Consulate General of Sweden in Istanbul – Violation Found (Sweden, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The DPA carried out an ex officio investigation of the Consulate General of Sweden in Istanbul (the controller) in order to assess its compliance with the GDPR and other Regulations (the VIS Regulation and the Borders Regulation). (See Article 3(3) GDPR: "This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law".) During the investigation, the DPA carried out an on-site inspection of the Consulate. The DPA also assessed the operations of VSF Global (the processor), an external provider responsible for transmitting most of the visa applications received by the Consulate. Applications were collected on the processor’s premises, which included an area reserved for the personnel of the Swedish mission. This area was secured via a biometric locking system that recognized the fingerprints of authorized personnel. The DPA found that access to the reserved area of VSF’s center was not properly secured. When the biometric system repeatedly failed to capture a high-quality fingerprint image, an officer could override the system and allow the image despite its insufficient quality. In practice, the override window of the system was always open and the officer would allow access without checking why the override was needed in the first place. The DPA held the system to be insecure. Furthermore, the DPA found that the passports of visa applicants were stored in boxes and placed on the floor. (See Article 2(1) GDPR: "This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system".) The DPA held that this practice was also insecure and inappropriate, as it would be easy to lose documents. On these grounds, the DPA concluded that the controller violated Articles 28(1) and 32.
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Consulate General of Sweden in Istanbul - Sweden (2025). Retrieved from cookiefines.eu