On September 16, 2022, the Swedish Court of Appeals issued its judgment on the size of the penalty fee imposed on Stockholms Stad in a case involving several violations of the GDPR. The violations concerned deficiencies in a school platform. IMY appealed the decision of the Swedish Administrative Court (förvaltningsrätten) regarding a 3 million SEK sanction fee and demanded that IMY’s previous decision (a 4 million SEK sanction fee) be upheld.
The deficiencies in the platform meant that teachers and parents could access information that they should not have had access to. The processing concerned several hundred thousand people, the majority of whom were students and guardians. The information included sensitive personal data as well as data with a high protection value, such as student reviews and confidential personal data. The violations were found to be of a serious nature and relatively long-lasting.
The Swedish Court of Appeal examined the presence of mitigating and aggravating circumstances. The court found that the absence of previous violations was not to be considered a mitigating factor, and that it therefore should not affect the size of the penalty fee. Nor was the cooperation of the municipal council to be viewed as a mitigating circumstance in this case, since the cooperation did not reduce the damage that had occurred. Furthermore, the court found that the nature of the processing and the protection value of the personal data place high demands on the security of the system. The fact that exploiting the deficiencies in the system required a certain technical knowledge was not considered to affect the degree of responsibility that the municipal council had as personal data controller. The court held that the violations in question justified a penalty fee of at least 4 million SEK. Therefore, the decision of IMY was upheld.