AB Storstockholms Lokaltrafik – CJEU Judgment (Sweden, 2025)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
The Court of Justice ruled that AB Storstockholms Lokaltrafik's use of body-worn cameras by ticket inspectors raised important privacy concerns. The company failed to properly inform people about how their data was being collected and used. This decision highlights the need for transparency when using surveillance technology.
What happened
AB Storstockholms Lokaltrafik used body-worn cameras that recorded video and audio during inspections without adequately informing individuals about the data collection.
Who was affected
Passengers and individuals interacting with ticket inspectors who were recorded by the body-worn cameras.
What the authority found
The Court held that the company did not comply with GDPR's requirements to provide information to individuals about data collection, particularly under Article 13.
Why this matters
This ruling emphasizes that companies must clearly communicate how they collect and use personal data, especially with surveillance tools. Other businesses should review their privacy practices to ensure compliance with transparency obligations.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
AB Storstockholms Lokaltrafik (the controller), the operator of public transport in Stockholm, equipped its ticket inspectors with body-worn cameras that continuously recorded video and audio during inspections. The cameras had a short circular memory, automatically overwriting footage unless inspectors saved it when issuing fines or facing threats. The stated purposes of the cameras were to prevent and document violence against inspectors and to verify the identity of fined passengers. Following a supervisory investigation, the Swedish Data Protection Authority found that the controller had infringed several provisions of the GDPR, including the obligation to provide information to data subjects. The Authority imposed an administrative fine in total SEK 16,000,000 (€1,420,670) of which SEK 4,000,000 (€355,188) was for failure to provide information to the data subjects. The controller challenged the Swedish DPA’s decision before the Administrative court of first instance (Förvaltningsrätten i Stockholm), which upheld the fine. The controller then appealed to the Administrative Court of Appeal (Kammarrätten i Stockholm), which annulled the fine, holding that Article 13 GDPR was not applicable. The Swedish DPA subsequently appealed to the Supreme Administrative Court of Sweden (Högsta förvaltningsdomstolen). The referring court identified the key issue as whether Article 13 GDPR or Article 14 GDPR applies to personal data collected by body-worn cameras. Resolving this question was necessary to determine the content, timing, and possible exceptions of the information obligation and to assess whether the Authority was entitled to impose an administrative fine for non-compliance with Article 13 GDPR. The court also noted uncertainty regarding the legal weight of the [https://www.edpb.europa.eu/about-edpb/who-we-are/legacy-art-29-working-party_en Article 29 Working Party’s Guidelines] on transparency, which provide that Article 13 GDPR applies to video surveillance. In
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (1)
Other cases involving AB Storstockholms Lokaltrafik in SE
Details
Judgment Date
18 December 2025
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-9711About this data
Cite as: Cookie Fines. AB Storstockholms Lokaltrafik - Sweden (2025). Retrieved from cookiefines.eu
Last updated: