Sweden: IMY fines Aktiebolaget SEK 16M for GDPR violations

The Swedish Authority for Privacy Protection ('IMY') issued, on 21 June 2021, a decision fining Aktiebolaget Storstockholms Lokaltrafik SEK 16,000,000 (approx. €1,572,770) for violations of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the decision notes that the IMY found that Aktiebolaget had violated several articles of the GDPR in its use of body-worn camera surveillance equipment worn by its employees while carrying out ticket control checks. In addition, the decision notes that the IMY found that Aktiebolaget had violated:

  • Article 5(1)(a) of the GDPR, as the camera surveillance had been undertaken unlawfully and in breach of the principle of transparency;
  • Article 5(1)(c) of the GDPR, as the company had collected and processed more data than was necessary, violating the data minimisation principle;
  • Article 6(1) of the GDPR by processing personal data without any legal basis; and 
  • Article 13 of the GDPR by failing to provide the data subjects with sufficient information. 

You can read the decision, only available in Swedish, here.