City of Stockholm – €394,000 Fine (Sweden, 2020)

€394,000Integritetsskyddsmyndigheten24 November 2020Sweden
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The City of Stockholm was fined for not securing student data on a school platform. Sensitive information about students and teachers was too easily accessible, even appearing in Google search results. This case highlights the importance of protecting personal data in educational systems.

What happened

The City of Stockholm failed to secure student and teacher data on a school platform, allowing unauthorized access.

Who was affected

Students and teachers whose personal information was exposed on the school's education platform.

What the authority found

The Swedish DPA found that the City of Stockholm violated GDPR by not implementing adequate security measures to protect personal data.

Why this matters

This case emphasizes the need for educational institutions to ensure robust data protection measures. It serves as a reminder that public entities must safeguard sensitive information, especially when it involves minors.

GDPR Articles Cited

AI-verified

Art. 32 GDPR
Art. 5(1)(f) GDPR
View original scraped data
Art. 5 GDPR
Art. 32 GDPR

Original data from scraper before AI verification against source document.

Source verified 6 March 2026
articles corrected
Sweden enforcementIntegritetsskyddsmyndigheten actionsAll City of Stockholm actions
Full Legal Summary
Detailed

The Swedish DPA imposed a fine on the City of Stockholm for data breaches on a school education platform. The platform consists of different subsystems, including a system for monitoring school attendance, a student administration system, an interface for parents and an administration interface for teachers. In one of the subsystems, a lack of ability to restrict user access to the data has allowed a significant number of staff to access information about students using a protected identity. In another sub-system, parents could access information about other students, such as grades relatively easily. Via Google's search engine, it was possible to find links to enter an administrative interface where information about teachers with a protected identity was accessible.

Related Enforcement Actions (0)

No other enforcement actions found for City of Stockholm in SE

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

24 November 2020

Authority

Integritetsskyddsmyndigheten

Fine Amount

€394,000

Enforcement Tracker ID

ETid-455

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. City of Stockholm - Sweden (2020). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: