AB Storstockholms Lokaltrafik – CJEU Judgment (Sweden, 2025)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
AB Storstockholms Lokaltrafik (the controller), the operator of public transport in Stockholm, equipped its ticket inspectors with body-worn cameras that continuously recorded video and audio during inspections. The cameras had a short circular memory, automatically overwriting footage unless inspectors saved it when issuing fines or facing threats. The stated purposes of the cameras were to prevent and document violence against inspectors and to verify the identity of fined passengers. Following a supervisory investigation, the Swedish Data Protection Authority found that the controller had infringed several provisions of the GDPR, including the obligation to provide information to data subjects. The Authority imposed an administrative fine in total SEK 16,000,000 (€1,420,670) of which SEK 4,000,000 (€355,188) was for failure to provide information to the data subjects. The controller challenged the Swedish DPA’s decision before the Administrative court of first instance (Förvaltningsrätten i Stockholm), which upheld the fine. The controller then appealed to the Administrative Court of Appeal (Kammarrätten i Stockholm), which annulled the fine, holding that Article 13 GDPR was not applicable. The Swedish DPA subsequently appealed to the Supreme Administrative Court of Sweden (Högsta förvaltningsdomstolen). The referring court identified the key issue as whether Article 13 GDPR or Article 14 GDPR applies to personal data collected by body-worn cameras. Resolving this question was necessary to determine the content, timing, and possible exceptions of the information obligation and to assess whether the Authority was entitled to impose an administrative fine for non-compliance with Article 13 GDPR. The court also noted uncertainty regarding the legal weight of the [https://www.edpb.europa.eu/about-edpb/who-we-are/legacy-art-29-working-party_en Article 29 Working Party’s Guidelines] on transparency, which provide that Article 13 GDPR applies to video surveillance. In
GDPR Articles Cited
AB Storstockholms Lokaltrafik (the controller), the operator of public transport in Stockholm, equipped its ticket inspectors with body-worn cameras that continuously recorded video and audio during inspections. The cameras had a short circular memory, automatically overwriting footage unless inspectors saved it when issuing fines or facing threats. The stated purposes of the cameras were to prevent and document violence against inspectors and to verify the identity of fined passengers. Following a supervisory investigation, the Swedish Data Protection Authority found that the controller had infringed several provisions of the GDPR, including the obligation to provide information to data subjects. The Authority imposed an administrative fine in total SEK 16,000,000 (€1,420,670) of which SEK 4,000,000 (€355,188) was for failure to provide information to the data subjects. The controller challenged the Swedish DPA’s decision before the Administrative court of first instance (Förvaltningsrätten i Stockholm), which upheld the fine. The controller then appealed to the Administrative Court of Appeal (Kammarrätten i Stockholm), which annulled the fine, holding that Article 13 GDPR was not applicable. The Swedish DPA subsequently appealed to the Supreme Administrative Court of Sweden (Högsta förvaltningsdomstolen). The referring court identified the key issue as whether Article 13 GDPR or Article 14 GDPR applies to personal data collected by body-worn cameras. Resolving this question was necessary to determine the content, timing, and possible exceptions of the information obligation and to assess whether the Authority was entitled to impose an administrative fine for non-compliance with Article 13 GDPR. The court also noted uncertainty regarding the legal weight of the [https://www.edpb.europa.eu/about-edpb/who-we-are/legacy-art-29-working-party_en Article 29 Working Party’s Guidelines] on transparency, which provide that Article 13 GDPR applies to video surveillance. In
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (1)
Other cases involving AB Storstockholms Lokaltrafik in SE
Details
Judgment Date
18 December 2025
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-9711About this data
Cite as: Cookie Fines. AB Storstockholms Lokaltrafik - Sweden (2025). Retrieved from cookiefines.eu
Last updated: