A Q&A guide to data protection in Sweden.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.
The collection and use of personal data is regulated by the Personal Data Act (Personuppgiftslag (1998:204)) (PDA). The PDA is the most important legal instrument on data protection and applies to automatic processing of personal data and, in certain cases, manual processing of personal data on traditional paper-based files. The PDA applies to both the public and private sector, and contains provisions to protect individuals' privacy from being violated by the processing of personal data.
The PDA implements Directive 95/46/EC on data protection. The PDA is supplemented by the Personal Data Ordinance and by the Data Inspection Board's (see box, The regulatory authority) own statute book (Statute Book). To the extent that specific legislation deviates from the PDA, that legislation has priority and applies instead of the PDA. This guide will mainly focus on the PDA.
In addition to the PDA, there are various sectoral laws, mainly the:
Debt Recovery Act (Inkassolagen (1974:182)). The Act stipulates that, with a few exceptions, anyone who collects debts on behalf of another, or who has purchased debts for collection, must have a permit from the Data Inspection Board.
Credit Information Act (Kreditupplysningslagen (1973:1173)). The primary purpose of the Act is to protect individuals' privacy with respect to credit information. The Act stipulates that credit information concerning an individual can only be disclosed if there is a legitimate reason for disclosure.
Electronic Communications Act (Lagen (2003:389) om elektronisk kommunikation). The Act contains certain privacy rules concerning the processing of personal data in connection with the provision of electronic communications networks and electronic communications services. The Act implements Directive 2002/58/EC on the protection of privacy in the electronic communications sector (Privacy and Electronic Communications Directive).
Patients' Personal Data Act (Patientdatalag (2008:355)). The Act provides coherent regulation of the processing of personal data in the healthcare sector. The purpose of the legislation is to ensure increased patient security and protection of patients' privacy.
The PDA applies to controllers of personal data. The PDA defines a data controller as a person who alone, or together with others, decides the purpose and means of processing personal data. The data controller is usually a legal entity, but can also be an individual.
The PDA applies to all types of personal data, that is, data that are directly or indirectly (that is, used in conjunction with other data) referable to a living natural person. For example, an Internet Protocol address (IP address) is deemed personal data as long as the IP address, in conjunction with additional information (such as an internet provider's billing information), can identify the individual using the IP address.
The PDA is technology-neutral and applies to the processing of personal data that is wholly or partly performed with the aid of computers or similar equipment that is capable of automatically processing personal data. The PDA also applies to manual registers or filing systems if the personal data is included or is intended to be included in a structured collection making the personal data available for searching or compilation according to specific criteria.
The PDA does not apply to personal data that an individual collects and maintains in an activity of a purely private nature. For example, an individual is permitted to maintain an electronic diary or a register with the addresses of friends and relatives.
The PDA applies to any operation taken in relation to personal data. The following are examples of operations that constitute processing of personal data:
Disclosure by transfer or dissemination of personal information.
Compilations or joint processing.
Personal data in structured material can only be collected for specific, explicitly stated and legitimate purposes. Personal data cannot be reprocessed for any purpose that is incompatible with the original purpose, meaning that data that has been gathered for a particular purpose cannot be processed later for a different purpose or in a different manner.
The application of the PDA does not require that the information processed be structured in a specific way or be processed by any particular method. Therefore, all computerised word and text processing, or similar processing of running text, containing personal data would be subject to the PDA. This broad application of the PDA was generally considered too restrictive and bureaucratic. Therefore, in 2007, Sweden amended the PDA to include simplified rules that apply to the processing of personal data in unstructured material, to facilitate such processing of personal data that generally would not entail a violation of personal privacy. Unstructured material can, for example, consist of running text published on the internet, sounds, images and e-mail messages.
According to the simplified rules, the majority of the PDA's provisions do not apply when processing personal data in unstructured material. For example, the data controller is not required to comply with the fundamental requirements of the PDA nor fulfil the general information requirements (see Question 12).
The simplified rules constitute "abuse rules", meaning that the exemptions when processing personal data in unstructured material only apply if the privacy of the data subject is not violated.
If the data controller violates the privacy of the data subject when processing data in unstructured material, then the PDA will apply in its entirety.
The PDA applies to data controllers established in Sweden. In addition, the PDA also applies to data controllers who are established in a country outside the EU/EEA, but use equipment situated in Sweden to process personal data. In such cases, the data controller must appoint a representative established in Sweden. The provisions in the PDA concerning data controllers also apply to the representative.
The PDA does not apply if equipment is used only to transfer information between two countries that are both located outside the EU/EEA.
The main rule under the PDA is that personal data can only be processed if the data subject has given his consent to the processing (see Question 9). However, there are exemptions to this rule, for example, processing of personal data is permitted if the processing is necessary to:
Enable the performance of a contract with the data subject, or to enable measures that the data subject has requested to be taken before a contract is entered into.
Enable the data controller to comply with a legal obligation.
Protect the data subject's vital interests.
Perform a work task of public interest.
Enable the data controller, or a third party to whom the personal data are provided, to perform a work task in conjunction with the exercise of official authority.
Satisfy a purpose that concerns a legitimate interest of the data controller, or of a party to whom personal data are provided, if this interest is of greater weight than the prevention of the possible violation of the data subject's personal privacy.
Further, under Swedish law, public authorities have a duty to disclose public documents on request (unless secrecy applies), and also to archive and save public documents without alterations. The provisions of the PDA cannot be applied to limit the principle of access to official documents. In addition, the provisions concerning freedom of the press and freedom of expression in the Freedom of the Press Act (Tryckfrihetsförordningen (1949:105)) and the Fundamental Law on Freedom of Expression (Yttrandefrihetsgrundlagen (1991:1469)) also prevail over the provisions of the PDA. The PDA also includes exemptions for the processing of personal data that relates solely to journalistic work, or artistic or literary creations.
The general rule is that all processing of personal data that is completely or partially automated is subject to a notification duty under the PDA. Therefore, the data controller must provide a written notification to the Data Inspection Board before any processing is conducted.
Notification is not required if the data controller has appointed a data protection officer by giving notice to the Data Inspection Board identifying the data protection officer. A data controller must keep the Data Inspection Board informed of all changes by notifying it of any new appointment or removal of a data protection officer. The data protection officer is responsible for independently ensuring that the data controller processes personal data in a lawful and correct manner and in accordance with good practice (see Question 5). The data protection officer must identify any inadequacies to the data controller and maintain a register of the processing that the data controller conducts, and which would have been subject to notification to the Data Inspection Board if the data protection officer had not been appointed.
In addition, the government, or the authority appointed by the government, can grant exemptions from the duty of notification in certain cases, and for certain kinds of processing that are not likely to result in an improper intrusion into privacy, for example if the data controller has received the data subject's consent.
The data controller must ensure that the processing of personal data is at all times in accordance with the PDA's fundamental requirements that personal data are:
Processed only if it is lawful.
Always processed in a correct manner and in accordance with good practice.
Only collected for specific, explicitly stated and justified purposes.
Not processed for any purpose that is incompatible with the purpose for which the information was gathered.
Adequate and relevant for the purposes of the processing.
Not excessive. Only the required sets of personal data can be processed and they must be linked to the purposes of the processing.
Correct and up to date.
Rectified, corrected, blocked or erased, if it is incorrect or incomplete with regard to the purpose of the processing.
Not kept for a longer period than necessary with regard to the purpose of the processing.
Generally, the PDA states that personal data can only be processed if the data subject has given his consent to the processing.
Under the PDA, consent means every kind of active, voluntary, specific and unambiguous expression of will by which the data subject, after the receipt of information, accepts the processing of personal data concerning him. Consent must always be voluntary, but can be either verbal or written. The burden of proof is on the data controller to show that consent has been given to the particular processing. It is therefore recommended that written confirmation be obtained by the data controller.
The data subject must receive all information necessary to enable him to assess how the collected personal data will be used and the advantages and disadvantages of the processing, so that he can exercise his rights under the PDA. The consent must be specific to a particular processing performed by a particular data controller for a particular purpose. Therefore, it is not possible to obtain general consent.
Generally, online consent is sufficient provided it complies with the above regulations. However, it is preferable to use an opt-in mechanism (for example, the individual could tick an "I Agree" checkbox) when seeking consent, as it is uncertain if an "opt-out" mechanism with a pre-ticked checkbox qualifies as an active, voluntary and unambiguous action.
The PDA does not include any special rules relating to consent by minors. Any individual, including a minor, who is able to comprehend the implications of consent to the processing of personal data is entitled to give this consent. Only if a minor is unable to understand the implications of his actions should the data controller obtain consent from the minor's guardian instead. The Data Inspection Board has stated that a 15-year-old is generally able to consent to the processing of his personal data; however, an assessment may have to be made on a case-by-case basis.
See Question 6.
The PDA stipulates special rules for sensitive personal data, personal identity numbers and criminal records.
Sensitive personal data. The processing of sensitive personal data is generally prohibited. The PDA defines sensitive personal data as data that reveal:
Race or ethnic origin.
Health and sex life.
Religious or philosophical beliefs.
Membership of a trade union.
However, there are several exemptions and sensitive personal data can be processed if, for example:
The data subject has given his explicit consent to the processing.
The processing is necessary to ensure that the data controller is able to:
fulfil obligations or exercise rights under employment law; or
establish, exercise or defend legal claims.
The processing is necessary for certain healthcare or the administration of healthcare.
Personal identity numbers. In Sweden, each individual is assigned a personal identity number at birth. Personal identity numbers can be processed without consent only when manifestly justified, with regard to the purpose of the processing, the importance of secure identification or some other substantial reason.
Criminal records. It is generally prohibited for any person or party other than public authorities to process personal data concerning violations of laws involving crimes, judgments in criminal cases, coercive measures in criminal procedure, and so on.
The government or the Data Inspection Board can issue exemptions from the prohibition on processing sensitive personal data and personal data concerning criminal records where such exemptions are necessary for public interest.
The general rule is that a data controller must voluntarily provide information to a data subject at the point of collecting personal data. This information includes:
The name, address, telephone number, company registration number and e-mail address (to the extent applicable) of the data controller.
Information concerning the purpose of the processing.
All other information necessary for the data subject to be able to exercise his rights in connection with the processing.
This means that the information provided by the data controller must also cover the recipients of the information, the data subject's right to request information from the data controller concerning the processing, and the data controller's obligation to rectify any information about the data subject that has been erroneously processed.
There are exceptions to a data subject's right to receive information. Information does not need to be provided in relation to matters of which the data subject is already aware. Where the personal data is collected from a third party and not from the data subject himself, it is not necessary to provide information to the data subject if it:
Would involve a disproportionate effort.
The obligation to provide information can also be limited by legislation. For example, secrecy and confidentiality in health and hospital care can apply to the data subject (for example, the patient) with regard to the purpose of the care or treatment. In these circumstances, there is no obligation to provide information to the data subject.
Upon a data subject's request, the data controller must provide information on whether personal data concerning the data subject are being processed or not. If personal data are processed, written information must also be provided about:
What information is being processed.
The source from which it was collected.
Why the processing is taking place.
To which recipients or groups of recipients the data are disclosed.
The data controller must submit the information to the data subject free of charge within one month of the request. The duty to submit information at the request of the data subject is limited to one occasion per calendar year.
A data subject is entitled to withdraw his consent to the processing of personal data at any time. After the data subject's withdrawal of his consent, no subsequent processing of the data subject's personal data can be conducted by the data controller. The data subject is not entitled to oppose any other processing of personal data that is permitted under the PDA without the data subject's consent.
The data subject can at any time object to the processing of personal data for the purpose of direct marketing by notifying the controller in writing that he opposes the processing. After the data subject's notification, no subsequent processing of the data subject's personal data for the purpose of direct marketing can be conducted by the data controller.
Upon a data subject's request, the data controller must immediately delete, rectify or block personal data that have not been processed lawfully (including erroneous data). The data controller must also notify any third party to whom personal data have been disclosed about the measures taken if requested to do so by the data subject, or if such notification would prevent substantial damage or inconvenience to the data subject. However, no such notification is needed if it proves impossible or would involve a disproportionate effort.
The rules concerning secrecy and confidentiality (see Question 12) also apply when providing information after a request for information from the data subject.
The data controller must implement technical and organisational measures to attain a suitable level of security to protect the personal data. When assessing the suitable level of security needed, consideration must be given to:
The technical possibilities available.
What it would cost to implement the measures.
The special risks that exist with processing of personal data.
How sensitive the processed personal data are.
The Data Inspection Board has issued non-binding guidelines concerning the security required under the PDA, as well as practical advice on designing secure IT systems that honour data privacy (that is, privacy by design guidelines).
The Data Inspection Board strictly enforces security matters and can, to a reasonable extent, provide advice on security matters to a data controller. The Data Inspection Board can also decide on measures a data controller must implement to satisfy the Data Inspection Board's security requirements. If the data controller fails to comply with such security measures, the Data Inspection Board can prescribe a default fine.
There is generally no obligation under the PDA requiring data controllers to notify security breaches to the Data Inspection Board or to the data subject. However, there is one exception: if a data protection officer (DPO) has been appointed and identifies a breach of the PDA, the DPO must raise the breach with the data controller. If the data controller does not rectify the breach as soon as it is practicable after being made aware of it, the DPO must then notify the breach to the Data Inspection Board.
There are no requirements for the DPO to notify the data subject if there is a breach of the PDA, but it could be argued that in certain cases, and to mitigate a loss for the data subject, the data subject should be informed of the breach.
If the data controller engages a third party to conduct the processing of personal data on behalf of the data controller (data processor), there must be a written contract between the data controller and the data processor:
Stipulating that the data processor may only process personal data in accordance with the data controller's instructions.
Specifically regulating security aspects of the processing of personal data.
It is always the data controller who is responsible in relation to the data subject, even if the data controller has engaged a data processor. Therefore, it is the data controller that bears the legal responsibility that the data processor actually implements the necessary security measures.
Under the Electronic Communications Act, the general rule is that visitors must actively consent to cookies being used. It is also stipulated that in order to store a cookie on a data subject's terminal, the data controller must inform the data subject:
What the cookie is used for.
Where the cookie originates from.
How long the cookie is stored.
How the cookie can be avoided.
Cookies that are necessary for the provided service to function (for example, cookies relating to shopping basket and authentication) are exempted from the general rule.
However, the legal situation is currently unclear and no clear practice has evolved as to when and how consent is to be obtained. The supervising authority for the Electronic Communications Act has to date not imposed sanctions on data controllers that do not comply with the rules, and has instead encouraged the industry to come up with practical solutions for ensuring that the rules are complied with.
Sweden has implemented "anti-spam" rules, based on the Privacy and Electronic Communications Directive. The main rule is that advertising to a natural person using electronic mail or other automatic systems is permitted only if the individual has given his prior consent. However, no prior consent is necessary if the natural person's e-mail address has been obtained in connection with the sale of a product, provided the following conditions are met:
The person has not objected to the use of the e-mail address for marketing purposes.
The marketing pertains to the sender's own products or similar products.
The person must be given the opportunity to opt out, free of charge and in an easy manner, when the information is collected, and in conjunction with each subsequent marketing communication.
The marketing must always contain a valid address to which the recipient can send a request to opt out of the marketing.
Generally, it is prohibited to transfer personal data that are being processed to a country outside the EU/EEA that does not have an adequate level of protection for personal data, unless the data subject has explicitly consented to the transfer. When assessing the level of protection afforded by a country outside of the EU/EEA, all circumstances surrounding the transfer are considered. However, particular consideration must be given to the:
Nature of the data.
Purpose of the processing.
Duration of the processing.
Country of origin.
Country of final destination.
Rules that exist for the processing in the third country.
Whether the level of protection in a particular country is adequate must be assessed on a case-by-case basis.
However, a transfer of personal data to a country outside the EU/EEA is permitted without the data subject's consent if the transfer is necessary for the:
Performance of a contract between the data controller and the data subject, or measures that the data subject has requested to be taken before a contract is made.
Conclusion or performance of a contract between the data controller and a third party, which is in the data subject's interest.
Establishment, exercise or defence of legal claims.
Protection of vital interests of the data subject.
It is also permitted to transfer personal data for use in a state that is party to the Strasbourg Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 1981 (Strasbourg Data Processing Convention), provided the personal data is used only in that particular state.
For automated processing, the government can issue regulations permitting the transfer of personal data to a country outside the EU/EEA if the transfer is regulated by an agreement with sufficient guarantees of the rights of the data subject (see Questions 21 and 22). In addition, the government can issue regulations, or decide in individual cases, to permit the transfer of personal data to a country outside the EU/EEA:
Provided it is considered necessary, with regard to vital public interests.
If there are sufficient safeguards to protect the data subject's rights.
A group of companies that has formally adopted binding corporate rules (BCRs) can also freely transfer personal data among its group companies. The BCRs must be pre-approved by the Data Inspection Board. Sweden is not part of the mutual recognition procedure. In addition, transfers of personal data to the US are permitted if the recipient in the US has adopted the Safe Harbor Rules.
Publication of personal data on the internet does not normally entail a transfer of information to all countries that have access to the internet.
The government can, in relation to matters of automated processing of personal data, issue regulations permitting the transfer of personal data to a party outside the EU/EEA (see Question 20), provided the transfer is regulated by an agreement that provides sufficient guarantees of the rights of the data subjects.
Sweden has acknowledged the validity of the three standard form clauses approved by the European Commission. The Personal Data Ordinance expressly provides that a transfer of personal data to a country outside the EU/EEA is allowed when the transfer is made subject to any of the three standard form clauses. However, the transfer must always be in accordance with the general rules concerning the processing of personal data and the specific rules regarding sensitive personal data.
Provided the rules concerning the processing of personal data and sensitive personal data are complied with, the use of a data transfer agreement is sufficient to legitimise a data transfer to a country outside the EU/EEA.
There is no duty of notification, or other similar requirements, nor is any approval required from the Data Inspection Board to legitimise a transfer of personal data to a country outside the EU/EEA.
The main objective of the Data Inspection Board is to assist and advise data controllers in resolving any unlawful processing of personal data. The Data Inspection Board can decide on measures that a data controller must implement to satisfy the Data Inspection Board's security requirements (see Question 15). However, the Data Inspection Board will normally first request a data controller to remedy any breaches.
The Data Inspection Board can obtain, on request:
Access to personal data processed by a data controller.
Information about and documentation of the processing of personal data.
Information on security of the processing of the personal data.
Access to the premises connected with the processing of personal data.
If the Data Inspection Board concludes that the processing of personal data is unlawful, or is unable to obtain sufficient guarantees that the processing of personal data is lawful, the Data Inspection Board can prohibit a data controller from processing personal data in any manner other than by storing it.
The Data Inspection Board can also, at the County Administrative Court, apply for the erasure of the personal data that has been unlawfully processed.
A data controller is liable to pay damages to a data subject for damage and violation of personal privacy caused by the processing of personal data in contravention of the PDA. Further, a person can, in addition to damages, be subject to a fine or imprisonment of up to two years if he:
Intentionally or by gross negligence discloses untrue data in information or notifications under the PDA.
In contravention of the provisions of the PDA, processes sensitive personal data or data concerning violations of laws.
Transfers personal data to a country outside the EU/EEA.
Fails to give notice concerning the processing to the Data Inspection Board.
Normally, the courts impose penalties in the form of fines and damages. Imprisonment sentences are rare and the few imprisonment sentences rendered by Swedish courts have involved additional offences, such as defamation.
Main areas of responsibility. The Swedish Data Inspection Board is a central government agency. Its task is, among other things, to ensure that the processing of personal data does not violate individuals’ privacy. The Data Inspection Board also assists individuals whose privacy has been violated, and issues regulations and general recommendations, as well as opinions on legislative proposals.
Description. This is the official website maintained by the Data Inspection Board. The information it contains is up to date, with the exception of information in languages other than Swedish, which may be older. For example, the translation of the PDA has not been updated and is therefore currently partly obsolete.
Professional qualifications. LLM (Uppsala University, 1993, and Harvard Law School, 1999). Admitted to the bars of Sweden and New York State.
Areas of practice. Data protection and privacy, compliance programs, outsourcing, drafting and negotiating IT-related contracts.
Professional qualifications. LLM (Stockholm University, 2007).
Areas of practice. Data privacy; commercial transactions, in particular IT related procurement and outsourcing projects; and negotiating and drafting commercial technology contracts.
Professional qualifications. LLM (Uppsala University, 2010).
Areas of practice. Data protection and privacy, and negotiating and drafting commercial technology contracts, IT-related contracts in particular.
Advising a global engineering group in connection with an IT outsourcing spanning more than 100 countries, ensuring data protection compliance.
Advising a leading global provider of integrated design, measurement and visualisation technologies in rolling out a privacy compliance program for its 13,000 employees in 40 countries.
Advising a direct marketing-group on the implications of the proposed EU data protection regulation, in particular as regards issues of profiling and opt-in.