Sweden: Privacy and Data Protection-related Laws

The General Data Protection Regulation (GDPR) came into force in May 2018. It has taken years of effort by the European Parliament, the Council of the European Union and the European Commission to strengthen and unify data protection for everyone who lives within the EU, and to address the export of personal data outside it, creating a compliance challenge for every company.

GDPR creates one set of EU rules for the protection of personal data. It also applies to businesses that process personal data of people in the EU, even if those businesses are based elsewhere. By updating the law on individual privacy and autonomy, it recognises the enormous changes in technology and data usage that have taken place. Specifically, GDPR introduces new accountability obligations, stronger rights for individuals and restrictions on international data flows. For the EU’s GDPR regulation, please visit Europe: Privacy and Data Protection-related Laws.

GDPR Implementation Law

Sweden’s national GDPR Implementation Law is currently in progress; the key differences between the bill and the GDPR are listed here.

For information regarding Sweden’s former privacy and data protection-related laws still currently in effect, please see below.

For information regarding discussion on GDPR, blockchain, and data-protection, please read the following websites: Blockchains and Personal Data Protection Regulations Explained, Five considerations for blockchain applied to data privacy and GDPR, Blockchains and the GDPR, and Blockchain From a Perspective of Data Protection Law.

Sweden’s Personal Data Act

Various laws govern the use of personal data in the public sector (for example, in relation to the activities of law enforcement authorities). See here for more details.

The Personal Data Act (1998:204) applies to data controllers. A data controller is defined as the person or legal entity who, alone or together with others, decides on the purpose and means of personal data processing.

The Personal Data Act (1998:204) (PDA) applies to personal data, which is defined as “all kinds of information that, directly or indirectly, can be linked to a living natural person”. This means that any information, alone or together with other data, that can be used to identify a person, falls under the definition. An IP address is an example of data that can indirectly identify a person, and is therefore considered to be personal data.

The PDA also includes a definition of sensitive personal data, which is personal data that:

  • Reveals a person’s race or ethnic origin.
  • Reveals a person’s political opinions.
  • Reveals a person’s religious or philosophical beliefs.
  • Reveals a person’s union membership.
  • Concerns a person’s health or sex life.

The PDA applies to any processing of personal data that is carried out wholly or partly by automatic means. Processing refers to all kinds of actions or measures taken in relation to personal data, such as collecting, storing, processing, changing and deleting personal data. The PDA also applies to the processing of personal data that is not wholly or partly automatic, if the data is intended to form part of a structured collection of personal data in which it is possible to search or compile personal data according to specific criteria (for example, paper-based registers).

The PDA applies to data controllers established in Sweden. It also applies to data controllers established in third countries (non-EU/EEA countries) if the equipment used for processing personal data is located in Sweden, unless that equipment is used solely to transfer data from one third country to another. The DPA considers a cookie placed on a computer in Sweden to be equipment used for processing. Consequently, the PDA can apply to a data controller established in a third country that has no other connection to Sweden.

To read about exemptions to the jurisdictional scope of the rules, please see here. The main rule is that the processing of personal data must be notified in writing to the Swedish Data Protection Authority (DPA). To read about exemptions to this rule, read more here.

Main obligations and processing requirements

The data controller must ensure that:

  • Personal data is only processed if it is lawful.
  • Personal data is always processed in a correct manner and according to good practice.
  • Personal data is only processed for specific, explicitly stated and legitimate purposes.
  • Personal data is not processed for any purpose incompatible with the purpose for which the data was collected.
  • The personal data processed is adequate and relevant for the purpose of the processing.
  • No more personal data is processed than is necessary for the purpose of the processing.
  • The personal data processed is correct and, if necessary, current.
  • All reasonable measures are taken to correct, block or delete personal data that is incorrect or incomplete in relation to the purpose of the processing.
  • Personal data is not stored for longer than necessary for the purpose of the processing.

Consent of data subjects required before processing?

Consent is one of the legal bases for the processing of personal data. For more details on consent, read more here. If consent is not given, there are other grounds on which personal data may still be processed. Read more here.

Sensitive personal data

Under the Personal Data Act (1998:204), it is generally forbidden to process sensitive personal data. However, there are exceptions to this rule (for example, if the data subject gives express consent or has clearly made the data public). To read more about exemptions, read more here.

Rights of Individuals

The data controller must provide the following information to the data subject:

  • Contact details.
  • Information on the purpose or purposes of the processing.
  • Any other information that the data subject needs to exercise his or her rights in relation to the processing (such as the data subject’s right to request information, to have data corrected, and to obtain information on third parties to which the data may be transferred or with which it may be shared).

For more details, read more here.

For further rights granted to data subjects, please read more here. Data subjects have the right to request the deletion of their data if the data has been processed contrary to the Personal Data Act (1998:204); read more here.

Security Requirements

Read more here.

Processing by Third Parties

Read more here.

Electronic communications

Read more here.

International Transfer of Data

Read more here.

Data Transfer Agreements

Read more here.

Enforcement and Sanctions

Read more here.

Further Reading

Data protection cases are handled by the Swedish Data Protection Authority (Datainspektionen) (DPA). Information is generally up to date, although the website may contain out-of-date information in languages other than Swedish. To learn more, please go here.
