Get ready for the whistleblowing lawBOOK DEMO NOW!

Insurance company sent sensitive data via unprotected e-mail

10 October 2023

The Swedish Authority for Data Protection (IMY) has issued a reprimand against “If” as the insurance company has processed personal data violating the GDPR.

The background to the decision includes the fact that If has sent sensitive personal data via e-mail without adequate safety measures. If used encryption in transit, but the e-mail was not encrypted the entire time from sender to recipient (so-called end-to-end encryption).

After the incident, If has improved its safety standards where the insurance company has developed and launched a new way of communicating with their customers. Thus, the customers can access messages under “My profile”, which requires safe log-in with Swedish BankID (a two-step authentication).

Due to the safety measures taken after the incident, IMY “only” issues a reprimand against the company.



We are always happy to help

Do you have any questions or want to book a demo? We are ready to guide you through the compliance jungle.

We are always happy to help