Changeflow GovPing Government GDPR Breach Fines for SL Group Companies
Priority review Enforcement Amended Final

GDPR Breach Fines for SL Group Companies

IMY News (Sweden DPA)
Filed July 3rd, 2025
Detected February 11th, 2026
Email Set alert

Summary

The Swedish Authority for Privacy Protection (IMY) has issued administrative fines of SEK 75,000 each to Aktiebolaget Storstockholms Lokaltrafik (SL) and Waxholms Ångfartygs AB (WÅAB). The fines were imposed for processing personal data related to employee sobriety tests in breach of the GDPR, specifically regarding excessive data storage and handling of potentially sensitive health data.

View original document View source feed page

What changed

The Swedish Authority for Privacy Protection (IMY) has fined two companies within the SL Group, Aktiebolaget Storstockholms Lokaltrafik (SL) and Waxholms Ångfartygs AB (WÅAB), SEK 75,000 each for violations of the General Data Protection Regulation (GDPR). The violations stem from the processing of personal data related to sobriety tests conducted on employees, specifically ship captains. IMY found that the companies stored this data for longer than necessary and failed to implement sufficient routines, thereby exceeding legitimate interests and potentially mishandling sensitive health data.

Companies that conduct sobriety tests on employees must ensure that data processing is lawful under the GDPR and that data is not stored for longer than necessary. Employers must be aware that sobriety test results can indicate alcohol dependency, classifying this information as health data which requires strong legal protection. Failure to comply with GDPR requirements regarding data minimization, purpose limitation, and data security can result in significant administrative fines.

What to do next

  1. Review data retention policies for employee sobriety test results to ensure compliance with GDPR.
  2. Assess the necessity and proportionality of collecting and storing employee sobriety test data.
  3. Ensure robust data protection routines are in place for handling sensitive personal data, including health data.

Penalties

Administrative fines of SEK 75,000 each for the two companies.

Related changes

Catalyst Grant: Digital Health Funding Opportunity
Priority review Mar 08, 2026 CIHR Funding Opportunities (Canada Health Research) Trade Procurement
Doctoral Research Award CGRS D 2025-2026 Application Deadline
Priority review Mar 08, 2026 CIHR Funding Opportunities (Canada Health Research) Trade Procurement
Doctoral Research Award Application Deadline
Priority review Mar 08, 2026 CIHR Funding Opportunities (Canada Health Research) Trade Procurement
CNIL Closes Order Against KASPR Following GDPR Violations
Priority review Mar 07, 2026 CNIL News (France DPA) Data Protection
Svoboda v. Amazon.com Inc. - Biometric Information Privacy Act Class Action
Priority review Mar 07, 2026 7th Circuit Court of Appeals Federal Courts
AEPD Archives Proceedings Against Orange Spain Regarding Portability
Priority review Mar 07, 2026 AEPD Resolutions (Spain DPA) Data Protection

Source

IMY News (Sweden DPA) imy.se/en/news
Government
Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
Various
Filed
July 3rd, 2025
Instrument
Enforcement
Legal weight
Binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Employers Employees
Geographic scope
Sweden

Taxonomy

Primary area
Data Protection
Operational domain
Compliance
Topics
Employment Law GDPR

Browse Categories

Federal Courts 27 State Courts 105 Securities Regulation 2 Financial Regulation 24 Consumer Protection 2 Drug Safety 15 Data Protection 10 Competition 2 Attorneys General 3 Insurance Regulation 3 Trade & Export 38 Legislation 39 Government 98 Energy Regulation 6 Environment 3 Labor & Employment 2 Tax 1

Get Government alerts

Weekly digest. AI-summarized, no noise.

Free. Unsubscribe anytime.