Swedish DPA: Systematic Alcohol Tests May Qualify as Health Data

The Swedish DPA (IMY) has issued two decisions concerning the routine use of alcohol breath tests conducted on vessel captains operating within the regionally procured public transportation system in Stockholm.

The tests were carried out systematically before and after each work shift, targeting personnel in safety-critical positions. Both the transport operator and the regional public transport authority were found to have infringed the GDPR and were fined SEK 75,000 each.

Although the employers justified the testing based on passenger safety and the high level of responsibility associated with the role, IMY concluded that the practice did not meet the necessity requirement under the GDPR. IMY emphasized that less intrusive measures such as alcohol interlock devices or random testing could have achieved the same safety goals with a significantly lower impact on employee privacy.

Notably, IMY also determined that the extensive testing regime resulted in the processing of sensitive health data. While a single negative test result may not, on its own, reveal health status, the accumulated data over time enabled the controller to infer patterns about the individual’s sobriety, thereby qualifying the data as “health data” under Article 4(15) of the GDPR.

Click here to read the decisions (in Swedish only).

See All News Here

Related News

Swedish Supreme Court Adds Nuance to Previous Ruling on Bulk Requests for Court Judgments and Decisions

NIS2 and the Swedish Regulation Jungle

EU Commission Proposes Tech Sovereignty Package with New Rules for Chips, Cloud Services and AI infrastructure