🇸🇪 Sweden: breathalyser tests
🛳️🫧 When daily breath tests sink GDPR compliance: the WÅAB case (Sweden)
Regulator: IMY (Swedish DPA)
Source: IMY-2024-1520, 18 June 2025
🔍 The facts
For safety reasons, the publicly owned ferry company Waxholms Ångfartygs AB (WÅAB) required every captain to take a breathalyser test before each departure.
🚦 The result (green/red, timestamp, vessel name) was automatically uploaded to a server and kept for several months.
A crew member filed a complaint with IMY.
💥 Breaches found
🔴 Legal basis (Art. 6) – WÅAB invoked “legitimate interest / public task” but failed to show that systematic testing and long retention were necessary. Random spot-checks or an ignition-lock would have been less intrusive.
🔴 Health data (Art. 9) – Even a “negative” result reveals a sailor’s fitness for duty, so the processing involves sensitive data.
⚖️ Administrative sanction
💸 Fine: 75 000 SEK (≈ €6 500)
🕒 Period examined: July 2020 – August 2022
👥 WÅAB deemed the data controller; its contractor was only a processor.
💡 Five lessons for HR & compliance
1. Prove necessity. Even for safety, you must show the chosen method and retention are the least intrusive option.
2. A negative test is still health data. Repeated “all clear” logs describe someone’s medical condition.
3. Cut retention. IMY accepts seven days; “several months” is disproportionate.
4. Document alternatives. Explain why random checks or an ignition breath-lock are not enough.
5. Public ownership ≠ immunity. WÅAB is 100 % owned by Stockholm Region and was fined like any private firm.
“Maritime safety matters, but GDPR demands the least intrusive solution, a clear legal basis and minimal retention.”
✅ Add to your checklist: DPIA, data-minimisation, auto-deletion schedule, staff information.