Within 72 hours of discovery a report must be made to Datainspektionen. However, a report does not have to be made if the incident is unlikely to pose any risk to individuals rights or freedom. Possible risks are when individuals can lose control over their information (hijacked identity) or that their rights are restrained, being subject to discrimination, identity theft or fraud, financial loss, detrimental rumour spreading and violations of secrecy or confidentiality.
If it's impossible to leave all information within 72 hours, one can group the information and leave information at several instances as it becomes available. If unable to report anything at all within 72 hours, one still need to notify Datainspektionen and provide a reason for the delay.
What information must be included in the report?
The report shall contain information about:
Type of incident
Which category/ies of person might be affected
Number of persons concerned
Which consequences this the incident may have
Actions taken to prevent any negative consequences
Who should file the report?
The person responsible for person information shall file the report. That is the company, authority or other organisation who determines means and purpose of the usage.