Being a member of the European Union, Sweden implemented the EU Data Protection Directive
95/46/EC in 1998 with the Personal Data Act (Sw. personuppgiftslagen, SFS 1998:204,
below “the Act”). The previous Swedish Data Act enacted in 1973 had by then already been considered to be outdated for many years.
Definition of Personal Data
Personal data means all kinds of information that is directly or indirectly referable to a natural living person.
Definition of Sensitive Personal Data
Sensitive personal data means personal data that discloses race or ethnic origin, political opinions, religious or philosophical convictions and membership of trade unions. Personal data relating to health or sexual life is also embraced by the term.
National Data Protection Authority
The Data Inspection Board (Sw. Datainspektionen, below “DIB”) is the supervisory authority under the Act.
All controllers, except those whose processing falls under any of the exemptions in the Act, need to file notifications with the DIB.
Notification is not required if:
- the controller has appointed a personal data representative (a data protection officer or “Privacy Officer”) and notified the DIB about this, or
- the processing would probably not result in an improper intrusion of personal integrity, as specified in rules issued by either the Government or the DIB (for instance processing of personal data in running text, processing that takes place with the individual’s consent, or data relating to a registered person who has a link to the controller, such as members, employees or customers).
Data Protection Officers
There is no requirement in Sweden for organizations to appoint a data protection officer. It is a voluntary arrangement. However, if a data protection officer has been appointed and notified to the DIB, the general notification obligation does not apply. Instead, the officer has to maintain a register of the processing that the data controller implements and which would have been subject to the notification duty if the data protection officer had not existed.
Collection and Processing
Data controllers may collect and process personal data when any of the following conditions are met:
- the data subject consents;
- there is statutory authority for the processing;
- the processing is necessary to fulfill a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into such a contract;
- the processing is necessary to enable the controller to fulfill a legal obligation;
- the processing is necessary to protect the vital interests of the data subject;
- the processing is necessary to perform a task in the public interest;
- the processing is necessary to exercise official authority; or
- to satisfy a purpose that concerns a justified interest on the part of the controller or on the part of a third party to whom the personal data is disclosed, provided that this interest outweighs the registered person’s interest in protection against violation of personal integrity.
In relation to processing of sensitive personal data, additional requirements apply apart from what has been mentioned above.
Whichever of the above conditions is relied upon, the controller must first provide the data subject with certain information, unless an exemption applies. The information shall cover the identity of the controller, the purposes of the processing, whether the data will be disclosed and/or transferred and to whom/where, the fact that the provision of data is voluntary, and any other circumstances that will enable the data subject to exercise his/her rights pursuant to the Act.
In principle, it is forbidden to transfer personal data that is being processed to a country outside the EU/EEA that does not have an adequate level of protection for personal data.
Even if the third country in question does not have an adequate level of protection, it is allowed to transfer personal data to such a country if the registered person has given his/her consent to the transfer or when the transfer is necessary in order that:
- a contract between the registered person and the controller may be performed or measures that the registered person requested may be taken before a contract is made;
- a contract between the controller and a third party that is in the interests of the registered person may be made or performed;
- legal claims should be established, exercised or defended; or
- vital interests of the registered person may be protected.
It is also permitted to transfer personal data for use solely in a state that has acceded to the Council of Europe Convention of 28 January 1981 on the protection of individuals in automatic data processing.
Transfer of personal data to third countries is allowed if the countries provide “adequate protection” for the security of the data, or if the transfer is covered by standard contractual clauses approved by the European Commission, or subject to an organization’s Binding Corporate Rules.
For transfer of data to the United States, compliance with the US/EU Safe Harbor principles satisfies the requirements of Sweden’s transfer law.
The data controller is obliged to implement technical and organizational measures to protect the personal data. The measures shall attain a suitable level of security. When the controller engages a data assistant to conduct the processing of personal data (data processor), there shall be a written contract that specifically regulates the security aspects. The controller is also responsible for ensuring that the assistant actually implements the necessary security measures.
It is the controller who is responsible in relation to the registered person as regards the processing, even if an assistant/processor has been engaged or if someone who works for the controller has wrongfully disclosed personal data.
The DIB may issue decisions on security measures in individual cases.
There is no mandatory requirement in the Act to report data security breaches or losses to the DIB. Data security breaches are handled on a case-by-case basis and addressed by the DIB only if they, for instance, relate to a large number of data subjects or indicate a general non-compliance issue. There is no DIB guidance on the subject matter.
However, pursuant to the implementation of the ePrivacy Directive as amended, regarding security breach notification obligations, chapter 6 of the Swedish Electronic Communications Act (Sw. lag om elektronisk kommunikation, SFS 2003:389) as of July 2011 provides that a provider of publicly available electronic communications services shall without undue delay notify the Swedish Post and Telecom Authority (Sw. Post- och telestyrelsen) regarding privacy incidents. Where the incident is likely to adversely affect the subscribers or users whom the processed data concerns, or where the Post and Telecom Authority requests it, the provider shall also notify subscribers without undue delay. Incidents that only have a marginal effect on subscribers and users do not have to be notified to the authority. Moreover, notification is not required where the service provider has implemented appropriate security measures that render the data unreadable to unauthorized persons.
The DIB has, in its capacity as the supervisory authority, the right of access to the personal data processed and to information about and documentation of the processing, and is also empowered to enter premises connected with the processing.
Appeal may be made against a decision by the DIB to a general administrative court, i.e. in the first instance the County Administrative Court. The DIB may decide that a decision should apply even if it is appealed against.
A person who has intentionally or by gross negligence disclosed untrue data under the Act, who in contravention of the regulations processes sensitive personal data or data concerning offences, etc., or transfers personal data to a third country or neglects to give notice concerning the processing to the supervisory authority may be sentenced to a fine or imprisonment of at most six months. If the offence is grave, the penalty may be imprisonment up to two years. A sentence shall not be imposed in petty cases.
Furthermore, the controller may also be liable to pay compensation to a registered person for damage and violation of personal integrity caused by the processing of personal data in contravention of the Act.
The Act applies to most electronic marketing activities, given that such marketing is likely to involve processing of personal data (e.g. an e-mail address is likely regarded as personal data under the Act). Please note that if the data subject’s e-mail address has not been obtained in the context of a customer relationship or similar, the data subject’s consent is, as a main rule, required for electronic marketing. Moreover, a data subject has a right at any time to oppose (“opt out” of) further processing of his or her personal data for marketing purposes.
Online Privacy (including Cookies and Location Data)
Pursuant to the Swedish Electronic Communications Act (as amended by e-Privacy Directive
Consent is, however, not required for cookies that are:
- used for the sole purpose of carrying out the transmission of communication over an electronic communications network; or
- necessary for the provision of a service explicitly requested by the user.
Wilful or negligent breach of the Swedish Electronic Communications Act in this regard is sanctioned with fines, provided that the offence is not sanctioned by the Swedish Criminal Code (Sw. brottsbalken). However, if the breach is deemed to be minor, no sanction shall be imposed. To our knowledge there has been no case where a website operator has been fined for breach of the Swedish Electronic Communications Act.