Court case 12009-25 – Court Ruling (Sweden, 2026)

A data subject filed a complaint with the DPA concerning the processing of personal data in a research project linked to an American researcher, the American association Prostitution Research and Education (PRE), and a Swedish association (the controller). The DPA opened supervision against the controller. It intended to assess compliance with the GDPR provisions on the basic principles, legal basis, special category data, criminal offence data and transparency obligations. The DPA later closed the case. It considered that the Swedish association was not the controller for the processing of the complainant’s personal data. In particular, the DPA relied on the ethical review application, where the association was not identified as responsible for the research project. The DPA considered that it's involvement, including participant selection, provision of premises, storage facilities and an email address, indicated processor status rather than controller status. The complainant appealed. They argued that the Swedish association had exercised influence over both the purposes and means of the processing, had its own interest in the research project, and could not avoid responsibility merely because PRE or another actor may also have been a controller. The Court upheld the appeal. First, the court held that the Swedish association was a joint controller. It recalled that controller status must be assessed objectively and interpreted broadly. What matters is whether an entity, for its own purposes, actually exercised influence over the purposes and means of the processing. A formal designation in project documents is not decisive. The court found that the Swedish association had a significant role in the project. It had initially identified itself as controller, was listed as a co-founder, had a representative involved in data collection, processing, analysis and report writing, had published research based on the project data, had used the project to pursue its own kno