Sweden: IMY fines Aktiebolaget SEK 16M for GDPR violations
The Swedish Authority for Privacy Protection ('IMY') issued, on 21 June 2021, a decision fining Aktiebolaget Storstockholms Lokaltrafik SEK 16,000,000 (approx. €1,572,770) for violations of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the decision notes that the IMY found that Aktiebolaget had violated several articles of the GDPR in its use of body-worn camera surveillance equipment used by members of its employees while carrying out ticket control checks. In addition, the decision notes that the IMY found that Aktiebolaget had violated:
- Article 5(1)(a) of the GDPR, as the camera surveillance had been undertaken unlawfully and in breach of the principle of transparency;
- Article 5(1)(c) of the GDPR, as the company had collected and processed more data than was necessary, violating the data minimisation principle;
- Article 6(1) of the GDPR by processing personal data without any legal basis; and
- Article 13 of the GDPR by failing to provide the data subjects with sufficient information.
You can read the decision here, only available in Swedish, here.