GDPR Breach Fines for SL Group Companies
Summary
The Swedish Authority for Privacy Protection (IMY) has issued administrative fines of SEK 75,000 each to Aktiebolaget Storstockholms Lokaltrafik (SL) and Waxholms Ångfartygs AB (WÅAB). The fines were imposed for processing personal data related to employee sobriety tests in breach of the GDPR, specifically regarding excessive data storage and handling of potentially sensitive health data.
What changed
The Swedish Authority for Privacy Protection (IMY) has fined two companies within the SL Group, Aktiebolaget Storstockholms Lokaltrafik (SL) and Waxholms Ångfartygs AB (WÅAB), SEK 75,000 each for violations of the General Data Protection Regulation (GDPR). The violations stem from the processing of personal data related to sobriety tests conducted on employees, specifically ship captains. IMY found that the companies stored this data for longer than necessary and failed to implement sufficient routines, thereby exceeding legitimate interests and potentially mishandling sensitive health data.
Companies that conduct sobriety tests on employees must ensure that data processing is lawful under the GDPR and that data is not stored for longer than necessary. Employers must be aware that sobriety test results can indicate alcohol dependency, classifying this information as health data which requires strong legal protection. Failure to comply with GDPR requirements regarding data minimization, purpose limitation, and data security can result in significant administrative fines.
What to do next
- Review data retention policies for employee sobriety test results to ensure compliance with GDPR.
- Assess the necessity and proportionality of collecting and storing employee sobriety test data.
- Ensure robust data protection routines are in place for handling sensitive personal data, including health data.
Penalties
Administrative fines of SEK 75,000 each for the two companies.
Source document (simplified)
Administrative fines against two companies in the SL Group
Published: 3 July 2025

The Swedish Authority for Privacy Protection (IMY) has fined Aktiebolaget Storstockholms Lokaltrafik (SL) and Waxholms Ångfartygs AB (WÅAB) for processing personal data relating to sobriety tests conducted by employees in breach of the GDPR. IMY issues an administrative fine of SEK 75,000 against each company. IMY has reviewed two complaints from employees who have conducted sobriety tests during their employment as ship captains in public transport. An employer could have a legitimate interest in letting their employees do sobriety tests to ensure security in, for example, public transport.
– Our review shows that it is not necessary to collect and store employees’ sobriety tests to the extent SL and WÅAB have done. Due to insufficient routines, the data has been stored for months even though that was not necessary to achieve the purpose of the processing, says Maja Welander, department lawyer at IMY.
IMY concludes that it is important to take into account an employee’s position of dependency. The employer must ensure that the processing of personal data is lawful under the GDPR and that it does not interfere with the individual’s privacy more than necessary. An employer who considers sobriety tests for their employees must also be aware that the results from the tests can indicate that a person is alcohol dependent. Such information is classified as health data, which is subject to strong legal protection under the GDPR.
IMY concludes that SL and WÅAB have violated the GDPR. IMY issues an administrative fine of SEK 75,000 against each of the companies.
For further information, contact
Maja Welander, department lawyer, 08-515 154 39
Press office, 08-515 154 15
Latest update: 3 July 2025
Page labels: Data protection, Working life, Supervision