GDPR Guide to National Implementation: Sweden
Q1/ Applicable legislation
(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?
The main national pre-GDPR act on data privacy has been revoked, whereas other types of legislation also covering data protection such as the Patient Data Act have been amended in line with the GDPR.
(b) Relevant legislation includes:
- The Swedish Data Protection Act (2018:218) (Swe. lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning) (the “Data Protection Act”)
- Date in force: 25 May 2018
- Link: see here
- The Swedish Data Protection Regulation (2018:219) (Swe. Förordning (2018:219) med kompletterande bestämmelser till EU:s dataskyddsförordning) (the “Data Protection Regulation”)
- Date in force: 25 May 2018
- Link: see here
(c) What is the status of national pre-GDPR data protection law?
The main national pre-GDPR act on data privacy has been revoked, whereas other types of legislation also covering data protection have been amended in line with GDPR.
Q2/ Personal data of deceased persons
Does national law make specific rules regarding the processing of personal data of deceased persons?
The Patient Data Act sets out rules on how health care providers and other care-givers may process health data in a digital environment. In applicable parts, the regulation also applies to deceased persons, for example, the processing must still be based on a valid legal ground specified in the Data Protection Act, and requirements on data minimisation continue to apply.
Q3/ Legal bases for processing
(a) Does national law make specific rules regarding the processing of personal data in compliance with a legal obligation?
Certain legislation provides specific rules on processing personal data in compliance with a legal obligation, including legislation relating to:
- mandatory bookkeeping obligations for companies in Sweden;
- employment obligations for employers, collective bargaining agreements and social insurance;
- screening obligations in the banking and credit sector under AML and terrorism financing legislation;
- obligations for health care providers to keep patient records;
- archiving duties for public authorities;
- obligations for banks and credit institutes to assess the creditworthiness of customers and to document such assessments; and
- legal obligations placed on principals responsible for education to document certain information about students.
(b) Does national law make specific rules regarding the processing of personal data for the performance of tasks carried out in the public interest?
The Data Protection Act stipulates that a task of public interest must be laid down in law or other statute, in a collective bargaining agreement or in orders that have been issued based on an existing statute.
(c) Does national law make specific rules regarding the processing of personal data in the exercise of official authority vested in the controller?
The Data Protection Act stipulates that the exercise of official authority must be laid down in law or other statute.
(d) Does national law contain criteria in addition to those listed in the GDPR, to determine whether processing for a new purpose is compatible with the purpose for which the personal data were initially collected?
There are no specific additional criteria governing this issue.
Q4/ Consent of children
At what age can a child give their consent to processing in relation to ISS?
13 years of age.
Q5/ Processing of sensitive personal data
(a) Are there any sensitive personal data which cannot be processed on the basis of a data subject’s consent?
All sensitive personal data can be processed if the data subject’s valid consent has been obtained.
(b) Does national law contain any specific requirements regarding the processing of sensitive personal data in respect of the following:
(i) Employment, social security and/or social protection law
The Data Protection Act stipulates that personal data processed on the basis of this exception may only be disclosed to third parties if there is an obligation for the controller to do so according to labour laws or if the data subject has expressly consented to the processing in the context of social security and social protection.
(ii) Substantial public interest
According to the Data Protection Act, personal data may only be processed based on this exception if one of the following applies:
- if the data has been submitted to the authority and the processing is required by law;
- if the processing is necessary for the handling of a matter; or
- in other situations, if the processing is necessary with regard to an important public interest and does not constitute an undue infringement of the data subject’s personal integrity.
Furthermore, when processing personal data based on this exception, it is unlawful to perform searches in order to obtain a selection of individuals based on sensitive personal data.
(iii) Preventative or occupational medicine; employee working capacity, medical diagnosis, provision of health or social care, or management of health or social care systems or services
Specific rules apply in relation to health care providers including the Patient Data Act and related regulations and also in relation to social care including the activities that they perform.
(iv) Public interest in the area of public health
There are no specific rules on processing this category of data.
(v) Archiving purposes, scientific or historical research purposes or statistical purposes
Processing for archiving purposes requires that the processing be necessary to enable the controller to comply with regulations on archives.
The government or a public authority designated by the government may extend the rules on processing for archival purposes to other entities if the processing of sensitive personal data is in the public interest.
Processing for statistical purposes is permitted where the processing is necessary for statistical purposes and the public interest of the statistical project for which the processing is being carried out clearly outweighs the risk of undue intrusion into data subjects’ personal integrity.
(c) Has national law introduced any further conditions and/ or limitations with regard to the processing of genetic data, biometric data, or health data?
Certain sector-specific regulations will be relevant when processing health and genetic data.
Q6/ Data relating to criminal offences or convictions
Under what conditions does national law permit the processing of personal data relating to criminal convictions?
Entities other than public authorities may process personal data relating to criminal convictions and offences if the processing is necessary for the controller to be able to comply with regulations on archives.
The government or a public authority designated by the government may issue additional regulations on when the above power may be extended to entities other than public authorities.
Under the Data Protection Regulation, entities other than public authorities may only process personal data related to criminal convictions and offences where such processing is necessary in order for:
- legal claims to be established, enforced or defended; or
- legal obligations to be fulfilled in accordance with the law.
The DPA has further discretion as to which entities other than public authorities may process such personal data.
(a) Does national law specify exemptions to a data subject’s right to erasure?
There are no specific exemptions to the right to erasure.
(b) Does national law specify exemptions to a data subject’s right to be provided information under Art. 14 GDPR where the personal data has not been obtained from the data subject?
There are no specific exemptions to the right to be provided information.
(c) Does national law specify exemptions to a data subject’s right to not be subject to a decision based solely on automated processing, including profiling?
Public authorities are permitted to make automated decisions.
Q8/ Restrictions on data subjects’ rights
Aside from the exemptions noted in Q7, does national law contain any other restrictions on the rights of data subjects under Chapter III GDPR?
The rights under Arts. 13-15 GDPR will not apply where the controller cannot, in accordance with the law, disclose the relevant personal data to the data subject. Where the controller is not a public authority, the exemption also applies to personal data that would be classified as confidential with a public authority under certain secrecy legislation.
Furthermore, the right of access under Art. 15 GDPR will be restricted where personal data is contained in a “running text” that has not been finalised when the request is made or which constitutes a memo or a similar document. However, this exemption will not apply if the personal data:
- has been disclosed to a third party;
- is processed solely for archival purposes of public interest or statistical purposes; or
- has been processed for longer than one year as “running text” without being finalised.
Q9/ Joint controllership
Does national law provide rules or guidance on the apportionment of responsibility between joint controllers?
There are no additional rules on apportionment of liability between joint controllers.
In addition to the contract between controller and processor, are there any pieces of legislation which govern processing by a processor?
There are no additional pieces of legislation.
Q11/ Impact Assessments
Are there any circumstances in which national law requires an Impact Assessment to be carried out, where the GDPR would not otherwise require such an assessment?
Impact Assessments are only required in accordance with the provisions of the GDPR. The DPA has issued guidelines for those situations when it considers an Impact Assessment to be required (see here).
Q12/ Prior authorisation and public interest
Are there any circumstances in which national law requires controllers to consult with, or obtain prior authorisation from, the DPA in relation to processing for the performance of a task carried out by the controller in the public interest (including processing in relation to social protection and public health)?
Prior authorisation from the DPA is only required in accordance with the provisions of the GDPR.
(a) Does national law require controllers to appoint a DPO in circumstances other than those in Art. 37(1) GDPR?
DPOs are only mandatory in the circumstances set out in Art. 37(1) GDPR.
(b) Does national law impose secrecy and confidentiality obligations on DPOs and if so, in what circumstances do they apply?
Yes. According to the Data Protection Act, a DPO acting on behalf of an entity other than a public authority may not, without authorisation, disclose what he or she has become aware of in the performance of his or her tasks. A typical example of an authorised disclosure is the DPO disclosing relevant information to the DPA.
Where DPOs act on behalf of public authorities, confidentiality is instead governed by separate legislation.
Q14/ International data transfers
(a) Does national law make specific rules about transfers of personal data from public registers?
Data transfers from public registers are not subject to specific rules.
(b) Does national law restrict the transfer of specific categories of personal data to third countries?
Data transfers are not subject to restrictions beyond those set out in the GDPR.
(a) Details of the DPA(s).
- Name of DPA: Datainspektionen
- Address: Drottninggatan 29, level 5, Stockholm, Sweden
- Website: datainspektionen.se
(b) If more than one national DPA has been established, what is the rationale behind multiple DPAs?
Not applicable as there is only one DPA.
(c) How does national law ensure consistent application of the GDPR by the various DPAs in accordance with Art. 63 GDPR?
The law in Sweden does not grant additional powers to the DPA.
(d) Does national law grant the relevant DPA additional powers beyond those set out in Art. 58 GDPR?
The law in Sweden does not grant additional powers to the DPA.
(e) What national appeals process exists to enable parties to challenge the decisions of the DPA?
The DPA’s decisions regarding breaches of the GDPR or sanctions under the Data Protection Act may be appealed to the administrative court. Leave to appeal is required for appeals to the (second instance) Administrative Court of Appeal.
Other decisions issued by the DPA cannot be appealed.
(f) Have specific national rules been adopted regarding the DPA’s power to obtain information from controllers or processors that are subject to obligations of professional secrecy (or equivalent)?
There are no specific rules on this issue.
Q16/ Claims by not-for-profit bodies
Does national law specify any not-for-profit bodies that are entitled to bring claims on behalf of individuals without the specific mandate of those individuals?
There are no not-for-profit bodies that are specifically mandated to bring such claims.
Q17/ Administrative fines, penalties and sanctions
(a) Does national law lay down rules on whether and to what extent administrative fines may be imposed on public authorities for breaches of the GDPR?
According to the Data Protection Act, administrative fines may be imposed on public authorities. Such fines may not exceed SEK 5 million (approx. €470,000) for infringements of Art. 83(4) GDPR and SEK 10 million (approx. €940,000) for infringements of Arts. 83(5) & 83(6) GDPR.
(b) Does national law impose penalties/sanctions in addition to those set out in the GDPR, for breaches of the GDPR not subject to administrative fines (e.g., criminal penalties)?
The DPA may impose administrative fines for violations of Art. 10 GDPR. The size of the fines must be determined in accordance with Art. 83(5) GDPR.
Q18/ Freedom of expression and information
(a) What (if anything) does national law do to balance the provisions of the GDPR against the right to freedom of expression and information?
The GDPR and the Data Protection Act do not apply to the extent that they conflict with the legislation on freedom of the press and/or freedom of expression.
(b) What derogations have been introduced by national law concerning the processing of personal data for the purpose of academic, artistic or literary expression?
Arts. 5-30 & 35-50 GDPR and ss. 2-5 of the Data Protection Act do not apply to the processing of personal data carried out for journalistic purposes or for academic, artistic or literary expression.
Q19/ National identification numbers
Does national law stipulate specific conditions for the processing of a national identification number, and if so, what are the conditions?
Processing national identification numbers and coordination numbers may be carried out without consent only when it is clearly justified for the purpose of the processing, or where it is justified by the need for secure identification or another significant reason.
Q20/ Processing in the context of employment
(a) For what purposes can employees’ personal data in the employment context be processed under national law?
There are no specific provisions governing the processing of employee data.
(b) Does national law provide safeguards for employees’ dignity, legitimate interests, and fundamental rights?
There are no specific safeguards of this nature.
Q21/ Other material derogations
Are there any other material derogations from, or additions to, the GDPR under national law?
The provisions of the GDPR and the Data Protection Act also apply to activities which fall outside the scope of EU law and when Sweden carries out activities relating to Sweden’s participation in formulation of EU foreign and security policy.
However, the GDPR does not apply to activities subject to legislation on processing personal data in the context of the armed forces, intelligence services or the police.
Q22/ Current legal challenges
Are there any current legal challenges (e.g., court cases or regulatory appeals) regarding the validity or operation of the national GDPR implementation law (e.g., claims that the law incorrectly applies the GDPR; claims that the law is incompatible with constitutional principles; etc.)?
There are no current legal challenges ongoing.
Has the local DPA issued any material fines or taken any material enforcement action to date for breaches of the GDPR?
At present, the DPA has only issued warnings, reprimands and orders for breaches of the GDPR. Such breaches have included failure to appoint a DPO where necessary, unlawful disclosure of personal data by a public authority and deficiencies in a region’s main electronic health record system.
Q24/ Regulatory Guidance
Has the DPA issued any significant guidance on the application of the GDPR or national implementation law?
The DPA has issued a number of practical guides on GDPR compliance on its website (see here).
The DPA has also established and published a list of the types of processing where an Impact Assessment must be performed. The list is available in English (see here).
Björn Johansson Heigis
Björn Johansson Heigis is a Stockholm-based partner and head of Roschier’s Data Protection & Digitalisation, Outsourcing and TMT practices in Sweden. He is highly specialised in all information technology related matters, both stand-alone and in relation to transactions. Björn also has considerable experience from working on intellectual property matters, advising, for example, on copyright in software and open source patent issues. He regularly advises media, telecom and high-tech companies on complex cross-border data protection issues, as well as more traditional consumer and manufacturing companies on issues relating to digitalisation, cybersecurity and GDPR.
Björn is recognised as one of the leading experts in Sweden in intellectual property, TMT and information technology. He has chaired and lectured on GDPR in several high-profile seminars.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2019 White & Case LLP