiry companies. The decision underscores how seriously the regulatory framework treats shortcomings in the protection of subscriber data – particularly where individuals with protected personal data are concerned.
For telecoms operators, other providers within electronic communications and larger organisations handling sensitive customer data, the decision is a clear reminder of the importance of structured risk management, correct technical implementation and clear information to those affected.
Background: when protected data are disclosed
In early 2025, Tele2 reported privacy incidents to PTS. The reports showed that first and last names, telephone numbers and addresses of subscribers with protected population registration (skyddad folkbokföring) had been disclosed to companies providing directory enquiry services.
Protected population registration, confidentiality markings (sekretessmarkering) and other forms of protected personal data are key safeguards for people who may be exposed to threats, violence or other particular risks. When such data are disclosed to unauthorised parties, the consequences can be directly life-threatening.
In its supervisory review, PTS concluded that Tele2 had failed in its risk management and in the protection of subscriber data, and that the company had not provided sufficient information to the affected subscribers about the incident.
Legal framework – PTS’s role and the security duties
PTS supervises legislation on electronic communications. Operators and certain other actors must maintain a high level of security for the data processed in their operations, including subscriber information.
In brief, the framework requires providers to:
- assess risks of privacy incidents and other security shortcomings,
- implement appropriate technical and organisational security measures,
- maintain structured procedures for incident handling and reporting,
- inform affected subscribers when an incident occurs that impacts their privacy.
In parallel, the data protection regime (including the GDPR) applies to the processing of personal data. Where protected personal data are concerned, the requirement for risk awareness and proportionality is particularly stringent, although assessments must always be made case by case.
Practical risks and typical pitfalls
The Tele2 case illustrates recurring pitfalls recognisable to actors within electronic communications and other data-intensive operations:
- Poor classification of data – protected personal data are handled in the same flows as less sensitive data.
- Insufficient risk analysis – risk assessments are one-off or too generic, failing to capture specific scenarios such as disclosures to directory enquiry companies or other third parties.
- Technical weaknesses in system integrations – integrations with external parties (for example directory and enquiry services) are updated without fully analysing and testing the security implications.
- Unclear instructions to suppliers – data processors or other suppliers receive ambiguous instructions on handling protected data.
- Weak incident-handling routines – there are no ready-made templates and processes to inform affected subscribers swiftly and accurately.
For companies in the sector, it is therefore important not to view security regulations and administrative fines solely as regulatory demands, but as part of fundamental risk management and the governance structure.
How operators and other actors can act
While each organisation needs its own tailored approach, several general measures reduce the risk of an administrative fine from PTS.
1. Conduct a targeted risk analysis for protected data
- Identify which categories of particularly sensitive data you process (for example protected population registration, confidentiality-marked customers).
- Map all systems, integrations and suppliers where these data occur.
- Perform scenario-based risk analyses – what happens if data leak via this specific integration or process?
2. Strengthen technical and organisational measures
- Introduce separate controls and, where appropriate, dedicated processes for protected data.
- Ensure roles and access rights are strictly limited and regularly reviewed.
- Test system changes and integrations from a privacy perspective, not only for technical function.
3. Review contracts and instructions to external parties
- Review contracts with directory enquiry companies and other recipients of subscriber data.
- Clarify in the contracts how protected data must be handled and which data must never be disclosed.
- Ensure the instructions are followed in practice through controls and ongoing dialogue.
4. Prepare structured incident handling and communications
- Establish routines for identifying, internally reporting and assessing privacy incidents.
- Prepare templates for communications to affected subscribers that can be adapted to the circumstances.
- Rehearse incident handling so the organisation knows what to do when an incident occurs.
5. Integrate data protection and security into governance
- Ensure the board and executive management receive regular reporting on privacy and security risks.
- Link compliance with PTS regulations and the data protection regime to the broader risk and compliance programme.
- Give relevant functions (for example the security organisation and data protection officers) sufficient mandates and resources.
The Tele2 decision shows that deficiencies in risk management and communications can in themselves justify administrative fines, even if the incident primarily concerns technical or process errors. For operators and other actors, it is therefore essential to treat these issues as core risk management, not merely an IT or compliance problem.
At Morling Consulting, our data protection lawyers and electronic communications regulatory experts support companies and organisations across Europe in analysing risks, adapting processes and drafting governance documents that reduce the risk of privacy incidents and administrative fines.
12 December 2025