[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fOi4lL4hrSbKw4H1YsXJFehrX0om-P_Ck9S_S3TtQ6Ig":3},{"article":4,"iocs":44},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":21,"category":22,"article_tags":26},"ebdd623f-dba2-4ed0-94c9-41be02614e24","IMY (Sweden) - 2025-10429","imy-sweden-2025-10429-0bf3ab","Created page with \"{{DPAdecisionBOX |Jurisdiction=Sweden |DPA-BG-Color= |DPAlogo=LogoSE.png |DPA_Abbrevation=IMY |DPA_With_Country=IMY (Sweden) |Case_Number_Name=2025-10429 |ECLI= |Original_Source_Name_1=IMY |Original_Source_Link_1=https:\u002F\u002Fwww.imy.se\u002Fglobalassets\u002Fdokument\u002Fbeslut\u002Fbeslut-securitas-sverige-ab.pdf |Original_Source_Language_1=Swedish |Original_Source_Language__Code_1=SV |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__...\" Show changes","IMY (Sweden) has issued a reprimand to a security services company for conducting video surveillance of its patrol car drivers without a valid legal basis under GDPR. The company used cameras in approximately 50 vehicles for a pilot project to detect dangerous driving behaviors, storing footage locally. While the company cited employee safety obligations and legitimate interests, IMY ruled that these did not justify the real-time monitoring and that the employees' right to privacy outweighed the company's interests.","Sweden's IMY reprimands security firm for unlawful employee video surveillance.","Help IMY (Sweden) - 2025-10429: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 13:51, 18 June 2026 view source Av (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators25 edits Tag: submission [1.0]Newer edit → (No difference) Revision as of 13:51, 18 June 2026 IMY - 2025-10429 Authority: IMY (Sweden) Jurisdiction: Sweden Relevant Law: Article 6(1) GDPR Article 32(1) GDPR Article 58(2) GDPR Type: Investigation Outcome: Violation Found Started: 03.06.2025 Decided: 16.06.2026 Published: 16.06.2026 Fine: n\u002Fa Parties: n\u002Fa National Case Number\u002FName: 2025-10429 European Case Law Identifier: n\u002Fa Appeal: Unknown Original Language(s): Swedish Original Source: IMY (in SV) Initial Contributor: av A DPA issued a security services company a reprimand for video surveillance of the company’s patrol car drivers without a legal basis under Article 6(1) GDPR. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts A security services company (the controller) had installed cameras in its patrol vehicles that filmed the drivers (the data subjects) during their shifts. The video surveillance was part of a temporary pilot project that was conducted in December 2024 as well as April and May 2025. The surveillance technology was installed in around 50 cars and affected 119 drivers. The technology was meant to detect certain potentially dangerous behaviours of the driver, such as not wearing a seat belt or using a cell phone. The most recent 100 hours of the footage were stored on local memory cards in the cars. If especially risky behaviour was detected, short video clips or still images were stored for 90 days. The supervisory authority launched an investigation into this practice to determine whether it had a legal basis for the processing of personal data of the drivers. The DPA also investigated whether the controller had ensured an appropriate level of security in accordance with Article 32(1) GDPR when storing the personal data collected. The controller relied on Articles 6(1)(c) and 6(1)(f) GDPR as legal bases. First, the controller argued that it had a legal obligation to guarantee a safe work environment and eliminate risks under national legislation on employee safety. Second, the controller relied on its legitimate interests to minimise damage, investigate alleged misconduct, and protect itself against disputes with insurance companies. Holding The DPA issued the controller a reprimand under Article 58(2)(b) GDPR and held that there had been no legal basis under Article 6(1) GDPR for filming the data subjects during their shifts. First, the DPA held that the processing of personal data could not be based on Article 6(1)(c) GDPR. According to the DPA, the processing was of sensitive nature as it involved the real-time monitoring of employees. It stated that the provisions the controller relied on were not sufficiently clear and precise to constitute a legal obligation within the meaning of Article 6(1)(c). Second, the DPA held that the controller had legitimate interests for the processing as defined in Article 6(1)(f) GDPR. Furthermore, the processing may have been necessary for the purposes of the legitimate interests pursued. However, the DPA held that the legitimate interests of the controller were overridden by the right of the data subjects not to be subject to continuous video surveillance at work. In particular, the DPA took into account the imbalance of power between the controller and the data subjects in an employment relationship when determining the outcome of the balancing test. Third, the DPA found no infringement of Article 32(1) GDPR. It held that the controller had implemented appropriate technical and organisational measures when storing the personal data. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details. Swedish Data Protection Authority Registration number: IMY-2025-10429 3(12) Date: 2026-06-16 Legal obligation, Article 6.1 c Securitas has a legal obligation under Article 6.1 c of the Data Protection Regulation as an employer and as a company regarding the company's responsibility for the working environment of its employees. This is stated in Chapter 3, Section 2 of the Work Environment Act (1977:1160), which states that the employer shall take all necessary measures to prevent the employee from being exposed to ill health and accidents and to eliminate risks and take into account special risks that may result from the employee working alone, and in Chapter 3, Section 2 a of the same Act, which states that the employer shall systematically plan, manage and control the activities in a way that leads to the work environment meeting the prescribed requirements for a good working environment. This also refers to the rules in Sections 11–12 of the Swedish Work Environment Authority's regulations and general advice (AFS 2023:1) on systematic work environment work 3 regarding investigation and risk assessments. The above includes that Securitas as an employer has a broad responsibility regarding employee safety, where the solution as a whole was evaluated during the pilot project as part of preventing ill health and accidents and investigating such incidents and taking risks into account. It should be taken into account that the work environment with vehicles in traffic is associated with high risks, especially within the framework of Securitas' operations. Legitimate interest, Article 6(1)(f) Securitas has further stated that the camera surveillance was necessary for the company's legitimate interest according to Article 6(1)(f) of the Data Protection Regulation, i.e. to minimize damages and ensure good vehicle economy through follow-up on insurance investigation and repair costs. The processing is also necessary for Securitas' legitimate interest in handling incident reports and investigating alleged malpractice, misconduct, non-compliance with Securitas' applicable policies and to protect itself against disputes with insurance companies. Securitas is a large public security company in a socially important sector with a particular trust and requirement for security, reliability and accountability. The company operates in particularly risky environments with a higher degree of stress than in many other companies. The data subjects work with the execution of assignments in the security industry, which justifies higher requirements for both processing, security routines, damage minimization efforts and follow-up. The processing has been reasonable, predictable, informed and has also brought clear benefits for the data subjects; including through direct feedback on unsafe driving and the creation of a safer working environment. There have also been benefits for the public in the form of a reduction in the number of accidents and injuries involving vehicles, and for Securitas in terms of a reduction in injuries and the ability to follow up on injuries. Without the processing, the possibilities to detect, warn and follow up on the performance of vehicles are significantly limited, which prevents the fulfilment of the purposes. Appropriate security measures have also been in place. The processing was deemed necessary as, without the technology, it was not possible to provide clear and direct feedback to drivers about unsafe driving behaviour and thus be able to achieve the purposes, and recorded material is a crucial basis for investigating and following up on incidents in the event of accidents, including the handling of insurance cases and insurance disputes. The recordings were limited by not including sound and the generated film clips were predetermined to ","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=IMY_(Sweden)_-_2025-10429&diff=51916&oldid=0","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002Fthumb\u002F7\u002F75\u002FLogoSE.png\u002F1200px-LogoSE.png","2026-06-18T13:51:27+00:00","2026-06-18T14:00:20.594952+00:00",7,[18],{"name":19,"type":20},"IMY","vendor","c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":21,"icon":23,"name":24,"slug":25},null,"Policy","policy",[27,32,37,39],{"category":28},{"id":29,"icon":23,"name":30,"slug":31},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","GDPR","gdpr",{"category":33},{"id":34,"icon":23,"name":35,"slug":36},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":38},{"id":21,"icon":23,"name":24,"slug":25},{"category":40},{"id":41,"icon":23,"name":42,"slug":43},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]