
Background information
- Date of final decision: 18 June 2025
- National case
- Controller: the SL Group
- Legal Reference(s): Article 6 (Lawfulness of processing), Article 9 (Processing of special categories of personal data), Article 83 (General conditions for imposing administrative fines)
- Decision: Administrative fine
- Key words: Personal data breach, Sensitive data, Administrative fine, Data retention, Retention time
Summary of the Decision
Origin of the case
The Swedish Supervisory Authority (SA), IMY, has reviewed two complaints from employees who had been subject to sobriety tests during their employment as ship’s captains in public transport. The two companies, Aktiebolaget Storstockholms Lokaltrafik (SL) and Waxholms Ångfartygs AB (WÅAB), both of which are part of the SL Group, collected the employees’ sobriety tests and stored them for months. An employer may have a legitimate interest in having its employees undergo sobriety tests to ensure security in, for example, public transport, but the question in the case was whether the personal data collected from the tests had been handled in compliance with the GDPR.
Key Findings
The review shows that it is not necessary to collect and store employees’ sobriety tests to the extent that SL and WÅAB have done. Due to insufficient routines, the data was stored for months even though that was not necessary to achieve the purpose of the processing.
The Swedish SA concludes that it is important to take into account an employee’s position of dependency. The employer must ensure that the processing of personal data is lawful under the GDPR and that it does not interfere with the individual’s privacy more than necessary. An employer who is considering sobriety tests for its employees must also be aware that the test results can indicate that a person has an alcohol addiction. Such information is classified as health data, which is subject to strong legal protection under the GDPR.
Decision
The Swedish SA concludes that SL and WÅAB have violated:
- Article 6 of the GDPR, by processing the complainants’ personal data without a legal basis, and
- Article 9 of the GDPR, by processing sensitive personal data about the complainants although none of the exemptions from the prohibition on processing such data was applicable.
The Swedish SA issues an administrative fine of SEK 75 000 (approximately €6 250) against each of the companies.
- For further information: national press release: Administrative fines against two companies in the SL Group | IMY (Swedish)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.