Data Subject versus Storstockholms Lokaltrafik (SL) – €6,600 Fine (Sweden, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A ferry captain won a case against Storstockholms Lokaltrafik, which was fined EUR 6,600 for improperly storing breath alcohol test results. This ruling matters because it shows that even anonymized data can be sensitive and requires careful handling. Companies should be cautious about how they collect and store data.
What happened
Storstockholms Lokaltrafik stored breath alcohol test results in a way that violated data protection rules.
Who was affected
Ferry captains employed by Storstockholms Lokaltrafik who were subjected to breath alcohol tests.
What the authority found
The Swedish data protection authority found that the company unlawfully processed sensitive health data without a valid reason.
Why this matters
This case highlights the need for companies to ensure that their data processing practices comply with legal standards, especially regarding sensitive data. Small business operators should regularly review their data policies to prevent violations.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
Storstockholms Lokaltrafik (the controller) is the public transport authority in the Stockholm region. The controller engaged a subcontractor to operate commuter ferry services. Between October 2021 and August 2022, ferry captains were required to perform breath alcohol tests prior to each departure. The tests were administered via alcohol meters installed on the vessels. While the results did not include names, they contained timestamps and vessel identifiers, which could be matched with duty rosters to identify crew members. The results were automatically stored both locally and on a server accessible to the controller and the subcontractor. A data subject, who was employed as a ferry captain, submitted a complaint to the Swedish DPA (IMY). He caimed that the breath alcohol test results constituted sensitive health data and that the processing of such data was not allowed under Article 9 GDPR. The data subject also argued that no valid ground under Article 6 GDPR justified the collection and storage of the data, and that the routine and systematic storage of test results prior to each departure was disproportionate and not necessary to ensure transport safety. Finally, the data subject complained about the lack of a clear time limit for storing the data. Storstockholms Lokaltrafik claimed that the processing was lawful under Article 6(1)(f) GDPR (legitimate interest), as well as Article 6(1)(e) and Article 9(2)(g) GDPR (public interest in the exercise of official authority). In support of its position, the controller cited provisions of national Swedish law, including the Swedish Maritime CodeSäkerhetskrav som framgår i sjölagen - 1994:1004. and the Ship Safety ActOch fartygssäkerhetslagen - 2003:365.. The controller asserted that the processing was necessary to ensure public safety and to meet its maritime safety obligations under Swedish legislation The Swedish DPA (IMY) held that the controller violated Article 6 GDPR and Article 9 GDPR by unlawfully processi
Related Enforcement Actions (0)
No other enforcement actions found for Data Subject versus Storstockholms Lokaltrafik (SL) in SE
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
18 June 2025
Authority
Integritetsskyddsmyndigheten
Fine Amount
€6,600
75,000 SEK
GDPRhub ID
gdprhub-9362About this data
Cite as: Cookie Fines. Data Subject versus Storstockholms Lokaltrafik (SL) - Sweden (2025). Retrieved from cookiefines.eu
Last updated: