Data Subject versus Storstockholms Lokaltrafik (SL) – €6,600 Fine (Sweden, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Storstockholms Lokaltrafik (the controller) is the public transport authority in the Stockholm region. The controller engaged a subcontractor to operate commuter ferry services. Between October 2021 and August 2022, ferry captains were required to perform breath alcohol tests prior to each departure. The tests were administered via alcohol meters installed on the vessels. While the results did not include names, they contained timestamps and vessel identifiers, which could be matched with duty rosters to identify crew members. The results were automatically stored both locally and on a server accessible to the controller and the subcontractor. A data subject, who was employed as a ferry captain, submitted a complaint to the Swedish DPA (IMY). He caimed that the breath alcohol test results constituted sensitive health data and that the processing of such data was not allowed under Article 9 GDPR. The data subject also argued that no valid ground under Article 6 GDPR justified the collection and storage of the data, and that the routine and systematic storage of test results prior to each departure was disproportionate and not necessary to ensure transport safety. Finally, the data subject complained about the lack of a clear time limit for storing the data. Storstockholms Lokaltrafik claimed that the processing was lawful under Article 6(1)(f) GDPR (legitimate interest), as well as Article 6(1)(e) and Article 9(2)(g) GDPR (public interest in the exercise of official authority). In support of its position, the controller cited provisions of national Swedish law, including the Swedish Maritime CodeSäkerhetskrav som framgår i sjölagen - 1994:1004. and the Ship Safety ActOch fartygssäkerhetslagen - 2003:365.. The controller asserted that the processing was necessary to ensure public safety and to meet its maritime safety obligations under Swedish legislation The Swedish DPA (IMY) held that the controller violated Article 6 GDPR and Article 9 GDPR by unlawfully processi
GDPR Articles Cited
National Law Articles
Storstockholms Lokaltrafik (the controller) is the public transport authority in the Stockholm region. The controller engaged a subcontractor to operate commuter ferry services. Between October 2021 and August 2022, ferry captains were required to perform breath alcohol tests prior to each departure. The tests were administered via alcohol meters installed on the vessels. While the results did not include names, they contained timestamps and vessel identifiers, which could be matched with duty rosters to identify crew members. The results were automatically stored both locally and on a server accessible to the controller and the subcontractor. A data subject, who was employed as a ferry captain, submitted a complaint to the Swedish DPA (IMY). He caimed that the breath alcohol test results constituted sensitive health data and that the processing of such data was not allowed under Article 9 GDPR. The data subject also argued that no valid ground under Article 6 GDPR justified the collection and storage of the data, and that the routine and systematic storage of test results prior to each departure was disproportionate and not necessary to ensure transport safety. Finally, the data subject complained about the lack of a clear time limit for storing the data. Storstockholms Lokaltrafik claimed that the processing was lawful under Article 6(1)(f) GDPR (legitimate interest), as well as Article 6(1)(e) and Article 9(2)(g) GDPR (public interest in the exercise of official authority). In support of its position, the controller cited provisions of national Swedish law, including the Swedish Maritime CodeSäkerhetskrav som framgår i sjölagen - 1994:1004. and the Ship Safety ActOch fartygssäkerhetslagen - 2003:365.. The controller asserted that the processing was necessary to ensure public safety and to meet its maritime safety obligations under Swedish legislation The Swedish DPA (IMY) held that the controller violated Article 6 GDPR and Article 9 GDPR by unlawfully processi
Related Enforcement Actions (0)
No other enforcement actions found for Data Subject versus Storstockholms Lokaltrafik (SL) in SE
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
18 June 2025
Authority
Integritetsskyddsmyndigheten
Fine Amount
€6,600
75,000 SEK
GDPRhub ID
gdprhub-9362About this data
Cite as: Cookie Fines. Data Subject versus Storstockholms Lokaltrafik (SL) - Sweden (2025). Retrieved from cookiefines.eu
Last updated: